openldap-technical September 2012

openldap-technical@openldap.org

70 participants
88 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

memberOf data in new replica servers 2.4.31
by Todd Stein 02 Nov '12

02 Nov '12

Hi, I have a provider server and five consumer servers, all of which have the memberOf overlay configured: overlay memberof memberof-group-oc groupOfUniqueNames memberof-member-ad uniqueMember memberof-refint true memberof-dangling ignore syncrepl rid=005 provider=ldap://<server>:389 type=refreshAndPersist interval=00:00:05:00 retry="60 10 600 +" searchbase="dc=<removed>,dc=<removed>" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off starttls=no bindmethod=simple binddn="cn=replica,dc=<removed>,dc=<removed>" credentials=<removed> When I bring a new replica online, it appears that entries are replicated in the order that they were created on the provider server which produces many "memberof_value_modify failed err=32" messages in the log, and incomplete memberOf data. To get around this, I wrote a script which empties all groups prior to replication, and then recreates the memberships after the initial replication. This seems to work, but is hardly ideal. Is there a "more correct" way of replicating memberOf values without manipulating my provider each time I bring up a new consumer? Thank you very much, Todd

2 1

MDB Status
by Howard Chu 13 Oct '12

13 Oct '12

For those who haven't been following along, support for OpenLDAP's MDB (memory-mapped database) library is also available for several other open source projects, including Cyrus SASL (sasldb mech), Heimdal Kerberos (hdb module), SQLite3, OpenDKIM, and MemcacheDB. A work-in-progress patch for Postfix is also available, with a final version coming soon. A backend for SQLite4 is also in the works. A port of Android (JellyBean) for the Motorola Droid4 using MDB/SQLite3 is in progress (since my current phone is a Droid4). Other projects are also in progress and will be announced in the near future. The current list is also posted on http://highlandsun.com/hyc/mdb/ - feel free to suggest other projects. OpenLDAP MDB completely outclasses other embedded databases (like Oracle BerkeleyDB, Google LevelDB, SQLite, Kyoto Cabinet) from every angle: performance, efficiency, reliability, administrative ease, simplicity, whatever. With MDB not only have we made the world's fastest LDAP server even faster, but we can also make anything else that uses a database even better. I'll also be presenting an updated talk on MDB at LinuxCon Europe in Barcelona, November 7. http://events.linuxfoundation.org/events/linuxcon-europe/schedule -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 3

How indexes used with search
by Roman Rybalko 13 Oct '12

13 Oct '12

I'd like to understand how indexes are used with search. I've found some info http://www.openldap.org/doc/admin24/tuning.html#Understanding how a search works <http://www.openldap.org/doc/admin24/tuning.html#Understanding%20how%20a%20s…> but that's not very precise. Suppose there is a search like (&(attr1=value1)(attr2=value2)), attr1 and attr2 are indexed. As far as I understand, this search fetches objectIDs from the index on attr1, than the objectIDs from the index on attr2, than, according to operation "and" ("&"), objectIDs that present in BOTH sets are determined (using some set-intersection algorithm). When the search is "or" (|(...)(...)), the objectIDs from both sets are joined and duplicates are removed (using some set-union algorithm). If there is no index on attribute, the resulting objectID set is determined by bare iterate-and-compare on all the objects, or so. Am I right? Could anyone advice some docs on this? -- WBR, Roman Rybalko

