Like other databases, an LDAP server (OpenLDAP's slapd here) maintains index tables to speed up queries. Any attribute can be indexed, and an index can be built for equality matching (a filter such as (uid=ameyer)), for substring matching (a filter such as (uid=*meyer*)), or both. OpenLDAP also offers presence (pres) and approximate (approx) indexes, which this post does not use. A filter on an attribute that has no index of the matching kind forces slapd to walk every entry in the database, so on a large directory such searches are slow and, for any client that is allowed to search, a cheap way to tie up the server.
Stock Values
By default the following index tables are created:
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
or:
| Attribute | Equality | Substring | Notes |
|---|---|---|---|
| objectClass | X | | Defines one or more object classes belonging to an object |
| cn | X | | The Common Name of an object (usually a user's first name) |
| uid | X | | The User ID of an object (usually a user's username) |
| uidNumber | X | | A user's POSIX style user ID (1000) |
| gidNumber | X | | A group's POSIX style group ID (1000) |
| member | X | | The Distinguished Name of a member of a groupOfNames |
| memberUid | X | | The POSIX User ID of a member of a POSIX style group |
Improved Values
Here are the index values that I use:
olcDbIndex: objectClass eq
olcDbIndex: cn,sn,uid,mail eq,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid,memberOf eq
or:
| Attribute | Equality | Substring | Notes |
|---|---|---|---|
| objectClass | X | | Defines one or more object classes belonging to an object |
| cn | X | X | The Common Name of an object (usually a user's first name or full name) |
| sn | X | X | The Surname of an object (usually a user's last name) |
| uid | X | X | The User ID of an object (usually a user's username) |
| mail | X | X | The email address of a user (ameyer@zerosla.com) |
| uidNumber | X | | A user's POSIX style user ID (1000) |
| gidNumber | X | | A group's POSIX style group ID (1000) |
| member | X | | The Distinguished Name of a member of a groupOfNames |
| memberUid | X | | The POSIX User ID of a member of a POSIX style group |
| memberOf | X | | A dynamic attribute maintained by the memberOf overlay [1] |
[1] memberOf values are the Distinguished Names of the groupOfNames entries a user belongs to, maintained by the memberof overlay. This is useful for two reasons:
- If the user object is deleted, the corresponding member values are removed from every groupOfNames listed. This only happens when the overlay's referential-integrity option (olcMemberOfRefInt) is set to TRUE; it is FALSE by default.
- It provides a way to determine group membership by querying the user object instead of searching all groupOfNames objects. Because memberOf is an operational attribute, clients have to request it explicitly (or with "+"); it is not returned by a plain search for all attributes.

Why the other changes:
- Adding an index for mail significantly speeds up lookups of a user by email address: great for postfix systems.
- cn, sn, uid and mail also get substring index tables: these are (usually) short values that are commonly substring-searched when performing user searches. Substring indexes cost more disk space and write time than equality indexes, so keep them to attributes that really are searched that way.
- Some systems prefer to use memberOf instead of member to determine group membership; indexing it speeds those queries up as well. memberOf only exists as an attribute type while the memberof overlay is loaded, so slapd will reject an olcDbIndex value that names it on a server without the overlay.
Deployment
Your environment may vary, but I will assume that you are using a single MDB database for your LDAP directory as this is the stock configuration.
change-indices.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass eq
olcDbIndex: cn,sn,uid,mail eq,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid,memberOf eq
ldapmodify -Y EXTERNAL -H ldapi:/// -v -f ./change-indices.ldif
When executed, this ldif replaces ALL olcDbIndex values of the database with the list provided, so any index you had added earlier (for example entryUUID/entryCSN on a syncrepl provider) disappears unless you include it. Edit the ldif if you have already customized your index tables, or use "add: olcDbIndex" for just the new values (an add fails if a value already exists, which is a useful safety check). Because the change goes through cn=config on a running server, slapd builds the new MDB index tables itself in the background; you do not need to stop it or run slapindex. slapindex is only for servers configured from slapd.conf, and there it must be run with slapd stopped and as the user slapd runs as (or followed by a chown), otherwise slapd cannot open the index files it left behind as root.
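Because "replace: olcDbIndex" wipes whatever was there, it is safer to generate the ldif from the server's current values than to type it by hand. The Python script below is an added example, not code from the original post: it parses the olcDbIndex values out of an ldapsearch dump of the database entry, unions them with the index set recommended above, writes the replace ldif one attribute per value, and then scans slapd stats-log lines for the "not indexed" messages slapd emits when a search hits an attribute without a suitable index. The database DN, the sample dump, the extra entryUUID/entryCSN index and the log lines (including the employeeNumber search) are all constructed for the example so that the merge and the check have something to do.

```python
"""Merge olcDbIndex values with a recommended set, emit a replace LDIF, and
report attributes slapd logged as unindexed. Added example; not from the post."""
import re
from collections import OrderedDict

# Assumed DN of the single MDB database, as in the post.
CONFIG_DN = "olcDatabase={1}mdb,cn=config"

# Canonical order for index types so merged values render consistently.
INDEX_TYPE_ORDER = ["pres", "eq", "approx", "sub", "subinitial", "subany", "subfinal"]

# Constructed sample of what `ldapsearch -Y EXTERNAL -H ldapi:/// -b <CONFIG_DN> olcDbIndex`
# returns on a server that already carries a local customisation (entryUUID/entryCSN).
CURRENT_CONFIG_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryUUID,entryCSN eq
"""

# The index set recommended in the post.
RECOMMENDED_INDEXES = [
    "objectClass eq",
    "cn,sn,uid,mail eq,sub",
    "uidNumber,gidNumber eq",
    "member,memberUid,memberOf eq",
]

# Constructed slapd log lines (loglevel stats) for two searches, one of them on an
# attribute (employeeNumber) that neither the server nor the post indexes.
SAMPLE_SLAPD_LOG = """\
conn=1003 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(mail=*@example.com)"
<= mdb_substring_candidates: (mail) not indexed
conn=1004 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(employeeNumber=1042)"
<= mdb_equality_candidates: (employeeNumber) not indexed
"""

NOT_INDEXED_RE = re.compile(r"<= mdb_(\w+)_candidates: \(([\w;-]+)\) not indexed")
# slapd names the candidate routine after the filter type; map that to the olcDbIndex keyword.
CANDIDATE_TO_INDEX = {"equality": "eq", "substring": "sub", "presence": "pres", "approx": "approx"}


def parse_index_spec(spec):
    """Parse one olcDbIndex value, e.g. 'cn,uid eq,sub' -> [('cn', {'eq','sub'}), ('uid', {...})]."""
    attrs, _, types = spec.strip().partition(" ")
    if not types.strip():
        raise ValueError(f"index spec without index types: {spec!r}")
    type_set = {t.strip() for t in types.split(",") if t.strip()}
    return [(a.strip(), set(type_set)) for a in attrs.split(",") if a.strip()]


def current_index_specs(ldif_text):
    """Pull olcDbIndex values out of an ldapsearch LDIF dump (plain, unfolded ASCII values assumed)."""
    return [line.split(":", 1)[1].strip()
            for line in ldif_text.splitlines() if line.startswith("olcDbIndex:")]


def merge_index_specs(*spec_lists):
    """Union the index types per attribute, keeping first-seen attribute order."""
    merged = OrderedDict()
    for specs in spec_lists:
        for spec in specs:
            for attr, types in parse_index_spec(spec):
                merged.setdefault(attr, set()).update(types)
    return merged


def sort_types(types):
    """Order index types canonically; unknown keywords go last, alphabetically."""
    return sorted(types, key=lambda t: (INDEX_TYPE_ORDER.index(t) if t in INDEX_TYPE_ORDER
                                        else len(INDEX_TYPE_ORDER), t))


def render_replace_ldif(merged, dn=CONFIG_DN):
    """Emit a `replace: olcDbIndex` LDIF with one olcDbIndex value per attribute."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: olcDbIndex"]
    lines += [f"olcDbIndex: {attr} {','.join(sort_types(types))}" for attr, types in merged.items()]
    return "\n".join(lines) + "\n"


def unindexed_from_log(log_text):
    """Return deduplicated (attribute, index type) pairs that slapd reported as unindexed."""
    seen = OrderedDict()
    for kind, attr in NOT_INDEXED_RE.findall(log_text):
        seen.setdefault((attr, CANDIDATE_TO_INDEX.get(kind, kind)), None)
    return list(seen)


def still_unindexed(log_text, merged):
    """Keep only the log findings that the merged index set would not fix."""
    return [(a, t) for a, t in unindexed_from_log(log_text) if t not in merged.get(a, set())]


if __name__ == "__main__":
    merged = merge_index_specs(current_index_specs(CURRENT_CONFIG_LDIF), RECOMMENDED_INDEXES)
    print(render_replace_ldif(merged))
    for attr, idx in still_unindexed(SAMPLE_SLAPD_LOG, merged):
        print(f"# still unindexed after this change: {attr} {idx}")
```

In practice you would replace CURRENT_CONFIG_LDIF with the output of ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}mdb,cn=config" olcDbIndex and SAMPLE_SLAPD_LOG with your slapd log at loglevel stats; the "not indexed" lines are the quickest way to find the attributes your applications actually search but nobody indexed. One attribute per olcDbIndex value is valid; slapd does not care whether attributes sharing an index type are grouped on one line.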