directory-dev mailing list archives

From Howard Chu
Subject Re: ACI and subtrees interactions
Date Tue, 06 Jul 2010 00:49:04 GMT
Emmanuel Lecharny wrote:
>    Hi,
> I'm just checking the subentryInterceptor while trying to find the best
> way to fix the ACI handling when the server is stopped and restarted.
> There is something really unpleasant in this interceptor: when adding a
> subtree, we do a search in the DIT to find all the entries part of the
> subtree, and each of them is modified to have the
> accessControlSubentries AT added, with a reference to the subentry.
> If the server contains millions of entries, this is simply not an option.
> The direct consequence is that anytime we add an ACI which spans over a
> lot of entries, we will have a large number of modifications applied,
> and it's definitively a costly operation (moreover, I don't see how we
> can assure the atomicity of such an operation...)

This is one of the reasons we still don't have proper subentry support in 
OpenLDAP. I think to do it in a sane fashion you want all of these XXXsubEntry 
attributes to be generated dynamically. But, if you have a lot of subentry 
specifications applying to a tree, you'll pay for it in search performance 
because you have to evaluate all of them each time you reference an entry. 
That leaves the caching approach that we took for subtree rename.

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP
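
The trade-off discussed in this thread, as an added example that is not code from ApacheDS or OpenLDAP: instead of stamping accessControlSubentries onto every entry when a subentry is added, the value is computed when an entry is referenced and memoised behind a generation counter. The class names, the generation-counter cache (which is not necessarily the caching approach mentioned for subtree rename), the constructed DNs and the reduced subtreeSpecification (base, minimum, maximum only) are assumptions.

```python
from dataclasses import dataclass

def rdns(dn):
    # Naive DN split (assumption): no escaped commas in RDN values.
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

@dataclass(frozen=True)
class Subentry:
    dn: str            # DN of the subentry itself
    admin_point: str   # administrative point the subentry sits under
    base: str = ""     # subtreeSpecification base, relative to admin_point
    minimum: int = 0   # minimum depth below base
    maximum: int = -1  # maximum depth below base, -1 means unbounded

    def selects(self, entry_dn):
        root = rdns(self.base) + rdns(self.admin_point)
        entry = rdns(entry_dn)
        # The entry must sit at or below the base of the subtree.
        if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
            return False
        depth = len(entry) - len(root)
        return depth >= self.minimum and (self.maximum < 0 or depth <= self.maximum)

class SubentryIndex:
    def __init__(self):
        self.subentries = []
        self.generation = 0
        self.cache = {}       # normalized entry DN -> (generation, subentry DNs)
        self.evaluations = 0  # counts full evaluations, i.e. cache misses

    def add(self, subentry):
        # Constant cost: no entry in the DIT is modified, so there is no
        # multi-entry write whose atomicity has to be guaranteed.
        self.subentries.append(subentry)
        self.generation += 1  # every cached answer is now stale

    def access_control_subentries(self, entry_dn):
        key = ",".join(rdns(entry_dn))
        hit = self.cache.get(key)
        if hit and hit[0] == self.generation:
            return hit[1]
        # Cache miss: evaluate every specification, the search-time cost
        # that grows with the number of subentries.
        self.evaluations += 1
        result = tuple(s.dn for s in self.subentries if s.selects(entry_dn))
        self.cache[key] = (self.generation, result)  # unbounded here; bound it in practice
        return result
```
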
