Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

sub procentry {
    my ( $mesg, $entry) = @_;
    # Return if there is no entry to process
    if ( !defined($entry) ) {
        return;
    }
    print "dn: " . $entry->dn() . "\n";
    @attrs = $entry->attributes();
    foreach $attr (@attrs) {
        #printf("\t%s: %s\n", $attr, $entry->get_value($attr));
        $attrvalue = $entry->get_value($attr,asref=>1);
        #print $attr.":". $entry->get_value($attr)."\n";
        foreach $value(@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

$ldap = Net::LDAP->new( "localhost" );

# Get the first 20 entries
$vlv = Net::LDAP::Control::VLV->new(
    before  => 0,   # No entries from before target entry
    after   => 19,  # 19 entries after target entry
    content => 0,   # List size unknown
    offset  => 1,   # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );

@args = ( base     => "dc=example,dc=co,dc=in",
          scope    => "subtree",
          filter   => "(objectClass=inetOrgPerson)",
          callback => \&procentry, # Call this sub for each entry
          control  => [ $sort, $vlv ],
);

$mesg = $ldap->search( @args );

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # <-- line 50 of vlv.pl (highlighted line)
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);   # Change page to show 9 before
$vlv->after(10);   # Change page to show 10 after
$vlv->assert("B"); # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 5 months
memberOf data in new replica servers 2.4.31
by Todd Stein
Hi,
I have a provider server and five consumer servers, all of which have the
memberOf overlay configured:
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-refint true
memberof-dangling ignore

syncrepl rid=005
    provider=ldap://<server>:389
    type=refreshAndPersist
    interval=00:00:05:00
    retry="60 10 600 +"
    searchbase="dc=<removed>,dc=<removed>"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    starttls=no
    bindmethod=simple
    binddn="cn=replica,dc=<removed>,dc=<removed>"
    credentials=<removed>
When I bring a new replica online, it appears that entries are replicated
in the order that they were created on the provider server which produces
many "memberof_value_modify failed err=32" messages in the log, and
incomplete memberOf data. To get around this, I wrote a script which
empties all groups prior to replication, and then recreates the memberships
after the initial replication. This seems to work, but is hardly ideal. Is
there a "more correct" way of replicating memberOf values without
manipulating my provider each time I bring up a new consumer?
Thank you very much,
Todd
11 years
MDB Status
by Howard Chu
For those who haven't been following along, support for OpenLDAP's MDB
(memory-mapped database) library is also available for several other open
source projects, including Cyrus SASL (sasldb mech), Heimdal Kerberos (hdb
module), SQLite3, OpenDKIM, and MemcacheDB. A work-in-progress patch for
Postfix is also available, with a final version coming soon. A backend for
SQLite4 is also in the works. A port of Android (JellyBean) for the Motorola
Droid4 using MDB/SQLite3 is in progress (since my current phone is a Droid4).
Other projects are also in progress and will be announced in the near future.
The current list is also posted on http://highlandsun.com/hyc/mdb/ - feel free
to suggest other projects.
OpenLDAP MDB completely outclasses other embedded databases (like Oracle
BerkeleyDB, Google LevelDB, SQLite, Kyoto Cabinet) from every angle:
performance, efficiency, reliability, administrative ease, simplicity,
whatever. With MDB not only have we made the world's fastest LDAP server even
faster, but we can also make anything else that uses a database even better.
I'll also be presenting an updated talk on MDB at LinuxCon Europe in
Barcelona, November 7.
http://events.linuxfoundation.org/events/linuxcon-europe/schedule
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 1 month
How indexes used with search
by Roman Rybalko
I'd like to understand how indexes are used with search.
I've found some info
http://www.openldap.org/doc/admin24/tuning.html#Understanding how a
search works
<http://www.openldap.org/doc/admin24/tuning.html#Understanding%20how%20a%2...>
but that's not very precise.
Suppose there is a search like (&(attr1=value1)(attr2=value2)), attr1
and attr2 are indexed.
As far as I understand, this search fetches objectIDs from the index on
attr1, then the objectIDs from the index on attr2, then, according to
the "and" ("&") operation, the objectIDs that are present in BOTH sets are
determined (using some set-intersection algorithm).
When the search is "or" (|(...)(...)), the objectIDs from both sets are
joined and duplicates are removed (using some set-union algorithm).
If there is no index on an attribute, the resulting objectID set is
determined by bare iterate-and-compare on all the objects, or so.
Am I right?
Could anyone advise some docs on this?
--
WBR,
Roman Rybalko
11 years, 1 month
Openldap overloading
by Nick Milas
Hi,
I am running a v2.4.31 consumer on CentOS 5.8 to serve user accounts
(and aliases) on a Postfix mail server running locally. It has been
running for a long time without problems.
Today, after a user sent (at 14:53:39) a mass mail (through a group
alias, implemented using ldap dynlist), Postfix stalled and the server
(a VM under KVM) became overloaded. I noticed that openldap was using
all the cpu:
# top
top - 15:30:01 up 81 days, 2:11, 1 user, load average: 113.58, 114.36, 104.02
Tasks: 460 total, 3 running, 457 sleeping, 0 stopped, 0 zombie
Cpu(s): 98.9%us, 0.0%sy, 0.0%ni, 0.0%id, 0.0%wa, 1.1%hi, 0.0%si, 0.0%st
Mem: 3089988k total, 3074912k used, 15076k free, 12180k buffers
Swap: 2064376k total, 92k used, 2064284k free, 1909976k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2209 ldap 18 0 577m 17m 8952 S 93.4 0.6 55:03.67 slapd
...
I had to stop and restart openldap manually, and after that I only found
in the log (nothing has been logged earlier):
Sep 28 15:00:07 mail slapd[2209]: connection_input: conn=14847 deferring operation: too many executing
Sep 28 15:00:38 mail slapd[2209]: connection_input: conn=19285 deferring operation: too many executing
Sep 28 15:32:46 mail slapd[2209]: connection_input: conn=19419 deferring operation: binding
Sep 28 15:32:47 mail slapd[2209]: connection_input: conn=19419 deferring operation: binding
Sep 28 15:32:57 mail slapd[4484]: [INFO] Using /etc/default/slapd for configuration
Sep 28 15:32:57 mail slapd[4489]: [INFO] Halting OpenLDAP...
Sep 28 15:32:57 mail slapd[2209]: daemon: shutdown requested and initiated.
Sep 28 15:32:57 mail slapd[2209]: slapd shutdown: waiting for 1 operations/tasks to finish
Sep 28 15:33:03 mail slapd[2209]: slapd stopped.
Sep 28 15:33:05 mail slapd[4510]: [OK] OpenLDAP stopped after 7 seconds
Sep 28 15:33:05 mail slapd[4511]: [INFO] No data backup done
Sep 28 15:33:12 mail slapd[4529]: [INFO] Using /etc/default/slapd for configuration
Sep 28 15:33:12 mail slapd[4534]: [INFO] Launching OpenLDAP configuration test...
Sep 28 15:33:16 mail slapd[4568]: [OK] OpenLDAP configuration test successful
Sep 28 15:33:16 mail slapd[4578]: [INFO] No db_recover done
Sep 28 15:33:16 mail slapd[4579]: [INFO] Launching OpenLDAP...
Sep 28 15:33:16 mail slapd[4580]: [OK] File descriptor limit set to 1024
Sep 28 15:33:17 mail slapd[4581]: @(#) $OpenLDAP: slapd 2.4.31 (Apr 26 2012 19:53:11) $
clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2.4.31/servers/slapd
...
Possibly, a number of parallel group alias uses caused a large number
of LDAP queries by Postfix. Can you please advise on what may have
caused the OpenLDAP overloading, and on how we can prevent it from happening
again? Any config changes?
My config follows.
Thanks in advance for your time and assistance.
Regards,
Nick
# cat /usr/local/openldap/var/openldap-data/DB_CONFIG
#====================================================================
# BDB configuration
#
# Provided by LTB-project (http://www.ltb-project.org)
#====================================================================
#====================================================================
# Cache size for DB files
#====================================================================
set_cachesize 1 0 1
#====================================================================
# Flags
#====================================================================
#set_flags DB_TXN_WRITE_NOSYNC
#set_flags DB_TXN_NOSYNC
set_flags DB_LOG_AUTOREMOVE
#====================================================================
# Logs
#====================================================================
# Size
set_lg_regionmax 1048576
set_lg_max 10485760
set_lg_bsize 2097152
# Directory
set_lg_dir /usr/local/berkeleydb/openldap-logs
************************************************************************
# cat /usr/local/openldap/etc/openldap/slapd.conf
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/eduperson.schema
include /usr/local/openldap/etc/openldap/schema/postfix.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
include /usr/local/openldap/etc/openldap/schema/misc.schema
include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
include /usr/local/openldap/etc/openldap/schema/schac-20090326-1.4.0.schema
include /usr/local/openldap/etc/openldap/schema/dnsdomain2.schema
include /usr/local/openldap/etc/openldap/schema/proftpd-quota.schema
include /usr/local/openldap/etc/openldap/schema/kerberos.schema
include /usr/local/openldap/etc/openldap/schema/localemail.schema
include /usr/local/openldap/etc/openldap/schema/entryaccess.schema
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
modulepath /usr/local/openldap/lib64
loglevel sync
sizelimit unlimited
timelimit unlimited
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/openldap/etc/openldap/cacerts/chain.pem
TLSCertificateFile /usr/local/openldap/etc/openldap/cacerts/cert.pem
TLSCertificateKeyFile /usr/local/openldap/etc/openldap/cacerts/key.pem
TLSVerifyClient never
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
########
# ACLs #
########
include /usr/local/openldap/etc/openldap/acl.conf
directory /usr/local/openldap/var/openldap-data
index objectClass eq,pres
index employeeType pres,eq
index cn eq,pres,sub
index sn,givenname eq,pres,sub
index mail eq,pres,sub
index uid eq,pres
index ou eq,pres
index mailacceptinggeneralid eq,pres
index owner eq
index entryCSN,entryUUID eq
index vacationActive eq
index associatedDomain pres,eq,sub
index dc eq
index emailLocalAddress eq,pres,sub
overlay dynlist
dynlist-attrset nisMailAlias labeledURI
dynlist-attrset groupOfURLs labeledURI member

syncrepl rid=111
    provider=ldaps://ldap.example.com
    tls_reqcert=never
    type=refreshAndPersist
    retry="60 15 180 +"
    searchbase="dc=example,dc=com"
    schemachecking=off
    bindmethod=simple
    binddn="uid=FullReplAcc1,ou=System,dc=example,dc=com"
    credentials="mypassword"

database monitor
access to *
    by dn.exact="cn=Manager,dc=example,dc=com" read
    by * none
*********************************************************************
# ls -la /usr/local/openldap/var/openldap-data/
total 14120
drwxr-xr-x 2 ldap ldap 4096 Sep 28 15:33 .
drwxr-xr-x 4 ldap ldap 4096 Apr 26 20:56 ..
-rw-r--r-- 1 ldap ldap 4096 Sep 28 15:33 alock
-rw------- 1 ldap ldap 1261568 Sep 28 15:32 associatedDomain.bdb
-rw------- 1 ldap ldap 512000 Sep 28 15:32 cn.bdb
-rw------- 1 ldap ldap 24576 Sep 28 15:33 __db.001
-rw------- 1 ldap ldap 1294336 Sep 28 16:12 __db.002
-rw------- 1 ldap ldap 32776192 Sep 28 16:12 __db.003
-rw------- 1 ldap ldap 3145728 Sep 28 16:11 __db.004
-rw------- 1 ldap ldap 729088 Sep 28 16:12 __db.005
-rw------- 1 ldap ldap 32768 Sep 28 16:11 __db.006
-rw-r--r-- 1 ldap ldap 924 Apr 26 21:01 DB_CONFIG
-rw------- 1 ldap ldap 845 Apr 26 20:56 DB_CONFIG.example
-rw------- 1 ldap ldap 61440 Sep 28 15:32 dc.bdb
-rw------- 1 ldap ldap 339968 Sep 28 15:33 dn2id.bdb
-rw------- 1 ldap ldap 212992 Sep 28 15:33 emailLocalAddress.bdb
-rw------- 1 ldap ldap 20480 Sep 28 15:33 employeeType.bdb
-rw------- 1 ldap ldap 118784 Sep 28 15:33 entryCSN.bdb
-rw------- 1 ldap ldap 81920 Sep 28 15:33 entryUUID.bdb
-rw------- 1 ldap ldap 90112 Sep 28 15:32 givenName.bdb
-rw------- 1 ldap ldap 2457600 Sep 28 15:33 id2entry.bdb
-rw------- 1 ldap ldap 24576 Jul 9 13:13 mailacceptinggeneralid.bdb
-rw------- 1 ldap ldap 212992 Sep 28 15:33 mail.bdb
-rw------- 1 ldap ldap 266240 Sep 28 15:33 objectClass.bdb
-rw------- 1 ldap ldap 40960 Sep 28 15:33 ou.bdb
-rw------- 1 ldap ldap 8192 Sep 28 15:32 owner.bdb
-rw------- 1 ldap ldap 253952 Sep 28 15:32 sn.bdb
-rw------- 1 ldap ldap 28672 Sep 28 15:33 uid.bdb
-rw------- 1 ldap ldap 8192 Sep 25 2011 vacationActive.bdb
***************************************************************************
11 years, 2 months
Re: slapd ACLs
by Mik J
Thank you for your answer Olivier, I tried to do this but it didn't work. The logs look like this
conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1001 op=2 UNBIND
I triple checked, and when it works, with the dn.subtree permission in the beginning of slapd.conf I have
conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=2 UNBIND
----- Original message -----
> From: Olivier <ldap(a)guillard.nom.fr>
> To: Mik J <mikydevel(a)yahoo.fr>
> Cc:
> Sent: Sunday, 30 September 2012 20:29
> Subject: Re: slapd ACLs
>
> Try to put this rule:
>
>> access to dn.subtree=""
>>     by * read
>
> after the two others.
>
> (once a rule matches, then the scan stops: order counts)
>
> --
> Olivier
>
> 2012/9/30 Mik J <mikydevel(a)yahoo.fr>:
>> Hello,
>>
>> I'm a bit confused with the ACLs in my slapd.conf considering I have this
>>
>> access to dn.subtree=""
>>     by * read
>>
>> access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
>>     by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
>>     by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
>>     by self write
>>     by anonymous auth
>>     by * none
>>
>> access to *
>>     by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
>>     by self write
>>     by users read
>>     by anonymous auth
>>     by * none
>>
>>
>> When I do a ldapsearch without authentication, I can see the user's details including the unencrypted password
>>
>> ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
>> I think that it's because of the rule access to dn.subtree="" by * read
>> With an authenticated user it works as well
>>
>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>
>> But if I comment out these two lines
>> #access to dn.subtree=""
>> # by * read
>> The search doesn't give me any result
>>
>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>> # search result
>> search: 2
>> result: 32 No such object
>> # numResponses: 1
>>
>> I would have expected that this command matched
>> access to *
>>     by users read
>>
>> My goal is that only authenticated users would be able to access the LDAP directory and users can change their passwords
>>
>> Does anyone have an idea on how to explain this behavior?
>>
>> Thank you
>>
>
11 years, 2 months
slapd ACLs
by Mik J
Hello,
I'm a bit confused with the ACLs in my slapd.conf considering I have this
access to dn.subtree=""
    by * read

access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
    by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
    by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
    by self write
    by anonymous auth
    by * none

access to *
    by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
    by self write
    by users read
    by anonymous auth
    by * none
When I do a ldapsearch without authentication, I can see the user's details including the unencrypted password
ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
I think that it's because of the rule access to dn.subtree="" by * read
With an authenticated user it works as well
ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
But if I comment out these two lines
#access to dn.subtree=""
# by * read
The search doesn't give me any result
ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
# search result
search: 2
result: 32 No such object
# numResponses: 1
I would have expected that this command matched
access to *
    by users read
My goal is that only authenticated users would be able to access the LDAP directory and users can change their passwords
Does anyone have an idea on how to explain this behavior?
Thank you
11 years, 2 months
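The rule-order point from this thread (once a rule matches, the scan stops) as an added example, not code from the thread or from OpenLDAP: a small Python model of first-match ACL evaluation applied to the posted rules. The rule encoding, the function names and the treatment of "=wrscx" as write are assumptions of the example; it models ordering only and does not attempt to explain the err=32 result reported in the thread.

```python
import re

# Constructed model of first-match ACL evaluation (not slapd code).
SENSITIVE = ["userPassword", "shadowMax", "shadowExpire",
             "sambaLMPassword", "sambaNTPassword"]
ADMIN_RE = r"uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?"   # regex from the post
ADMIN_DN = "uid=admin,ou=people,dc=mydomain,dc=org"

# Each rule is (what, [(who, access), ...]) in the order written in slapd.conf.
OPEN_RULE = (("dn.subtree", ""), [("*", "read")])
PASSWORD_RULE = (("attrs", SENSITIVE), [
    ("dn.regex=" + ADMIN_RE, "write"), ("dn=" + ADMIN_DN, "write"),
    ("self", "write"), ("anonymous", "auth"), ("*", "none")])
DEFAULT_RULE = (("*", None), [
    ("dn.regex=" + ADMIN_RE, "write"),   # "=wrscx" in the post, modelled as write
    ("self", "write"), ("users", "read"), ("anonymous", "auth"), ("*", "none")])

AS_POSTED = [OPEN_RULE, PASSWORD_RULE, DEFAULT_RULE]
OPEN_RULE_LAST = [PASSWORD_RULE, DEFAULT_RULE, OPEN_RULE]   # order from the reply
OPEN_RULE_REMOVED = [PASSWORD_RULE, DEFAULT_RULE]


def what_matches(what, target_dn, attr):
    kind, value = what
    if kind == "*":
        return True
    if kind == "dn.subtree":
        # Every DN lies under the empty DN, so dn.subtree="" matches all entries.
        t, v = target_dn.lower(), value.lower()
        return v == "" or t == v or t.endswith("," + v)
    if kind == "attrs":
        return attr.lower() in [a.lower() for a in value]
    raise ValueError("unsupported <what>: %r" % (what,))


def who_matches(who, bound_dn, target_dn):
    """bound_dn is None for an anonymous (unauthenticated) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if bound_dn is None:
        return False
    if who == "users":
        return True
    if who == "self":
        return bound_dn.lower() == target_dn.lower()
    if who.startswith("dn.regex="):
        return re.search(who[len("dn.regex="):], bound_dn, re.I) is not None
    if who.startswith("dn="):
        return bound_dn.lower() == who[len("dn="):].lower()
    raise ValueError("unsupported <who>: %r" % who)


def effective_access(rules, bound_dn, target_dn, attr):
    """The first rule whose <what> matches decides; in it, the first matching <who>."""
    for what, by_clauses in rules:
        if not what_matches(what, target_dn, attr):
            continue
        for who, access in by_clauses:
            if who_matches(who, bound_dn, target_dn):
                return access
        return "none"      # implicit trailing "by * none"
    return "none"          # implicit final "access to * by * none"


if __name__ == "__main__":
    user1 = "uid=user1,ou=people,dc=mydomain,dc=org"
    for name, rules in [("as posted", AS_POSTED),
                        ("open rule last", OPEN_RULE_LAST),
                        ("open rule removed", OPEN_RULE_REMOVED)]:
        print("%-18s anonymous on userPassword: %s"
              % (name, effective_access(rules, None, user1, "userPassword")))
```

In this model, moving the open rule to the end behaves exactly like deleting it, because "access to *" already matches every entry and attribute before the scan reaches it.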
LDAP search filter on superior/parent attribute
by Roman Rybalko
Have a schema:
olcAttributeTypes: ( 2.999.777.1.1.1.3 NAME 'orderingInteger' DESC 'Integer with ordering' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
olcAttributeTypes: ( 2.999.777.1.1.2.16 NAME 'timeInteger' DESC 'Integer time representation' SUP orderingInteger )
olcAttributeTypes: ( 2.999.777.1.1.2.17 NAME 'Mailbox' DESC 'Mailbox name' SUP info )
olcAttributeTypes: ( 2.999.777.1.1.2.16.1 NAME 'timeIntegerYear' DESC 'Integer year representation' SUP timeInteger )
olcAttributeTypes: ( 2.999.777.1.1.2.16.2 NAME 'timeIntegerMonth' DESC 'Integer month representation' SUP timeInteger )
olcAttributeTypes: ( 2.999.777.1.1.2.16.3 NAME 'timeIntegerDay' DESC 'Integer day of the month representation' SUP timeInteger )
olcAttributeTypes: ( 2.999.777.1.1.2.16.4 NAME 'timeIntegerHour' DESC 'Integer hour representation' SUP timeInteger )
olcAttributeTypes: ( 2.999.777.1.1.2.16.5 NAME 'timeIntegerMinute' DESC 'Integer minute representation' SUP timeInteger )
olcObjectClasses: ( 2.999.777.1.2.3 NAME 'entry' SUP top STRUCTURAL MAY ( timeInteger $ timeIntegerYear $ timeIntegerMonth $ timeIntegerDay $ timeIntegerHour $ timeIntegerMinute ) )
Have a search:
(&(timeInteger>=1348900000)(timeInteger<=1349000000))
This search may return entries like:
timeInteger: 1347014897
timeIntegerYear: 2012
timeIntegerMonth: 9
...
The entry with timeInteger=1347014897 is obviously not in the
[1348900000,1349000000] range, but it is matched because there are
other attributes in the entry with "SUP timeInteger", so
timeIntegerYear=2012 matches the (timeInteger<=1349000000) filter part.
I'm looking for the RFC that describes such behavior.
--
WBR,
Roman Rybalko
11 years, 2 months
Appropriate index for <= >= filter on generalizedTime (Re: reqStart<= slow)
by Roman Rybalko
Hi,
I'm trying to use >= <= filter on eq-indexed generalizedTime attribute.
Seems eq-index does not work for <= filter.
olcAttributeTypes: ( 2.999.777.1.1.1.5 NAME 'logTime' DESC 'Time' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcDbIndex: logTime eq
(&(logTime>=201209201440+0400)(logTime<=201209201450+0400)) - 57sec
(|(logTime=20120920144001+0400)(logTime=20120920144008+0400)) - 0.03sec
~ 1000000 records in db, target = 100000000 records
What should I do to make >= filters work efficiently?
I may consider using another data type that works with <=/=> filters for
sure. Strings? Integers? Anything that can mimic TIME semantics. Any advice?
14.04.2012 19:44, Michael Ströder wrote:
> can I influence the order of index usage by order in the filter or slapd index configuration?
The same question from me. Is it possible to select indexes using some
sort of filter syntax?
--
WBR,
Roman Rybalko
11 years, 2 months