This bug is created as a clone of upstream ticket:
The problem was originally described here: http://lists.fedoraproject.org/pipermail/389-devel/2009-March/001020.html
Shorter description: we noticed that some queries (ldapsearch) to our directory caused a drop in performance, and our log file was filled with the following message:
acl_TestRights - cache overflown
We also noticed that increasing the value ACLPB_MAX_SELECTED_ACLS from 200 to 2000 solved the problem for us. A more permanent solution could be to make this value configurable.
We have made a patch that seems to solve the problem, as far as we have tested. I will upload it as soon as it is ready for review.
please add steps to reproduce/verify this issue
(In reply to comment #1)
> please add steps to reproduce/verify this issue
To reproduce this issue we do ldapsearch on an internal database that contains many nodes having acl restrictions. In our case the number of ACIs is 1500++.
This probably means that the acl plugin needs to check permissions on too many nodes. In any case we managed to reproduce the overflow every time we run ldapsearch.
Unfortunately, we are unable to disclose the data set we have used to test this, but we hope this information can be helpful.
svn ci -m "added tests for cache overflow and new config attr nsslapd-aclpb-max-selected-acls for bug 772778"
Transmitting file data ....
Committed revision 6472.
Acl startup(o=ace industry,c=us) 100% (1/1)
Acl run(o=ace industry,c=us) 100% (373/373)
Acl cleanup 100% (1/1)
Hence marking as VERIFIED.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Cause: Creating over 200 ACIs in the directory server, and having entries that have to be evaluated against all 200 of these ACIs.
Consequence: ACI evaluation would fail with the error message acl_TestRights - cache overflown
Fix: Change the default limit for the ACI cache to 2000, and allow it to be configurable with the new nsslapd-aclpb-max-selected-acls attribute in cn=ACL Plugin,cn=plugins,cn=config
Result: Much harder to trigger the acl_TestRights - cache overflown message, and allow customers with many ACIs to raise the limit.
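An added example, not part of the original bug report or the 389 Directory Server code: a small audit script that reads an LDIF export and estimates, per entry, how many ACIs are in scope, so that entries likely to exceed the limit set by nsslapd-aclpb-max-selected-acls can be found before the error shows up in the log. It assumes an ACI applies to the entry it is stored on and to everything beneath it, which gives an upper bound rather than the plugin's exact selection; the sample LDIF and all function names are constructed for illustration, and DNs with escaped commas or base64 encoding are not handled.

```python
import re

DEFAULT_LIMIT = 2000  # default after the fix, per the technical note above

# Constructed sample LDIF (not data from the bug report).
SAMPLE_LDIF = """\
dn: o=example
aci: (targetattr="*")(version 3.0; acl "root-1"; allow (read) userdn="ldap:///anyone";)
aci: (targetattr="cn")(version 3.0; acl "root-2"; allow (search)
  userdn="ldap:///all";)

dn: ou=people,o=example
aci: (targetattr="mail")(version 3.0; acl "people-1"; allow (read) userdn="ldap:///self";)

dn: uid=alice, ou=people, o=example
cn: alice
"""

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def aci_counts(ldif_text):
    """Return {normalized dn: number of aci values stored on that entry}."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    counts = {}
    for block in re.split(r"\n\s*\n", unfolded):
        dn, n = None, 0
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = norm_dn(value.lstrip(": "))  # base64 "dn::" is not decoded
            elif name.lower() == "aci":
                n += 1  # also counts base64-encoded "aci::" values
        if dn is not None:
            counts[dn] = n
    return counts

def aci_in_scope(counts):
    """Assumed upper bound: ACIs on the entry itself plus all its ancestors."""
    totals = {}
    for dn in counts:
        rdns = dn.split(",")
        totals[dn] = sum(counts.get(",".join(rdns[i:]), 0) for i in range(len(rdns)))
    return totals

def over_limit(ldif_text, limit=DEFAULT_LIMIT):
    """Entries whose in-scope ACI count exceeds the configured limit."""
    totals = aci_in_scope(aci_counts(ldif_text))
    return sorted(dn for dn, n in totals.items() if n > limit)
```

Running over_limit() on a real export with the limit currently configured on the server lists the subtrees where raising the attribute, or consolidating ACIs, is worth considering.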
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.