9.7 Enabling Compound Index on Identity Vault Attributes

Compound index is a value index covering multiple attributes. Compound index was primarily added to support sorting on multiple attributes for the Server Side Sort control, you can use it for improving the performance of searches if the attributes being searched are part of a compound index.

When compound index is not enabled, you are likely to encounter issues where results are not displayed in the Identity Applications user interface. For example, the User Catalog page does not display the results.

The Identity Applications installation program automatically creates the following indexes:

0$GnSnIndex$0$0$0$1$Given Name$Surname 
0$SnGnIndex$0$0$0$1$Surname$Given Name 
0$mailSnIndex$0$0$0$1$Internet EMail Address$Surname 
0$telephoneNumberSnIndex$0$0$0$1$Telephone Number$Surname

To create and manage indexes and compound indexes, use eDirectory’s ndsindex utility. For compound indexes, specify multiple attributes separated by $ sign in the ndsindex utility.

For example, to create a value index with the name MyIndex on the email address and surname attributes, enter the following command:

ndsindex add –h myhost –D cn=admin, o=mycompany –w password –s cn=myhost, o=netiq 'MyIndex;email address$surname;value'

Alternatively, you can create a compound index by using an LDIF file. For example, sort users on custom attributes.

  1. Create an LDIF file with the compound index entries.

    1. dn: CN=linux-32ep,OU=servers,O=system (Your Server DN)

      changetype: modify
      add: indexdefinition
      indexdefinition: 0$gnsnindex$0$0$0$1$given name$surname (specify the correct order)
    2. dn: CN=linux-32ep,OU=servers,O=system (Your Server DN)

      changetype: modify
      add: indexdefinition
      indexdefinition: 0$sntitleindex$0$0$0$1$Title$surname
  2. Run the following command to create indexes:

    ice -S LDIF -a -c -f comp.ldif -D LDAP -s -p 389 -d cn=admin,ou=sa,o=system -w novell -F –B
  3. (Optional) Check if the indexes are online:

    ndsindex list -D cn=admin,ou=sa,o=system -w novell -s CN=linux-32ep,OU=servers,O=system

Consider the following while creating compound indexes:

  • Although you can specify multiple attributes for compound index, try not to add more than three attributes. As you go on adding the attributes, the performance of the searches is decreased. In case of value type compound index, you can add a maximum of five attributes.

  • You are recommended to connect ndsindex utility to the same eDirectory server where the index has been added.


  • An index with ancestor id can only be created with value index type. Presence and Substring index types are not supported with ancestor id.

  • Database size increases after creating index with ancestor id.

9.7.1 Comparison with Other Indexes

The cost of managing compound indexes in terms of time is the same as any other value index. Any modification such as addition or deletion of value requires the index to update.The order of the number of attributes added to a compound index determine disk space used by the index.The key size for a compound index is higher because all attribute values are added to the key. If other attributes are present, then a key for those attributes is added to the index. This can lead to bigger keys and increased number of keys as compared to normal value indexes.NOTE: Having a high number of indexes has an adverse performance impact on modify operations because it requires updating the indexes with the modified attribute. This is not specific to compound indexes.)Any modification (addition/deletion of value) would require the index to be updated.

For more details on how to create or manage compound indexes, see Examples of Compound Indexes in the eDirectory Administration Guide.

9.7.2 Sample Error Message

If an attribute is part of compound indexes, the following error message is displayed in the Manage Users page.

Sorting functionality does not work for //attribute key//attribute. Please contact the system administrator for more details".

The following error message is displayed in the catalina.out with complete exception trace.

OperationNotSupportedException: [LDAP: error code 53 - Unwilling To Perform].