Full_Name: Дилян Палаузов
Version: 2.4
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.118.146.153)
How can I write to a ticket here, after I submit it?
https://www.openldap.org/software/man.cgi?query=slapd-mdb&apropos=0&... (man slapd-mdb) is not clear about indices.
Is "olcDbIndex A eq" "olcDbIndex B eq" the same as "olcDbIndex A,B eq", and is the latter the same as "olcDbIndex B,A eq"? In the SQL world these are different things, and while PostgreSQL is supposed to handle "index A,B" and "index B,A" as equivalent, it does not, so a query has to be tuned to make use of existing indices.
The particular use-case is the LDAP backend of MIT Kerberos and the indices it needs for this query, as discussed at https://github.com/krb5/krb5/pull/974#issuecomment-531167854. The debug output of OpenLDAP is:
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SRCH base="cn=X.NET,cn=krbContainer" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/X.NET@X.NET))"
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf <= mdb_equality_candidates: (objectClass) not indexed
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Does it need one index on objectClass, one index on krbPrincipal, or one index on "first objectClass, then krbPrincipal"?
If no mdb_candidate output can be triggered, does it mean that creating an index is pointless?
Moreover, it is not clear when changing the olcDbIndex on a database regenerates the index, and when running slapindex is necessary.
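
An added example, not part of the original report and not OpenLDAP or krb5 code: a small Python script that scans slapd debug output like the lines quoted above for "not indexed" notices and pairs each one with the search filter that triggered it. The sample log is constructed (abridged from the report), the function names are hypothetical, and two things are assumptions: notices for other index types follow the same `mdb_<type>_candidates` shape as the equality notice shown, and a notice belongs to the most recent SRCH line logged by the same slapd process.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines from the report, with the attr= list abridged.
SAMPLE_LOG = """\
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SRCH base="cn=X.NET,cn=krbContainer" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/X.NET@X.NET))"
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SRCH attr=krbprincipalname krbcanonicalname objectclass
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf <= mdb_equality_candidates: (objectClass) not indexed
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# A search request line: capture the slapd pid and the filter string.
SRCH_RE = re.compile(r'slapd\[(\d+)\]: \S+ conn=\d+ op=\d+ SRCH base="[^"]*" .*filter="(.*)"\s*$')
# A "not indexed" notice: capture pid, index type and attribute name.
MISS_RE = re.compile(r'slapd\[(\d+)\]: \S+ <= mdb_(\w+)_candidates: \(([^)]+)\) not indexed')
# An attribute at the start of a filter item, e.g. "(objectClass=" or "(cn~=".
ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*)(?:[~<>]?=|:)')


def filter_attributes(ldap_filter):
    """Attribute names used in an LDAP filter, in first-seen order, deduplicated."""
    return list(dict.fromkeys(ATTR_RE.findall(ldap_filter)))


def unindexed_lookups(log_text):
    """Map (attribute, index_type) -> list of filters that hit the missing index."""
    last_filter = {}               # pid -> most recent SRCH filter (assumed owner)
    misses = defaultdict(list)
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            last_filter[m.group(1)] = m.group(2)
            continue
        m = MISS_RE.search(line)
        if m:
            pid, kind, attr = m.groups()
            misses[(attr, kind)].append(last_filter.get(pid, "<unknown>"))
    return dict(misses)


if __name__ == "__main__":
    for (attr, kind), filters in unindexed_lookups(SAMPLE_LOG).items():
        print(f"{attr}: no {kind} index, seen in {len(filters)} search(es)")
        for f in filters:
            print("  filter attributes:", ", ".join(filter_attributes(f)))
```

On the sample it reports a missing equality index for objectClass only; krbPrincipalName appears in the filter but produced no notice in the quoted log.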