Problem

You notice entries like these in /var/log/debug:

Nov 5 15:06:39 ucs slapd[1257]: <= mdb_equality_candidates: (<ucsAttr1>) not indexed
Nov 5 15:06:40 ucs slapd[1257]: <= mdb_equality_candidates: (<ucsAttr2>) not indexed

Note: You must adopt the attribute name in brackets <ucsAttr> to the one from your specific message!

Solution

These entries indicate attributes not being indexed for faster search. In case you see these messages really often you might generate an index for the attributes in question (<ucsAttr>) - adopt it to the one in your message!

Note: To create the index you have to stop your OpenLDAP server. This causes interruption in service. The indexing should not take more than a couple of minutes. Consider to perform these steps during maintenance.

systemctl stop slapd
/usr/share/univention-ldap/ldap_setup_index --add-eq ucsAttr1 --add-eq ucsAttr2
systemctl start slapd

Additional Information

If you want to make sure more data is being indexed, perform the following steps to find all attributes not indexed.

Step 1

First, make sure (r)syslog will log all messages from ldap and not suppress due to flooding:

ucr set syslog/limit/burst=0
ucr set syslog/limit/interval=0
systemctl restart rsyslog
systemctl restart syslog

Step 2

Enable debug logging for ldap:

ucr set ldap/debug/level=257
systemctl restart slapd

Step 3

Monitor logfile for matching entries

tail -f /var/log/syslog | grep "not indexed"

Step 4

Create the indexes as shown above