
Re: disabling dn substring index



Gaël Roualland wrote:

> We are setting up an LDAP server for a huge database (5 million
> entries), and openldap performs very slowly on index building with it,
> spending a very long time building the substring dn index (dn.dbb). Is
> there a configuration way to disable it (or just build an eq index)? We
> don't really need that index in our context and it would speed up
> things.

I think that, currently, the ability to do substring searches on the
dn is closely coupled to the ability to do subtree-scope searches.
The workaround would be to skip that part in search.c in the backend.
There is a fragment in search_candidates that reads:

        if ( scope == LDAP_SCOPE_SUBTREE ) {
                lf = (Filter *) ch_malloc( sizeof(Filter) );
                lf->f_next = NULL;
                lf->f_choice = LDAP_FILTER_AND;
                lf->f_and = (Filter *) ch_malloc( sizeof(Filter) );

                lf->f_and->f_choice = LDAP_FILTER_SUBSTRINGS;
                lf->f_and->f_sub_type = ch_strdup( "dn" );
                lf->f_and->f_sub_initial = NULL;
                lf->f_and->f_sub_any = NULL;
                lf->f_and->f_sub_final = ch_strdup( e->e_ndn );

                lf->f_and->f_next = f;
                f = lf;

If you skip it, the whole backend will be searched (does not mean
necessarily a sequential read, other indexed attributes may limit
the searches).  False hits will be filtered out later.  This is
harmless, since on a large database the result of that partial
filter at the initial search on indexes will always be ID
BLOCK_ALLIDS_VALUE anyway.

But I have not tried this.

> On a side note, is there a way to change the default special attributes
> names (objectClass, userPassword) to something else?

No.  The name objectClass is sacred.  And userPassword is hardwired for
binding.  Why would you want to do that?  Maybe access lists are what you
are looking for.

Julio
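
The following is an added illustration, not part of the original message and not OpenLDAP code: a small self-contained C model of the trade-off described above, where a subtree search either narrows candidates with a dn substring (final) match or skips that step and relies on a later per-entry check to drop false hits. The entry list is constructed sample data, and `in_subtree` and `subtree_search` are hypothetical names; the later check is assumed to be a scope test on the entry's normalized DN.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample directory: normalized DNs, array index = entry ID. */
static const char *entries[] = {
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "cn=alice,ou=people,dc=example,dc=com",
    "cn=bob,ou=people,dc=example,dc=com",
    "ou=groups,dc=example,dc=com",
    "cn=admins,ou=groups,dc=example,dc=com",
};
#define NENTRIES (sizeof(entries) / sizeof(entries[0]))

/* Hypothetical helper: 1 if dn equals base or ends with "," + base. */
static int in_subtree(const char *dn, const char *base) {
    size_t dl = strlen(dn), bl = strlen(base);
    if (dl < bl || strcmp(dn + dl - bl, base) != 0) return 0;
    return dl == bl || dn[dl - bl - 1] == ',';
}

/* Model of a subtree search. use_dn_prefilter=1 mimics the dn substring
 * (final) term that narrows candidates; 0 mimics skipping it, so every
 * entry ID is a candidate. The per-entry scope test runs in both cases.
 * Returns the number of hits; *examined counts candidates fetched. */
static int subtree_search(const char *base, int use_dn_prefilter,
                          int *hits, size_t *examined) {
    int n = 0;
    *examined = 0;
    for (size_t id = 0; id < NENTRIES; id++) {
        const char *dn = entries[id];
        size_t dl = strlen(dn), bl = strlen(base);
        /* Candidate stage: plain suffix match, no RDN boundary check. */
        if (use_dn_prefilter && (dl < bl || strcmp(dn + dl - bl, base) != 0))
            continue;
        (*examined)++;
        /* Later stage: entries outside the subtree are dropped here. */
        if (in_subtree(dn, base)) hits[n++] = (int)id;
    }
    return n;
}

int main(void) {
    int a[NENTRIES], b[NENTRIES]; size_t ea, eb;
    int na = subtree_search("ou=people,dc=example,dc=com", 1, a, &ea);
    int nb = subtree_search("ou=people,dc=example,dc=com", 0, b, &eb);
    printf("with dn filter: %d hits, %zu examined\n", na, ea);
    printf("without:        %d hits, %zu examined\n", nb, eb);
    return 0;
}
```

Both variants return the same entries; only the number of candidates that have to be fetched and tested differs.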