Problem
You notice entries like these in /var/log/debug
:
Nov 5 15:06:39 ucs slapd[1257]: <= mdb_equality_candidates: (<ucsAttr1>) not indexed
Nov 5 15:06:40 ucs slapd[1257]: <= mdb_equality_candidates: (<ucsAttr2>) not indexed
Note: You must adopt the attribute name in brackets
<ucsAttr>
to the one from your specific message!
Solution
These entries indicate attributes not being indexed for faster search. In case you see these messages really often you might generate an index for the attributes in question (<ucsAttr>
) - adopt it to the one in your message!
Note: To create the index you have to stop your OpenLDAP server. This causes interruption in service. The indexing should not take more than a couple of minutes. Consider to perform these steps during maintenance.
systemctl stop slapd
/usr/share/univention-ldap/ldap_setup_index --add-eq ucsAttr1 --add-eq ucsAttr2
systemctl start slapd
Additional Information
If you want to make sure more data is being indexed, perform the following steps to find all attributes not indexed.
Step 1
First, make sure (r)syslog will log all messages from ldap and not suppress due to flooding:
ucr set syslog/limit/burst=0
ucr set syslog/limit/interval=0
systemctl restart rsyslog
systemctl restart syslog
Step 2
Enable debug logging for ldap:
ucr set ldap/debug/level=257
systemctl restart slapd
Step 3
Monitor logfile for matching entries
tail -f /var/log/syslog | grep "not indexed"
Step 4
Create the indexes as shown above