Problem: Log Entries mdb_equality_candidates: (o) not indexed

Problem

You notice entries like these in /var/log/debug or in /var/log/syslog:

Nov 5 15:06:39 ucs slapd[1257]: <= mdb_equality_candidates: (<ucsAttr1>) not indexed
Nov 5 15:06:40 ucs slapd[1257]: <= mdb_equality_candidates: (<ucsAttr2>) not indexed

Note: You must adapt the attribute name in brackets (<ucsAttr>) to the one from your specific message!

Solution

These entries indicate that the attributes are not indexed, so searches on them are slower. If you see these messages very often, you might generate an index for the attributes in question (<ucsAttr>); adapt the name to the one in your message!

Note: To create the index you have to stop your OpenLDAP server. This causes an interruption in service. The indexing should not take more than a couple of minutes. Consider performing these steps during a maintenance window.

systemctl stop slapd
/usr/share/univention-ldap/ldap_setup_index --add-eq ucsAttr1 --add-eq ucsAttr2
systemctl start slapd

Note: You should not enable quickmode for the slapindex!

Additional Information

If you want to make sure more data is being indexed, perform the following steps to find all attributes not indexed.

Step 1

First, make sure (r)syslog logs all messages from LDAP and does not suppress any due to flooding:

ucr set syslog/limit/burst=0
ucr set syslog/limit/interval=0
systemctl restart rsyslog
systemctl restart syslog

Step 2

Enable debug logging for ldap:

ucr set ldap/debug/level=257
systemctl restart slapd

Step 3

Monitor the logfile for matching entries:

tail -F /var/log/syslog | grep "not indexed"

Step 4

Create the indexes as shown above
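
To decide which attributes show up "really often", the matching entries from Step 3 can be counted per attribute instead of watched with tail. The following script is an added example, not part of the original article or of UCS; the function names, the sample log lines and the threshold are assumptions made for illustration. It only prints the ldap_setup_index call shown above and does not run it, because slapd has to be stopped first.

```shell
#!/bin/sh
# Added example: summarise slapd "not indexed" messages per attribute.

# Constructed sample input in the format shown in this article.
sample_log() {
    cat <<'EOF'
Nov 5 15:06:39 ucs slapd[1257]: <= mdb_equality_candidates: (ucsAttr1) not indexed
Nov 5 15:06:40 ucs slapd[1257]: <= mdb_equality_candidates: (ucsAttr2) not indexed
Nov 5 15:06:40 ucs slapd[1257]: conn=1002 op=3 SRCH base="dc=example,dc=com" scope=2
Nov 5 15:06:41 ucs slapd[1257]: <= mdb_equality_candidates: (ucsAttr1) not indexed
Nov 5 15:06:42 ucs slapd[1257]: <= mdb_equality_candidates: (not a valid name) not indexed
Nov 5 15:06:43 ucs slapd[1257]: <= mdb_equality_candidates: (ucsAttr3) not indexed
Nov 5 15:06:44 ucs slapd[1257]: <= mdb_equality_candidates: (ucsAttr2) not indexed
Nov 5 15:06:45 ucs slapd[1257]: <= mdb_equality_candidates: (ucsAttr1) not indexed
EOF
}

# count_unindexed: reads syslog lines on stdin and prints "<count> <attribute>",
# most frequent first. Only names made of letters, digits, ';' and '-' are
# accepted, so nothing else from the log can end up in a generated command.
count_unindexed() {
    sed -n 's/.*slapd\[[0-9]*\]: <= mdb_equality_candidates: (\([A-Za-z][A-Za-z0-9;-]*\)) not indexed.*/\1/p' \
        | LC_ALL=C sort | uniq -c \
        | awk '{ print $1, $2 }' \
        | LC_ALL=C sort -k1,1nr -k2,2
}

# index_command MIN: reads syslog lines on stdin and prints the
# ldap_setup_index call for every attribute reported at least MIN times.
# Prints nothing if no attribute reaches the threshold.
index_command() {
    min=$1
    args=$(count_unindexed | awk -v min="$min" '$1 >= min { printf " --add-eq %s", $2 }')
    if [ -n "$args" ]; then
        echo "/usr/share/univention-ldap/ldap_setup_index$args"
    fi
}

# Demo on the constructed sample; on a real system use e.g.
#   index_command 50 < /var/log/syslog
sample_log | count_unindexed
sample_log | index_command 2
```

Review the printed attribute list before creating indexes, and run the printed command between "systemctl stop slapd" and "systemctl start slapd" as described in the Solution section.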

Note for memberOf attribute

slapd[7728]: <= mdb_equality_candidates: (memberOf) not indexed

See also:
Bug 47464

The problem arises from the order of configuration statements in the slapd.conf file.
Currently the index definitions come before the loading of the memberof module,
so we simply have to change that, so OpenLDAP knows the attribute when the indices are specified.

I guess we just need to rename management/univention-ldap-overlay-memberof/conffiles/etc/ldap/slapd.conf.d/41univention-ldap-overlay-memberof to 39univention-ldap-overlay-memberof, to make indexing possible.

Regarding the warning message that is the topic of this bug, please note the general advice by Michael Ströder:

https://unix.stackexchange.com/questions/451118/openldap-bdb-equality-candidates-memberof-not-indexed