Paul B. Henson wrote:
I've been happily using the ldap backend via openldap for many years.
Over the past couple of days, I've seen a new message pop up a handful
of times that I've never seen before:

Apr  1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates:
(krbPrincipalName) not indexed

which basically means something did a substring search on the
krbPrincipalName, and there is no substring index, hence it had to do a
full crawl to find the matches. I've only ever had an equality index on
krbPrincipalName, this is the first time I've ever seen something try to
do a substring search. Given Kerberos is the only thing with access to
the LDAP server, the search must have come from it. I don't currently
have query logging enabled so I'm not quite sure what it was up to.

Does the ldap backend need a substring index on krbPrincipalName in
addition to the equality index? What kdc or kadmin operation might
result in a substring search?

1. Make sure to be aware of this schema declaration bug:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8150

2. OpenLDAP's "not indexed" messages do not mean that you should enable indexing without first analyzing the search request sent. Note that you can get lower performance by adding an index (due to the way OpenLDAP builds search candidate sets). You should enable "loglevel stats" to see the filters really used.

Ciao, Michael.
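As an added illustration of the advice above (not code from the thread, OpenLDAP or MIT Kerberos): a small Python script that reads slapd "loglevel stats" output, lists the filters that actually match an attribute by substring (as opposed to equality or presence), and pairs them with any "not indexed" warnings, so the decision about a substring index rests on the filters really sent. The log lines below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of slapd output with "loglevel stats" enabled, plus the
# "not indexed" warning from the thread. The filters and DNs are made up.
SAMPLE_LOG = """\
Apr  1 16:45:47 chaos slapd[8670]: conn=1001 op=2 SRCH base="cn=krbContainer,dc=example,dc=com" scope=2 deref=0 filter="(krbPrincipalName=host/*)"
Apr  1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates: (krbPrincipalName) not indexed
Apr  1 16:45:47 chaos slapd[8670]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=4 text=
Apr  1 16:46:02 chaos slapd[8670]: conn=1002 op=1 SRCH base="cn=krbContainer,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=krbPrincipal)(krbPrincipalName=alice@EXAMPLE.COM))"
Apr  1 16:46:02 chaos slapd[8670]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  1 16:46:10 chaos slapd[8670]: conn=1003 op=1 SRCH base="cn=krbContainer,dc=example,dc=com" scope=2 deref=0 filter="(krbPrincipalName=*)"
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .* filter="(.*)"')
NOT_INDEXED_RE = re.compile(r'<= \w+_substring_candidates: \((\w+)\) not indexed')
# One simple assertion inside a filter: "(attr=value)". A literal '*' in an
# LDAP filter value is escaped as "\2a", so a bare '*' is always a wildcard.
ASSERTION_RE = re.compile(r'\((\w+)=([^()]*)\)')


def substring_attrs(filter_str):
    """Attributes that the filter matches by substring (not equality/presence)."""
    attrs = set()
    for attr, value in ASSERTION_RE.findall(filter_str):
        if "*" in value and value != "*":   # "*" alone is a presence test
            attrs.add(attr)
    return attrs


def analyze(log_text):
    """Pair substring searches from the stats log with 'not indexed' warnings."""
    searches = []                # (conn, op, attr, filter) using a substring match
    warnings = Counter()         # attribute -> number of "not indexed" warnings
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, flt = m.groups()
            for attr in sorted(substring_attrs(flt)):
                searches.append((conn, op, attr, flt))
            continue
        m = NOT_INDEXED_RE.search(line)
        if m:
            warnings[m.group(1)] += 1
    return {"substring_searches": searches, "not_indexed": warnings}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for conn, op, attr, flt in report["substring_searches"]:
        print(f"conn={conn} op={op} substring on {attr}: {flt}")
    for attr, n in report["not_indexed"].items():
        print(f"{attr}: {n} unindexed substring candidate lookup(s)")
```

Run it over a real slapd log with stats logging on; only the searches listed as substring matches can be helped by a `sub` index, and the equality and presence searches in the same log show what an added index would not change.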


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
