On 02/22/2017 10:30 AM, Gordon Messmer wrote:
On 02/22/2017 03:27 AM, wodel youchi wrote:
we have many entries like these
* Unindexed Search #32105 (notes=A)
(&(null=uid=lastname.lastname,ou=people,dc=domain,dc=tld))
- Bind DN: cn=directory manager
*
You've got two problems here. One is that you appear to be using
"cn=directory manager" for one of your LDAP clients, and that is a
very serious security risk. Don't do that!
The other is that this application appears to be misconfigured. It
looks like it's searching for an attribute whose value will be an LDAP
DN, but it doesn't have the name of that attribute. It might be
looking for a group by "member" but because it doesn't know the name
of the attribute, it's searching for an attribute named "null".
*Unindexed Component #1 (notes=U)
** - Search Base: ou=people,***dc=domain,dc=tld*
- Search Filter: (&(objectclass=*)(uid=pat))
- Bind DN: uid=dovecot,***dc=domain,dc=tld**
Take a look at either the 389 console or
/etc/dirsrv/slapd-<instance>/dse.ldif (where you will look for default
indexes,cn=config,cn=ldbm database,cn=plugins,cn=config). You should
see equality indexes (nsIndexType: eq) for both of those attributes by
default. Is one of them not currently indexed?
A tiny correction...
presence (pres) for objectclass, and
equality (eq) for uid
And we recommend to tune nsslapd-idlistscanlimit with the appropriate
value to avoid unnecessary unindexed search.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/Database_Plug_in_Attributes.html#nsslapd_idlistscanlimit
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
