Wednesday, August 5, 2009

Eliminating openldap '(uid) not indexed' errors

My ldap server logs were full of hundreds of these:
slapd[2921]: <= bdb_equality_candidates: (uid) not indexed

Basically one of these gets written every time a ldap search is done on a non-indexed attribute. The fix is, like most things with LDAP, completely unintuitive.

Take a look at the current indexing being done by:

sudo /usr/sbin/slapcat -n 0 -l output.ldif

and grep for olcDbIndex (mine was only indexing objectClass by default).

Create a ldif file (indexchanges.ldif) to change the indexing attribute:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: uid,uidNumber,gidNumber,memberUid,uniqueMember,objectClass,cn eq


And run it with:

sudo ldapmodify -f indexchanges.ldif -D cn=admin,cn=config -x -y /etc/ldap.secret

Note that as I mentioned previously ldapmodify fails if you are only listening on ldaps. Change SLAPD_SERVICES to include ldap:/// in '/etc/default/slapd', restart ldap, use ldapmodify, change back, restart ldap.

You then need to tell it to actually build those indexes (need to keep the index files owned by openldap user):

sudo /etc/init.d/slapd stop
sudo su -s /bin/bash -c slapindex openldap
sudo /etc/init.d/slapd start

4 comments:

Anonymous said...

I got this error trying ldapmodify:
"ldap_modify: Insufficient access (50)", though I use admin user. Do I need to configure anything else?

AndreS said...

ldap.secret?

giel said...

i run ldapmodify , and output like that
ldap_bind: Invalid credentials (49)
what happend ??

Adam Hall said...

I ran into this issue on turnkey openldap.
Here is what I used to resolve.

Save your /etc/ldap/slapd.d & /var/lib/ldap first

stop ldap (/etc/init.d/slapd stop)
edit (/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif)
add directly under olcDbIndex: objectClass eq

olcDbIndex: cn eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq

run as root (slapindex -F /etc/ldap/slapd.d/)
Check file permessions in (/var/lib/ldap/)
Everything should be owned by openldap
run (chown openldap:openldap *) if not
start ldap (/etc/init.d/slapd start)

Hope this works!