[389-users] ACL processing

[Russell Beall]

I did a lot of work experimenting with 389 for use as a replacement to Sun SJES.  Worked really well when I focused my efforts on the backend processing we do with Directory Manager, except for a few performance issues which are being addressed in bug reports.

I thought sure I had done at least some load testing with service accounts.  The service accounts must go through ACL processing, and we have a lot of ACLs.  I'm not sure if I changed something, or if I just didn't quite test this feature enough, but now that I am doing more development work with service accounts, I am showing a huge processing hit taken if a service account is used as opposed to Directory Manager.  This is on the order of a second and a half to respond to a simple base query, versus instantaneous.  Our old SJES servers respond very snappily in comparison for this type of query.

CPU usage for a single thread maxes out during the time spent waiting and I/O wait is zero, so I know that probably the bulk of time is being spent processing the ACLs.  This is especially true if I turn on logging for ACL processing, then it takes a very long time, with one example taking about 9 minutes.

It seems to be processing and reprocessing the ACLs many many times over.

I think I must have changed something or done something wrong because I'm pretty sure I remember much quicker response times when using a service account in earlier testing.

This is with 389-ds-base 1.2.10.14 on RedHat 6.2.

This was an experimental version downloaded to check out a memory fragmentation option that was coded in, so maybe I just have a version that was mid ACL processing changes?

Thanks for any help,
Russ.