Re: Database indexing: slapindex

On Wednesday 13 July 2011 09:49:06 openldap@ayni.com wrote:
> Hi listers
> Installation here:
> openldap-servers-2.4.15-7.fc11.i586
> One master server, two backup servers (syncrepl).
> All authentication and mailing is managed by ldap.
> 1. About indexing:
> When I check the slapd-log, I see many
> <= bdb_equality_candidates: (uidNumber) not indexed
> <= bdb_equality_candidates: (gidNumber) not indexed
> In the discussion about slapd tuning
> http://www.openldap.org/doc/admin24/tuning.html#Indexes, however, I
> read that if each entry in a certain set of ldap-entries has got the
> candidate-attribute, it is not worthwhile to index the attribute,
> because slapd needs to read each entry in any case in order to find
> the requested one. This is the case for uidNumber as well as
> gidNumber, because both are compulsory attributes for objectClass
> posixAccount.
> My first question:
> Is it therefore correct to disregard the above indexing requests of
> slapd?
No. The Admin Guide section you are referring to is about "presence" 
indexing. The log message you pasted above is about a missing "equality" 

> 2. About slapindex:
> When it comes to using slapindex, the docu is not clear about how to do
> that. Some places say that you need to stop slapd entirely, some
> places say that it is sufficient to put slapd in read-only mode for
> the corresponding background database, which in this case would be
> /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif
> this file contains both the olcReadOnly and the olcDbIndex attributes.
> So I could just add the following two lines in the above file:
> olcDbIndex: uidNumber eq
> olcDbIndex: gidNumber eq
> set the olcReadOnly attribute to TRUE, and restart slapd, and
> everything would be done automatically?
No. If you are using cn=config you should only do configuration via LDAP.
You should never touch the files in /etc/openldap/slapd.d/ directly 
(there have been many threads about why touching /etc/openldap/slapd.d/ 
is a bad idea, please see the archives for details).

If you add the new index by doing an ldapmodify on 
"olcDatabase={2}bdb,cn=config" you get the additional benefit that slapd 
will start generating the new indexes on the fly in the background. No 
need to run slapindex in that case.

> Or would I need to invoke slapindex additionally with the following
> command slapindex -c
> And if I had to start slapindex additionally, would slapindex tell me
> that the database is in read-only mode, so no changes are possible,
> not even index changes?
> And, if I had to start slapindex additionally, I would do it as root.
> Would the files generated by slapindex be owned by root
> (inaccessible by slapd) or by the slapd user?
> Would the new indexes be propagated to the backup servers by syncrepl
> automatically? If not, what would i have to change on the backup
> servers?
Depends on the configuration of your servers. Do they replicate the 
cn=config database as well?  If yes they'll automatically get the 
configuration changes (if you did them via LDAP).
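
Archive note, added example (not part of the original message and not OpenLDAP project code): a sketch that collects the attributes named in `bdb_equality_candidates ... not indexed` log lines and builds the LDIF change for "olcDatabase={2}bdb,cn=config" that the reply says to send with ldapmodify. The function names, the sample log lines and the use of an `ldapi:///` listener with SASL EXTERNAL are assumptions; review the attribute list before applying it.

```shell
#!/bin/sh
# Database DN as given in the thread.
DB_DN='olcDatabase={2}bdb,cn=config'

# Extract the unique attribute names from "not indexed" equality warnings.
unindexed_eq_attrs() {
    sed -n 's/.*bdb_equality_candidates: (\([A-Za-z][A-Za-z0-9;-]*\)) not indexed.*/\1/p' |
        sort -u
}

# Read attribute names on stdin; emit one LDIF modify record for DN "$1"
# that adds an equality index per attribute. Fails if there is nothing to add.
index_ldif() {
    attrs=$(cat)
    [ -n "$attrs" ] || return 1
    printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n' "$1"
    for a in $attrs; do
        printf 'olcDbIndex: %s eq\n' "$a"
    done
}

# Constructed sample input: the two messages from the thread plus noise.
sample_log() {
    cat <<'EOF'
Jul 13 09:40:01 ldap1 slapd[2211]: <= bdb_equality_candidates: (uidNumber) not indexed
Jul 13 09:40:01 ldap1 slapd[2211]: <= bdb_equality_candidates: (gidNumber) not indexed
Jul 13 09:40:07 ldap1 slapd[2211]: <= bdb_equality_candidates: (uidNumber) not indexed
Jul 13 09:40:09 ldap1 slapd[2211]: conn=1042 op=3 SRCH attr=uid
EOF
}

# Use the log file given as $1, or the constructed sample if none is given.
log_source() {
    if [ -n "${1:-}" ]; then cat "$1"; else sample_log; fi
}

# Dry run by default: only print the LDIF. With APPLY=1 the change goes to the
# running slapd via LDAP, never by editing files under /etc/openldap/slapd.d/.
if [ "${APPLY:-0}" = 1 ]; then
    # Assumption: slapd listens on ldapi:/// and maps root to a cn=config manager.
    log_source "${1:-}" | unindexed_eq_attrs | index_ldif "$DB_DN" |
        ldapmodify -Y EXTERNAL -H ldapi:///
else
    log_source "${1:-}" | unindexed_eq_attrs | index_ldif "$DB_DN"
fi
```

ldapmodify rejects the whole record if one of the `olcDbIndex` values already exists, so a second run against the same log needs the already-indexed attributes removed first.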