Hello,
I had a curious problem with ldapsearch:
A wildcard search like
ldapsearch -LLL -Wx -h myldap -D cn=xx -b dc=xx -b "ou=Accounts,xx" uid='xyzzs*' uid
lists only three entries:
dn: uid=xyzzs146,ou=Accounts,xx
uid: xyzzs146
dn: uid=xyzzs147,ou=Accounts,xx
uid: xyzzs147
dn: uid=xyzzs148,ou=Accounts,xx
uid: xyzzs148
though there exist more, which can be displayed with ldapsearch not specifying a filter or by specifying the object exactly like
ldapsearch -LLL -Wx -h myldap -D cn=xx -b dc=xx -b "ou=Accounts,xx" uid='xyzzs020' uid
Reindexing with slapindex solved the problem, ldapsearch with uid='xyzzs*' shows all those entries, not only three. But I'm afraid that this happens again. Can you tell me how something like this can happen and how I can prevent such a situation?
The slapd is running on a RHEL 6.4 server, using a hdb database. We indexed
olcDbIndex: objectClass pres,eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: cn pres,eq
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: CAUmailHost pres,eq
olcDbIndex: memberUid pres,eq
olcDbIndex: ou eq
olcDbIndex: uniqueMember pres,eq
olcDbIndex: uid pres,eq,sub
Thanks in advance for your help
Birgit
Birgit Ohlenbusch writes:
> A wildcard search like ldapsearch (...) uid='xyzzs*' uid
> lists only three entries: (...)
> dn: uid=xyzzs146,ou=Accounts,xx
> uid: xyzzs146
> dn: uid=xyzzs147,ou=Accounts,xx
> uid: xyzzs147
> dn: uid=xyzzs148,ou=Accounts,xx
> uid: xyzzs148
> though there exist more, which can be displayed with ldapsearch not specifying a filter or by specifying the object (...) Reindexing with slapindex solved the problem, ldapsearch with uid='xyzzs*' shows all those entries, not only three. But I'm afraid that this happens again. Can you tell me how something like this can happen and how I can prevent such a situation?
Your 'uid' index thought only three entries existed in the search scope. A search without a uid filter worked because it did not use the index.
Maybe you edited slapd.conf and inserted a uid index without running slapindex. That index would initially be empty, telling slapd there were no entries matching the filter. Later you added these three entries, which did get indexed.
The fix is to always run slapindex after editing the indexes. Or switch to using cn=config and modify the configuration over the LDAP protocol, then the attributes get reindexed automatically.
On 27.09.2013 15:53, Hallvard Breien Furuseth wrote:
> Birgit Ohlenbusch writes:
>> A wildcard search like ldapsearch (...) uid='xyzzs*' uid
>> lists only three entries: (...)
>> dn: uid=xyzzs146,ou=Accounts,xx
>> uid: xyzzs146
>> dn: uid=xyzzs147,ou=Accounts,xx
>> uid: xyzzs147
>> dn: uid=xyzzs148,ou=Accounts,xx
>> uid: xyzzs148
>> though there exist more, which can be displayed with ldapsearch not specifying a filter or by specifying the object (...) Reindexing with slapindex solved the problem, ldapsearch with uid='xyzzs*' shows all those entries, not only three. But I'm afraid that this happens again. Can you tell me how something like this can happen and how I can prevent such a situation?
> Your 'uid' index thought only three entries existed in the search scope. A search without a uid filter worked because it did not use the index.
> Maybe you edited slapd.conf and inserted a uid index without running slapindex. That index would initially be empty, telling slapd there were no entries matching the filter. Later you added these three entries, which did get indexed.
> The fix is to always run slapindex after editing the indexes. Or switch to using cn=config and modify the configuration over the LDAP protocol, then the attributes get reindexed automatically.
Thank you for your fast response and explanation.
We are using cn=config and are modifying the index with ldapmodify, so over the LDAP protocol. But - what can cause an index getting empty? Maybe a restart of the slapd? Or not optimal settings for the hdb database parameters?
And: Is it possible to check if the index is correct?
Best Regards
Birgit
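The symptom described in this thread can be detected by comparing the indexed wildcard search against an unfiltered listing of the same base that is filtered on the client side. The script below is an added example, not part of the thread and not an OpenLDAP tool; the file names indexed.ldif and full.ldif and the function names are assumptions, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find entries a substring index misses.
# Inputs are two saved `ldapsearch -LLL ... uid` outputs for the same base:
#   indexed.ldif : searched with the filter uid='xyzzs*' (answered from the index)
#   full.ldif    : searched with '(objectClass=*)' (every entry in scope)
LC_ALL=C; export LC_ALL   # same byte-wise ordering for sort and comm

# Print the uid values found in LDIF on stdin, lower-cased, sorted, unique.
# Base64 values ("uid:: ...") are not decoded and are skipped.
uids_from_ldif() {
    awk 'tolower($1) == "uid:" { print tolower($2) }' | sort -u
}

# missing_from_index INDEXED_LDIF FULL_LDIF PREFIX
# Prints uids that begin with PREFIX in the full listing but are absent from
# the indexed search result. Empty output means the two searches agree.
missing_from_index() {
    prefix=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    idx=$(mktemp) || return 2
    all=$(mktemp) || { rm -f "$idx"; return 2; }
    uids_from_ldif < "$1" > "$idx"
    uids_from_ldif < "$2" | awk -v p="$prefix" 'index($0, p) == 1' > "$all"
    comm -13 "$idx" "$all"
    rm -f "$idx" "$all"
}

# Constructed sample data reproducing the symptom described in the thread.
demo() {
    dir=$(mktemp -d) || return 2
    for n in 146 147 148; do
        printf 'dn: uid=xyzzs%s,ou=Accounts,xx\nuid: xyzzs%s\n\n' "$n" "$n"
    done > "$dir/indexed.ldif"
    for n in 020 146 147 148; do
        printf 'dn: uid=xyzzs%s,ou=Accounts,xx\nuid: xyzzs%s\n\n' "$n" "$n"
    done > "$dir/full.ldif"
    printf 'dn: uid=other001,ou=Accounts,xx\nuid: other001\n\n' >> "$dir/full.ldif"
    missing_from_index "$dir/indexed.ldif" "$dir/full.ldif" 'xyzzs'
    rm -rf "$dir"
}

demo   # prints: xyzzs020
```

Run both searches with the same bind DN so that access controls and size limits apply equally to the two result sets.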
--On Friday, September 27, 2013 4:11 PM +0200 Birgit Ohlenbusch ohlenbusch@rz.uni-kiel.de wrote:
> We are using cn=config and are modifying the index with ldapmodify, so over the LDAP protocol. But - what can cause an index getting empty? Maybe a restart of the slapd? Or not optimal settings for the hdb database parameters?
Well, the indexing is a background operation, so yes, if you restarted slapd after adding the index, it could interrupt that task, and I don't believe it would resume. The point of cn=config is to not restart slapd. ;)
Also, you noted you are using RHEL6.4. I assume you are not running their broken packages but something current that is sanely built? ;)
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
On 27.09.2013 20:58, Quanah Gibson-Mount wrote:
> Also, you noted you are using RHEL6.4. I assume you are not running their broken packages but something current that is sanely built? ;)
Oh, we are running the packages from the original RHEL repository. I didn't know that's a problem. Do you know a repository with sanely built openldap packages for RHEL 6 which you can recommend?
--On Monday, September 30, 2013 11:57 AM +0200 Birgit Ohlenbusch ohlenbusch@rz.uni-kiel.de wrote:
> On 27.09.2013 20:58, Quanah Gibson-Mount wrote:
>> Also, you noted you are using RHEL6.4. I assume you are not running their broken packages but something current that is sanely built? ;)
> Oh, we are running the packages from the original RHEL repository. I didn't know that's a problem. Do you know a repository with sanely built openldap packages for RHEL 6 which you can recommend?
http://ltb-project.org/wiki/download#openldap
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org