4.4. Fine Grained ID List Size
In large databases, some queries can consume a large amount of CPU and RAM resources. To improve performance, you can set a default ID scan limit that applies to all indexes in the database using the nsslapd-idlistscanlimit attribute. However, in some cases it is useful to define a limit for certain indexes, or to use no ID list. You can set individual ID list scan limits for different types of search filters using the nsIndexIDListScanLimit attribute.
To set a limit, for example for the objectClass attribute, add the nsIndexIDListScanLimit parameter to the DN cn=objectclass,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config.
The nsIndexIDListScanLimit attribute is multi-valued and takes the following list of parameters as a value:
nsIndexIDListScanLimit: limit=NNN [type=eq[,sub,...]] [flags=AND[,XXX,...]] [values=val[,val,...]]
limit: The maximum size of the ID list. Valid values are:
    -1: Unlimited.
    0: Do not use the index.
    1 to the maximum 32-bit integer (2147483647): Maximum number of IDs.
type: Optional. The type of the index: eq, sub, pres, and so on. The value must be one of the actual nsIndexType values specified for the index definition. For example, you cannot use type=eq if you do not have nsIndexType=eq defined.
flags: Optional. Flags that alter the behavior of applying the scan limit. Valid values are:
    AND: Apply the scan limit only to searches in which the attribute appears in an AND clause.
    OR: Apply the scan limit only to searches in which the attribute appears in an OR clause.
values: Optional. Comma-separated list of values which must match the search filter in order for the limit to be applied. Since the matches are done one at a time, the values will match if any of the values matches.
    The values must be used with only one type at a time.
    The values must correspond to the index type, and must correspond to the syntax of the attribute to which the index is applied. For example, if you specified the integer-based attribute uidNumber and it is indexed for eq, you cannot use type=eq values=abc.
    If the value contains spaces, commas, NULL, or other characters that must be escaped, use the LDAP filter escape syntax: a backslash (\) followed by the two-digit hex code for the character. In the following example, the commas in the DN value are escaped with \2C.
    nsIndexIDListScanLimit: limit=0 type=eq values=uid=user\2Cou=People\2Cdc=example\2Cdc=com
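As an added example (not part of the original documentation or of Directory Server itself), the following Python helper assembles an nsIndexIDListScanLimit value from the parameters above and rejects combinations the list rules out. The function names, the index_types argument, the choice to require exactly one type whenever values are given, and the decision to also escape the RFC 4515 filter specials are assumptions of this example.

```python
MAX_LIMIT = 2147483647          # maximum 32-bit integer, per the parameter list
VALID_FLAGS = {"AND", "OR"}     # flags named on this page
# Bytes written as backslash + 2 hex digits: space, comma and NUL (named on the
# page) plus the RFC 4515 filter specials * ( ) \ (assumption: escape them all).
ESCAPE = set(b" ,\x00*()\\")


def escape_value(value):
    """Escape per LDAP filter syntax: backslash plus two hex digits."""
    return "".join(
        "\\%02X" % b if b in ESCAPE or b >= 0x80 else chr(b)
        for b in value.encode("utf-8"))


def build_scan_limit(limit, index_types, types=(), flags=(), values=()):
    """Return the attribute value; index_types are the index's nsIndexType values."""
    if not isinstance(limit, int) or not -1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be -1, 0, or 1..%d" % MAX_LIMIT)
    for t in types:
        if t not in index_types:
            raise ValueError("type=%s needs nsIndexType=%s on the index" % (t, t))
    for f in flags:
        if f not in VALID_FLAGS:
            raise ValueError("unknown flag: %s" % f)
    # Assumption of this example: "only one type at a time" means exactly one.
    if values and len(types) != 1:
        raise ValueError("values must be used with only one type at a time")
    parts = ["limit=%d" % limit]
    if types:
        parts.append("type=" + ",".join(types))
    if flags:
        parts.append("flags=" + ",".join(flags))
    if values:
        parts.append("values=" + ",".join(escape_value(v) for v in values))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed inputs that reproduce the two values shown on this page.
    print(build_scan_limit(0, ["eq", "pres"], ["eq"], ["AND"], ["inetOrgPerson"]))
    print(build_scan_limit(0, ["eq"], ["eq"],
                           values=["uid=user,ou=People,dc=example,dc=com"]))
```

The helper does not check that a value matches the attribute's syntax (the uidNumber case above); that still has to be verified against the schema.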
Example 4.1. Setting nsIndexIDListScanLimit
In a large database with 10 million entries that contain the object class inetOrgPerson, a search for (&(objectClass=inetOrgPerson)(uid=user)) first creates an ID list containing all 10 million IDs matching objectClass=inetOrgPerson. When the database applies the second part of the filter, it searches the result list for objects matching uid=user. In this case it is useful to define a limit for certain indexes, or to use no ID list at all.
To specify that no ID list is created for objectClass=inetOrgPerson in AND clauses, add the following nsIndexIDListScanLimit:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=objectclass,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsIndexIDListScanLimit
nsIndexIDListScanLimit: limit=0 type=eq flags=AND values=inetOrgPerson
modifying entry "cn=objectclass,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
No ID list is created for objectClass=inetOrgPerson when used in an AND clause. In all other situations the value of nsslapd-idlistscanlimit is applied.