Hi listers
Installation here: openldap-servers-2.4.15-7.fc11.i586
One master server, two backup servers (syncrepl).
All authentication and mailing is managed by ldap.
1. About indexing:
When I check the slapd log, I see many
<= bdb_equality_candidates: (uidNumber) not indexed
<= bdb_equality_candidates: (gidNumber) not indexed
In the discussion about slapd tuning http://www.openldap.org/doc/admin24/tuning.html#Indexes, however, I read that if each entry in a certain set of LDAP entries has got the candidate attribute, it is not worthwhile to index the attribute, because slapd needs to read each entry in any case in order to find the requested one. This is the case for uidNumber as well as gidNumber, because both are compulsory attributes for objectClass posixAccount.
My first question: is it therefore correct to disregard the above indexing requests of slapd?
2. About slapindex:
When it comes to using slapindex, the docu is not clear about how to do that. Some places say that you need to stop slapd entirely, some places say that it is sufficient to put slapd in read-only mode for the corresponding background database, which in this case would be /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif. This file contains both the olcReadOnly and the olcDbIndex attributes.
So I could just add the following two lines in the above file:
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
set the olcReadOnly attribute to TRUE, and restart slapd, and everything would be done automatically?
Or would I need to invoke slapindex additionally with the following command:
slapindex -c
And if I had to start slapindex additionally, would slapindex tell me that the database is in read-only mode, so no changes are possible, not even index changes?
And, if I had to start slapindex additionally, I would do it as root. Would the files generated by slapindex be owned by root (inaccessible by slapd) or by the slapd user?
Would the new indexes be propagated to the backup servers by syncrepl automatically? If not, what would I have to change on the backup servers?
Thank you for your attention
suomi
On Wednesday 13 July 2011 09:49:06 openldap@ayni.com wrote:
> Hi listers
> Installation here: openldap-servers-2.4.15-7.fc11.i586
> One master server, two backup servers (syncrepl).
> All authentication and mailing is managed by ldap.
> - About indexing:
> When I check the slapd log, I see many
> <= bdb_equality_candidates: (uidNumber) not indexed
> <= bdb_equality_candidates: (gidNumber) not indexed
> In the discussion about slapd tuning http://www.openldap.org/doc/admin24/tuning.html#Indexes, however, I read that if each entry in a certain set of LDAP entries has got the candidate attribute, it is not worthwhile to index the attribute, because slapd needs to read each entry in any case in order to find the requested one. This is the case for uidNumber as well as gidNumber, because both are compulsory attributes for objectClass posixAccount.
> My first question: is it therefore correct to disregard the above indexing requests of slapd?
No. The Admin Guide section you are referring to is about "presence" indexing. The log message you pasted above is about a missing "equality" index.
> - About slapindex:
> When it comes to using slapindex, the docu is not clear about how to do that. Some places say that you need to stop slapd entirely, some places say that it is sufficient to put slapd in read-only mode for the corresponding background database, which in this case would be /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif. This file contains both the olcReadOnly and the olcDbIndex attributes.
> So I could just add the following two lines in the above file:
> olcDbIndex: uidNumber eq
> olcDbIndex: gidNumber eq
> set the olcReadOnly attribute to TRUE, and restart slapd, and everything would be done automatically?
No. If you are using cn=config you should only do configuration via LDAP. You should never touch the files in /etc/openldap/slapd.d/ directly (there have been many threads about why touching /etc/openldap/slapd.d/ is a bad idea, please see the archives for details).
If you add the new index by doing an ldapmodify on "olcDatabase={2}bdb,cn=config" you get the additional benefit that slapd will start generating the new indexes on the fly in the background. No need to run slapindex in that case.
> Or would I need to invoke slapindex additionally with the following command:
> slapindex -c
> And if I had to start slapindex additionally, would slapindex tell me that the database is in read-only mode, so no changes are possible, not even index changes?
> And, if I had to start slapindex additionally, I would do it as root. Would the files generated by slapindex be owned by root (inaccessible by slapd) or by the slapd user?
> Would the new indexes be propagated to the backup servers by syncrepl automatically? If not, what would I have to change on the backup servers?
Depends on the configuration of your servers. Do they replicate the cn=config database as well? If yes they'll automatically get the configuration changes (if you did them via LDAP).
Ralf
openldap-technical@openldap.org
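
The reply above recommends adding the missing equality indexes with an ldapmodify against "olcDatabase={2}bdb,cn=config" rather than editing slapd.d. The script below is an added example, not code from either poster: it extracts the attributes named in "not indexed" log lines and prints the matching LDIF change record. The function names, the sample log prefix and the ldapi/EXTERNAL bind in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example: derive an olcDbIndex change from slapd "not indexed" messages.
DB_DN='olcDatabase={2}bdb,cn=config'   # DN named in the reply above

# stdin: slapd log lines. stdout: unique attributes lacking an equality index.
unindexed_eq_attrs() {
    sed -n 's/.*bdb_equality_candidates: (\([A-Za-z][A-Za-z0-9;-]*\)) not indexed.*/\1/p' |
        sort -u
}

# stdin: attribute names, one per line. $1: database DN in cn=config.
# stdout: one LDIF modify record; returns non-zero when there is nothing to add.
index_ldif() {
    awk -v dn="$1" '
        NF { attrs[++n] = $1 }
        END {
            if (n == 0) exit 1
            print "dn: " dn
            print "changetype: modify"
            print "add: olcDbIndex"
            for (i = 1; i <= n; i++) print "olcDbIndex: " attrs[i] " eq"
        }'
}

# Constructed sample log (syslog prefix, host name and PID are made up).
sample_log() {
    cat <<'EOF'
Jul 13 09:40:01 ldap1 slapd[2211]: <= bdb_equality_candidates: (uidNumber) not indexed
Jul 13 09:40:01 ldap1 slapd[2211]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 13 09:40:07 ldap1 slapd[2211]: <= bdb_equality_candidates: (gidNumber) not indexed
Jul 13 09:41:12 ldap1 slapd[2211]: <= bdb_equality_candidates: (uidNumber) not indexed
EOF
}

# Print the change record for review.
sample_log | unindexed_eq_attrs | index_ldif "$DB_DN"

# To apply it over LDAP instead of editing slapd.d (assumes the local root
# identity is allowed to modify cn=config via ldapi):
#   ... | ldapmodify -Y EXTERNAL -H ldapi:///
```

Whether replicas pick up the change depends, as the reply says, on whether cn=config is replicated; if it is not, the same record has to be applied on each backup server.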