3 8

Openldap overloading
by Nick Milas 01 Oct '12

01 Oct '12

Hi, I am running a v2.4.31 consumer on CentOS 5.8 to serve user accounts (and aliases) on a Postfix mail server running locally. It has been running for a long time without problems. Today, after a user sent (on 14:53:39) a mass mail (through a group alias, implemented using ldap dynlist), Postfix stalled and the server (a VM under KVM) became overloaded. I noticed that openldap was using all the cpu: # top top - 15:30:01 up 81 days, 2:11, 1 user, load average: 113.58, 114.36, 104.02 Tasks: 460 total, 3 running, 457 sleeping, 0 stopped, 0 zombie Cpu(s): 98.9%us, 0.0%sy, 0.0%ni, 0.0%id, 0.0%wa, 1.1%hi, 0.0%si, 0.0%st Mem: 3089988k total, 3074912k used, 15076k free, 12180k buffers Swap: 2064376k total, 92k used, 2064284k free, 1909976k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 2209 ldap 18 0 577m 17m 8952 S 93.4 0.6 55:03.67 slapd ... I had to stop and restart openldap manually, and after that I only found in the log (nothing has been logged earlier): Sep 28 15:00:07 mail slapd[2209]: connection_input: conn=14847 deferring operation: too many executing Sep 28 15:00:38 mail slapd[2209]: connection_input: conn=19285 deferring operation: too many executing Sep 28 15:32:46 mail slapd[2209]: connection_input: conn=19419 deferring operation: binding Sep 28 15:32:47 mail slapd[2209]: connection_input: conn=19419 deferring operation: binding Sep 28 15:32:57 mail slapd[4484]: [INFO] Using /etc/default/slapd for configuration Sep 28 15:32:57 mail slapd[4489]: [INFO] Halting OpenLDAP... Sep 28 15:32:57 mail slapd[2209]: daemon: shutdown requested and initiated. Sep 28 15:32:57 mail slapd[2209]: slapd shutdown: waiting for 1 operations/tasks to finish Sep 28 15:33:03 mail slapd[2209]: slapd stopped. Sep 28 15:33:05 mail slapd[4510]: [OK] OpenLDAP stopped after 7 seconds Sep 28 15:33:05 mail slapd[4511]: [INFO] No data backup done Sep 28 15:33:12 mail slapd[4529]: [INFO] Using /etc/default/slapd for configuration Sep 28 15:33:12 mail slapd[4534]: [INFO] Launching OpenLDAP configuration test... Sep 28 15:33:16 mail slapd[4568]: [OK] OpenLDAP configuration test successful Sep 28 15:33:16 mail slapd[4578]: [INFO] No db_recover done Sep 28 15:33:16 mail slapd[4579]: [INFO] Launching OpenLDAP... Sep 28 15:33:16 mail slapd[4580]: [OK] File descriptor limit set to 1024 Sep 28 15:33:17 mail slapd[4581]: @(#) $OpenLDAP: slapd 2.4.31 (Apr 26 2012 19:53:11) $ clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2.4.31/servers/slapd ... Possibly, a number of parallel group alias uses, caused a large number of LDAP queries by Postfix. Can you please advise on what may have caused OpenLDAP overloading, and on how can we avoid it from happening again? Any config changes? My config follows. Thanks in advance for your time and assistance. Regards, Nick # cat /usr/local/openldap/var/openldap-data/DB_CONFIG #==================================================================== # BDB configuration # # Provided by LTB-project (http://www.ltb-project.org) #==================================================================== #==================================================================== # Cache size for DB files #==================================================================== set_cachesize 1 0 1 #==================================================================== # Flags #==================================================================== #set_flags DB_TXN_WRITE_NOSYNC #set_flags DB_TXN_NOSYNC set_flags DB_LOG_AUTOREMOVE #==================================================================== # Logs #==================================================================== # Size set_lg_regionmax 1048576 set_lg_max 10485760 set_lg_bsize 2097152 # Directory set_lg_dir /usr/local/berkeleydb/openldap-logs ************************************************************************ # cat /usr/local/openldap/etc/openldap/slapd.conf # include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/eduperson.schema include /usr/local/openldap/etc/openldap/schema/postfix.schema include /usr/local/openldap/etc/openldap/schema/dyngroup.schema include /usr/local/openldap/etc/openldap/schema/misc.schema include /usr/local/openldap/etc/openldap/schema/ppolicy.schema include /usr/local/openldap/etc/openldap/schema/schac-20090326-1.4.0.schema include /usr/local/openldap/etc/openldap/schema/dnsdomain2.schema include /usr/local/openldap/etc/openldap/schema/proftpd-quota.schema include /usr/local/openldap/etc/openldap/schema/kerberos.schema include /usr/local/openldap/etc/openldap/schema/localemail.schema include /usr/local/openldap/etc/openldap/schema/entryaccess.schema pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args modulepath /usr/local/openldap/lib64 loglevel sync sizelimit unlimited timelimit unlimited TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /usr/local/openldap/etc/openldap/cacerts/chain.pem TLSCertificateFile /usr/local/openldap/etc/openldap/cacerts/cert.pem TLSCertificateKeyFile /usr/local/openldap/etc/openldap/cacerts/key.pem TLSVerifyClient never ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database hdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret ######## # ACLs # ######## include /usr/local/openldap/etc/openldap/acl.conf directory /usr/local/openldap/var/openldap-data index objectClass eq,pres index employeeType pres,eq index cn eq,pres,sub index sn,givenname eq,pres,sub index mail eq,pres,sub index uid eq,pres index ou eq,pres index mailacceptinggeneralid eq,pres index owner eq index entryCSN,entryUUID eq index vacationActive eq index associatedDomain pres,eq,sub index dc eq index emailLocalAddress eq,pres,sub overlay dynlist dynlist-attrset nisMailAlias labeledURI dynlist-attrset groupOfURLs labeledURI member syncrepl rid=111 provider=ldaps://ldap.example.com tls_reqcert=never type=refreshAndPersist retry="60 15 180 +" searchbase="dc=example,dc=com" schemachecking=off bindmethod=simple binddn="uid=FullReplAcc1,ou=System,dc=example,dc=com" credentials="mypassword" database monitor access to * by dn.exact="cn=Manager,dc=example,dc=com" read by * none ********************************************************************* # ls -la /usr/local/openldap/var/openldap-data/ total 14120 drwxr-xr-x 2 ldap ldap 4096 Sep 28 15:33 . drwxr-xr-x 4 ldap ldap 4096 Apr 26 20:56 .. -rw-r--r-- 1 ldap ldap 4096 Sep 28 15:33 alock -rw------- 1 ldap ldap 1261568 Sep 28 15:32 associatedDomain.bdb -rw------- 1 ldap ldap 512000 Sep 28 15:32 cn.bdb -rw------- 1 ldap ldap 24576 Sep 28 15:33 __db.001 -rw------- 1 ldap ldap 1294336 Sep 28 16:12 __db.002 -rw------- 1 ldap ldap 32776192 Sep 28 16:12 __db.003 -rw------- 1 ldap ldap 3145728 Sep 28 16:11 __db.004 -rw------- 1 ldap ldap 729088 Sep 28 16:12 __db.005 -rw------- 1 ldap ldap 32768 Sep 28 16:11 __db.006 -rw-r--r-- 1 ldap ldap 924 Apr 26 21:01 DB_CONFIG -rw------- 1 ldap ldap 845 Apr 26 20:56 DB_CONFIG.example -rw------- 1 ldap ldap 61440 Sep 28 15:32 dc.bdb -rw------- 1 ldap ldap 339968 Sep 28 15:33 dn2id.bdb -rw------- 1 ldap ldap 212992 Sep 28 15:33 emailLocalAddress.bdb -rw------- 1 ldap ldap 20480 Sep 28 15:33 employeeType.bdb -rw------- 1 ldap ldap 118784 Sep 28 15:33 entryCSN.bdb -rw------- 1 ldap ldap 81920 Sep 28 15:33 entryUUID.bdb -rw------- 1 ldap ldap 90112 Sep 28 15:32 givenName.bdb -rw------- 1 ldap ldap 2457600 Sep 28 15:33 id2entry.bdb -rw------- 1 ldap ldap 24576 Jul 9 13:13 mailacceptinggeneralid.bdb -rw------- 1 ldap ldap 212992 Sep 28 15:33 mail.bdb -rw------- 1 ldap ldap 266240 Sep 28 15:33 objectClass.bdb -rw------- 1 ldap ldap 40960 Sep 28 15:33 ou.bdb -rw------- 1 ldap ldap 8192 Sep 28 15:32 owner.bdb -rw------- 1 ldap ldap 253952 Sep 28 15:32 sn.bdb -rw------- 1 ldap ldap 28672 Sep 28 15:33 uid.bdb -rw------- 1 ldap ldap 8192 Sep 25 2011 vacationActive.bdb ***************************************************************************

