
OpenLDAP Quick Tips: Check your indices

Hi All,

Here's my 11th tip in the "OpenLDAP Quick Tips" series:

"You want to make sure you have the correct indices configured for the best performance":

It's easy to discover when you do not have the correct indices set by checking your ldap log. If you see something similar to:

Nov 26 11:10:16 localhost slapd[2957]: conn=17 fd=13 ACCEPT from IP=XXX.XXX.XXX.XXX:38019 (IP=
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=0 BIND dn="" method=128
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=0 RESULT tag=97 err=0 text=
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=1 SRCH base="dc=suretecsystems,dc=com" scope=2 deref=0 filter="(o=suretec systems ltd.)"
Nov 26 11:10:16 localhost slapd[2957]: <= bdb_equality_candidates: (o) not indexed
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=2 UNBIND
Nov 26 11:10:16 localhost slapd[2957]: conn=17 fd=13 closed


Nov 26 11:10:16 localhost slapd[2957]: <= bdb_equality_candidates: (o) not indexed

then you have not configured an equality index for the o attribute.

Add index o eq to your slapd.conf and then stop slapd and run slapindex as the user that runs slapd (probably the ldap user). Now start slapd up again.

If you add an index over the LDAP protocol whilst using the slapd config backend, then the index will be created on the fly and you won't need to use slapindex or restart your directory server. Use the following LDIF as your starting point:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: o eq

The above assumes you have an hdb backend and that it is configured to hold your directory data as the first database (database 0 holds cn=config). Applying it with:

ldapmodify -D 'cn=config' -W -f newindex.ldif

will show in your logs as:

Nov 26 11:57:51 localhost slapd[2957]: conn=27 fd=13 ACCEPT from IP=XXX.XXX.XXX.XXX:45776 (IP=
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=0 BIND dn="cn=config" method=128
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=0 RESULT tag=97 err=0 text=
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=1 MOD dn="olcDatabase={1}hdb,cn=config"
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=1 MOD attr=olcDbIndex
Nov 26 11:57:51 localhost slapd[2957]: slap_queue_csn: queing 0xa2b4aa52 20081126115751.937214Z&000000;000#000000
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=1 RESULT tag=103 err=0 text=
Nov 26 11:57:51 localhost slapd[2957]: slap_graduate_commit_csn: removing 0x98743b8 20081126115751.937214Z&000000;000#000000
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=2 UNBIND
Nov 26 11:57:51 localhost slapd[2957]: conn=27 fd=13 closed

and then to confirm by searching for the o attribute again:

Nov 26 11:58:25 localhost slapd[2957]: conn=28 fd=19 ACCEPT from IP=XXX.XXX.XXX.XXX:33576 (IP=
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=0 BIND dn="" method=128
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=0 RESULT tag=97 err=0 text=
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=1 SRCH base="dc=suretecsystems,dc=com" scope=2 deref=0 filter="(o=suretec systems ltd.)"
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=2 UNBIND
Nov 26 11:58:25 localhost slapd[2957]: conn=28 fd=19 closed

No more complaints about the lack of an index and no restarting slapd!
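On a busy server the "not indexed" messages are scattered through the log, so it helps to tally them and draft the LDIF in one pass. The script below is an added example, not part of the original post or of OpenLDAP: the function names, the sample log lines other than the "(o) not indexed" one, and the handling of the substring, presence, approx and mdb_ variants of the message are assumptions.

```python
import re
from collections import Counter

# slapd logs a filter term that has no usable index as, for example:
#   <= bdb_equality_candidates: (o) not indexed
# Assumption: other backends emit the same message with their own prefix.
NOT_INDEXED = re.compile(
    r"<= (?:bdb|hdb|mdb)_(equality|substring|presence|approx)_candidates: "
    r"\(([^)]+)\) not indexed"
)
# Filter kind named in the log message -> index keyword used in the config.
INDEX_KEYWORD = {"equality": "eq", "substring": "sub",
                 "presence": "pres", "approx": "approx"}

def missing_indices(log_lines):
    """Count 'not indexed' messages per (attribute, index keyword)."""
    hits = Counter()
    for line in log_lines:
        m = NOT_INDEXED.search(line)
        if m:
            hits[(m.group(2), INDEX_KEYWORD[m.group(1)])] += 1
    return hits

def index_ldif(hits, database_dn="olcDatabase={1}hdb,cn=config"):
    """Build an ldapmodify LDIF with one olcDbIndex value per attribute."""
    per_attr = {}
    for attr, keyword in hits:
        per_attr.setdefault(attr, set()).add(keyword)
    if not per_attr:
        return ""
    lines = [f"dn: {database_dn}", "changetype: modify", "add: olcDbIndex"]
    for attr in sorted(per_attr):
        lines.append(f"olcDbIndex: {attr} {','.join(sorted(per_attr[attr]))}")
    return "\n".join(lines) + "\n"

# Constructed sample: the "(o)" line is from the post, the rest are made up.
SAMPLE_LOG = """\
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=1 SRCH base="dc=suretecsystems,dc=com" scope=2 deref=0 filter="(o=suretec systems ltd.)"
Nov 26 11:10:16 localhost slapd[2957]: <= bdb_equality_candidates: (o) not indexed
Nov 26 11:12:03 localhost slapd[2957]: <= bdb_substring_candidates: (cn) not indexed
Nov 26 11:12:40 localhost slapd[2957]: <= bdb_equality_candidates: (o) not indexed
Nov 26 11:13:02 localhost slapd[2957]: <= bdb_equality_candidates: (cn) not indexed
""".splitlines()

if __name__ == "__main__":
    hits = missing_indices(SAMPLE_LOG)
    for (attr, keyword), count in hits.most_common():
        print(f"{attr} {keyword}: {count} unindexed search(es)")
    print(index_ldif(hits), end="")
```

Review the generated LDIF before passing it to ldapmodify; it assumes none of the listed attributes already has an olcDbIndex value on that database.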



If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

