[Samba] High cpu load on LDAP

Marco Gaiarin gaio at lilliput.linux.it
Wed Dec 11 12:02:27 UTC 2024


Hello! Douglas Bagnall via samba
  On that day it was said...

I've noted that there's no info on the Samba wiki on index manipulation, and
I have some doubts.

> If you run
>  ldbsearch -s base -b @INDEXLIST
> you will see a list of "@IDXATTR" attributes. You need to modify it so 
> that there is one saying:
> @IDXATTR: member

OK, I have 'member' not indexed:

 root@vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST | grep -i member
 @IDXATTR: msDS-Cached-Membership-Time-Stamp


> and trigger a reindex.

With:
	samba-tool dbcheck --reindex

right?!


> The thing that determines whether an attribute is indexed is whether its
> schema definition has an odd number (or in some versions, the string
> "fATTINDEX") for the searchFlags attribute.
> There is this samba-tool command:
> samba-tool schema attribute \
>      modify  \
>      member \
>     --searchflags="fATTINDEX" \
>     --option="dsdb:schema update allowed = true"

In the past I've added an index (e.g., for an added 'laser draft' schema) as:

	ldbedit -H /var/lib/samba/private/sam.ldb -b CN=mailLocalAddress,CN=Schema,CN=Configuration,DC=ad,DC=mydomain,DC=it --option="dsdb:schema update allowed"=true

and adding:

	searchFlags: 1

Is it the same? Is it safest to use 'samba-tool'?


But the more general question is: AFAIK the Samba AD schema is as compatible
as possible with the MS AD schema; so does the MS AD schema have no 'member'
index by default? And if true, why?

Or does MS AD have no 'index' concept whatsoever and manage AD performance in
another way?


Thanks.
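
The consistency check this thread is about, as an added example that is not part of the original post or of Samba: it compares each schema attribute's searchFlags (odd number or the string "fATTINDEX", as quoted above) with the @IDXATTR entries in @INDEXLIST. The LDIF is constructed, the function names are hypothetical, and the separator between multiple flag names is an assumption.

```python
import re

# Constructed samples shaped like ldbsearch output (DNs and values are illustrative).
INDEXLIST_LDIF = """\
dn: @INDEXLIST
@IDXATTR: msDS-Cached-Membership-Time-Stamp
@IDXATTR: mailLocalAddress
"""
SCHEMA_LDIF = """\
dn: CN=Member,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: member
searchFlags: 0

dn: CN=mailLocalAddress,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: mailLocalAddress
searchFlags: 1

dn: CN=exampleFlagOnly,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleFlagOnly
searchFlags: 9
"""

def parse_ldif(text):
    """Parse simple unwrapped 'attr: value' LDIF into a list of dicts of lists."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                rec.setdefault(key, []).append(value.strip())
        records.append(rec)
    return records

def schema_wants_index(flags):
    """Odd number, or a token equal to 'fATTINDEX' (token separator is assumed)."""
    if flags.isdigit():
        return int(flags) % 2 == 1
    return "fATTINDEX" in re.split(r"[^A-Za-z]+", flags)

def index_report(indexlist_ldif, schema_ldif):
    listed = {v.lower() for r in parse_ldif(indexlist_ldif) for v in r.get("@IDXATTR", [])}
    states = ["not indexed", "indexlist-only", "schema-only", "indexed"]
    report = {}
    for r in parse_ldif(schema_ldif):
        name = r["lDAPDisplayName"][0]
        wants = schema_wants_index(r.get("searchFlags", ["0"])[0])
        report[name] = states[2 * wants + (name.lower() in listed)]
    return report
```
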