5 11

Re: slapd ACLs
by Mik J 30 Sep '12

30 Sep '12

Thank you for your answer Olivier, I tried to do this but it didn't work. The logs look like this conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128 conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0 conn=1001 op=0 RESULT tag=97 err=0 text= conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)" conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= conn=1001 op=2 UNBIND I triple checked, and when it works, with the dn.subtree permission in the begining of slapd.conf I have conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128 conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0 conn=1000 op=0 RESULT tag=97 err=0 text= conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)" conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1000 op=2 UNBIND ----- Mail original ----- > De : Olivier <ldap(a)guillard.nom.fr> > À : Mik J <mikydevel(a)yahoo.fr> > Cc : > Envoyé le : Dimanche 30 septembre 2012 20h29 > Objet : Re: slapd ACLs > >T ry to put this rule : > >> access to dn.subtree="" >> by * read > > after the two others. > > (ionce a rule matches, then the scan stops : order counts) > > -- > Olivier > > 2012/9/30 Mik J <mikydevel(a)yahoo.fr>: >> Hello, >> >> I'm a bit confused with the ACLs in my slapd.conf considering I have > this >> >> access to dn.subtree="" >> by * read >> >> access to > attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword >> by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" > write >> by dn="uid=admin,ou=people,dc=mydomain,dc=org" write >> by self write >> by anonymous auth >> by * none >> >> access to * >> by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" > =wrscx >> by self write >> by users read >> by anonymous auth >> by * none >> >> >> When I do a ldapsearch without authentication, I can see the user's > details including the unencrypted password >> >> ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org" >> I think that it's because the rule access to dn.subtree="" by > * read >> With an authenticated user is works as well >> >> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b > "uid=user1,ou=people,dc=mydomain,dc=org" -W >> >> But if I comment these two lines >> #access to dn.subtree="" >> # by * read >> The search doesn't give me any result >> >> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b > "uid=user1,ou=people,dc=mydomain,dc=org" -W >> # search result >> search: 2 >> result: 32 No such object >> # numResponses: 1 >> >> I would have expected that this command matched >> access to * >> by users read >> >> My goal is that only authenticated user would be able to access the ldap > directory and users can change their passwords >> >> Does anyone has an idea on how to explain this behavior. ? >> >> Thank you >> >

