Howard Chu wrote:
Michael Ströder wrote:
Tomasz Lesniewski wrote:
I would like to use sets in my OpenLDAP ACLs, but I'm worried about "Sets are considered experimental" as is written in the docs (http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting%...)
Is anybody using sets in a production environment without problems? Are there any known issues with sets? Or is it known when sets will be ready to use?
I put one setup with many set ACLs in production. Sets work as intended but are not documented very well. It costs some time to get it right. It's a good idea to implement ACL regression testing.
The main problem with sets: They are slow - I mean really slow.
And they will continue to be - very very slow. There is currently no way to cache set evaluations, like we do with group ACLs.
So the only work-around to improve performance a bit is to maintain additional attributes to keep set ACLs from following too many references.
E.g. slapo-memberof can be used to set back-link references in group member entries (attribute 'memberOf') which sometimes can improve the set performance of specific group membership relations. (Yes, I know the normal by group ACLs but those are not sufficient for some use-cases.)
Ciao, Michael.
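
The work-around described in the last message, as an added slapd.conf sketch that is not taken from any poster's configuration: the same group-based grant written once as a set that starts at the group entry and once as a set that reads the 'memberOf' back-link maintained by slapo-memberof. The suffix, the group DN and the choice of userPassword as the protected attribute are constructed placeholders.

```conf
# Constructed example: all DNs under dc=example,dc=com are placeholders.
moduleload  memberof

database    mdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap

# slapo-memberof: when a group's 'member' values change, write the group DN
# into the 'memberOf' attribute of each member entry (the back-link).
overlay     memberof

# Variant A: the set starts at the group entry and compares its 'member'
# values with the bound DN. With "member*" instead of "member" the set would
# also follow nested groups, which means more references to chase.
#
# access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
#     by set="[cn=helpdesk,ou=groups,dc=example,dc=com]/member & user" write
#     by self write
#     by anonymous auth
#     by * none

# Variant B: the set starts at the bound user's own entry and checks the
# back-link for the group DN.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by set="user/memberOf & [cn=helpdesk,ou=groups,dc=example,dc=com]" write
    by self write
    by anonymous auth
    by * none

# Caveats for variant B:
#  - slapo-memberof records direct membership only, so B is not equivalent
#    to a "member*" set over nested groups.
#  - Back-links are written when group membership is modified; groups that
#    existed before the overlay was loaded have no 'memberOf' values until
#    their members are re-added.
#  - Anyone who can write 'member' on the group can grant this access, so
#    the group entry itself needs a restrictive ACL.
```

Only one of the two variants should be active, since slapd stops at the first `access to` clause whose target matches. Switching between them is the kind of change the ACL regression testing recommended above should cover.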