[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#9487) Indices MDB

To: openldap-its@OpenLDAP.org
Subject: (ITS#9487) Indices MDB
From: dpa-openldap@aegee.org
Date: Fri, 13 Sep 2019 16:54:55 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: &amp;#1044;&amp;#1080;&amp;#1083;&amp;#1103;&amp;#1085; &amp;#1055;&amp;#1072;&amp;#1083;&amp;#1072;&amp;#1091;&amp;#1079;&amp;#1086;&amp;#1074;
Version: 2.4
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (87.118.146.153)


How can I write to a ticket here, after I submit it?

https://www.openldap.org/software/man.cgi?query=slapd-mdb&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html
(man slapd-mdb) is not clear about indices.

Is 
olcDbIndex A eq
olcDbIndex B eq
the same as
olcDbIndex A,B eq
and is the latter the same as
oldDbIndex B,A eq
?  In the SQL word these are different things and while Postgresql is supposed
to handle "index A,B" and "index B.A" as equivalent, it does not, so a query has
to be tuned to make use of existing indices.

The particular use-case is the LDAP backend of MIT Kerberos and the indices it
needs for this query, as discussed at
https://github.com/krb5/krb5/pull/974#issuecomment-531167854.  The debug output
of OpenLDAP is:

Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SRCH
base="cn=X.NET,cn=krbContainer" scope=2 deref=0
filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/X.NET@X.NET))"
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SRCH
attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey
krbmaxrenewable age krbmaxticketlife krbticketflags krbprincipalexpiration
krbticketpolicyreference krbUpEnabled krbpwdpolicyreference
krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount
krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd
krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf <= mdb_equality_candidates:
(objectClass) not indexed
Sep 13 09:09:03 mail slapd[14296]: 5d7b5caf conn=1117 op=7 SEARCH RESULT tag=101
err=0 nentries=1 text=

Does it need one index on objectClass, one index on krbPrincipal, or one index
on "first objectClass, then krbPrincipal"?

If no mdb_candidate output can be triggered, does it mean, that creating an
index is pointless?

Moreover, it is not clear when changing the oldDbIndex on a database regenerates
the index, and when running slapindex is necessary.

Prev by Date: Re: (ITS#9055) contrib/slapd-modules/passwd/totp improvements
Next by Date: (ITS#9488) documentation: slapo-unique syntax explanation unclear
Index(es):
- Chronological
- Thread