[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Index Usage
- To: openldap-technical@openldap.org
- Subject: Index Usage
- From: Paul <paul@ehawaii.gov>
- Date: Mon, 20 Dec 2010 12:44:37 -1000
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101208 Lightning/1.0b2 Thunderbird/3.1.7
Hi all,
When I started at this job I acquired OpenLDAP based authentication
infrastructure, which I've pretty much been able to leave to its own
devices without looking under the hood at what's going on. Recently
I've been noticing that a few minor performance problems I'm having seem
to be linked to LDAP so I've started looking at how it's set up and it's
got some quirks, e.g.
# Indices to maintain
index entryUUID eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index sudoUser eq
index uniqueMember,member eq
index objectClass pres,eq
index mail,mailAlternateAddress eq,sub
index accountStatus eq
index mailHost,deliveryMode eq
index Status,HostGroup eq
index default sub
There are only around 600 users in the ldap tree, hardly anything. It
seems a bit excessive to have that many indexes set up for the tree. Is
there any way to identify which indexes are being used and how
frequently? I'm pretty certain some of those entries probably get
checked once in a blue moon.
I'm also seeing odd entries in the ldap logs:
Dec 20 11:21:17 <server> slapd[11171]: <= bdb_equality_candidates:
(objectClass) index_param failed (18)
Dec 20 11:21:17 <server> slapd[11171]: <= bdb_equality_candidates:
(objectClass) index_param failed (18)
Dec 20 11:21:17 <server> slapd[11171]: <= bdb_equality_candidates:
(gidNumber) index_param failed (18)
Which seems bizarre given those entries are in the list of indexes.
I've tried running slapindex and restarting to no avail. Those items
still seem to throw up those alerts, as does the sudoUser entry.
On a separate note I've found the slapcat doesn't produce an LDIF file
that slapadd will use, even keeping to the same version of software
(2.3.37), or importing into newer (2.3.43).
It always errors after the first entry because it seems to be trying to
add a user to an ou that doesn't exist yet, which disturbs me slightly
because the backup infrastructure has been relying on that mechanism for
recovery. To create another ldap slave I ended up having to use Apache
Directory Studio to create the LDIF for import, which slapadd was
perfectly happy to work with. I'm not sure if that may be a known bug
that I'm running up against. I see a few entries in archives relating
to it but not much by way of response other than suggests it should work.
Paul