You notice entries like these in
/var/log/debug or in
Nov 5 15:06:39 ucs slapd: <= mdb_equality_candidates: (<ucsAttr1>) not indexed Nov 5 15:06:40 ucs slapd: <= mdb_equality_candidates: (<ucsAttr2>) not indexed
Note: You must adopt the attribute name in brackets
<ucsAttr>to the one from your specific message!
These entries indicate attributes not being indexed for faster search. In case you see these messages really often you might generate an index for the attributes in question (
<ucsAttr>) - adopt it to the one in your message!
Note: To create the index you have to stop your OpenLDAP server. This causes interruption in service. The indexing should not take more than a couple of minutes. Consider to perform these steps during maintenance.
systemctl stop slapd /usr/share/univention-ldap/ldap_setup_index --add-eq ucsAttr1 --add-eq ucsAttr2 systemctl start slapd
If you want to make sure more data is being indexed, perform the following steps to find all attributes not indexed.
First, make sure (r)syslog will log all messages from ldap and not suppress due to flooding:
ucr set syslog/limit/burst=0 ucr set syslog/limit/interval=0 systemctl restart rsyslog systemctl restart syslog
Enable debug logging for ldap:
ucr set ldap/debug/level=257 systemctl restart slapd
Monitor logfile for matching entries
tail -F /var/log/syslog | grep "not indexed"
Create the indexes as shown above
Note for memberOf attribute
slapd: <= mdb_equality_candidates: (memberOf) not indexed
The problem arises from the order of configuration statements in the slapd.conf file. Currently the index definitions come before the loading of the memberof module, so we simply have to change that, so OpenLDAP knows the attribute when the indices are specified. I guess we just need to rename management/univention-ldap-overlay-memberof/conffiles/etc/ldap/slapd.conf.d/41univention-ldap-overlay-memberof to 39univention-ldap-overlay-memberof , to make indexing possible. Regarding the warning message that is topic of this bug please note the general advice by Michael Ströder: https://unix.stackexchange.com/questions/451118/openldap-bdb-equality-candidates-memberof-not-indexed