#7792 Missing index on ipaconfigstring
Closed: fixed a year ago Opened a year ago by cheimes.


Bug https://pagure.io/freeipa/issue/7790 and my log analysis of other installations show repeatedly that 389-DS complains about a missing index on ipaconfigstring.

  Unindexed Component #1 (notes=U)
  -  Date/Time:             03/Dec/2018:17:42:08
  -  Connection Number:     289891
  -  Operation Number:      16
  -  Etime:                 0.0000473303
  -  Nentries:              1
  -  IP Address:  
  -  Search Base:           cn=ops-ovc-ipa-1.ops.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
  -  Search Scope:          2 (subtree)
  -  Search Filter:         (&(objectclass=ipaconfigobject)(ipaconfigstring=enabledservice)(cn=ca))
  -  Bind DN:               uid=admin,cn=users,cn=accounts,dc=example,dc=com

The ipaConfigString attribute is used in service definition in the cn=masters,cn=ipa,cn=etc,$SUFFIX subtree. It is queried to find active services, servers with a CA, the CA renewal master, and so on. The attribute is not only used during installation and in ipactl, but also in virtually any command that deals with CA, certs, and vault/KRA. Since not every IPA server has to be a CA master, clients and servers use a search with filter (ipaConfigString=enabledService) to locate a CA or KRA server.

Steps to Reproduce

  1. install server
  2. perform vault or cert operations
  3. restart 389-DS or wait until server flushes logs
  4. analyse log file with logconf.pl

Actual behavior

logconf shows unindexed filters with ipaconfigstring.

Expected behavior

There should be no unindexed filters.



Additional info:

IPA should add an eq and maybe also a pres index on ipaconfigstring

dn: cn=ipaconfigstring,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: ipaconfigstring
nsIndexType: eq
nsIndexType: pres
nsSystemIndex: false

Metadata Update from @cheimes:
- Issue set to the milestone: FreeIPA 4.6.5
- Issue tagged with: performance

a year ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2649

a year ago

Metadata Update from @cheimes:
- Issue assigned to cheimes

a year ago


  • 0fb87bf LDAPUpdate: Batch index tasks
  • ed436e4 Add more LDAP indices
  • a34d92d Create reindex task for ipaca DB


  • 55f18a8 LDAPUpdate: Batch index tasks
  • f29ab77 Add more LDAP indices
  • 26d90cd Create reindex task for ipaca DB


  • ad37e0c LDAPUpdate: Batch index tasks
  • 903cfe3 Add more LDAP indices
  • e484c4b Create reindex task for ipaca DB

The new indices will be available in 4.7.3 and next 4.6 update.

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Login to comment on this ticket.