[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: MDB indices operations (MIT Kerberos with OpenLDAP backend)
- To: openldap-technical@openldap.org
- Subject: Re: MDB indices operations (MIT Kerberos with OpenLDAP backend)
- From: Дилян Палаузов <dpa-openldap@aegee.org>
- Date: Sat, 21 Sep 2019 07:39:58 +0000
- Authentication-results: mail.aegee.org/x8L7dwau007401; auth=pass (LOGIN) smtp.auth=didopalauzov
- Authentication-results: mail.aegee.org/x8L7dwau007401; dkim=none
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1569051599; i=dkim+MSA-tls@aegee.org; r=y; bh=4rHntKALMJgamsqG0H+JRgOch8uh8j/+T5HofZ2di0M=; h=Subject:From:To:Date:In-Reply-To:References; b=UHB3LREnlosWkhozbOFJrpEfuzm9BgtVzdzfQl08I4RLEqxp96gBjRLDg7zO5uV8C 1xwC8UuLBAAyS5ZLyjGW3P2ZNKydkpNOMRQ7MAxzaZZJJTTvLe+tvjUsZqLMhbVGqk L25ppFE3AlCgHjEOLHPz5drGxLXCO2HTz0zB1Xq4rOKzYD6WrMe7/ukQ5RoJ+OlGiV stC4NvCyF7NDVl3EiNapKTEJZD1jqQ2IWJDPiHJtiBE6VMiClxcZqDUiM2rrwHwid6 u7HEgYq6yuhjhtzf8G7/6ADkbC7IKYmFavkO1yjescL0Y9NNfac8DBTa6YJ3B+K9pL YQUT/f63Cyie/UhqzM9I8NfPf6ISpb9Vd6n0/xD4+R00Yzoe9IuIUhE25oYqHPEs+k S4An+p4A9Ko1obZO8iw9tqPNscnrhgTtZIOjKjIrQIzwNGtunfZWwPZKJgRRohMdIq 7KuaNkoeINO1k3MjrbD4mN2Fq5jtZWteF3DFczprrUwOGzpmi9mr4XVyeDy8+gA3tu l6W2Da8bGXS3oTYZrixQF2hSwVTiAM+piSJbSHHW30s6jr7PiWsht/f1lydebxqqeX fr43Vpntlz6dTOd0mPWP+TeoGPDs70ECO0jv6ZwHJ3ZAsx0L7jppaELO9Yrpa32qgV u6PYidgIFTPxj/7BPCxqMG68=
- In-reply-to: <0440FDB1E22D09305F91818A@[192.168.1.144]>
- References: <97ea652caf8c9404f01c4de300e606a20a5ed3e3.camel@aegee.org> <0440FDB1E22D09305F91818A@[192.168.1.144]>
- User-agent: Evolution 3.35.1
Hello Quanah,
thanks for your answer.
Does a mdb_equality_candidates log message mean, that adding indices will improve the search?
The particular use-case is the OpenLDAP backend of MIT Kerberos and the indices it
needs for this query, as discussed at
https://github.com/krb5/krb5/pull/974#issuecomment-531167854. The debug output
of OpenLDAP, when there is no objectClass eq index, but a krbPrincipal eq index, is:
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SRCH
base="cn=X.NET,cn=krbContainer" scope=2 deref=0
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/X.NET@X.NET))"
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SRCH
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
krbmaxrenewable age krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd
krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf <= mdb_equality_candidates:
(objectClass) not indexed
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SEARCH RESULT tag=101
err=0 nentries=1 text=
Does it need one index on objectClass, one index on krbPrincipal, or both?
If no mdb_candidate output can be triggered, does it mean, that creating an
index is pointless?
Moreover, it is not clear when changing the oldDbIndex on a database regenerates
the index, and when running slapindex is necessary.
My reading of https://www.openldap.org/doc/admin24/tuning.html , Section 21.3.2. “What to watch out for”, is that the
output “mdb_equality_candidates” means inefficient searches.
But a different interpretation is possible:
This equality_candidates may be targeted at the simple case, where the search filter is just one equality test, and
where an index could significantly reduce the number of candidates to be loaded and checked. For a krb5 LDAP KDB
get_principal operation, the filter expression is
(&(|(objectclass=krbprincipalaux)(objectclass=krbprincipal))(krbprincipalname=...)), so the objectClass equality test is
intersected with a krbPrincipalName equality test.
If the Kerberos LDAP DB is large and isn't shared with a lot of other LDAP data, almost every object in the database
will match one of the objectClass equality tests, but only one will match the krbPrincipalName test. In that scenario,
an objectClass index is useless, as it doesn't reduce the number of candidates significantly, while the krbPrincipalName
index is useful. In fact, it is possible for the objectClass index to slow down the search, relative to having only a
krbPrincipalName index--slapd might have to read in a large list of krbprincipal objects, then intersect that with a
one-element list of objects matching the krbPrincipalName. While that would be much faster than loading and checking
every principal object, it would still be O(n) in space and time rather than O(1).
On Thu, 2019-09-19 at 09:23 -0700, Quanah Gibson-Mount wrote:
>
> --On Wednesday, September 18, 2019 2:41 PM +0000 Дилян
> Палаузов <dpa-openldap@aegee.org> wrote:
>
> > Hello,
> >
> > https://www.openldap.org/software/man.cgi?query=slapd-mdb&apropos=0&sekti
> > on=0&manpath=OpenLDAP+2.4-Release&format=html (man slapd-mdb) is not
> > clear about indices.
> >
> > Is
> > olcDbIndex A eq
> > olcDbIndex B eq
> > the same as
> > olcDbIndex A,B eq
> > and is the latter the same as
> > oldDbIndex B,A eq
> > ? In the SQL word these are different things and while Postgresql is
> > supposed to handle "index A,B" and "index B,A" as equivalent, it does
> > not, so a query has to be tuned to make use of existing indices.
>
> LDAP is not SQL.
>
> All of these are equivalent:
>
> index A eq
> index B eq
>
> OR
>
> index A,B eq
>
> OR
>
> index B,A eq
>
> OR
>
> index default eq
> index A
> index B
>
> OR
>
> index default eq
> index A,B
>
> OR
>
> index default eq
> index B,A
>
> In all of the above cases, "A" will have an equality index created for that
> attribute, and "B" wil have an equality index created for that attribute.
> There are is no concept of "combined" indices for two attributes.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>