Hi folks,
Yesterday I saw a lot of
"Apr 6 16:08:20 xen-ldap01 slapd[1167]: <= bdb_equality_candidates: (objectClass) not indexed"
in my OpenLDAP provider server log. After searching the docs (http://www.openldap.org/faq/data/cache/42.html), I applied
index objectClass eq
instead of previous
#index objectClass eq
and restarted the service.
The surprise came when a few users could not log in to the system through LDAP validation this morning. The errors in the log (in client logs) were:
[...]
Apr 9 09:11:13 hc23 sshd[44389]: pam_ldap: error trying to bind as user "uid=ivan,ou=SAT,ou=Tecnic,dc=my_company,dc=com" (Invalid credentials)
Apr 9 09:11:13 hc23 sshd[44387]: error: PAM: authentication error for illegal user ivan from XXX.XXX.XXX.XXX
[...]
The solution was easy: comment out the "index objectClass eq" parameter again in the slapd conf file.
Why does it happen? I wonder. Maybe some cache-related issue...

On Thu, Apr 09, 2009 at 11:21:29AM +0200, Jordi Espasa Clofent wrote:
> in my OpenLDAP provider server log. After searching the docs (http://www.openldap.org/faq/data/cache/42.html), I applied
> index objectClass eq
> instead of previous
> #index objectClass eq
> and restarted the service.

You need to create the actual index before restarting. slapindex will do that for you.
Andrew

On 09.04.2009 11:21, Jordi Espasa Clofent wrote:
> Hi folks,
> Yesterday I saw a lot of
> "Apr 6 16:08:20 xen-ldap01 slapd[1167]: <= bdb_equality_candidates: (objectClass) not indexed"
> in my OpenLDAP provider server log. After searching the docs (http://www.openldap.org/faq/data/cache/42.html), I applied
> index objectClass eq
> instead of previous
> #index objectClass eq
> and restarted the service.
> The surprise came when a few users could not log in to the system through LDAP validation this morning. The errors in the log (in client logs) were:
> [...]
> Apr 9 09:11:13 hc23 sshd[44389]: pam_ldap: error trying to bind as user "uid=ivan,ou=SAT,ou=Tecnic,dc=my_company,dc=com" (Invalid credentials)
> Apr 9 09:11:13 hc23 sshd[44387]: error: PAM: authentication error for illegal user ivan from XXX.XXX.XXX.XXX
> [...]
> The solution was easy: comment out the "index objectClass eq" parameter again in the slapd conf file.
> Why does it happen? I wonder. Maybe some cache-related issue...

After setting a new index in slapd.conf, you must force a rebuild of the indexes, as indicated in man slapd-bdb(5):
Note: changing index settings in slapd.conf(5) requires rebuilding indices, see slapindex(8)
The result you're seeing is because slapd is configured to use an index. It tries to search it, but if it is not up-to-date, it will return erroneous results, as you have seen.
Regards,
Jonathan Clarke
--
LinID - Open Source Identity Management
Linagora
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28 / 06 99 60 03 10
Ldap Synchronization Connector (LSC) - http://lsc-project.org/
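
A pre-restart check for the situation discussed in this thread, as an added example that is not part of the original messages: it lists attributes that slapd.conf declares as indexed but that have no index file yet, so slapindex can be run before slapd is started. It assumes back-bdb's layout of one `<attr>.bdb` file per indexed attribute under the `directory` path, a single database section, and that slapd has not yet been started with the new config; the function name and the demo paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Heuristic: it detects newly added
# index directives only, not a change of index type on an existing index.
# Assumes one database section and an unquoted "directory" path.
unbuilt_indexes() {
    conf=$1
    # Database directory as declared in slapd.conf.
    dbdir=$(awk '$1 == "directory" { print $2; exit }' "$conf")
    [ -n "$dbdir" ] || { echo "no 'directory' directive in $conf" >&2; return 2; }
    # Active "index" lines only: a commented "#index ..." has "#index" as its
    # first field and is skipped. Attribute lists may be comma-separated.
    awk '$1 == "index" && $2 != "default" {
             n = split($2, a, ",")
             for (i = 1; i <= n; i++) print a[i]
         }' "$conf" |
    sort -u |
    while read -r attr; do
        # back-bdb stores each attribute index in <attr>.bdb (assumption above).
        [ -f "$dbdir/$attr.bdb" ] || echo "$attr"
    done
}

# Constructed demo: a throwaway config and database directory in which uid is
# already indexed and objectClass has just been uncommented.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/db"
    touch "$tmp/db/id2entry.bdb" "$tmp/db/dn2id.bdb" "$tmp/db/uid.bdb"
    cat > "$tmp/slapd.conf" <<EOF
database  bdb
suffix    "dc=my_company,dc=com"
directory $tmp/db
index     uid eq
index     objectClass eq
#index    cn,sn eq,sub
EOF
    unbuilt_indexes "$tmp/slapd.conf"
    rm -rf "$tmp"
}
demo   # prints: objectClass

# For each attribute reported, with slapd stopped and running as the user
# that owns the database files (config path is a placeholder):
#   slapindex -f /path/to/slapd.conf objectClass
```
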