Univention Bugzilla – Bug 54092
Add LDAP eq Index for krb5ValidStart
Last modified: 2022-08-08 13:39:02 CEST
The standard feature developed for Bug #53631 uses a cron job which periodically searches for "(krb5ValidStart<=$now)". The attribute should be added to the eq index. The discussion at https://www.openldap.com/lists/openldap-technical/201205/msg00027.html doesn't recommend indexing for combined filters like "(&(krb5ValidStart<=$now)(disabled=1))", but in this case the script /usr/share/univention-directory-manager-tools/univention-delayed-account-activation doesn't use a combined filter and the script removes that attribute for all matched accounts, so the number of match candidates should always be low, so an index should be beneficial.
Just to satisfy my hunger for knowledge: Does OpenLDAP have an "EXPLAIN" to investigate its query plan? I'm asking this as I haven't found any information on if OpenLDAP does query optimization by itself, e.g. if swapping the constraints makes any difference:
1. (&(krb5ValidStart<=$now)(disabled=1))
2. (&(disabled=1)(krb5ValidStart<=$now))

- Lacking any index a full scan has to be performed anyway -> slow

    FOR entry IN ALL:
        IF NOT (entry.krb5ValidStart <= $now): CONTINUE
        IF NOT (entry.disabled == 1): CONTINUE
        YIELD entry

- If you have an index you normally can drastically reduce the number of entries to check
- if the other constraints do not have an index you just iterate over them and check them directly

    FOR entry IN FROM_BTREE_INDEX(SEEK="krb5ValidStart = $now", DIRECTION=backwards):
        IF NOT (entry.disabled == 1): CONTINUE
        YIELD entry

    FOR entry IN FROM_HASHED_INDEX("disabled == 1"):
        IF NOT (entry.krb5ValidStart <= $now): CONTINUE
        YIELD entry

- if other constraints are also indexed, you can combine both index results via logical AND or OR. This might be very expensive if your number of potential objects is large as then you have to create, combine, free large bitmaps.

    BY_krb5ValidStart := {entry FOR entry IN FROM_BTREE_INDEX(SEEK="krb5ValidStart = $now", DIRECTION=backwards)}
    BY_valid := {entry FOR entry IN FROM_HASHED_INDEX("disabled == 1")}
    FOR entry IN (BY_krb5ValidStart & BY_valid):
        YIELD entry

That question was also asked at <https://www.openldap.org/lists/openldap-technical/201204/msg00124.html> but remains unanswered there.
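The plans sketched in the comment above, modelled as an added Python example (not code from this bug report, from Univention or from OpenLDAP, and not a description of how slapd plans a search). The directory contents, `NOW` and every function name are constructed assumptions; the point is the count of entries each plan touches when only a few accounts carry krb5ValidStart, the situation the bug description relies on.

```python
import bisect

NOW = 1_000_000  # constructed stand-in for $now

def build(n=10_000, scheduled=8):
    """Constructed directory: every 10th entry is disabled; the first
    `scheduled` disabled entries carry krb5ValidStart, every other one due."""
    entries = {i: {"disabled": int(i % 10 == 0)} for i in range(n)}
    for k in range(scheduled):
        entries[k * 10]["krb5ValidStart"] = NOW - 100 if k % 2 == 0 else NOW + 100
    return entries

def due(e):
    # An entry without the attribute never matches (krb5ValidStart<=$now).
    return "krb5ValidStart" in e and e["krb5ValidStart"] <= NOW

def ordered_index(entries):
    # Sorted (value, id) pairs; only entries that have the attribute appear.
    return sorted((e["krb5ValidStart"], i) for i, e in entries.items()
                  if "krb5ValidStart" in e)

def hash_index(entries):
    idx = {}
    for i, e in entries.items():
        idx.setdefault(e["disabled"], set()).add(i)
    return idx

def ids_due(oidx):
    cut = bisect.bisect_right(oidx, (NOW, float("inf")))
    return [i for _, i in oidx[:cut]]

# Each plan returns (matching ids, number of entries or index ids touched).
def full_scan(entries):
    return [i for i, e in entries.items() if due(e) and e["disabled"] == 1], len(entries)

def plan_start_index(entries, oidx):
    cands = ids_due(oidx)
    return [i for i in cands if entries[i]["disabled"] == 1], len(cands)

def plan_disabled_index(entries, hidx):
    cands = hidx.get(1, set())
    return sorted(i for i in cands if due(entries[i])), len(cands)

def plan_intersect(oidx, hidx):
    by_start, by_disabled = set(ids_due(oidx)), hidx.get(1, set())
    return sorted(by_start & by_disabled), len(by_start) + len(by_disabled)

if __name__ == "__main__":
    d = build(); o, h = ordered_index(d), hash_index(d)
    for name, res in [("full scan", full_scan(d)), ("krb5ValidStart index", plan_start_index(d, o)),
                      ("disabled index", plan_disabled_index(d, h)), ("intersection", plan_intersect(o, h))]:
        print(f"{name:22} hits={res[0]} touched={res[1]}")
```

All four plans return the same accounts; they differ only in how much they touch, and the ordered index on the sparse attribute touches the fewest.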
Issue: krb5ValidStart was not added to eq-index (LDAP) in any way.
Fix: Added attribute (static) within recommended indexlist at file "ldap_setup_index"
fixed with branch: asteffen/54092-add-krb5VailidStart-to-eq-index
requesting QA
To see the problem, execute
# /usr/share/univention-directory-manager-tools/univention-delayed-account-activation
# grep krb5ValidStart /var/log/syslog | tail
After installing the updated package, the problem remains. The script "ldap_setup_index" was not executed by the update.
Please don't invoke slapindex via an errata update. This will cause severe downtimes on bigger installations and most maintenance windows for errata updates in the wild are not long enough for this. Maybe just run it on new installs and add a hint to the changelog and UCS 5.0-2 release notes to run slapindex/ldap_setup_index manually on existing installs.
Also, for new installs an explicit reindex doesn't make sense, does it?
OK, please merge the change to 5.0-1, changelog, build and create an advisory (yaml) that contains instructions how to manually run the script, so that it creates the index. Alternatively point in the yaml to an existing page on help.univention.com or create a new one, that explains the steps.
Rebased branch to avoid copyright errors in pipelines. The merge request can be found here: https://git.knut.univention.de/univention/ucs/-/merge_requests/254
changes have been applied with https://git.knut.univention.de/univention/ucs/-/commit/92dccc0b2e36cc157058c09a60aa172422451673 and merged with 5.0-1
(In reply to Alexander Steffen from comment #11)
> changes have been applied with
>
> https://git.knut.univention.de/univention/ucs/-/commit/92dccc0b2e36cc157058c09a60aa172422451673
>
> and merged with 5.0-1

@asteffen You added `Alexander Steffen <steffen@univention.de> Tue, 25 Feb 2022 11:22:07 +0100` to `management/univention-ldap/debian/changelog`: date from the *future* now breaks `ucslint` everywhere.

PLEASE: rebase and squash your commits before merging into main: probably nobody is interested in all the side-ways you had to take to achieve your goal, but a clean history helps everyone to understand the change in the years to come. Now we have a mess!
Successful build
Package: univention-ldap
Version: 16.0.7-15A~5.0.0.202202081250
Branch: ucs_5.0-0
Scope: errata5.0-1
OK: code change
OK: no automatic rebuild of indices
OK: help article explaining manual rebuild of indices
OK: index exists after executing code from help article
<https://errata.software-univention.de/#/?erratum=5.0x214>
I've added a KCS article to collect the current knowledge about this: https://help.univention.com/t/problem-mdb-equality-candidates-exampleldapattribute-not-indexed