Step 1: Check for Unindexed Attributes
- Disable System Log Rate Limits:
  echo '$SystemLogRateLimitInterval 0' >> /etc/rsyslog.conf
  echo '$SystemLogRateLimitBurst 0' >> /etc/rsyslog.conf
  invoke-rc.d rsyslog restart
- Increase LDAP Debug Level:
  ucr set ldap/debug/level=257
  /etc/init.d/slapd restart
- Identify Unindexed Searches:
  tail -f /var/log/syslog | grep "not indexed"
Step 2: Check for Recursive Group Memberships
Run the script to check for recursive group memberships:
/usr/share/univention-directory-manager-tools/check_group_recursion -v
Step 3: Verify LDAP Index for Specific Attributes
Check if specific attributes like oxDisplayName are indexed:
ucr get ldap/index/eq | grep -o oxDisplayName
- If oxDisplayName is not indexed (the command above prints nothing), add it to the index. This process may take several minutes depending on the size of your LDAP database.
  Method 1: Using ldap_setup_index
  service slapd stop
  /usr/share/univention-ldap/ldap_setup_index --add-eq oxDisplayName
  service slapd start
  Method 2: Manually Using slapindex
  service slapd stop
  ucr set ldap/index/eq="$(ucr get ldap/index/eq),oxDisplayName"
  slapindex
  service slapd start
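Steps 1 and 3 can be combined into one pass over the log. The script below is an added example, not part of the original article or of UCS: it counts the "not indexed" messages per attribute and lists the equality attributes missing from an index list in the format of ldap/index/eq. The message format "<= mdb_equality_candidates: (attr) not indexed" is an assumption about what slapd writes to syslog, and the function names, the sample lines and exampleAttr are constructed.

```shell
#!/bin/sh
# Added example: summarise slapd "not indexed" messages from syslog.
# Assumption: messages look like "<= mdb_equality_candidates: (attr) not indexed".

# stdin: syslog lines; stdout: "<count> <index type> <attribute>", most frequent first.
summarize_unindexed() {
    sed -n 's/.*<= [a-z]*_\([a-z]*\)_candidates: (\([^)]*\)) not indexed.*/\1 \2/p' |
        LC_ALL=C sort | uniq -c | awk '{print $1, $2, $3}' |
        LC_ALL=C sort -k1,1nr -k2
}

# $1: comma-separated index list (the format of "ucr get ldap/index/eq").
# stdin: output of summarize_unindexed; stdout: equality attributes not in the list.
missing_from_index() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, ","); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        $2 == "equality" && !($3 in have) { print $3 }'
}

# Constructed sample log lines (host, pid, connection ids and exampleAttr are made up).
sample_log() {
    cat <<'EOF'
Jan 10 09:15:01 dc1 slapd[2211]: conn=1042 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(oxDisplayName=Jane Doe)"
Jan 10 09:15:01 dc1 slapd[2211]: <= mdb_equality_candidates: (oxDisplayName) not indexed
Jan 10 09:15:02 dc1 slapd[2211]: <= mdb_equality_candidates: (oxDisplayName) not indexed
Jan 10 09:15:02 dc1 slapd[2211]: <= mdb_substring_candidates: (cn) not indexed
Jan 10 09:15:03 dc1 slapd[2211]: <= mdb_equality_candidates: (exampleAttr) not indexed
Jan 10 09:15:04 dc1 slapd[2211]: <= mdb_equality_candidates: (oxDisplayName) not indexed
Jan 10 09:15:04 dc1 sshd[901]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
EOF
}

# Demo on the sample; on a live system feed /var/log/syslog and "$(ucr get ldap/index/eq)".
sample_log | summarize_unindexed
sample_log | summarize_unindexed | missing_from_index 'cn,uid,memberUid'
```

The attributes with the highest counts are the ones whose missing index costs the most search time, so they are the first candidates for Step 3.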
You may also take a look at:
How To: Debug High CPU Load on LDAP Server
How-To: Enable Debugging for libnss-ldap