PSla Blog

Blog Piotra Ślatały | Peter Slatala's Blog

cn=admin,cn=config password and bdb_equality_candidates: not indexed

So you want to modify your OpenLDAP configuration (cn=config). You might want to use ldapvi, as below:

[cc]
ldapvi -h ldap://localhost -D cn=admin,cn=config -b cn=config

--- Login
Type M-h for help on key bindings.

Filter or DN: cn=admin,cn=config
Password:

ldap_bind: Invalid credentials (49)
[/cc]

It asks you for a password, and you have no clue what the password was? You might be tempted to follow this advice: http://serverfault.com/questions/377762/user-not-found-for-cn-config-in-openldap and modify the config.ldif file manually… But that is not the right thing to do. The files under slapd.d carry a CRC32 checksum in their header, and a manual edit leaves it stale. If you do so, you will likely get the following error message:


[cc]
Jul 14 14:41:53 usa slapd[5953]: ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
[/cc]

So how should you add this line (olcRootPW)? To generate an SSHA hash for the new password, run:
[cc]
slappasswd -h {SSHA}
[/cc]

Let's say the output is: {SSHA}zlj44XAKxSyO7OT78PEwxpr3gVYIep0q
Create an LDIF file (here change-password-cn-config.ldif) with the following content:
[cc]
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}zlj44XAKxSyO7OT78PEwxpr3gVYIep0q
[/cc]
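and now run the following as root (-Y EXTERNAL over ldapi:/// authenticates you with your local Unix identity, so no LDAP password is needed):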
[cc]
ldapmodify -Y EXTERNAL -H ldapi:/// -f change-password-cn-config.ldif
[/cc]

After changing the password you can now run:
[cc]
ldapvi -h ldap://localhost -D cn=admin,cn=config -b cn=config
[/cc]

Now you ask: so what? Well, I didn’t look at my LDAP server for a while, but recently I noticed the following log messages:

[cc]
bdb_equality_candidates: (uniqueMember) not indexed
bdb_equality_candidates: (gidNumber) not indexed
bdb_equality_candidates: (sambaSIDList) not indexed
bdb_equality_candidates: (sambaSID) not indexed
[/cc]

I wanted to add indexes. How would I do this? Run the ldapvi command mentioned above, or create an LDIF file, and on the record “olcDatabase={1}hdb,cn=config” add the following entries:

[cc]
olcDbIndex: uniqueMember eq
olcDbIndex: gidNumber eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaGroupType eq
[/cc]

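This can be represented as the following LDIF. Because replace overwrites every existing olcDbIndex value, the list has to include the indexes you want to keep as well as the new ones: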

[cc]
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: cn eq
olcDbIndex: dc eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: gidNumber eq
olcDbIndex: objectClass eq
olcDbIndex: ou eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaSIDList eq
olcDbIndex: uid eq
olcDbIndex: uniqueMember eq
olcDbIndex: sambaGroupType eq
[/cc]
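
As an added example (not part of the original post), the script below turns the "not indexed" warnings from the slapd log into an LDIF that uses add: instead of replace:, so only the missing equality indexes are appended. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build an olcDbIndex LDIF from
# slapd "not indexed" warnings. Function names are hypothetical.

# Constructed sample log, modelled on the messages quoted in the post.
sample_log() {
cat <<'EOF'
Jul 14 14:50:01 usa slapd[5953]: bdb_equality_candidates: (uniqueMember) not indexed
Jul 14 14:50:01 usa slapd[5953]: bdb_equality_candidates: (gidNumber) not indexed
Jul 14 14:50:02 usa slapd[5953]: bdb_equality_candidates: (sambaSID) not indexed
Jul 14 14:50:03 usa slapd[5953]: bdb_equality_candidates: (gidNumber) not indexed
Jul 14 14:50:04 usa slapd[5953]: conn=1002 fd=14 ACCEPT from IP=127.0.0.1:51234 (IP=0.0.0.0:389)
EOF
}

# Read log text on stdin; print each unindexed attribute once, sorted.
# The character class accepts only well-formed attribute names, so nothing
# else from a log line can end up in the LDIF.
missing_eq_attrs() {
    sed -n 's/.*_equality_candidates: (\([A-Za-z][A-Za-z0-9;-]*\)) not indexed.*/\1/p' |
        sort -u
}

# index_ldif DN: read log text on stdin, write a modify LDIF for database DN.
# "add:" appends values, so indexes already configured are left untouched.
# Returns 1 and prints nothing when the log contains no warnings.
index_ldif() {
    attrs=$(missing_eq_attrs)
    [ -n "$attrs" ] || return 1
    printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n' "$1"
    for a in $attrs; do
        printf 'olcDbIndex: %s eq\n' "$a"
    done
}

# Demo: print the LDIF for the sample log; save it and apply it with
# ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
sample_log | index_ldif 'olcDatabase={1}hdb,cn=config'
```

If one of the listed values is already configured, ldapmodify rejects the whole change, so review the generated list first; every index also costs disk space and write time.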

One response to “cn=admin,cn=config password and bdb_equality_candidates: not indexed”

  1. prego

    awesome! i’ve been looking for the first part since ages. thanks mate! 🙂
