On 12/21/2010 07:26 AM, Quanah Gibson-Mount wrote:
--On Monday, December 20, 2010 12:44 PM -1000 Paul paul@ehawaii.gov wrote:
I'm also seeing odd entries in the ldap logs:
Dec 20 11:21:17 <server> slapd[11171]: <= bdb_equality_candidates: (objectClass) index_param failed (18) Dec 20 11:21:17 <server> slapd[11171]: <= bdb_equality_candidates: (objectClass) index_param failed (18) Dec 20 11:21:17 <server> slapd[11171]: <= bdb_equality_candidates: (gidNumber) index_param failed (18)
This means those entries are being searched on with a search other than the way they are indexed. No amount of re-running slapindex is going to change those messages.
Sorry, I may be being completely dense here. So those errors are because the wrong type of index is being specified in these lines in my config file?
index objectClass pres,eq index gidNumber eq
I assumed that "bdb_equality_candidates" would indicate "eq" indexing as being the type of search it's trying to do, is my assumption off the mark?
Your assumption is correct. You don't need to index "objectClass" for "pres", as the objectClass attribute is always present, "eq" suffices. If you changed the "index" directive in slapd.conf you need to run slapindex while slapd is not running. Make sure you run slapindex with the correct identity, as all index files will be generated with that identity, and then slapd needs to be able to read them.
On the general subject of indexes, is there a way to identify in OpenLDAP/slapd which ones are actually being used? Beyond just basic pam/e-mail stuff I've got a number of java apps and the like not all done in house that could be querying the LDAP server in numerous ways.
You can enable monitoring (configure the monitor database in slapd.conf), and check the contents of olmBDBNotIndexed in the database entry (e.g. "cn=Database 1,cn=databases,cn=monitor" if the BDB database is the first one); to use this feature, you need to #define BDB_MONITOR_IDX and recompile slapd. You'll get data like
olmBDBNotIndexed: description#present=1#substr=1
indicating that "description" was searched once with "present" and once with "substring" and they were not indexed.
p.