slapd[2921]: <= bdb_equality_candidates: (uid) not indexed
One of these lines is written to the log every time an LDAP search filters on an attribute that has no index. The search still succeeds, but slapd has to walk every entry in the database to evaluate the filter, which is slow and fills the log. The fix is, like most things with LDAP, completely unintuitive.
Take a look at the current indexing being done by:
sudo /usr/sbin/slapcat -n 0 -l output.ldif
and grep for olcDbIndex (mine was only indexing objectClass by default).
Create an LDIF file (indexchanges.ldif) to change the indexing attribute. The dn must match the database entry that slapcat printed (olcDatabase={1}hdb here; newer installs use {1}mdb), and because this is a replace, the value must list every index you want to keep, not only the new ones:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: uid,uidNumber,gidNumber,memberUid,uniqueMember,objectClass,cn eq
And run it with:
sudo ldapmodify -f indexchanges.ldif -D cn=admin,cn=config -x -y /etc/ldap.secret
Note that, as I mentioned previously, ldapmodify fails if you are only listening on ldaps, because without -H it connects to plain ldap://localhost. One workaround is to change SLAPD_SERVICES in '/etc/default/slapd' to include ldap:///, restart slapd, run ldapmodify, change it back, and restart slapd again. Passing -H ldaps://your.host instead avoids the restarts, provided the client trusts the server certificate; on Debian/Ubuntu the default SLAPD_SERVICES also includes ldapi:///, over which root can modify cn=config with -Y EXTERNAL -H ldapi:/// and no password at all.
You then need to tell slapd to actually build those indexes. slapd must be stopped while slapindex runs, and slapindex must run as the openldap user so the index files it creates stay owned by that user; otherwise slapd cannot open them when it starts:
sudo /etc/init.d/slapd stop
sudo su -s /bin/bash -c slapindex openldap
sudo /etc/init.d/slapd start
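To make the procedure above repeatable, here is an added script (not from the original post) that reads a `slapcat -n 0` dump, reports which attributes the main database already indexes, and generates the ldapmodify LDIF for the ones still missing. It uses `add:` rather than `replace:` so existing index values are kept, and it joins LDIF continuation lines first, because slapcat folds long values. The dump embedded in the script is a constructed, trimmed stand-in; the optional `--apply` branch assumes Debian/Ubuntu paths, the openldap user, an ldapi:/// listener on which root is mapped to a cn=config manager, and /tmp/indexchanges.ldif as a scratch file.

```shell
#!/bin/bash
# Added example (not from the original post): read a `slapcat -n 0` dump,
# report which attributes the main database already indexes, and generate the
# ldapmodify LDIF that adds equality indexes for the ones still missing.
# Uses `add:` rather than `replace:` so existing index values are kept.

# Constructed, trimmed stand-in for `slapcat -n 0` output. A real dump has many
# more attributes; the folded olcAccess line shows LDIF continuation lines.
SAMPLE_LDIF='dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcDbIndex: objectClass eq
olcLastMod: TRUE'

# Attributes that nss/pam style lookups filter on and so need an eq index.
WANTED="uid uidNumber gidNumber memberUid uniqueMember objectClass cn"

# Join LDIF continuation lines (a leading space) back onto the previous line.
unfold_ldif() {
    printf '%s\n' "$1" | awk '
        /^ / { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
        { buf = $0 }
        END { print buf }'
}

# Print only the entry for the first bdb/hdb/mdb database (paragraph mode:
# one LDIF entry per awk record, one line per field).
db_entry() {
    unfold_ldif "$1" | awk 'BEGIN { RS = ""; FS = "\n" }
        $1 ~ /^dn: olcDatabase=.*(bdb|hdb|mdb),cn=config$/ { print; exit }'
}

# List attribute names that already have an olcDbIndex value in an entry
# ("uid,cn eq" indexes two attributes; "default" is a keyword, not one).
indexed_attrs() {
    printf '%s\n' "$1" | awk '
        /^olcDbIndex:/ {
            sub(/^olcDbIndex: */, "")
            n = split($1, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "default") print a[i]
        }'
}

# Space-separated WANTED attributes that the entry does not index yet.
missing_attrs() {
    local have a out=""
    have=" $(indexed_attrs "$1" | tr '\n' ' ') "
    for a in $WANTED; do
        case "$have" in
            *" $a "*) ;;
            *) out="$out $a" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Emit the modify LDIF for ldapmodify; fails (exit 1) if nothing is missing.
make_modify_ldif() {
    local entry dn missing a
    entry=$(db_entry "$1")
    [ -n "$entry" ] || return 1
    dn=$(printf '%s\n' "$entry" | sed -n '1s/^dn: //p')
    missing=$(missing_attrs "$entry")
    [ -n "$missing" ] || return 1
    printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n' "$dn"
    for a in $missing; do
        printf 'olcDbIndex: %s eq\n' "$a"
    done
}

# Offline by default: print the LDIF that would be applied to the sample.
# With --apply, run the real procedure from the post against the local slapd
# (assumed: Debian/Ubuntu paths, the openldap user, an ldapi:/// listener on
# which root may manage cn=config, and /tmp/indexchanges.ldif as scratch).
if [ "${1:-}" = "--apply" ]; then
    dump=$(sudo slapcat -n 0)
    make_modify_ldif "$dump" > /tmp/indexchanges.ldif || { echo "nothing to add"; exit 0; }
    sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/indexchanges.ldif
    sudo /etc/init.d/slapd stop
    sudo -u openldap slapindex -F /etc/ldap/slapd.d
    sudo /etc/init.d/slapd start
else
    make_modify_ldif "$SAMPLE_LDIF"
fi
```

Run with no arguments to see the generated LDIF for the sample; run with `--apply` on the server itself to modify cn=config and rebuild the indexes. Because the generated change is an `add:`, rerunning it after the indexes exist fails with "nothing to add" rather than silently dropping indexes someone else configured.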
4 comments:
I got this error trying ldapmodify:
"ldap_modify: Insufficient access (50)", though I use the admin user. Do I need to configure anything else?
ldap.secret?
I ran ldapmodify, and the output was:
ldap_bind: Invalid credentials (49)
What happened?
I ran into this issue on turnkey openldap.
Here is what I used to resolve it.
Save your /etc/ldap/slapd.d & /var/lib/ldap first
stop ldap (/etc/init.d/slapd stop)
edit (/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif)
add directly under olcDbIndex: objectClass eq
olcDbIndex: cn eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
run as root (slapindex -F /etc/ldap/slapd.d/)
Check file permissions in (/var/lib/ldap/)
Everything should be owned by openldap
run (chown openldap:openldap *) if not
start ldap (/etc/init.d/slapd start)
Hope this works!