Hi all,
I want to find all entries in my ldap directory that contain certain ou's, e.g.
ldapsearch -x "(ou:dn:=Administration)"
which returns (in my case) all entries that correspond to administrative staff. The query works but it is slow and puts a high load on the ldap server.
I wonder if I can create an index which would speed things up, but I could not figure out what I should index.
Note that I cannot do this using a specific basedn, because we have administrative staff in several subtrees of our ldap hierarchy.
Best
Hanspeter Kunz writes:
I want to find all entries in my ldap directory that contain certain ou's, e.g.
ldapsearch -x "(ou:dn:=Administration)"
which returns (in my case) all entries that correspond to administrative staff. The query works but it is slow and puts a high load on the ldap server.
I wonder if I can create an index which would speed things up, but I could not figure out what I should index.
You can't. You can index 'ou', search for each admin OU, and then issue one search request based on each returned DN. The OU filter would be something like (&(ou=Administration)(ou:dn:=Administration)) or maybe (&(ou=Administration)(objectClass=organizationalUnit)(ou:dn:=Administration)).
Remember to drop OU DNs below other returned OU DNs to avoid duplicates, i.e. ou=Administration,ou=foo,ou=Administration,ou=bar,dc=example,dc=com.
On Thu, 2012-12-06 at 15:52 +0100, Hallvard Breien Furuseth wrote:
Hanspeter Kunz writes:
I want to find all entries in my ldap directory that contain certain ou's, e.g.
ldapsearch -x "(ou:dn:=Administration)"
which returns (in my case) all entries that correspond to administrative staff. The query works but it is slow and puts a high load on the ldap server.
I wonder if I can create an index which would speed things up, but I could not figure out what I should index.
You can't.
ok, bad, but good to know.
You can index 'ou', search for each admin OU, and then issue one search request based on each returned DN. The OU filter would be something like (&(ou=Administration)(ou:dn:=Administration)) or maybe (&(ou=Administration)(objectClass=organizationalUnit)(ou:dn:=Administration)).
I was thinking about this too. I just hoped that there is an elegant solution.
actually the (ou:dn:=Administration) term is unnecessary, because this is implied by (ou=Administration).
but thanks anyhow, hp
Hanspeter Kunz writes:
actually the (ou:dn:=Administration) term is unnecessary, because this is implied by (ou=Administration).
It's not implied in LDAP, but maybe it is in your data.
dn: ou=Cat herding,dc=example,dc=com
ou: Cat herding
ou: Administration
objectClass: organizationalUnit
On Thu, 2012-12-06 at 17:20 +0100, Hallvard Breien Furuseth wrote:
Hanspeter Kunz writes:
actually the (ou:dn:=Administration) term is unnecessary, because this is implied by (ou=Administration).
It's not implied in LDAP, but maybe it is in your data.
dn: ou=Cat herding,dc=example,dc=com
ou: Cat herding
ou: Administration
objectClass: organizationalUnit
ok, you're right. I wasn't aware of this.
thanks, Hp
openldap-technical@openldap.org
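The two-step approach suggested in the thread, as an added example that is not part of the original messages: pick the administrative OUs with the combined filter, drop OU DNs that lie below other returned OU DNs, then issue one subtree search per remaining base. The function names and the entries are constructed for illustration, and the DN splitting is a simplified assumption (unescaped commas only, single-valued RDNs).

```python
import re

# Constructed sample data: (DN, attributes) pairs as an indexed search on 'ou' might return.
OU_CLASS = {"objectClass": ["organizationalUnit"]}
ENTRIES = [
    ("ou=Administration,ou=bar,dc=example,dc=com", {"ou": ["Administration"], **OU_CLASS}),
    ("ou=Administration,ou=foo,ou=Administration,ou=bar,dc=example,dc=com",
     {"ou": ["Administration"], **OU_CLASS}),
    ("ou=Administration,ou=baz,dc=example,dc=com", {"ou": ["Administration"], **OU_CLASS}),
    # The counter-example from the thread: ou value present, but not part of the DN.
    ("ou=Cat herding,dc=example,dc=com", {"ou": ["Cat herding", "Administration"], **OU_CLASS}),
]

def split_dn(dn):
    """Split a DN into lower-cased RDNs on unescaped commas (simplified)."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def dn_has_ou(dn, value):
    """Emulate (ou:dn:=value): true when some RDN of the DN is ou=value."""
    return f"ou={value.lower()}" in split_dn(dn)

def is_below(dn, ancestor):
    """True when dn lies strictly below ancestor in the tree."""
    d, a = split_dn(dn), split_dn(ancestor)
    return len(d) > len(a) and d[-len(a):] == a

def admin_bases(entries, value):
    """Apply (&(ou=value)(objectClass=organizationalUnit)(ou:dn:=value)),
    then drop OU DNs below other returned OU DNs to avoid duplicate results."""
    hits = [dn for dn, attrs in entries
            if value.lower() in (v.lower() for v in attrs.get("ou", []))
            and "organizationalunit" in (c.lower() for c in attrs.get("objectClass", []))
            and dn_has_ou(dn, value)]
    return [dn for dn in hits if not any(is_below(dn, other) for other in hits)]

if __name__ == "__main__":
    # One subtree search per remaining base instead of a single unindexed ou:dn:= search.
    for base in admin_bases(ENTRIES, "Administration"):
        print(f'ldapsearch -x -s sub -b "{base}" "(objectClass=*)"')
```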