On 09.04.2009 11:21, Jordi Espasa Clofent wrote:
> Hi folks,
>
> Yesterday I saw a lot of
>
> "Apr 6 16:08:20 xen-ldap01 slapd[1167]: <= bdb_equality_candidates:
> (objectClass) not indexed"
>
> in my OpenLDAP provider server log. After searching in the docs
> (http://www.openldap.org/faq/data/cache/42.html), I applied
>
> index objectClass eq
>
> instead of the previous
>
> #index objectClass eq
>
> and restarted the service.
>
> The surprise came when a few users could not log in to the system through
> LDAP validation this morning. The errors in the log (in the client logs) were:
>
> [...]
> Apr 9 09:11:13 hc23 sshd[44389]: pam_ldap: error trying to bind as user
> "uid=ivan,ou=SAT,ou=Tecnic,dc=my_company,dc=com" (Invalid credentials)
> Apr 9 09:11:13 hc23 sshd[44387]: error: PAM: authentication error for
> illegal user ivan from XXX.XXX.XXX.XXX
> [...]
>
> The solution was easy: comment out the "index objectClass eq" parameter
> again in the slapd conf file.
>
> Why does it happen? I wonder. Maybe some cache-related issue...

After setting a new index in slapd.conf, you must force a rebuild of the
indexes, as indicated in man slapd-bdb(5):

    Note: changing index settings in slapd.conf(5) requires rebuilding
    indices, see slapindex(8)

The result you're seeing is because slapd is configured to use an index.
It tries to search it, but if it is not up-to-date, it will return
erroneous results, as you have seen.
Regards,
Jonathan Clarke
--
LinID - Open Source Identity Management
---------------------------------------------------------------
Linagora
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28 / 06 99 60 03 10
---------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org/
---------------------------------------------------------------
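
The check below is an added example, not part of the thread or of OpenLDAP: it compares the previous and the edited slapd.conf, lists the attributes whose index directive is new or changed (the situation described above), and prints the slapindex(8) command that rebuilds them. The config path and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find slapd.conf index changes that still need slapindex(8).
# The config path and sample configs below are constructed for illustration.

# Active (uncommented) index directives, whitespace-normalised and sorted.
active_indexes() {
    awk '/^index[ \t]/ { $1 = $1; print }' "$1" | LC_ALL=C sort -u
}

# Attributes whose index directive is new or changed in $2 compared with $1.
# slapd will consult these indexes even though they were never (re)built.
stale_index_attrs() {
    old=$(mktemp); new=$(mktemp)
    active_indexes "$1" > "$old"
    active_indexes "$2" > "$new"
    # comm -13 keeps only the directives that appear in the new config.
    LC_ALL=C comm -13 "$old" "$new" |
        awk '{ n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' |
        LC_ALL=C sort -u
    rm -f "$old" "$new"
}

# Print, without running it, the rebuild command for the changed attributes.
# slapd should be stopped first, and slapindex run as the user that owns
# the database files so the rebuilt index files stay readable by slapd.
reindex_plan() {
    conf=$1; shift
    # A changed "index default" line affects many attributes: rebuild all.
    case " $* " in *" default "*) echo "slapindex -f $conf"; return ;; esac
    if [ $# -eq 0 ]; then
        echo "# no index changes in $conf, nothing to rebuild"
    else
        echo "slapindex -f $conf $*"
    fi
}

# Constructed before/after configs matching the change made in the thread.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'database bdb' '#index objectClass eq' 'index uid eq' > "$dir/old.conf"
    printf '%s\n' 'database bdb' 'index objectClass eq' 'index uid eq' > "$dir/new.conf"
    # Unquoted on purpose: one word per attribute name.
    reindex_plan /etc/openldap/slapd.conf $(stale_index_attrs "$dir/old.conf" "$dir/new.conf")
    rm -rf "$dir"
}
demo
```

Running such a comparison before restarting slapd catches the window in which binds fail because the server trusts an index that has not been built yet.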