mmm, I'm planning to build something like this in /etc/saslauthd.conf:
(&(mail=%U@%d)(|(&(objectClass=VirtualMailaccount)(accountActive=TRUE))(objectClass=VirtualMailAlias)))
that tries to locate two kind of entries:
1. mail=user@domain,vd=domain,o=hosting,dc=myldap,dc=com (VirtualMailAccount)
2. cn=postmaster,vd=domain,o=hosting,dc=myldap,dc=com (VirtualMailAlias)
There could be hundreds or maybe thousand of entries of type (1), but only 1 entry of type (2). The filter shown above is used to authenticate users trough saslauthd. So 95% of times users authenticate using type (1), but sometimes I would need to authenticate as 'postmaster' using type (2).
I was worried about performance because using (objectClass=VirtualMailAlias) with OR just for a unique account in my domain.
Would I get much better performance if remove (objectClass=VirtualMailAlias) from the filter? Do you believe that the performance impact will be big?
Hallvard B Furuseth escribió:
Jason Voorhees writes:
Thanks. That allows me to build complex filters using OR logic without being worried about performance.
Sorry, no. First slapd must locate all entries to compare with the filter. For that it uses indexes. First it uses the DN index, to find just the entry IDs of just entries in the search scope.
Then if all the ORed components are indexed, it can narrow this list further down by only checking entries that match one of the filter components. OTOH if one of the ORed components is not indexed, slapd cannot narrow down the entry candidate list further.
Finally it checks each candidate entry against the filter. When checking an entry, slapd can indeed stop the first time an OR yields TRUE. Or the first time an AND yields not-TRUE (FALSE or Undefined).