Wednesday, August 5, 2009

Eliminating openldap '(uid) not indexed' errors

My LDAP server logs were full of hundreds of these:
slapd[2921]: <= bdb_equality_candidates: (uid) not indexed

One of these is written every time an LDAP search filters on an attribute that has no index, so slapd has to scan candidate entries instead of using an index. The fix is, like most things with LDAP, completely unintuitive.

Take a look at the indexing currently in place by dumping the config database:

sudo /usr/sbin/slapcat -n 0 -l output.ldif

and grepping the output for olcDbIndex (mine was only indexing objectClass by default).

Create an LDIF file (indexchanges.ldif) to change the indexing attribute. Note that replace: overwrites the whole olcDbIndex value list, so list every index you want to keep, not only the new ones:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: uid,uidNumber,gidNumber,memberUid,uniqueMember,objectClass,cn eq

And run it with:

sudo ldapmodify -f indexchanges.ldif -D cn=admin,cn=config -x -y /etc/ldap.secret

Note that, as I mentioned previously, ldapmodify fails if slapd is only listening on ldaps. Change SLAPD_SERVICES in /etc/default/slapd to include ldap:///, restart slapd, run ldapmodify, change it back, and restart slapd again.

You then need to tell slapd to actually build those indexes. Run slapindex as the openldap user so the index files it creates stay owned by that user; if they end up owned by root, slapd cannot open them when it restarts:

sudo /etc/init.d/slapd stop
sudo su -s /bin/bash -c slapindex openldap
sudo /etc/init.d/slapd start
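The steps above can be checked mechanically. The following is an added example of my own, not code from the post: it parses the "not indexed" warnings out of slapd log lines, parses the olcDbIndex lines from a slapcat dump (both the one-attribute form and the comma-separated form seen in the post), reports which attributes still lack an eq index, and writes a replace-style LDIF that restates every existing index before adding the missing ones, since replace: drops any value that is not listed. The log lines, the config entry and the DN olcDatabase={1}hdb,cn=config are constructed sample input matching the post; adjust the DN to your own database.

```python
import re

# Constructed sample log lines in the form the post quotes (not real captures).
SAMPLE_LOG = """\
Aug  5 10:01:12 ldap1 slapd[2921]: <= bdb_equality_candidates: (uid) not indexed
Aug  5 10:01:12 ldap1 slapd[2921]: <= bdb_equality_candidates: (memberUid) not indexed
Aug  5 10:01:13 ldap1 slapd[2921]: <= bdb_equality_candidates: (uid) not indexed
Aug  5 10:01:14 ldap1 slapd[2921]: conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  5 10:01:15 ldap1 slapd[2921]: <= bdb_equality_candidates: (uidNumber) not indexed
"""

# Constructed sample of the database entry as `slapcat -n 0` prints it:
# objectClass only (the post's default) plus one line in the comma-separated form.
SAMPLE_CONFIG = """\
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq
olcDbIndex: cn,sn pres,sub
"""

# Matches the equality warning from the post; the loose prefix also catches the
# sibling presence/substring/inequality candidate warnings slapd emits.
NOT_INDEXED_RE = re.compile(r"candidates: \(([A-Za-z][\w-]*)\) not indexed")


def unindexed_attrs_from_log(log_text):
    """Count 'not indexed' warnings per attribute, in first-seen order."""
    counts = {}
    for line in log_text.splitlines():
        m = NOT_INDEXED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def indexed_attrs_from_config(ldif_text):
    """Parse olcDbIndex lines into {attr_lowercase: set(index types)}.

    Accepts both 'olcDbIndex: uid eq' and 'olcDbIndex: cn,sn pres,sub'.
    A line with no index types is recorded with an empty set, because slapd
    then applies its configured default set rather than a fixed one.
    Attribute names are lowercased because LDAP compares them case-insensitively.
    """
    indexes = {}
    for line in ldif_text.splitlines():
        if not line.lower().startswith("olcdbindex:"):
            continue
        parts = line.split(":", 1)[1].split()
        if not parts:
            continue
        types = set(parts[1].split(",")) if len(parts) > 1 else set()
        for attr in parts[0].split(","):
            indexes.setdefault(attr.lower(), set()).update(types)
    return indexes


def missing_eq_indexes(log_text, ldif_text):
    """Attributes the log complains about that carry no 'eq' index in config."""
    have = indexed_attrs_from_config(ldif_text)
    return [a for a in unindexed_attrs_from_log(log_text)
            if "eq" not in have.get(a.lower(), set())]


def build_modify_ldif(ldif_text, add_attrs, dn="olcDatabase={1}hdb,cn=config"):
    """Build a 'replace: olcDbIndex' LDIF that keeps every existing index and
    adds an 'eq' index for each attribute in add_attrs.

    'replace' discards any olcDbIndex value not restated, so the existing
    entries are merged back in and one line per attribute is emitted.
    """
    merged = indexed_attrs_from_config(ldif_text)
    display = {}  # remember each attribute's original spelling for readability
    for line in ldif_text.splitlines():
        if line.lower().startswith("olcdbindex:"):
            parts = line.split(":", 1)[1].split()
            for attr in (parts[0].split(",") if parts else []):
                display.setdefault(attr.lower(), attr)
    for attr in add_attrs:
        display.setdefault(attr.lower(), attr)
        merged.setdefault(attr.lower(), set()).add("eq")
    lines = ["dn: %s" % dn, "changetype: modify", "replace: olcDbIndex"]
    for key, types in merged.items():
        spec = display[key]
        if types:
            spec += " " + ",".join(sorted(types))
        lines.append("olcDbIndex: " + spec)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    missing = missing_eq_indexes(SAMPLE_LOG, SAMPLE_CONFIG)
    print("attributes needing an eq index:", missing)
    print(build_modify_ldif(SAMPLE_CONFIG, missing))
```

Feed it the real output.ldif from slapcat and a slice of /var/log/syslog instead of the samples, save the printed LDIF as indexchanges.ldif, and apply it with the ldapmodify command above; running the check again on the new config should report nothing missing. slapindex is still needed afterwards to build the index files.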

4 comments:

  1. I got this error trying ldapmodify:
    "ldap_modify: Insufficient access (50)", though I use the admin user. Do I need to configure anything else?

  2. I ran ldapmodify, and the output was this:
    ldap_bind: Invalid credentials (49)
    What happened?

  3. I ran into this issue on turnkey openldap.
    Here is what I used to resolve.

    Save your /etc/ldap/slapd.d & /var/lib/ldap first

    stop ldap (/etc/init.d/slapd stop)
    edit (/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif)
    add directly under olcDbIndex: objectClass eq

    olcDbIndex: cn eq
    olcDbIndex: gidNumber eq
    olcDbIndex: memberUid eq
    olcDbIndex: uid eq
    olcDbIndex: uidNumber eq
    olcDbIndex: uniqueMember eq

    run as root (slapindex -F /etc/ldap/slapd.d/)
    Check file permissions in (/var/lib/ldap/)
    Everything should be owned by openldap
    run (chown openldap:openldap *) if not
    start ldap (/etc/init.d/slapd start)

    Hope this works!
