[Fedora-directory-devel] ACI evaluation
David Boreham
david_list at boreham.org
Mon Oct 10 14:37:21 UTC 2005
discover wrote:
> Thanks David . Regarding the order of ACI , I meant for example, say
> there are 4 ACIs on dc=example,dc=com.
> One for config admins, one for directory admins, Anonymous Access and
> one for group admin listed in that order. Whether this particular
> order has any impact ? Or the order is insignificant ?
The order isn't supposed to be significant (in fact, there is no defined
order, but in reality I bet the server reads the acis in the order they
were added).
It's possible that the order could affect performance in the case
that an expensive to evaluate aci comes after or before a cheap to evaluate
aci that denies access. Evaluation may stop when access is found
to be denied.
You'd need to run tests to determine if this is the case or not.
I don't think the acl code is smart enough to decide which acis
might be more or less expensive to evaluate (like a database
query planner would do, for example).
More information about the Fedora-directory-devel
mailing list