
Changing the ACL Refresh Rate and its Effect on Performance

Novell Cool Solutions: Tip


Posted: 23 May 2003
 

The Problem

I want to set the ACL refresh to something like 15 minutes. What sort of performance impact might this have on my iChain server?

At this time there are only 2000 users in the eDir tree, 4 groups (used in ACLs), and 6 accelerators.

The Solution

Every time aclcheck is refreshed, the software resets all the cache links (see http://developer.novell.com/research/appnotes/2002/october/02/a0210024.htm) and rebuilds the cache entries from scratch (we cache when a particular rule is hit). Depending on the design of the rules in the tree and which containers they are assigned to, this may impact performance because we have to send LDAP requests to the back-end LDAP server to verify authorization credentials. However, if the aclcheck rules are placed high enough in the tree, this is unlikely to be a major issue, because the cache entry will satisfy most users under that container.

E.g.

/Novell
   |
   |
/Users
   |
   |
/CN=Neil

If user Neil tries to access a protected resource that the Users container has access to, user Neil and all other users under the Users container will have access to it. When the match is discovered, the rule is cached, so future requests for that protected resource start by checking whether the authenticated user is in the Users container. If so, no LDAP request needs to be sent and authorization is granted.

Loading aclcheck /F allows you to change the refresh interval.
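The following is an added example, not iChain or Novell code: a simplified model of the cache behaviour described above, counting back-end LDAP queries for a rule assigned to the Users container versus one rule per user, at different refresh intervals. The DN strings, the /app resource, the once-a-minute request pattern and the choice not to cache denials are assumptions.

```python
# Added example: simplified model of the cache behaviour, not iChain code.
def ancestors(dn):
    """Return the DN itself followed by each container above it."""
    parts = dn.lower().split(",")
    return [",".join(parts[i:]) for i in range(len(parts))]

class AclCache:
    def __init__(self, rules, refresh_secs):
        self.rules = rules              # resource -> set of DNs granted access
        self.refresh_secs = refresh_secs
        self.cached = {}                # resource -> rule DNs hit since last refresh
        self.epoch = None
        self.ldap_requests = 0          # stand-in for back-end LDAP queries

    def authorize(self, user_dn, resource, now):
        epoch = now // self.refresh_secs
        if epoch != self.epoch:         # refresh: drop every cache entry
            self.cached.clear()
            self.epoch = epoch
        chain = ancestors(user_dn)
        hits = self.cached.setdefault(resource, set())
        if any(dn in hits for dn in chain):
            return True                 # a cached rule covers this user
        self.ldap_requests += 1         # cache miss: ask the LDAP server
        allowed = self.rules.get(resource, set())
        for dn in chain:
            if dn in allowed:
                hits.add(dn)            # cache the rule that was hit
                return True
        return False                    # assumption: denials are not cached

def simulate(rules, refresh_secs, users=2000, duration=3600, step=60):
    """Each user requests /app once per `step` seconds; count LDAP queries."""
    cache = AclCache(rules, refresh_secs)
    for now in range(0, duration, step):
        for i in range(users):
            cache.authorize(f"cn=user{i},ou=users,o=novell", "/app", now)
    return cache.ldap_requests

# Constructed sample rule sets: one container-level rule vs. one rule per user.
CONTAINER_RULE = {"/app": {"ou=users,o=novell"}}
PER_USER_RULES = {"/app": {f"cn=user{i},ou=users,o=novell" for i in range(2000)}}

if __name__ == "__main__":
    for name, rules in (("container", CONTAINER_RULE), ("per-user", PER_USER_RULES)):
        for minutes in (15, 1):
            print(name, f"{minutes} min refresh:", simulate(rules, minutes * 60))
```

Under these assumptions, one simulated hour with a 15-minute refresh costs 4 LDAP queries with the container-level rule and 8000 with per-user rules, which is why rule placement matters more than the interval itself.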

