Sun Identity Manager 8.1 Resources Reference

Virtual List View Support for Directory Server

Note –

This discussion assumes that Identity Manager connects to the LDAP resource as a non-RootDN user. If you are connecting as a RootDN user, the procedures described are applicable, but additional LDAP attribute values might be possible. Consult the Directory Server documentation for more information.

See Modifying the ADAM Schema for information about enabling this feature with Microsoft ADAM.

In Directory Server, the nsLookThroughLimit and nsslapd-sizelimit attributes define how many LDAP entries can be searched and returned, respectively. The default value for nsLookThroughLimit is 5,000, while the default for nsslapd-sizelimit is 2,000. Both attributes can be set to -1 to disable limits. You must restart Directory Server if you change the value of these attributes.

It is not always desirable to change the default values. To improve performance on LDAP searches, you can enable the LDAP Virtual List View (VLV) control. VLV returns partial results of a search, rather than returning all results at once.

The Use Blocks resource attribute enables Identity Manager to stay within the query result size limit by using the VLV control. The Block Count resource attribute specifies how many users to return, but this value must be less than or equal to the value set in the nsslapd-sizelimit attribute.

A VLV index (also known as a browsing index) must be created, or the nsslapd-sizelimit size limit will still be in effect. Using a VLV index significantly improves the performance of iterating over accounts, so you should set up the index if you plan to reconcile, load from resource, or export to file frequently.

Refer to the Directory Server documentation for detailed instructions on creating a VLV index. The basic process follows:

Procedure: Creating a VLV Index

  1. Create a vlvsearch object with the following properties:

    vlvbase: YourBaseContext
    vlvfilter: (&(objectclass=top)(objectclass=person)(objectclass=organizationalPerson)(objectclass=inetorgperson))
    vlvscope: 2

    The vlvbase attribute must match the value specified in the Base Context resource attribute. The vlvfilter attribute must contain the classes specified in the Object Classes resource attribute in the format shown. The vlvscope value of 2 indicates subtree searches.

  2. Create a vlvindex component as a subobject of vlvsearch. The vlvsort attribute must be set to uid.

  3. Build the VLV index using the vlvindex command or other mechanism.

  4. Set permissions through access control instructions (ACI) for the following:

    • The vlvsearch object

    • The vlvindex object

    • The directory the index was created for

To set up VLV for the changelog, use the following general steps. Refer to the Directory Server documentation for detailed instructions.

  5. If you have not already done so, create a browsing index for the changelog. If you use the Directory Server user interface, then by default, a vlvsearch object named “MCC cn=changelog” and a vlvindex object named “SN MCC cn=changelog” will be created.

  6. Set permissions through access control instructions (ACI) so that the Identity Manager account has read, compare, and search rights for the following:

    • The changelog (cn=changelog)

    • The vlvsearch object (cn="MCC cn=changelog",cn=config,cn=ldbm)

    • The vlvindex object (cn="SN MCC cn=changelog",cn=config,cn=ldbm)

On some versions of Directory Server, the changelog nsLookThroughLimit attribute has a hard-coded value of 5,000. To avoid hitting the changelog lookthrough limit, restrict the maximum number of changelog entries that are kept on the server to less than 5,000. To avoid losing changelog entries, set the polling frequency for the adapter to a short interval.
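As an added example that is not part of the Sun documentation or the Identity Manager product, the following Python renders the vlvsearch and vlvindex entries from steps 1 and 2 as LDIF and checks an existing vlvsearch definition, together with the Block Count limit described above, against the Identity Manager resource attributes. The vlvBase/vlvScope/vlvFilter/vlvSort attributes and the vlvSearch/vlvIndex object classes are those the text names; the container DN under cn=ldbm database,cn=plugins,cn=config and the "MCC ..." / "by uid" naming are assumptions.

```python
"""Consistency check between an Identity Manager LDAP resource and the Directory
Server VLV index it relies on. Added example, not Sun code: attribute and object
class names are from the text; the container DN under cn=config is assumed."""
from dataclasses import dataclass

@dataclass
class LdapResource:
    base_context: str        # Base Context resource attribute
    object_classes: list     # Object Classes resource attribute
    block_count: int         # Block Count resource attribute
    use_blocks: bool = True  # Use Blocks resource attribute

def vlv_filter(object_classes):
    """vlvfilter in the (&(objectclass=a)(objectclass=b)...) form the text shows."""
    return "(&" + "".join(f"(objectclass={oc})" for oc in object_classes) + ")"

def vlv_ldif(res, backend="userRoot", sort_attr="uid"):
    """LDIF for the vlvSearch entry (step 1) and its vlvIndex subentry (step 2)."""
    container = f"cn={backend},cn=ldbm database,cn=plugins,cn=config"  # assumed location
    search_cn = "MCC " + res.base_context.replace(",", " ")          # assumed naming
    search_dn = f"cn={search_cn},{container}"
    return "\n".join([
        f"dn: {search_dn}", "objectClass: top", "objectClass: vlvSearch",
        f"cn: {search_cn}", f"vlvBase: {res.base_context}",
        "vlvScope: 2",  # 2 = subtree search
        f"vlvFilter: {vlv_filter(res.object_classes)}", "",
        f"dn: cn=by {sort_attr},{search_dn}", "objectClass: top", "objectClass: vlvIndex",
        f"cn: by {sort_attr}",
        f"vlvSort: {sort_attr}", "",  # Identity Manager requires uid
    ])

def check_resource(res, nsslapd_sizelimit, vlv_search):
    """List mismatches between the resource and an existing vlvSearch entry's attributes."""
    problems = []
    if res.use_blocks and nsslapd_sizelimit != -1 and res.block_count > nsslapd_sizelimit:
        problems.append(f"Block Count {res.block_count} exceeds nsslapd-sizelimit {nsslapd_sizelimit}")
    if vlv_search.get("vlvBase", "").lower() != res.base_context.lower():
        problems.append("vlvBase does not match the Base Context resource attribute")
    present = vlv_search.get("vlvFilter", "").replace(" ", "").lower()
    for oc in res.object_classes:
        if f"(objectclass={oc.lower()})" not in present:
            problems.append(f"vlvFilter does not include (objectclass={oc})")
    if str(vlv_search.get("vlvScope", "")) != "2":
        problems.append("vlvScope is not 2 (subtree)")
    return problems
```

Feed `check_resource` the attributes of the vlvsearch entry as read from the server (constructed dictionaries in the test); an empty result means the index definition matches what the adapter will search for.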