Re: [Nufw-users] openldap configuration


From: Francesco Varano
Subject: Re: [Nufw-users] openldap configuration
Date: Thu, 12 Feb 2009 09:58:22 +0100

Thank you very much for your help!
Just one more question: must I run "slapindex" just once, or every time I
add an ACL?

Thank you again,
Francesco

On Wed, 2009-02-11 at 20:48 +0100, Pierre Chifflier wrote:
> On Wed, Feb 11, 2009 at 11:38:43AM +0100, Francesco Varano wrote:
> > Dear all,
> >  I'm having some trouble configuring LDAP ACLs with the OpenLDAP server.
> >  
> >  I installed nuface and configured everything following the docs, but
> > I'm having some problems with LDAP indexes.
> 
> Hi,
> 
> Seems you are running slapd in full debug mode (-1), which is not a good
> idea for performance. I'll assume this is for debug only - if not, you
> should reduce debug level.
> 
> 
> > 
> >  If I do not use indexes, I find plenty of these messages
> > in /var/log/syslog:
> > 
> > slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed 
> > slapd[2418]: <= bdb_inequality_candidates: (SrcIPEnd) not indexed 
> 
> Fields are not indexed. Indexes are optional, though they may increase
> performance (and require more disk, of course). You are seeing this only
> because of the debug level. These warnings are harmless, unless you
> experience problems with performance.
> 
> > 
> > Else, if I define indexes in /etc/ldap/slapd.conf as suggested:
> > 
> > index OsName,OsRelease,OsVersion,AppSig,AppName pres,eq
> > index SrcIPStart,SrcIPEnd,DstIPStart,DstIPEnd pres,eq
> > index Proto,SrcPortStart,SrcPortEnd,DstPortStart,DstPortEnd pres,eq
> > index SrcPort,DstPort pres,eq
> > 
> > then ACLs defined with nuface will not match.
> 
> This is not normal. How did you add the indexes? Remember that after
> adding lines in slapd.conf, you must run the "slapindex" command, while
> the server is stopped (this is important: without this command, entries
> will not be accessible, and if you index while the server is running,
> you will corrupt data and/or indexes).
> 
> HTH,
> Pierre
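
The procedure Pierre describes (add `index` lines to slapd.conf, then run slapindex with the server stopped), as an added example that is not part of the original thread: a wrapper that refuses to run slapindex while slapd is alive. The function names, the pidfile path and the Debian-style defaults are assumptions; only `slapindex` and `/etc/ldap/slapd.conf` come from the messages above.

```shell
#!/bin/sh
# Added example, not from the thread. The defaults below are assumptions
# (Debian-style layout); adjust them to your installation.
SLAPD_CONF="${SLAPD_CONF:-/etc/ldap/slapd.conf}"
SLAPD_PID="${SLAPD_PID:-/var/run/slapd/slapd.pid}"   # assumed pidfile path
SLAPINDEX="${SLAPINDEX:-slapindex}"

# Print one attribute per line for every "index" directive in a slapd.conf.
indexed_attrs() {
    awk '$1 == "index" { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$1"
}

# Succeed (0) if the pidfile names a live process.
# /proc is checked too, because kill -0 fails on another user's process.
slapd_running() {
    [ -r "$1" ] || return 1
    pid=$(tr -cd '0-9' < "$1")
    [ -n "$pid" ] && { kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; }
}

# Run slapindex only when slapd is stopped and the config declares indexes.
# Returns 1 if slapd is running, 2 if there is nothing to index.
safe_slapindex() {
    conf="${1:-$SLAPD_CONF}"; pidfile="${2:-$SLAPD_PID}"
    if slapd_running "$pidfile"; then
        echo "refusing: slapd is running (pidfile $pidfile); stop it first" >&2
        return 1
    fi
    if [ -z "$(indexed_attrs "$conf")" ]; then
        echo "no index directives in $conf; nothing to do" >&2
        return 2
    fi
    "$SLAPINDEX" -f "$conf"
}
```

Source the file and call `safe_slapindex` after editing the `index` lines and stopping the server; start slapd again only once it returns 0.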
