
Re: Expiration accounts and indexes ?

On 09.04.2009 11:21, Jordi Espasa Clofent wrote:
Hi folks,

Yesterday I saw a lot of

"Apr 6 16:08:20 xen-ldap01 slapd[1167]: <= bdb_equality_candidates:
(objectClass) not indexed"

in my OpenLDAP provider server log. After searching the docs
(http://www.openldap.org/faq/data/cache/42.html), I applied

index objectClass eq

instead of previous

#index objectClass eq

and restarted the service.

The surprise came this morning when a few users could not log in to the
system through LDAP validation. The errors in the log (in the client logs) were:

Apr 9 09:11:13 hc23 sshd[44389]: pam_ldap: error trying to bind as user
"uid=ivan,ou=SAT,ou=Tecnic,dc=my_company,dc=com" (Invalid credentials)
Apr 9 09:11:13 hc23 sshd[44387]: error: PAM: authentication error for
illegal user ivan from XXX.XXX.XXX.XXX

The solution was easy: comment out the "index objectClass eq" parameter
again in the slapd conf file.

Why does it happen? I wonder. Maybe some cache-related issue...

After setting a new index in slapd.conf, you must force a rebuild of the indexes, as indicated in man slapd-bdb(5):

> Note: changing index settings in slapd.conf(5) requires rebuilding
> indices, see slapindex(8)

The result you're seeing is because slapd is configured to use an index. It tries to search it, but if it is not up-to-date, it will return erroneous results, as you have seen.

Jonathan Clarke
LinID - Open Source Identity Management
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28 / 06 99 60 03 10
Ldap Synchronization Connector (LSC) - http://lsc-project.org/
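As an added example (not from this thread or from OpenLDAP itself), a small sh script that records the active index directives each time slapindex(8) is run and reports when slapd.conf has changed since, together with the stop/slapindex/chown sequence the reply refers to; the config path, database directory, stamp file and the ldap account name are assumptions.

```shell
#!/bin/sh
# Added example: guard against the failure described in the thread.
# slapd answers searches from its indexes. Enabling an "index" directive in
# slapd.conf without running slapindex(8) leaves that index empty, so
# equality searches on objectClass match nothing and, as in the log above,
# pam_ldap logins fail with "Invalid credentials".
#
# Assumed (hypothetical) paths; adjust to the distribution:
SLAPD_CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}
DB_DIR=${DB_DIR:-/var/lib/ldap}            # BDB database directory
INDEX_STAMP="$DB_DIR/.index-directives"    # directives as of last slapindex
LDAP_USER=${LDAP_USER:-ldap}               # account slapd runs as

# Print the active (uncommented) "index" directives of a config file,
# whitespace-normalised and sorted, so two configs can be compared.
# A line such as "#index objectClass eq" is ignored.
index_directives() {
    sed -n 's/^[[:space:]]*index[[:space:]]\{1,\}//p' "$1" \
        | tr -s '[:blank:]' ' ' | sed 's/ $//' | sort
}

# Return 0 (true) if the directives in config $1 differ from those recorded
# in stamp file $2, i.e. slapindex must be run; 1 if they are identical.
index_rebuild_needed() {
    [ -f "$2" ] || return 0        # never indexed with this script: rebuild
    [ "$(index_directives "$1")" != "$(cat "$2")" ]
}

# Rebuild all indexes. slapindex must not run against a live database, so
# refuse while slapd is running; afterwards hand the new files to LDAP_USER
# and record the directives they were built from.
rebuild_indexes() {
    if pgrep -x slapd >/dev/null 2>&1; then
        echo "stop slapd before running slapindex" >&2
        return 1
    fi
    slapindex -f "$SLAPD_CONF" || return 1
    chown -R "$LDAP_USER" "$DB_DIR"
    index_directives "$SLAPD_CONF" > "$INDEX_STAMP"
}

# Typical use from a deployment script (slapd already stopped):
#   index_rebuild_needed "$SLAPD_CONF" "$INDEX_STAMP" && rebuild_indexes
```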