[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: MDB indices operations (MIT Kerberos with OpenLDAP backend)
- To: Дилян Палаузов <dpa-openldap@aegee.org>, openldap-technical@openldap.org
- Subject: Re: MDB indices operations (MIT Kerberos with OpenLDAP backend)
- From: Michael Ströder <michael@stroeder.com>
- Date: Sun, 22 Sep 2019 12:21:52 +0200
- Autocrypt: addr=michael@stroeder.com; prefer-encrypt=mutual; keydata= mQENBFbdnRoBCADj0vYA4aRwKJ6AE4mf8oElLgMT/1eLNKpJ2FYBWcwj9d8dTk5/p9b8DRxy S/qQIUUZqt9xRFZwUCm0vFeQMRDeN9xzAKoRzrJifoDOacOjG1lhZTKYvVZGgUT89Ao3QeHh Q7gPzcAKNoueoR2y3FXStOYuRrbk5PlSjVAITjsotgc7PWE9mmVYpeu8a+byK/DBHKUyolOA 1UXYvDa7MbPhMtdNm8qnwtKs1Vsyk1VkErM+5cIe+zTT6WYQcmZMRjCtWGiFTzk9W6Mdlskk WRTKhKNgokTsgcy1ecaCBUZWxv/SyXgD81+rwRi9b8Px+1reg43ayxi8sV7jrI1feybbABEB AAG0J01pY2hhZWwgU3Ryw7ZkZXIgPG1pY2hhZWxAc3Ryb2VkZXIuY29tPokBNwQTAQgAIQUC Vt2dGgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRAH3HrjaovJOFpTCACjO773gcmJ KvzjiNpUFl/gANyaJgIq4VbMQ7VthRb1F9X6YbdJ6Z99ntyESjGFCpjofcSomr2vJDpv6ht+ lY33yo20YwsMpqe2OeId0jPybG+FtabKjgBNoAk7iqnBGUvE4t0dz0n1LQVCQR2jxyTKmcNq OYpsRZ3H+6kWwJMuVgsNZglINVZ8JgV5QuLYN5jhYz+pOuFnU11bV6nWREvzZXzebe7g7Zus 6AsWjtJ0lDvgBNzLlF3/eFrVch6Bejs0SvuFseIdZQk+4YU6Rb8xul/jDFXIfo7eTmijO3dV T5AmC1cUi8czncwpgAJnEH8vYv23RoN/aw2gSMCS2huIuQENBFbdnRoBCAC7L1cTVBVZZuM/ yxSUM5CsgGBlTD1Cr7C2ngZFsHSYXVLq6NUB8GZA2iLK96CrwnFw4/Jjz4llOjc50iVRMQKL RyFWOJAMrpPq2ew5T+Uoo524D//dwVbqkFVVuvM8NPiKIDyPGCjP+acM1D8hXwhOXgQ8Iz8Q 3/GRSYjitn9JrkF0ia2nhariznBKVu0LDffxF/hOCx45+QRR2/rYYlshfZMB7nEJX9P+hVfM CSzltz9Z8CldeUbiJvnyrISReR2XBw9oh8JkIUP0BtpIaify9A7EfzOk+W9BUnWe+YwdSUsB fJxOhSv+umyW5GMqZGFu+4oYnkzbe+1LUs1JarCtABEBAAGJAR8EGAEIAAkFAlbdnRoCGwwA CgkQB9x642qLyTjEUgf+JX6Atatl/QKe37yCj1OZYNPd3B0rPLJRF5mEmrADRXLZC9+uFeDS Wxxln040gnR6rjBHrRcvVmlTDiZY26iuL16+V+0/aZ9uyXNQSzk2cwDSiI/8gvr72Y+FN5fh cGXpeNHxHilYc9onzDhxyE76cwzqTKm4q2ULIH2u9IHQ5O86Fv6nHPYhe2fy1bhQapNwi/Xl 3G3i2WNH/w7m+1zWU1IddZOjmXzoxLT1BATwXGa0Tt5RjVb2mM1Wg3Zj6kqFkF2vvKcvrwj0 q0Ap5uyfN5m0uWzQMCMoaV9HQf7f5MkS1lnwBqDgnojjVAieX5uk7olUiRuPKHMfhvXulYP8 AA==
- Content-language: en-US
- In-reply-to: <06b2595ef8a86443d4744ce3707d6297c04567ed.camel@aegee.org>
- References: <97ea652caf8c9404f01c4de300e606a20a5ed3e3.camel@aegee.org> <0440FDB1E22D09305F91818A@[192.168.1.144]> <06b2595ef8a86443d4744ce3707d6297c04567ed.camel@aegee.org>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.0
On 9/21/19 9:39 AM, Дилян Палаузов wrote:
> Does a mdb_equality_candidates log message mean, that adding indices
> will improve the search?
Not in every case. You have to analyze the filters actually used by your
application.
Otherwise blindly indexing attributes without analysis can result in
performance getting worse.
IMO in its current form the message is useless.
> The particular use-case is the OpenLDAP backend of MIT Kerberos and the indices it
> needs for this query, as discussed at
> https://github.com/krb5/krb5/pull/974#issuecomment-531167854. The debug output
> of OpenLDAP, when there is no objectClass eq index, but a krbPrincipal eq index, is:
>
> If the Kerberos LDAP DB is large and isn't shared with a lot of other
> LDAP data, almost every object in the database will match one of the
> objectClass equality tests, but only one will match the
> krbPrincipalName test. In that scenario, an objectClass index is
> useless, as it doesn't reduce the number of candidates significantly,
> while the krbPrincipalName index is useful.
Correct.
But IIRC attribute objectClass is a special case. It should have an
eq-index for other stuff. Forgot the details though. Maybe Quanah or
others could provide more info.
Ciao, Michael.