ldap backend - krbPrincipalName substring search

Paul B. Henson henson at acm.org
Thu Apr 2 19:37:23 EDT 2015


I've been happily using the ldap backend via openldap for many years.
Over the past couple of days, I've seen a new message pop up a handful
of times that I've never seen before:

Apr  1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates:
(krbPrincipalName) not indexed

which basically means something did a substring search on the
krbPrincipalName, and there is no substring index, hence it had to do a
full crawl to find the matches. I've only ever had an equality index on
krbPrincipalName; this is the first time I've ever seen something try to
do a substring search. Given Kerberos is the only thing with access to
the ldap server, the search must have come from it. I don't currently
have query logging enabled so I'm not quite sure what it was up to.

Does the ldap backend need a substring index on krbPrincipalName in
addition to the equality index? What kdc or kadmin operation might
result in a substring search?

Thanks...
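Added example, not part of the original post: a small Python check that scans slapd log lines for the "not indexed" candidate warnings quoted above, tallies which attribute needs which olcDbIndex type, and emits the cn=config modification that would add the missing substring index alongside the existing equality index. Assumptions: the equality/presence/approx variants of the message share the shape of the substring one shown in the post, the log sample is constructed, and the database DN olcDatabase={1}mdb is a placeholder for the real one.

```python
import re
from collections import defaultdict

# Constructed sample slapd log lines. The first mirrors the message quoted in
# the post (rejoined onto one line); the rest are made up for illustration.
SAMPLE_LOG = """\
Apr  1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates: (krbPrincipalName) not indexed
Apr  1 16:45:48 chaos slapd[8670]: conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  1 16:46:02 chaos slapd[8670]: <= mdb_equality_candidates: (krbPrincipalName) not indexed
Apr  1 16:46:10 chaos slapd[8670]: <= mdb_substring_candidates: (krbPrincipalName) not indexed
Apr  1 16:47:30 chaos slapd[8670]: <= mdb_presence_candidates: (krbExtraData) not indexed
"""

# back-mdb candidate routine -> olcDbIndex keyword that would satisfy it.
# Assumption: the non-substring variants log the same "<= mdb_*_candidates:
# (attr) not indexed" shape as the substring message in the post.
INDEX_FOR = {"substring": "sub", "equality": "eq", "presence": "pres", "approx": "approx"}

NOT_INDEXED = re.compile(
    r"<= mdb_(?P<kind>substring|equality|presence|approx)_candidates: "
    r"\((?P<attr>[\w;-]+)\) not indexed"
)

def unindexed_searches(log_text):
    """Return {attribute: {index_type: count}} for every 'not indexed' warning."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = NOT_INDEXED.search(line)
        if m:
            hits[m.group("attr")][INDEX_FOR[m.group("kind")]] += 1
    return {attr: dict(kinds) for attr, kinds in hits.items()}

def suggest_index_ldif(hits, existing=None):
    """Build an olcDbIndex modification. 'replace' discards all current index
    lines, so `existing` (attribute -> index types already configured) must list
    every indexed attribute; here it is assumed to be just krbPrincipalName eq."""
    existing = existing or {}
    lines = ["dn: olcDatabase={1}mdb,cn=config", "changetype: modify", "replace: olcDbIndex"]
    for attr in sorted(set(existing) | set(hits)):
        types = set(existing.get(attr, ())) | set(hits.get(attr, ()))
        order = [t for t in ("eq", "pres", "sub", "approx") if t in types]
        lines.append(f"olcDbIndex: {attr} {','.join(order)}")
    return "\n".join(lines)

if __name__ == "__main__":
    found = unindexed_searches(SAMPLE_LOG)
    print(found)
    print(suggest_index_ldif(found, existing={"krbPrincipalName": {"eq"}}))
```

With a static slapd.conf rather than cn=config, the same index line goes into the database section and slapindex(8) is run while slapd is stopped.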
