"José M. Fandiño" wrote:
>
> Quanah Gibson-Mount wrote:
> > > As a curiosity, servers matched by the first rules are about 5 or 6 times
> > > faster to respond than servers matched by last rules. I thought that
> > > the ACL evaluation time would be uniform because the whole set of rules
> > > would be evaluated. Does this make sense to anyone?
> > ...
>
> > The one other thing I noticed about your configuration is that you had a
> > 9.5MB BDB cache. This may or may not really be sufficient. You have a
> > small number of entries, but you also have a large number of attributes per
> > entry, and if you have extensive indexing, that would also be a factor.
>
> Quanah, I don't know if it makes some difference but 125 is the theoretical
> number of attributes (it is the raw number of attributes for the set of
> objectclasses I use), the real number of attributes used by entries is
> 50 approx.
>
> > I'd be curious if you'd get a performance increase with a larger BDB cache
> > size (say 100MB, where you would have set_cachesize 0 104857600 0) and see
> > if that improved your results.
>
> with 100MB the response times are almost identical, of course this time
> I have reconstructed the bdb database (slapcat, rm, slapadd)
>
> please remember I make heavy use of break controls in the who part of the
> rules (100 x 2 = 200 rules).
>
> these are the times (tests were done on idle machines):
>
> # time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x > /dev/null
> real 0m1.482s
> user 0m0.110s
> sys 0m0.000s
>
> # time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w .. -x > /dev/null
> real 0m1.405s
> user 0m0.070s
> sys 0m0.000s
>
> the second time is lower because of caching. In this test the matched identity
> for the server was located last in the ACL and in the next the server identity
> was first in the list:
>
> # time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x > /dev/null
> real 0m0.191s
> user 0m0.080s
> sys 0m0.000s
>
> # time ldapsearch -b ou=personas,ou=cuentas,dc=domain -s sub -D cn=... -w ... -x > /dev/null
> real 0m0.132s
> user 0m0.090s
> sys 0m0.010s
>
> as you can see there is a big difference.
>
> I can understand that this setup is cpu intensive, but I still can't
> understand why the order is so important.

hhmm, might it be that the OpenLDAP daemon gives a response as soon as it
has data available to return? If this is true I should see CPU consumption
until 1.482 - 0.191 seconds later and the total time would always be
1.482ms (approx.)

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a31 C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++ G++ e-
h+(++) !r !z
------END GEEK CODE BLOCK------
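
Added example, not part of the thread and not slapd code: a simplified model of the first-match evaluation with stop/continue/break controls documented in slapd.access(5), counting <who> comparisons for one access check when the bound identity is listed first versus last. The ACL layout (one access clause per server, each with "by <dn> read" followed by "by * break") and the DNs are constructed assumptions, not the poster's configuration.

```python
# Simplified model of slapd ACL evaluation order (slapd.access(5) semantics).
# Assumption: every <what> is "*", so only the <who> ordering is exercised.

def build_acl(identities):
    """One access clause per identity: 'by <dn> read' then 'by * break'."""
    return [[(dn, "read", "stop"), ("*", None, "break")] for dn in identities]

def evaluate(acl, bind_dn):
    """Return (granted_level, who_comparisons) for a single access check."""
    level, comparisons = "none", 0
    for by_clauses in acl:
        matched = False
        for who, grant, control in by_clauses:
            comparisons += 1
            if who != "*" and who != bind_dn:
                continue                  # this <who> does not match, try the next one
            matched = True
            if grant is not None:         # None models "+0": privileges unchanged
                level = grant
            if control == "stop":
                return level, comparisons # first match wins, evaluation ends here
            if control == "break":
                break                     # fall through to the next access clause
            # control == "continue": keep scanning <who> clauses in this clause
        if not matched:
            return "none", comparisons    # implicit trailing "by * none stop"
    return "none", comparisons            # implicit final "access to * by * none"

# Constructed sample identities: 100 servers x 2 by-clauses = 200 rules.
SERVERS = [f"cn=server{i},ou=servers,dc=domain" for i in range(1, 101)]
ACL = build_acl(SERVERS)

if __name__ == "__main__":
    for dn in (SERVERS[0], SERVERS[-1], "cn=unknown,dc=domain"):
        level, cost = evaluate(ACL, dn)
        print(f"{dn}: level={level} who_comparisons={cost}")
```

In this model the cost of a single check grows linearly with the position of the matching rule, and an identity that matches nothing pays for the whole list before being denied.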
