Re: Question about ldap filter
mmm, I'm planning to build something like this in /etc/saslauthd.conf:
(&(mail=%U@%d)(|(&(objectClass=VirtualMailaccount)(accountActive=TRUE))(objectClass=VirtualMailAlias)))
that tries to locate two kind of entries:
1. mail=user@domain,vd=domain,o=hosting,dc=myldap,dc=com
(VirtualMailAccount)
2. cn=postmaster,vd=domain,o=hosting,dc=myldap,dc=com
(VirtualMailAlias)
There could be hundreds or maybe thousand of entries of type (1), but
only 1 entry of type (2).
The filter shown above is used to authenticate users trough saslauthd.
So 95% of times users authenticate using type (1), but sometimes I would
need to authenticate as 'postmaster' using type (2).
I was worried about performance because using
(objectClass=VirtualMailAlias) with OR just for a unique account in my
domain.
Would I get much better performance if remove
(objectClass=VirtualMailAlias) from the filter?
Do you believe that the performance impact will be big?
Hallvard B Furuseth escribió:
Jason Voorhees writes:
> Thanks. That allows me to build complex filters using OR logic without
> being worried about performance.
Sorry, no. First slapd must locate all entries to compare with the
filter. For that it uses indexes. First it uses the DN index, to find
just the entry IDs of just entries in the search scope.
Then if all the ORed components are indexed, it can narrow this list
further down by only checking entries that match one of the filter
components. OTOH if one of the ORed components is not indexed, slapd
cannot narrow down the entry candidate list further.
Finally it checks each candidate entry against the filter. When
checking an entry, slapd can indeed stop the first time an OR yields
TRUE. Or the first time an AND yields not-TRUE (FALSE or Undefined).