I've been happily using the ldap backend via openldap for many years. Over the past couple of days, I've seen a new message pop up a handful of times that I've never seen before:
Apr 1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates: (krbPrincipalName) not indexed which basically means something did a substring search on the krbPrincipalName, and there is no substring index, hence it had to do a full crawl to find the matches. I've only ever had an equality index on krbPrincipalName, this is the first time I've ever seen something try to do a substring search. Given kerberos is the only thing with access to the ldap server, the search must have come from it. I don't currently have query logging enabled so I'm not quite sure what it was up to. Does the ldap backend need a substring index on krbPrincipalName in addition to the equality index? What kdc or kadmin operation might result in a substring search? Thanks... ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
