Home

Fixing "bdb_equality_candidates" errors on your OpenLDAP server

Mon, 2010.04.26 - 09:31 — müzso
http://trac.ebox-platform.com/wiki/Document/HowTo/LDAPoptimization
I used to get "<= bdb_equality_candidates: (cn) not indexed" messages in my /var/log/debug log file all the time. The linked page describes the fix (assuming a split OpenLDAP configuration), but it's specialized for Ebox. It's quite easy to adapt the instructions for a generic OpenLDAP setup.


Update (2013.08.12): the below instructions are not really the right way to go. Use ldapmodify instead, as described on Ubuntu's "Samba and LDAP" page.


  1. Stop the LDAP server:
    sudo stop slapd
  2. Open the right OpenLDAP config file with an editor:
    sudo vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif
  3. Add new lines (after the one with olcDbIndex: objectClass eq in it) for the missing indexes. Eg.:
    olcDbIndex: cn eq
    olcDbIndex: gidNumber eq
    olcDbIndex: memberUid eq
    olcDbIndex: uid eq
    olcDbIndex: uidNumber eq
    olcDbIndex: uniqueMember eq
  4. Run the OpenLDAP indexer for your configuration:
    sudo -u openldap slapindex -F /etc/ldap/slapd.d/
  5. Start the LDAP server:
    sudo start slapd
PS: don't forget to back up your OpenLDAP database (in /var/lib/ldap) before you touch it.

PS2: after applying the changes I was hit by something that might be a bug (or it's just me not knowing all the internals). Our users and groups come from the LDAP server which is a fileserver too. One of our users was denied access on all of our (LTSP) servers to an NFS mounted directory (that was mounted from an NFS export of the LDAP server). The directory was set to be accessible to a specific LDAP group and requesting the effective groups of that users showed that it had that group assigned. I tried reloading the nfs-kernel-server service on the LDAP+file server, I tried restarting the nscd service on both the LDAP+file server and the other (LTSP) servers and I tried remounting the directory. It didn't help. What helped was a reboot of both the LDAP server and the other (LTSP) servers. It might have been sufficient to reboot just the other (LTSP) servers, but I didn't want to pull this out any longer so I just rebooted all servers that might have been part of the problem.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Tue, 2012.04.03 - 10:58 — Anonymous (not verified)

a "d" is missing

sudo vi /etc/ldap/slap.d/cn\=config/olcDatabase\=\{1\}hdb.ldif

sudo vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif

Tue, 2012.04.03 - 11:02 — müzso

Re: a "d" is missing

Yes, thanks for the feedback. Fixed it.

Sat, 2013.03.02 - 19:43 — James (not verified)

Use 'sudo -u openldap' to avoid fixing permissions

You can use the -u option with sudo to avoid needing to fix the permissions after rebuilding the index.
sudo -u openldap slapindex -F /etc/ldap/slapd.d/
Thanks for posting this fix for missing indices!

Sun, 2013.03.03 - 19:19 — müzso

Re: Use 'sudo -u openldap' to avoid fixing permissions

Thanks! I don't know why I didn't think of this myself. Shock I've updated the post.

Fri, 2013.05.24 - 23:26 — Anonymous (not verified)

After doing your steps am

After doing your steps am getting these kind of syslog messages??

slapd[8540]: <= bdb_equality_candidates: (uid) index_param failed (13)
May 24 17:12:04 panther slapd[8540]: bdb_db_cache: db_open(uidNumber) failed: Permission denied (13)
May 24 17:12:04 panther slapd[8540]: <= bdb_equality_candidates: (uidNumber) index_param failed (13)

Sat, 2013.05.25 - 09:10 — müzso

Re: After doing your steps am

Are you sure that you ran the fourth step using sudo and the openldap user? Shock
The error messages indicate that the OpenLDAP server couldn't open some files (probably the LDAP database) due to permission problems. If you missed the use of sudo -u openldap ..., then the LDAP database files are now owned by root and the LDAP server (running with the openldap user) has no access to them.

Check out the owner of the files in the /var/lib/ldap directory. It should be the openldap user (and group). Fix it if it's not.

Wed, 2013.09.11 - 01:36 — Yuli (not verified)

An new error

Hi, after change the file, when I run slapindex -F /etc/ldap/slapd.d/, I get a error:
ldif_read_file: checksum error on “/etc/ldap/slapd.d//cn=config/olcDatabase={1}hdb/ldif ”
Seems they no longer let user to modify this file……
can anyone help?

Wed, 2013.09.11 - 06:19 — müzso

Re: A new error

Check out the link I added in the "Update ..." section a month ago:
Update (2013.08.12): the below instructions are not really the right way to go. Use ldapmodify instead, as described on Ubuntu's "Samba and LDAP" page.

Sun, 2014.06.01 - 09:04 — Udai Mehra (not verified)

Unable to see the update for checksum error

After I did the changes, I have started facing the checksum error as follows. Which I can't seem to have a control. The DS works well, but I am concerned as if it will not allow me to add new entries in the concerned file. Can you please share your experience on following error.

# slaptest -n 0
538ade12 ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif"
config file testing succeeded

Thanks,
Udai

Tue, 2014.06.03 - 21:47 — müzso

Did you read the "Update"

Did you read the "Update" section in my post about the right way to do the task described here? Did you back up your OpenLDAP DB before you started messing with it (as I suggested in my post)?