discover wrote:
Thanks David . Regarding the order of ACI , I meant for example, say there are 4 ACIs on dc=example,dc=com. One for config admins, one for directory admins, Anonymous Access and one for group admin listed in that order. Whether this particular order has any impact ? Or the order is insignificant ?
The order isn't supposed to be significant (in fact, there is no defined order, but in reality I bet the server reads the acis in the order they were added). It's possible that the order could affect performance in the case that an expensive to evaluate aci comes after or before a cheap to evaluate aci that denies access. Evaluation may stop when access is found to be denied. You'd need to run tests to determine if this is the case or not. I don't think the acl code is smart enough to decide which acis might be more or less expensive to evaluate (like a database query planner would do, for example).
