[Date Prev][Date Next]
Problem with searches on unindexed attributes
Here is my problem...
When I do an anonymous search on an unindexed attribute, the load on my
server goes way up (a slapd process takes all the cpu). Turning on
heavy logging, I was able to see that this process actually goes through
all of our 40,000 records and checks if "anonymous" can perform a search
operation on this attribute for this record (which he can't because we
block pretty much everything to "anonymous" in our ACLs). Of course,
doing this takes a lot of time. If I do the same thing on an indexed
attribute, it only goes through a few records instead of all of them
(which is correct).
Currently, this is only a minor problem since only a few trusted servers
can communicate with our ldap server and we simply don't perform
searches on unindexed attributes. However, this will change soon and we
don't want somebody to put the server down by sending a bunch of
anonymous searches on unindexed attributes.
Of course, building indexes on all the attributes would solve the
problem. However, I already have indexes for all the attributes on
which I want to allow searches (my ACLs block searches on all the other
attributes anyway) and don't really need more (I've got a lot of
Is there any way to completely disable searches on an attribute? Any
way to make the process return without going through all the records?