Re: Expiration accounts and indexes ?

[Jonathan Clarke <jclarke@linagora.com>]

On 09.04.2009 11:21, Jordi Espasa Clofent wrote:
> Hi folks,
>
> Yesterday I see a lot of
>
> "Apr 6 16:08:20 xen-ldap01 slapd[1167]: <= bdb_equality_candidates:
> (objectClass) not indexed"
>
> in my OpenLDAP provider server log. After searching in docs
> (http://www.openldap.org/faq/data/cache/42.html), I applied
>
> index objectClass eq
>
> instead of previous
>
> #index objectClass eq
>
> and restart the service.
>
> The suprise has been when a few users cannot login in system through
> LDAP validation this morning. The errors in log (in client logs) was:
>
> [...]
> Apr 9 09:11:13 hc23 sshd[44389]: pam_ldap: error trying to bind as user
> "uid=ivan,ou=SAT,ou=Tecnic,dc=my_company,dc=com" (Invalid credentials)
> Apr 9 09:11:13 hc23 sshd[44387]: error: PAM: authentication error for
> illegal user ivan from XXX.XXX.XXX.XXX
> [...]
>
> The solution has been easy: comment the "index objectClass eq" parameter
> again in slapd conf file.
>
> ¿Why it happens? I wonder it. Maybe some cache-related issue...

After setting a new index in slapd.conf, you must force a rebuild of the 
indexes, as indicated in man slapd-bdb(5):

> Note: changing index settings in slapd.conf(5) requires rebuilding
> indices, see slapindex(8)

The result you're seeing is because slapd is configured to use an index. 
It tries to search it, but if it is not up-to-date, it will return 
erroneous results, as you have seen.

Regards,
Jonathan Clarke
--
LinID - Open Source Identity Management
---------------------------------------------------------------
Linagora
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28 / 06 99 60 03 10
---------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org/
---------------------------------------------------------------