1 0

slapd ACLs
by Mik J 30 Sep '12

30 Sep '12

Hello, I'm a bit confused with the ACLs in my slapd.conf considering I have this access to dn.subtree="" by * read access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write by dn="uid=admin,ou=people,dc=mydomain,dc=org" write by self write by anonymous auth by * none access to * by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx by self write by users read by anonymous auth by * none When I do a ldapsearch without authentication, I can see the user's details including the unencrypted password ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org" I think that it's because the rule access to dn.subtree="" by * read With an authenticated user is works as well ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W But if I comment these two lines #access to dn.subtree="" # by * read The search doesn't give me any result ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W # search result search: 2 result: 32 No such object # numResponses: 1 I would have expected that this command matched access to * by users read My goal is that only authenticated user would be able to access the ldap directory and users can change their passwords Does anyone has an idea on how to explain this behavior. ? Thank you

1 0

LDAP search filter on superior/parent attribute
by Roman Rybalko 30 Sep '12

30 Sep '12

Have a schema: olcAttributeTypes: ( 2.999.777.1.1.1.3 NAME 'orderingInteger' DESC 'Integer with ordering' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) olcAttributeTypes: ( 2.999.777.1.1.2.16 NAME 'timeInteger' DESC 'Integer time representation' SUP orderingInteger ) olcAttributeTypes: ( 2.999.777.1.1.2.17 NAME 'Mailbox' DESC 'Mailbox name' SUP info ) olcAttributeTypes: ( 2.999.777.1.1.2.16.1 NAME 'timeIntegerYear' DESC 'Integer year representation' SUP timeInteger ) olcAttributeTypes: ( 2.999.777.1.1.2.16.2 NAME 'timeIntegerMonth' DESC 'Integer month representation' SUP timeInteger ) olcAttributeTypes: ( 2.999.777.1.1.2.16.3 NAME 'timeIntegerDay' DESC 'Integer day of the month representation' SUP timeInteger ) olcAttributeTypes: ( 2.999.777.1.1.2.16.4 NAME 'timeIntegerHour' DESC 'Integer hour representation' SUP timeInteger ) olcAttributeTypes: ( 2.999.777.1.1.2.16.5 NAME 'timeIntegerMinute' DESC 'Integer minute representation' SUP timeInteger ) olcObjectClasses: ( 2.999.777.1.2.3 NAME 'entry' SUP top STRUCTURAL MAY ( timeInteger $ timeIntegerYear $ timeIntegerMonth $ timeIntegerDay $ timeIntegerHour $ timeIntegerMinute ) ) Have a search: (&(timeInteger>=1348900000)(timeInteger<=1349000000)) This search may return entries like: timeInteger: 1347014897 timeIntegerYear: 2012 timeIntegerMonth: 9 ... The entry with timeInteger=1347014897 is obviously not in [1348900000,1349000000] range, but it is matched because there are another attributes in the entry with "SUP timeInteger", so timeIntegerYear=2012 is matched the (timeInteger<=1349000000) filter part. I'm looking for RFC that describes such behavior. -- WBR, Roman Rybalko

3 2

Appropriate index for <= >= filter on generalizedTime (Re: reqStart<= slow)
by Roman Rybalko 30 Sep '12

30 Sep '12

Hi, I'm trying to use >= <= filter on eq-indexed generalizedTime attribute. Seems eq-index does not work for <= filter. olcAttributeTypes: ( 2.999.777.1.1.1.5 NAME 'logTime' DESC 'Time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) olcDbIndex: logTime eq (&(logTime>=201209201440+0400)(logTime<=201209201450+0400)) - 57sec (|(logTime=20120920144001+0400)(logTime=20120920144008+0400)) - 0.03sec ~ 1000000 records in db, target = 100000000 records What should I do to make >= filters work efficiently? I may consider using another data type that work with <=/=> filters for sure. Strings? Integers? Anything that can mimic TIME semantics. Any advice? 14.04.2012 19:44, Michael Ströder пишет: > can I influence the order of index usage by order in the filter or slapd index configuration? The same question from me. Is it possible to select indexes using some sort of filter syntax? -- WBR, Roman Rybalko

2 11

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2012