directory-dev mailing list archives

From Emmanuel Lecharny <>
Subject ACI and subtrees interactions
Date Mon, 05 Jul 2010 22:08:22 GMT

I'm just checking the subentryInterceptor while trying to find the best 
way to fix the ACI handling when the server is stopped and restarted.

There is something really unpleasant in this interceptor: when adding a 
subtree, we do a search in the DIT to find all the entries part of the 
subtree, and each of them is modified to have the 
accessControlSubentries AT added, with a reference to the subentry.

If the server contains millions of entries, this is simply not an option.

The direct consequence is that anytime we add an ACI which spans over a 
lot of entries, we will have a large number of modifications applied, 
and it's definitely a costly operation (moreover, I don't see how we 
can assure the atomicity of such an operation...)

We have to find a better way to determine if an entry is part of a 
subtree than by modifying this entry.

Another annoying aspect is that when we evaluate an ACI, we have to get 
the subtree from the subEntry interceptor, because the associated cache 
is not global. This is not a good thing either. Caches must be handled 
globally by the DirectoryService instance, not by each interceptor.

Still a lot of work before we can release a production ready server, 

Emmanuel Lécharny
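
An added illustration, not part of the original message and not ApacheDS code: one way to decide whether an entry belongs to a subtree from its DN alone, instead of stamping accessControlSubentries on every entry. It assumes a simplified subtreeSpecification (base, minimum, maximum, chopBefore/chopAfter as in RFC 3672, no specificationFilter) with absolute DNs; the class and method names are hypothetical, and the sample DNs are constructed. Requires Java 16 or later.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import java.util.List;

public class SubtreeMembership {
    /** Simplified subtreeSpecification; all DNs are absolute here (assumption). */
    record SubtreeSpec(LdapName base, int minimum, int maximum,   // maximum < 0 means unbounded
                       List<LdapName> chopBefore, List<LdapName> chopAfter) {}

    /** True if entryDn is selected by spec, computed from the DN alone: no entry is modified. */
    static boolean isSelected(LdapName entryDn, SubtreeSpec spec) {
        // LdapName.startsWith compares the rightmost RDNs, i.e. the ancestor part of the DN.
        if (!entryDn.startsWith(spec.base())) return false;
        int depth = entryDn.size() - spec.base().size();
        if (depth < spec.minimum()) return false;
        if (spec.maximum() >= 0 && depth > spec.maximum()) return false;
        for (LdapName chop : spec.chopBefore())   // excludes chop itself and everything below it
            if (entryDn.startsWith(chop)) return false;
        for (LdapName chop : spec.chopAfter())    // excludes only what is strictly below chop
            if (entryDn.startsWith(chop) && entryDn.size() > chop.size()) return false;
        return true;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample data, not taken from the mailing-list message.
        SubtreeSpec spec = new SubtreeSpec(
                new LdapName("ou=people,dc=example,dc=com"), 1, -1,
                List.of(new LdapName("ou=contractors,ou=people,dc=example,dc=com")),
                List.of(new LdapName("ou=admins,ou=people,dc=example,dc=com")));
        String[] dns = {
            "ou=people,dc=example,dc=com",                       // depth 0, below minimum
            "uid=alice,ou=people,dc=example,dc=com",             // selected
            "ou=contractors,ou=people,dc=example,dc=com",        // chopped (chopBefore)
            "uid=bob,ou=contractors,ou=people,dc=example,dc=com",// chopped (chopBefore)
            "ou=admins,ou=people,dc=example,dc=com",             // selected (chopAfter keeps it)
            "uid=root,ou=admins,ou=people,dc=example,dc=com",    // chopped (chopAfter)
            "uid=carol,ou=groups,dc=example,dc=com"              // outside base
        };
        for (String dn : dns)
            System.out.println(isSelected(new LdapName(dn), spec) + "  " + dn);
    }
}
```

Evaluated this way, adding or removing a subentry touches only the subentry itself, and the ACI check costs one DN comparison per candidate subtree at evaluation time.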
