Re: [Nufw-users] openldap configuration


From: Pierre Chifflier
Subject: Re: [Nufw-users] openldap configuration
Date: Wed, 11 Feb 2009 20:48:17 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

On Wed, Feb 11, 2009 at 11:38:43AM +0100, Francesco Varano wrote:
> Dear all,
>  I'm having some trouble configuring LDAP ACLs with the OpenLDAP server.
>  
>  I installed nuface and configured everything following the docs, but
> I'm having some problems with LDAP indexes.

Hi,

Seems you are running slapd in full debug mode (-1), which is not a good
idea for performance. I'll assume this is for debug only - if not, you
should reduce the debug level.


> 
>  If I do not use indexes I find plenty of these messages
> in /var/log/syslog:
> 
> slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed 
> slapd[2418]: <= bdb_inequality_candidates: (SrcIPEnd) not indexed 

Fields are not indexed. Indexes are optional, though they may increase
performance (and require more disk, of course). You are seeing this only
because of the debug level. These warnings are harmless, unless you
experience problems with performance.

> 
> Otherwise, if I define indexes in /etc/ldap/slapd.conf as suggested:
> 
> index OsName,OsRelease,OsVersion,AppSig,AppName pres,eq
> index SrcIPStart,SrcIPEnd,DstIPStart,DstIPEnd pres,eq
> index Proto,SrcPortStart,SrcPortEnd,DstPortStart,DstPortEnd pres,eq
> index SrcPort,DstPort pres,eq
> 
> then ACLs defined with nuface will not match.

This is not normal. How did you add the indexes? Remember that after
adding lines in slapd.conf, you must run the "slapindex" command, while
the server is stopped (this is important: without this command, entries
will not be accessible, and if you index while the server is running,
you will corrupt data and/or indexes).

HTH,
Pierre
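
The checks discussed in this message, as an added example that is not part of the original post or of NuFW: it lists the attributes slapd logged as "not indexed" that slapd.conf still does not index, and refuses to run slapindex while slapd is running. The function names and the sample log and config are constructed for illustration.

```shell
#!/bin/sh
# Added example; all function names are hypothetical helpers.

# Attributes slapd reported as "not indexed" in a log file, unique.
unindexed_from_log() {
    sed -n 's/.*(\([^)]*\)) not indexed.*/\1/p' "$1" | LC_ALL=C sort -u
}

# Attributes named in the "index" directives of a slapd.conf.
indexed_in_conf() {
    awk '$1 == "index" { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$1"
}

# Logged-as-unindexed attributes with no index directive ($1=log, $2=conf).
# LDAP attribute names are case-insensitive, hence grep -i.
missing_indexes() {
    conf_attrs=$(indexed_in_conf "$2")
    unindexed_from_log "$1" | while read -r attr; do
        printf '%s\n' "$conf_attrs" | grep -qixF "$attr" || printf '%s\n' "$attr"
    done
}

# Rebuild indexes only when slapd is stopped; indexing under a running
# server can corrupt data and/or indexes ($1 = path to slapd.conf).
safe_reindex() {
    if pgrep -x slapd >/dev/null 2>&1; then
        echo "slapd is running: stop it before running slapindex" >&2
        return 1
    fi
    slapindex -f "$1"
}

# Constructed sample input, written into directory $1.
write_samples() {
    cat > "$1/syslog" <<'EOF'
slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (SrcIPEnd) not indexed
slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstIPStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstIPEnd) not indexed
EOF
    cat > "$1/slapd.conf" <<'EOF'
index SrcIPStart,SrcIPEnd pres,eq
index Proto pres,eq
EOF
}
```

On a real host, point `missing_indexes` at /var/log/syslog and /etc/ldap/slapd.conf; `safe_reindex` is only defined here, never called.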