
Obsolete:Samba 4 Attribute Indexing

Obsolete Documentation

Please note that this content was marked as obsolete. We left the content here for study and archaeological purposes.

Please check our Documentation for a recent list of topics.

Overview

Samba relies on the LDAP backend to do attribute indexing. The provisioning tool can already configure indexing on OpenLDAP, but it still needs to be modified to configure indexing on DS.

Attribute Indexing

The AD schema uses the fATTINDEX bit in the searchFlags attribute of an attribute type to indicate whether the attribute will be indexed. For example:

cn: Alt-Security-Identities
searchFlags: fATTINDEX

Finding the attributes that need to be indexed can be done by searching the schema subtree using the following filter:

(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))

There are 114 attributes that need indexing in the AD schema.

Current Code

OpenLDAP Configuration

Indexing an attribute in OpenLDAP can be done by specifying the following directive in slapd.conf:

index ${ATTR} eq

Provisioning Tool

provision_openldap_backend() uses the following code to configure attribute indexing in OpenLDAP:

index_config = ""

# get indexed attributes
attrs = ["linkID", "lDAPDisplayName"]
res = schema.ldb.search(
    expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))",
    base=names.schemadn,
    scope=SCOPE_ONELEVEL,
    attrs=attrs)

# for each indexed attribute
for i in range(0, len(res)):
    index_attr = res[i]["lDAPDisplayName"][0]

    # map objectGUID to entryUUID
    if index_attr == "objectGUID":
        index_attr = "entryUUID"

    # generate indexing configuration
    index_config += "index " + index_attr + " eq\n"

Default Indexes

The following attributes are indexed by default in DS:

  • aci
  • cn
  • entrydn
  • entryusn
  • givenName
  • mail
  • mailAlternateAddress
  • mailHost
  • member
  • memberOf
  • nsUniqueId
  • ntUniqueId
  • ntUserDomainId
  • numsubordinates
  • objectclass
  • owner
  • parentid
  • seeAlso
  • sn
  • telephoneNumber
  • uid
  • uniquemember

All except aci and numsubordinates have an equality index.

Linked Attributes

The following attributes are linked, so they need to have an equality index. See also this page.

  • bridgeheadTransportList
  • frsComputerReference
  • fRSMemberReference
  • hasMasterNCs
  • hasPartialReplicaNCs
  • managedBy
  • manager
  • member
  • msCOM-PartitionLink
  • msCOM-UserPartitionSetLink
  • msDFSR-ComputerReference
  • msDFSR-MemberReference
  • msDS-AuthenticatedAtDC
  • msDS-HasDomainNCs
  • msDS-hasFullReplicaNCs
  • msDS-hasMasterNCs
  • msDS-KrbTgtLink
  • msDS-MembersForAzRole
  • msDS-NC-RO-Replica-Locations
  • msDS-NonMembers
  • msDS-ObjectReference
  • msDS-OperationsForAzRole
  • msDS-OperationsForAzTask
  • msDS-PSOAppliesTo
  • msDS-TasksForAzRole
  • msDS-TasksForAzTask
  • msSFU30PosixMember
  • netbootServer
  • nonSecurityMember
  • owner
  • privilegeHolder
  • queryPolicyObject
  • serverReference
  • siteObject

The member and owner attributes are already defined in the default indexes and have an equality index.

Proposed Changes

DS Configuration

Indexing an attribute in DS can be done by adding the following configuration entry:

dn: cn=${ATTR},cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: ${ATTR}
nsSystemIndex: false
nsIndexType: eq

This template should be stored in source4/setup/fedorads-index.ldif.

Provisioning Tool

provision_fds_backend() should use the following code to configure attribute indexing in DS. First it configures the indexes for all linked attributes, then it configures the indexes for all indexed attributes as defined in the AD schema. The code might generate duplicate indexes, but they will be ignored during instance creation.

index_config = ""

# get linked attributes
lnkattr = get_linked_attributes(names.schemadn, schema.ldb)

# for each linked attribute
for attr in lnkattr.keys():

    # generate indexing configuration
    index_config += read_and_sub_file(
        setup_path("fedorads-index.ldif"),
        {"ATTR": attr})

# get indexed attributes
attrs = ["linkID", "lDAPDisplayName"]
res = schema.ldb.search(
    expression="(&(objectclass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))",
    base=names.schemadn,
    scope=SCOPE_ONELEVEL,
    attrs=attrs)

# for each indexed attribute
for i in range(0, len(res)):

    attr = res[i]["lDAPDisplayName"][0]

    # map objectGUID to nsUniqueId
    if attr == "objectGUID":
        attr = "nsUniqueId"

    # generate indexing configuration
    index_config += read_and_sub_file(
        setup_path("fedorads-index.ldif"),
        {"ATTR": attr})
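The selection and rendering steps above can be tried without an LDAP server. The following is an added example, not Samba's code: it evaluates the bitwise-AND matching rule on a constructed schema sample and renders both backends' index configuration. It goes one step further than the page's code by dropping duplicates up front and rejecting attribute names that could add lines to the generated file; all function and constant names are hypothetical.

```python
import re
from string import Template

FATTINDEX = 0x1  # fATTINDEX bit of searchFlags
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")  # RFC 4512 short name
# Same entry as the DS template shown above, with ${ATTR} as the placeholder.
DS_TEMPLATE = Template(
    "dn: cn=${ATTR},cn=default indexes,cn=config,"
    "cn=ldbm database,cn=plugins,cn=config\n"
    "objectClass: top\nobjectClass: nsIndex\ncn: ${ATTR}\n"
    "nsSystemIndex: false\nnsIndexType: eq\n\n")

# Constructed sample: (lDAPDisplayName, searchFlags) pairs, not real schema data.
SAMPLE_SCHEMA = [("altSecurityIdentities", 1), ("objectGUID", 9),
                 ("description", 0), ("exampleAttr", 2),
                 ("owner", 1), ("sAMAccountName", 13)]
SAMPLE_LINKED = ["member", "owner", "manager"]


def bit_and_match(value, mask):
    """Matching rule 1.2.840.113556.1.4.803: true if every mask bit is set."""
    return (value & mask) == mask


def attrs_to_index(schema, linked, guid_attr):
    """Linked attributes first, then fATTINDEX ones, duplicates dropped."""
    names = list(linked)
    names += [n for n, flags in schema if bit_and_match(flags, FATTINDEX)]
    result, seen = [], set()
    for name in names:
        if name == "objectGUID":  # backend-specific replacement
            name = guid_attr
        # Reject anything that could add lines to the generated config.
        if not ATTR_NAME.fullmatch(name):
            raise ValueError("invalid attribute name: %r" % name)
        if name.lower() not in seen:  # attribute names are case-insensitive
            seen.add(name.lower())
            result.append(name)
    return result


def slapd_index_config(attrs):
    """One 'index ATTR eq' directive per attribute (OpenLDAP)."""
    return "".join("index %s eq\n" % a for a in attrs)


def ds_index_config(attrs):
    """One nsIndex entry per attribute (DS)."""
    return "".join(DS_TEMPLATE.substitute(ATTR=a) for a in attrs)
```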
