ldap backend - krbPrincipalName substring search

Michael Ströder michael at stroeder.com
Mon Apr 6 09:47:11 EDT 2015


Paul B. Henson wrote:
> I've been happily using the ldap backend via openldap for many years.
> Over the past couple of days, I've seen a new message pop up a handful
> of times that I've never seen before:
>
> Apr  1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates:
> (krbPrincipalName) not indexed
>
> which basically means something did a substring search on the
> krbPrincipalName, and there is no substring index, hence it had to do a
> full crawl to find the matches. I've only ever had an equality index on
> krbPrincipalName, this is the first time I've ever seen something try to
> do a substring search. Given kerberos is the only thing with access to
> the ldap server, the search must have come from it. I don't currently
> have query logging enabled so I'm not quite sure what it was up to.
>
> Does the ldap backend need a substring index on krbPrincipalName in
> addition to the equality index? What kdc or kadmin operation might
> result in a substring search?

1. Make sure to be aware of this schema declaration bug:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8150

2. OpenLDAP's "not indexed" messages do not mean that you should enable 
indexing without first analyzing the search request sent. Note that you can 
get lower performance by adding an index (due to the way OpenLDAP builds 
search candidate sets). You should enable "loglevel stats" to see the filters 
really used.

Ciao, Michael.
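An added example (not from this thread) of the analysis step Michael suggests: once "loglevel stats" is on, each SRCH record carries the filter actually sent, and a small script can classify every assertion as presence, substring or equality and report the ones your configured indexes do not cover. The log lines and the index map below are constructed to look like slapd stats output and an "index krbPrincipalName eq" configuration; they are assumptions, not data from the original post.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of slapd "loglevel stats" SRCH records
# (made-up connection ids, DNs and filters; not taken from the original post).
SAMPLE_LOG = """\
Apr  6 09:40:01 chaos slapd[8670]: conn=1001 op=2 SRCH base="cn=krbContainer,dc=example,dc=com" scope=2 deref=0 filter="(krbPrincipalName=host/kdc.example.com@EXAMPLE.COM)"
Apr  6 09:40:02 chaos slapd[8670]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  6 09:40:05 chaos slapd[8670]: conn=1002 op=1 SRCH base="cn=krbContainer,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=krbPrincipalAux)(krbPrincipalName=*@EXAMPLE.COM))"
Apr  6 09:40:09 chaos slapd[8670]: conn=1003 op=1 SRCH base="cn=krbContainer,dc=example,dc=com" scope=2 deref=0 filter="(krbPrincipalName=*)"
"""

# Assumed index configuration, equivalent to "index krbPrincipalName,objectClass eq".
INDEXED = {"krbPrincipalName": {"eq"}, "objectClass": {"eq"}}

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="(.*)"$')
# Only plain "(attr=value)" assertions are classified; >=, <= and ~= are skipped.
ASSERTION_RE = re.compile(r'\(([A-Za-z][\w;-]*)=([^()]*)\)')


def classify_value(value):
    """Return the slapd index type an assertion value needs: pres, sub or eq."""
    if value == "*":
        return "pres"          # presence filter (attr=*)
    if "*" in value:
        return "sub"           # any other wildcard is a substring filter
    return "eq"


def unindexed_assertions(log_text, indexed=INDEXED):
    """Return (conn, op, attr, index_type, filter) for assertions lacking an index."""
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue                      # not a SRCH record (e.g. SEARCH RESULT)
        conn, op, flt = m.groups()
        for attr, value in ASSERTION_RE.findall(flt):
            kind = classify_value(value)
            if kind not in indexed.get(attr, set()):
                findings.append((conn, op, attr, kind, flt))
    return findings


def summarize(findings):
    """Count unindexed assertions per (attribute, index type) to see what recurs."""
    return Counter((attr, kind) for _c, _o, attr, kind, _f in findings)


if __name__ == "__main__":
    for conn, op, attr, kind, flt in unindexed_assertions(SAMPLE_LOG):
        print(f"conn={conn} op={op} {attr} needs '{kind}' index: {flt}")
    print(summarize(unindexed_assertions(SAMPLE_LOG)))
```

Run against a real stats log, the summary shows whether the substring filter on krbPrincipalName is a rare one-off (not worth an index) or a recurring pattern worth fixing at the client or in the index configuration.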
