
Working With Oracle® Solaris 11.3 Directory and Naming Services: LDAP


Updated: September 2018

NIS-to-LDAP Best Practices With Oracle Directory Server Enterprise Edition

The N2L service supports ODSEE. Although other third-party LDAP servers might work with the N2L service, they are not supported by Oracle. If you are using an LDAP server other than an ODSEE server or compatible Oracle servers, you must manually configure the server to support the schemas of RFC 2307, RFC 2307bis and RFC 4876, or later standards.

If you are using ODSEE, you can tune the directory server to improve performance. To make these changes, you must have LDAP administrator privileges on the ODSEE server. In addition, you must coordinate with the LDAP clients if the directory server needs to be rebooted. The ODSEE documentation is available at Oracle Directory Server Enterprise Edition documentation.

Creating Virtual List View Indexes With Oracle Directory Server Enterprise Edition

For large maps, you must use the LDAP virtual list view (VLV) indexes to ensure that LDAP searches return complete results. For information about setting up VLV indexes on ODSEE, see the Oracle Directory Server Enterprise Edition documentation.

VLV search results use a fixed page size of 50000. If you are using VLVs with ODSEE, ensure that both the LDAP server and N2L server are able to handle transfers of this size. If all of your maps are known to be smaller than this limit, you do not need to use VLV indexes. However, if your maps are larger than the size limit or you are unsure of the size of all maps, use VLV indexes to avoid incomplete returns.

If you are using VLV indexes, set up the appropriate size limits as follows:

  • On the ODSEE server, ensure that the nsslapd-sizelimit attribute is set to greater than or equal to 50000 or –1. For more information, see the idsconfig(1M) man page.

  • On the N2L server, ensure that the nisLDAPsearchSizelimit attribute is set to either greater than or equal to 50000 or zero. For more information, see the NISLDAPmapping(4) man page.

After VLV indexes have been created, activate them by running dsadm with the vlvindex option on the ODSEE server. For more information, see the dsadm(1M) man page.

VLVs for Standard Maps

Use the ODSEE idsconfig command to set up VLVs if the following conditions apply:

  • You are using ODSEE.

  • You are mapping standard maps to RFC 2307bis LDAP entries.

VLVs are domain specific, so each time idsconfig is run, VLVs are created for one NIS domain. Therefore, during the NIS-to-LDAP transition, you must run idsconfig once for each nisLDAPdomainContext attribute included in the NISLDAPmapping file.

VLVs for Custom and Nonstandard Maps

You must manually create new ODSEE VLVs for maps, or copy and modify existing VLV indexes, if the following conditions apply:

  • You are using ODSEE.

  • You have large custom maps or have standard maps that are mapped to nonstandard DIT locations.

To view existing VLV indexes, type the following command:

% ldapsearch -h hostname -s sub -b "cn=ldbm database,cn=plugins,cn=config" "objectclass=vlvSearch" 

Avoiding Server Timeouts With Oracle Directory Server Enterprise Edition

When the N2L server refreshes a map, the result might require a lengthy LDAP directory access. If ODSEE is not correctly configured, the refresh operation might time out before completion. To avoid directory server timeouts, modify ODSEE attributes manually or by running the idsconfig command.

For example, you might want to modify the following attributes to increase the minimum amount of time in seconds that the server should spend performing the search request:

dn: cn=config
nsslapd-timelimit: -1

For testing purposes, you can use an attribute value of –1, which indicates no limit. When you have determined the optimum limit value, change the attribute value. Do not maintain any attribute settings at –1 on a production server. With no limits, the server might be vulnerable to Denial of Service attacks.

For more information about configuring ODSEE with LDAP, see Setting Up the Oracle Directory Server Enterprise Edition With LDAP Clients.

Avoiding Buffer Overruns With Oracle Directory Server Enterprise Edition

To avoid buffer overruns, modify the ODSEE attributes manually or by running the idsconfig command. For example:

  • Modify the following attributes to increase the maximum number of entries that are returned for a client search query:

    dn: cn=config
    nsslapd-sizelimit: -1
  • Modify the following attributes to increase the maximum number of entries that are verified for a client search query:

    dn: cn=config, cn=ldbm database, cn=plugins, cn=config
    nsslapd-lookthroughlimit: -1

For testing purposes, you can use an attribute value of –1, which indicates no limit. When you have determined the optimum limit value, change the attribute value. Do not maintain any attribute settings at –1 on a production server. With no limits, the server might be vulnerable to Denial of Service attacks.

If VLVs are being used, the sizelimit attribute values should be set as defined in Creating Virtual List View Indexes With Oracle Directory Server Enterprise Edition. If VLVs are not being used, the size limit should be set large enough to accommodate the largest container.
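The following script is an added example and is not part of the Oracle Solaris documentation or the ODSEE distribution. It audits the limit attributes discussed in Creating Virtual List View Indexes With Oracle Directory Server Enterprise Edition and in the two sections above: nsslapd-sizelimit must be greater than or equal to the fixed VLV page size of 50000 or –1, and any attribute left at –1 is reported as a test-only setting that should not remain on a production server. The input is an LDIF dump of cn=config such as ldapsearch produces; the three dumps below are constructed samples, not captured server output, and the exit codes of audit_ldif are this example's own convention.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit ODSEE limit attributes that the
# N2L VLV transfers depend on. Reads an LDIF dump of cn=config, e.g. from
#   ldapsearch -h hostname -D "cn=Directory Manager" -W -b "cn=config" -s base \
#     "objectclass=*" nsslapd-sizelimit nsslapd-timelimit
# The sample dumps at the bottom are constructed, not real server output.

VLV_PAGE=50000   # fixed page size of N2L VLV search results

# ldif_attr FILE ATTR: print the first value of ATTR found in FILE.
ldif_attr() {
    awk -v a="$2" '$1 == a ":" { print $2; exit }' "$1"
}

# size_limit_ok VALUE: true when nsslapd-sizelimit meets the N2L rule
# (>= 50000 or -1); a missing or non-numeric value fails.
size_limit_ok() {
    case "$1" in
        -1) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$VLV_PAGE" ]
}

# audit_ldif FILE: print one verdict per attribute and return (own convention)
#   0  sizelimit satisfies the VLV rule and nothing is unlimited (production-ready)
#   1  sizelimit would truncate a 50000-entry VLV page
#   2  VLV rule met, but at least one attribute is -1 (test setting only)
audit_ldif() {
    rc=0
    size=$(ldif_attr "$1" nsslapd-sizelimit)
    if size_limit_ok "$size"; then
        echo "OK   nsslapd-sizelimit=$size"
    else
        echo "FAIL nsslapd-sizelimit=${size:-unset}: must be >= $VLV_PAGE or -1 for VLV transfers"
        rc=1
    fi
    for attr in nsslapd-sizelimit nsslapd-timelimit nsslapd-lookthroughlimit; do
        if [ "$(ldif_attr "$1" "$attr")" = "-1" ]; then
            echo "WARN $attr=-1: no limit; acceptable for testing, not on a production server"
            [ "$rc" -eq 0 ] && rc=2
        fi
    done
    return "$rc"
}

# report LABEL FILE: run the audit without letting a nonzero status abort the shell.
report() { st=0; audit_ldif "$2" || st=$?; echo "$1 -> exit $st"; }

# Constructed sample dumps (not captured from a server).
PROD_LDIF=$(mktemp); cat > "$PROD_LDIF" <<'EOF'
dn: cn=config
nsslapd-sizelimit: 60000
nsslapd-timelimit: 3600

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-lookthroughlimit: 60000
EOF
TEST_LDIF=$(mktemp); cat > "$TEST_LDIF" <<'EOF'
dn: cn=config
nsslapd-sizelimit: -1
nsslapd-timelimit: -1
EOF
SMALL_LDIF=$(mktemp); cat > "$SMALL_LDIF" <<'EOF'
dn: cn=config
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
EOF

report prod  "$PROD_LDIF"    # exit 0
report test  "$TEST_LDIF"    # exit 2
report small "$SMALL_LDIF"   # exit 1
```

To run it against a live server, replace the constructed dumps with the output of an authenticated ldapsearch of cn=config and of the ldbm database entry, and treat exit 2 as a reminder to lower the –1 values before the server goes into production.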

For more information about configuring ODSEE with LDAP, see Setting Up the Oracle Directory Server Enterprise Edition With LDAP Clients.