Tags: java, active-directory, ldap

LDAP simple user search returns LDAP: error code 53 - Unwilling to process the unindexed search operation


I am not an LDAP expert; all I am trying to do is run some filters on users, like getting usernames starting with some prefix. I get an error every time I use * in the filter:

[LDAP: error code 53 - Unwilling to process the unindexed search operation]; remaining name 'ou=internal,o=XXX,c=us'

It doesn't make any sense; I am not sure what that error message even means.

Passing in filter exact match of user name works fine:

import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;

// Exact match on uid: this works.
String filter = "uid=exactMatchuserName";

SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);   // search the whole subtree under the base
constraints.setReturningAttributes(attrIdsToSearch);        // String[] of attribute names to return

NamingEnumeration users = ldapConnection().search(          // ldapConnection() returns the bound DirContext
    "ou=internal,o=XXX,c=us",                               // search base
    filter,
    constraints
);

but when I use * in the search, String filter = "uid=*ma";, then I get an error.


Solution

  • The server is telling you that it's not willing to perform a search that cannot use an index. If you don't know what an index is, you can read the Wikipedia article on database indexes, but in short:

    Indexes are used to quickly locate data without having to search every row in a database table every time a database table is accessed.

    An index is built by sorting one of the columns in a way specified in the index (usually alphabetically, for a string column). So, for example, if I searched for uid=gabriel, it doesn't need to look at every user in the directory. It can just skip to the G's and find it quickly.

    However, that means that the index can only be used when you know at least the first letter. When you use a wildcard at the beginning of the search, you don't know the first letter, so it's impossible to use the index and it will need to check every user in the directory for a match.

    You have 3 options:

    1. Don't put a wildcard at the beginning.
    2. Add another criterion to the query that uses an indexed attribute; then you'll be able to use the wildcard in uid. You just need at least one indexed criterion.
    3. Enable unindexed searches on your server. You tagged active-directory, but I suspect that's not what you're using since AD doesn't use the uid attribute. So search online for the directory server you're using and see if it is possible to enable. Just keep in mind that disabling unindexed searches is the default for a reason.
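Options 1 and 2 as filter-building code, added here as an example and not part of the original question or answer. It assumes objectClass is indexed on the target server (it usually is, but check your server's index configuration), that the DirContext comes from wherever the question's ldapConnection() gets it, and it escapes the caller-supplied value per RFC 4515 so a user cannot inject extra wildcards or operators into the filter.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class UidFilters {
    // Escape a caller-supplied value per RFC 4515 so it cannot inject its own
    // wildcards or operators into the filter string.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Option 1: trailing wildcard only, so the server can walk the uid index.
    static String uidPrefixFilter(String prefix) {
        return "(uid=" + escape(prefix) + "*)";
    }

    // Option 2: leading wildcard on uid, AND-ed with an equality match on an
    // attribute assumed to be indexed on this server (objectClass=person here).
    static String uidSuffixFilter(String suffix) {
        return "(&(objectClass=person)(uid=*" + escape(suffix) + "))";
    }
    // Subtree search with the given filter; returns the DNs of matching entries.
    static List<String> searchDns(DirContext ctx, String base, String filter, String[] attrs)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(attrs);
        List<String> dns = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
        while (results.hasMore()) {
            dns.add(results.next().getNameInNamespace());
        }
        return dns;
    }
}
```

For the question's case, searchDns(ctx, "ou=internal,o=XXX,c=us", uidPrefixFilter("ma"), attrIdsToSearch) replaces the unindexed "uid=*ma" with an index-friendly prefix match, and uidSuffixFilter("ma") is the anchored form if the trailing-match semantics are really needed.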