OpenLDAP Quick Tips: Check your indices



Here's my 11th tip in the "OpenLDAP Quick Tips" series:
"You want to make sure you have the correct indices configured for the best performance":
It's easy to discover when you do not have the correct indices set by checking your ldap log. If you see something similar to:
CODE:
Nov 26 11:10:16 localhost slapd[2957]: conn=17 fd=13 ACCEPT from IP=XXX.XXX.XXX.XXX:38019 (IP=0.0.0.0:389)
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=0 BIND dn="" method=128
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=0 RESULT tag=97 err=0 text=
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=1 SRCH base="dc=suretecsystems,dc=com" scope=2 deref=0 filter="(o=suretec systems ltd.)"
Nov 26 11:10:16 localhost slapd[2957]: <= bdb_equality_candidates: (o) not indexed
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=2 UNBIND
Nov 26 11:10:16 localhost slapd[2957]: conn=17 fd=13 closed
namely:
CODE:
Nov 26 11:10:16 localhost slapd[2957]: <= bdb_equality_candidates: (o) not indexed
then you have not configured an equality index for the o attribute.
Add index o eq to your slapd.conf, then stop slapd and run slapindex as the user that runs slapd (probably the ldap user). Now start slapd up again.
If you add an index over the LDAP protocol whilst using the slapd config backend, then the index will be created on the fly and you won't need to use slapindex or restart your directory server. Use the following LDIF as your starting point:
CODE:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: o eq
The above assumes you have an hdb backend and that it is configured to hold your directory data as the first database (database 0 holds cn=config). Applying it with:
CODE:
ldapmodify -D 'cn=config' -W -f newindex.ldif
will show in your logs as:
CODE:
Nov 26 11:57:51 localhost slapd[2957]: conn=27 fd=13 ACCEPT from IP=XXX.XXX.XXX.XXX:45776 (IP=0.0.0.0:389)
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=0 BIND dn="cn=config" method=128
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=0 RESULT tag=97 err=0 text=
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=1 MOD dn="olcDatabase={1}hdb,cn=config"
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=1 MOD attr=olcDbIndex
Nov 26 11:57:51 localhost slapd[2957]: slap_queue_csn: queing 0xa2b4aa52 20081126115751.937214Z#000000#000#000000
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=1 RESULT tag=103 err=0 text=
Nov 26 11:57:51 localhost slapd[2957]: slap_graduate_commit_csn: removing 0x98743b8 20081126115751.937214Z#000000#000#000000
Nov 26 11:57:51 localhost slapd[2957]: conn=27 op=2 UNBIND
Nov 26 11:57:51 localhost slapd[2957]: conn=27 fd=13 closed
and then to confirm by searching for the o attribute again:
CODE:
Nov 26 11:58:25 localhost slapd[2957]: conn=28 fd=19 ACCEPT from IP=XXX.XXX.XXX.XXX:33576 (IP=0.0.0.0:389)
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=0 BIND dn="" method=128
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=0 RESULT tag=97 err=0 text=
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=1 SRCH base="dc=suretecsystems,dc=com" scope=2 deref=0 filter="(o=suretec systems ltd.)"
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Nov 26 11:58:25 localhost slapd[2957]: conn=28 op=2 UNBIND
Nov 26 11:58:25 localhost slapd[2957]: conn=28 fd=19 closed
No more complaints about the lack of an index and no restarting slapd!
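To apply the same check across a whole log rather than one search, here is an added example (not code from the original post) that collects every "not indexed" line and builds the matching olcDbIndex LDIF. The sample log is constructed, the function names are hypothetical, and only the equality to eq mapping comes from the post; the substring, presence and approx rows are assumptions based on slapd's index types.

```python
import re
from collections import defaultdict

# Constructed sample in the page's log format (not real traffic).
SAMPLE_LOG = """\
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(o=example ltd.)"
Nov 26 11:10:16 localhost slapd[2957]: <= bdb_equality_candidates: (o) not indexed
Nov 26 11:10:16 localhost slapd[2957]: conn=17 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Nov 26 11:12:40 localhost slapd[2957]: <= bdb_substring_candidates: (o) not indexed
Nov 26 11:12:41 localhost slapd[2957]: <= bdb_equality_candidates: (mail) not indexed
Nov 26 11:12:41 localhost slapd[2957]: <= bdb_equality_candidates: (o) not indexed
"""

# "<= bdb_equality_candidates: (o) not indexed" -> kind="equality", attr="o"
NOT_INDEXED = re.compile(r"slapd\[\d+\]: <= \w+?_(\w+)_candidates: \(([^)]+)\) not indexed")

# Candidate-function kind -> slapd index keyword. Only equality -> eq is shown
# on the page; the other rows are assumptions based on slapd's index types.
INDEX_TYPE = {"equality": "eq", "substring": "sub", "presence": "pres", "approx": "approx"}


def missing_indices(log_text):
    """Return {attribute: {index_type: hit_count}} for every 'not indexed' line."""
    found = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = NOT_INDEXED.search(line)
        if m and m.group(1) in INDEX_TYPE:
            found[m.group(2).lower()][INDEX_TYPE[m.group(1)]] += 1
    return {attr: dict(kinds) for attr, kinds in found.items()}


def to_ldif(found, db_dn="olcDatabase={1}hdb,cn=config"):
    """Build one ldapmodify change adding an olcDbIndex value per attribute."""
    if not found:
        return ""
    lines = [f"dn: {db_dn}", "changetype: modify", "add: olcDbIndex"]
    for attr in sorted(found):
        lines.append(f"olcDbIndex: {attr} {','.join(sorted(found[attr]))}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = missing_indices(SAMPLE_LOG)
    for attr, kinds in sorted(hits.items()):
        print(attr, kinds)  # how often each unindexed filter type was hit
    print(to_ldif(hits), end="")
```

Review the generated LDIF against the olcDbIndex values already present on the database before applying it with ldapmodify.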
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.