[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problem with searches on unindexed attributes


Here is my problem...

When I do an anonymous search on an unindexed attribute, the load on my server goes way up (a slapd process takes all the cpu). Turning on heavy logging, I was able to see that this process actually goes through all of our 40,000 records and checks if "anonymous" can perform a search operation on this attribute for this record (which he can't because we block pretty much everything to "anonymous" in our ACLs). Of course, doing this takes a lot of time. If I do the same thing on an indexed attribute, it only goes through a few records instead of all of them (which is correct).

Currently, this is only a minor problem since only a few trusted servers can communicate with our ldap server and we simply don't perform searches on unindexed attributes. However, this will change soon and we don't want somebody to put the server down by sending a bunch of anonymous searches on unindexed attributes.

Of course, building indexes on all the attributes would solve the problem. However, I already have indexes for all the attributes on which I want to allow searches (my ACLs block searches on all the other attributes anyway) and don't really need more (I've got a lot of unindexed attributes).

Is there any way to completely disable searches on an attribute? Any way to make the process return without going through all the records?