Emmanuel Lecharny wrote:
   Hi,

I'm just checking the subentryInterceptor while trying to find the best
way to fix the ACI handling when the server is stopped and restarted.

There is something really unpleasant in this interceptor: when adding a
subtree, we do a search in the DIT to find all the entries part of the
subtree, and each of them is modified to have the
accessControlSubentries AT added, with a reference to the subentry.

If the server contains millions of entries, this is simply not an option.

The direct consequence is that anytime we add an ACI which spans over a
lot of entries, we will have a large number of modifications applied,
and it's definitely a costly operation (moreover, I don't see how we
can assure the atomicity of such an operation...)

This is one of the reasons we still don't have proper subentry support in OpenLDAP. I think to do it in a sane fashion you want all of these XXXsubEntry attributes to be generated dynamically. But, if you have a lot of subentry specifications applying to a tree, you'll pay for it in search performance because you have to evaluate all of them each time you reference an entry. That leaves the caching approach that we took for subtree rename.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
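
The trade-off discussed in this thread, as an added example that is not part of the original messages and is neither ApacheDS nor OpenLDAP code: accessControlSubentries is derived at read time from the subtree specifications instead of being written into every entry, with a per-DN cache that is cleared whenever a subentry is added. The class names, the simplified DN parsing, the absolute `base` field and the cache policy are assumptions; only the base, minimum and maximum parts of an RFC 3672 subtree specification are modelled, and all DNs are constructed samples.

```python
from dataclasses import dataclass

def rdns(dn):
    """Lowercased RDNs, leaf first. Assumes DNs without escaped commas."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

@dataclass(frozen=True)
class Subentry:
    dn: str            # DN of the subentry (constructed sample values only)
    base: str          # absolute DN of the subtree base (simplification)
    minimum: int = 0   # levels below base where the subtree starts
    maximum: int = -1  # deepest level included; -1 means unbounded

    def covers(self, entry_dn):
        e, b = rdns(entry_dn), rdns(self.base)
        if len(e) < len(b) or (b and e[-len(b):] != b):
            return False
        depth = len(e) - len(b)
        return depth >= self.minimum and (self.maximum < 0 or depth <= self.maximum)

class SubentryIndex:
    """Derives accessControlSubentries at read time; entries are never modified."""
    def __init__(self):
        self.subentries = []
        self.cache = {}        # normalized entry DN -> tuple of subentry DNs
        self.evaluations = 0   # covers() calls, to make the search-time cost visible

    def add_subentry(self, sub):
        self.subentries.append(sub)
        # One in-memory invalidation replaces N entry modifications. Skipping it
        # would leave cached entries evaluated without the new ACI subentry.
        self.cache.clear()

    def access_control_subentries(self, entry_dn):
        key = ",".join(rdns(entry_dn))
        if key not in self.cache:
            self.evaluations += len(self.subentries)
            self.cache[key] = tuple(s.dn for s in self.subentries if s.covers(entry_dn))
        return self.cache[key]

if __name__ == "__main__":
    idx = SubentryIndex()
    idx.add_subentry(Subentry("cn=aci1,ou=people,dc=example,dc=com", "ou=people,dc=example,dc=com"))
    idx.add_subentry(Subentry("cn=aci2,dc=example,dc=com", "dc=example,dc=com", maximum=1))
    for dn in ("uid=alice,ou=people,dc=example,dc=com", "ou=people,dc=example,dc=com"):
        print(dn, "->", idx.access_control_subentries(dn))
```

The `evaluations` counter grows with the number of subentries on every cache miss, which is the search-time cost the reply describes; the cache removes that cost only until the next subentry change.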
