As a directory server admin, I need to look at access log and find out who is doing
expensive unindexed searchs. So that I can work with ldap clients to optimize search
filter and DS indexes.
The way DSEE reports notes=U make it very simple for DS admin to find expensive unindexed
searchs.
----------------------------------------
> From: picturebook16(a)hotmail.com
> To: 389-users(a)lists.fedoraproject.org
> Subject: RE: [389-users] notes=U, unindex search? really
> Date: Fri, 18 Jan 2013 11:52:22 -0500
>
> ----------------------------------------
> > Date: Fri, 18 Jan 2013 08:53:34 -0700
> > From: rmeggins(a)redhat.com
> > To: 389-users(a)lists.fedoraproject.org
> > CC: picturebook16(a)hotmail.com
> > Subject: Re: [389-users] notes=U, unindex search? really
> >
> > On 01/18/2013 08:29 AM, Picture Book wrote:
> > > filter="(&(AllowAccess=Y)(uid=bill))"
> > > AllowAccess is unindexed attribute
> > > uid is indexed attribute
> > >
> > > access log search result: notes=U
> > >
> > > I imagine that directory server will do an indexed search by uid=bill, get
the entry and then verify if AllowAccess=Y. To me this kind of search is indexed search.
> > >
> > > example:
> > >
> > > [18/Jan/2013:10:17:24 -0500] conn=124757 op=1 SRCH
base="ou=people,dc=?" scope=1
filter="(&(AllowAccess=Y)(uid=bill))" attrs=ALL
> > > [18/Jan/2013:10:17:24 -0500] conn=124757 op=1 RESULT err=0 tag=101
nentries=1 etime=0 notes=U
> > >
> > > etime=0 confirms that this search is fast.
> >
> > You might imagine that, but that's not how the server works. It parses
> > the filter, sees that AllowAccess is unindexed, and uses an unindexed
> > search.
>
> I tried filter="(&(uid=bill)(AllowAccess=Y))". no more
"notes=U". It would be great if the server can optimize search filter like I
imagine. Because some ldap clients do not allow custom search filter.
>
> Thank you.
>
> >
> > >
> > > --
> > > 389 users mailing list
> > > 389-users(a)lists.fedoraproject.org
> > >
https://admin.fedoraproject.org/mailman/listinfo/389-users
> >