Hi there,
is there any way to use multiple keys for a node in an LDAP tree?
I mean, there are several subtrees:
ou=company1,dc=foo,dc=com
ou=company2,dc=foo,dc=com
and I have to store the users under these subtrees. Sometimes the users have the same names, e.g. John Smith, and the nodes will be:
uid=jsmith,ou=company1,dc=foo,dc=com
uid=jsmith,ou=company2,dc=foo,dc=com
but any other attributes (sn, cn, ...) are also the same.
How do I set up the indexes?
Thanks,
a.
Ervin Hegedüs wrote:
> is there any way to use multiple keys for a node in an LDAP tree?
> I mean, there are several subtrees: ou=company2,dc=foo,dc=com
> and I have to store the users under these subtrees.
Are these two subtrees within the same database? Or do you have separate databases with the suffixes above?
Which search base do your LDAP clients use? dc=foo,dc=com or ou=companyX,dc=foo,dc=com?
> Sometimes the users have the same names, e.g. John Smith, and the nodes will be:
> uid=jsmith,ou=company1,dc=foo,dc=com
> uid=jsmith,ou=company2,dc=foo,dc=com
> but any other attributes (sn, cn, ...) are also the same.
> How do I set up the indexes?
I'm not sure whether I really understand your issue.
An index just speeds up a lookup for a small search candidate set.
Example:
Assuming you have a single database with suffix dc=foo,dc=com and sub-trees ou=companyX,dc=foo,dc=com:
index uid eq
Using search base dc=foo,dc=com there will be two results returned for filter "(uid=jsmith)". But indeed the lookup will be faster because uid is indexed.
Of course a typical LDAP-based "login" will fail because there are two search results returned and therefore the uid->DN mapping is not unique.
In general indexes defined for several assertion attributes used in a filter are used. But note that search performance can be worse if you're indexing attributes with same values in many entries.
Ciao, Michael.
Hi Michael,
thanks for your answers,
On Tue, Oct 03, 2017 at 01:06:59PM +0200, Michael Ströder wrote:
> Ervin Hegedüs wrote:
>> is there any way to use multiple keys for a node in an LDAP tree?
>> I mean, there are several subtrees: ou=company2,dc=foo,dc=com
>> and I have to store the users under these subtrees.
> Are these two subtrees within the same database?
yes,
> Or do you have separate databases with the suffixes above?
no, they are in the same db,
> Which search base do your LDAP clients use? dc=foo,dc=com or ou=companyX,dc=foo,dc=com?
dc=foo,dc=com. The "clients" will be "black-box-like" devices, like application level firewalls, access-points, etc... I just can set up only one search base dn for one unique LDAP source.
>> Sometimes the users have the same names, e.g. John Smith, and the nodes will be:
>> uid=jsmith,ou=company1,dc=foo,dc=com
>> uid=jsmith,ou=company2,dc=foo,dc=com
>> but any other attributes (sn, cn, ...) are also the same.
>> How do I set up the indexes?
> I'm not sure whether I really understand your issue.
> An index just speeds up a lookup for a small search candidate set.
yes, I thought it - the records (nodes) in db will be about k*100000.
> Example:
> Assuming you have a single database with suffix dc=foo,dc=com and sub-trees ou=companyX,dc=foo,dc=com:
> index uid eq
that was what I tried,
> Using search base dc=foo,dc=com there will be two results returned for filter "(uid=jsmith)". But indeed the lookup will be faster because uid is indexed.
no, with this index I got 0 results. Without this index I get 2 results.
That was the reason why I asked this question.
Here are the searches:
# ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=foo,dc=com "(&(uid=airween))"
...
# search result
search: 2
result: 0 Success
# numResponses: 1
[no entry]
# grep ^index /etc/ldap/slapd.conf
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
Ok, now I turned off the uid index:
# grep ^index /etc/ldap/slapd.conf
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index displayName pres,sub,eq
index default sub
index uidNumber eq
index gidNumber eq
index mail,givenName eq,subinitial
index dc eq
# ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=foo,dc=com "(&(uid=airween))"
...
# airween, ABC Customer, foo.com
dn: uid=airween,ou=ABC Customer,dc=foo,dc=com
cn: airween
sn: airween
uid: airween
uidNumber: 10001
...
# airween, XYZ Customer, foo.com
dn: uid=airween,ou=XYZ Customer,dc=foo,dc=com
uid: airween
uidNumber: 10001
cn: airween
sn: airween
...
> Of course a typical LDAP-based "login" will fail because there are two search results returned and therefore the uid->DN mapping is not unique.
sure, that's clear.
> In general indexes defined for several assertion attributes used in a filter are used. But note that search performance can be worse if you're indexing attributes with same values in many entries.
right - I just don't understand why I didn't get the results when the uid index was turned on.
Thanks again,
a.
Ervin Hegedüs wrote:
> no, with this index I got 0 results. Without this index I get 2 results.
Did you re-index after changing indexing config?
See also: http://www.openldap.org/faq/data/cache/136.html
Ciao, Michael.
Hi Michael,
On Tue, Oct 03, 2017 at 05:32:29PM +0200, Michael Ströder wrote:
> Ervin Hegedüs wrote:
>> no, with this index I got 0 results. Without this index I get 2 results.
> Did you re-index after changing indexing config?
yep - I forgot it. After I did it, the search works as well.
Many thanks for your help!
a.
openldap-technical@openldap.org
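
Added example, not part of the original thread and not OpenLDAP code: a simplified in-memory Python model of the two points discussed above, an equality index that is configured but was never rebuilt (Michael's re-index question) and the non-unique uid->DN mapping under search base dc=foo,dc=com. The entries, the function names and the index model itself are assumptions made for illustration.

```python
# Constructed sample entries modelled on the thread; not real directory data.
ENTRIES = {
    "uid=jsmith,ou=company1,dc=foo,dc=com": {"uid": "jsmith", "cn": "John Smith"},
    "uid=jsmith,ou=company2,dc=foo,dc=com": {"uid": "jsmith", "cn": "John Smith"},
    "uid=adoe,ou=company1,dc=foo,dc=com": {"uid": "adoe", "cn": "Ann Doe"},
}


class AmbiguousUser(Exception):
    """More than one entry matched, so the uid -> DN mapping is not unique."""


def build_eq_index(entries, attr):
    """Rebuild the equality index from the stored entries (the re-index step)."""
    index = {}
    for dn, attrs in entries.items():
        if attr in attrs:
            index.setdefault(attrs[attr].lower(), set()).add(dn)
    return index


def in_subtree(dn, base):
    """Subtree scope by naive string comparison (no DN normalization or escaping)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search_eq(entries, base, attr, value, indexes):
    """Equality search. Simplified model: if attr is configured as indexed, the
    candidates come only from the index, so an index that was declared but never
    built yields no candidates even though matching entries exist."""
    if attr in indexes:
        candidates = indexes[attr].get(value.lower(), set())
    else:
        candidates = set(entries)  # no index configured: scan every entry
    return sorted(dn for dn in candidates
                  if in_subtree(dn, base)
                  and entries[dn].get(attr, "").lower() == value.lower())


def resolve_bind_dn(entries, base, uid, indexes):
    """Search-then-bind lookup that fails closed unless exactly one DN matches."""
    hits = search_eq(entries, base, "uid", uid, indexes)
    if len(hits) > 1:
        raise AmbiguousUser(f"{len(hits)} entries match uid={uid} under {base}")
    return hits[0] if hits else None
```

Passing `{"uid": {}}` as `indexes` models the state before re-indexing; passing `{"uid": build_eq_index(ENTRIES, "uid")}` models the state after it.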