
Re: CN must be indexed?



On Mon, 2007-12-31 at 19:49 -0800, Howard Chu wrote:
> Andrew Bartlett wrote:
> > Working on the OpenLDAP backend for Samba4, I'm wondering if this is expected:
> 
> No, there's no special indexing requirements for any attributes. Indexing is 
> always optional. But of course, performance will suffer as DB sizes grow. It's 
> always recommended to index the "objectclass" attribute, since it's used so 
> frequently in internal searches as well as user searches, but nothing will 
> break without it.
> 
> > Is 'cn' a special attribute in the OpenLDAP code?  It seems that the
> > builtin schema definition (or something else) requires that the 'cn'
> > attribute be indexed with
> > 
> > index cn eq
> > 
> > Otherwise, searches for cn=foo fail, where cn=foo* succeeds...
> 
> Sounds like either a corrupt DB, or a bug. If you can provide a test case to 
> reproduce the problem, that'll help. More likely it's a misconfiguration...

If you still have your Samba4 build around, then with current SVN try:

TEST_LDAP=yes OPENLDAP_ROOT=/data/openldap/prefix make test

with the patch attached to this mail, which simply removes the CN index.
The provision will fail because it searches for cn=

However, the database is set up, and slapd is still running, so you can
prove it with:

ldapsearch -H ldapi://%2fdata%2fsamba%2fsamba4%2fsvn%2fsource%2fst%2fdc%2fprivate%2fldap%2fldapi -x cn=administrators*
and

ldapsearch -H ldapi://%2fdata%2fsamba%2fsamba4%2fsvn%2fsource%2fst%2fdc%2fprivate%2fldap%2fldapi -x cn=administrators

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

Index: setup/slapd.conf
===================================================================
--- setup/slapd.conf	(revision 26636)
+++ setup/slapd.conf	(working copy)
@@ -32,7 +32,6 @@
 index objectCategory eq
 index lDAPDisplayName eq
 index subClassOf eq
-index cn eq
 
 database        hdb
 suffix		${CONFIGDN}
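
Review bot: the deletion of "index cn eq" after "index subClassOf eq" carries no comment, and nothing in the file marks this as a reproducer for the failing cn=foo search rather than an intended configuration change. If this stays in a test branch, leave a comment at that spot saying the cn equality index was dropped deliberately for the test case, so it is not picked up as a real change to setup/slapd.conf.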
@@ -46,7 +45,6 @@
 index subClassOf eq
 index dnsRoot eq
 index nETBIOSName eq
-index cn eq
 
 database        hdb
 suffix		${DOMAINDN}
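
Review bot: removing "index cn eq" here, in the section just above the "suffix ${DOMAINDN}" database, at the same time as the other two removals means a failing search cannot be attributed to one database. Consider splitting the patch so the index is dropped from one database section at a time, or only from the section the failing search actually hits.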
@@ -68,7 +66,6 @@
 index subClassOf eq
 index dnsRoot eq
 index nETBIOSName eq
-index cn eq
 
 #syncprov is stable in OpenLDAP 2.3, and available in 2.2.  
 #We only need this for the contextCSN attribute anyway....
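
Review bot: after the "index cn eq" line is dropped below "index nETBIOSName eq", this section has no cn index of any kind, so both the equality and the substring search from the mail run unindexed here. To turn this into a usable test case, record next to the patch what each of the two ldapsearch commands is expected to return, so a difference between them is checked rather than observed by hand.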
