Quanah Gibson-Mount wrote:

> > As a curiosity, servers matched by the first rules are about 5 or 6 times
> > faster to respond than servers matched by the last rules. I thought that
> > the ACL evaluation time would be uniform because the whole set of rules
> > would be evaluated. Does this make sense to anyone?

...

> The one other thing I noticed about your configuration is that you had a
> 9.5MB BDB cache. This may or may not really be sufficient. You have a
> small number of entries, but you also have a large number of attributes per
> entry, and if you have extensive indexing, that would also be a factor.

Quanah, I don't know if it makes any difference, but 125 is the theoretical number of attributes (it is the raw number of attributes for the set of objectclasses I use); the real number of attributes used by entries is approx. 50.

> I'd be curious if you'd get a performance increase with a larger BDB cache
> size (say 100MB, where you would have set_cachesize 0 104857600 0) and see
> if that improved your results.

With 100MB the response times are almost identical; of course, this time I have reconstructed the bdb database (slapcat, rm, slapadd). Please remember that I make heavy use of break controls in the who part of the rules (100 x 2 = 200 rules). These are the times (tests were done on idle machines):

# time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x > /dev/null
real 0m1.482s
user 0m0.110s
sys 0m0.000s

# time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w .. -x > /dev/null
real 0m1.405s
user 0m0.070s
sys 0m0.000s

The second time is lower because of caching. In this test the matched identity for the server was located last in the ACL; in the next test the server identity was first in the list:

# time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x > /dev/null
real 0m0.191s
user 0m0.080s
sys 0m0.000s

# time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x > /dev/null
real 0m0.132s
user 0m0.090s
sys 0m0.010s

As you can see, there is a big difference. I can understand that this setup is CPU intensive, but I still can't understand why the order is so important.
