[Samba] High cpu load on LDAP

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Thu Nov 21 23:16:00 UTC 2024


On 20/11/24 21:44, Heinz Hölzl wrote:
> hi,
> 
>> It is possible to tell Samba to index 'member'.
> 
> How i can do this?
> 
>          dbindex:member = yes in smb.conf ??
> 

No, that has no effect.

If you run

  ldbsearch -s base -b @INDEXLIST

you will see a list of "@IDXATTR" attributes. You need to modify it so 
that there is one saying:

@IDXATTR: member

and trigger a reindex.

The thing that determines whether an attribute is indexed its schema 
definition has an odd number (or in some versions, the string 
"fATTINDEX") for the searchFlags attribute.


There is this samba-tool command:

samba-tool schema attribute \
      modify  \
      member \
     --searchflags="fATTINDEX" \
     --option="dsdb:schema update allowed = true"

Notice the last option. Without it samba-tool will refuse to do anything 
because this kind of modification is perhaps NOT SAFE.

I wouldn't do this in production without trying it first in a lab domain.

Others here might have actual experience.

Douglas



More information about the samba mailing list