Usage Notes

This section provides information related to using the LDAP resource adapter, which is organized into the following sections:

• General Notes

• Virtual List View Support for Directory Server

• ADAM Support

For information about enabling password synchronization on an LDAP resource, see Chapter 51, Synchronizing LDAP Passwords.

General Notes

• You should create an Identity Manager service account to connect to LDAP, rather than using the administrator account CN=Directory Manager. Use your LDAP Directory Server management tool to set permissions by an ACI (access control instructions) at each base context.

  Set the permissions in the ACI based on the source. If the adapter is connecting to an authoritative source, then set read, search, and possibly compare permissions only. If the adapter is used to write back, then you will need to set write and possibly delete permissions.

---

Note –

If the account will be used for the monitoring the changelog, an ACI should also be created on cn=changelog. The permissions should be set to read and search only, because you cannot write or delete changelog entries.

---

• The LDAP adapter can manage aliases. However, when a getUser call is performed, the alias is dereferenced and the adapter returns the referenced object. As a result, the adapter will not find attributes on the alias object itself.

  This occurs because JNDI defaults to the following setting:

  java.naming.ldap.derefAliases=always

  You can change this property globally by creating a jndi.properties file that contains the following line:

  java.naming.ldap.derefAliases=never

  The jndi.properties file must be placed in the Java library path, such as $WSHOME/WEB-INF/classes. You must restart the application server for the change to take effect.

• When editing synchronization policy, be sure to specify a value for the Filter Changes By field. The standard value is the administrator name used by this adapter. Entering an administrator name will prevent infinite loops from occurring. Entries should be of the format cn=Directory Manager.

Virtual List View Support for Directory Server

---

Note –

This discussion assumes that Identity Manager connects to the LDAP resource as a non-RootDN user. If you are connecting as a RootDN user, the procedures described are applicable, but additional LDAP attribute values might be possible. Consult the Directory Server documentation for more information.

See Modifying the ADAM Schema for information about enabling this feature with Microsoft ADAM.

---

In Directory Server, the nsLookThroughLimit and nsslapd-sizelimit attributes define how many LDAP entries can be searched and returned, respectively. The default value for nsLookThroughLimit is 5,000, while the default for nsslapd-sizelimit is 2,000. Both attributes can be set to -1 to disable limits. You must restart Directory Server if you change the value of these attributes.

It is not always desirable to change the default values. To improve performance on LDAP searches, you can enable the LDAP Virtual List View (VLV) control. VLV returns partial results of a search, rather than returning all results at once.

The Use Blocks resource attribute enables Identity Manager to stay within the query result size limit by using the VLV control. The Block Count resource attribute specifies how many users to return, but this value must be less than or equal to the value set in the nsslapd-sizelimit attribute.

A VLV index (also known as a browsing index) must be created, or the nsslapd-sizelimit size limit will still be in effect. Using a VLV index significantly improves the performance of iterating over accounts, so you should set up the index if you plan to reconcile, load from resource, or export to file frequently.

Refer to the Directory Server documentation for detailed instructions on creating a VLV index. The basic process follows:

Creating a VLV Index

1. Create a vlvsearch object with the following properties:

   vlvbase: YourBaseContext vlvfilter: (&(objectclass=top)(objectclass=person) (objectclass=organizationalPerson) (objectclass=inetorgperson)) vlvscope: 2

   The vlvbase attribute must match the value specified in the Base Context resource attribute. The vlvfilter attribute must contain the classes specified in the Object Classes resource attribute in the format shown. The vlvscope value of 2 indicates subtree searches.

2. Create a vlvindex component as a subobject of vlvsearch. The vlvsort attribute must be set to uid.

3. Build the VLV index using the vlvindex command or other mechanism.

4. Set permissions through access control instructions (ACI) for the following:

   • vlvsearch object

     • vlvindex

     • the directory the index was created for.

       To set up VLV for the changelog, use the following general steps. Refer to the Directory Server documentation for detailed instructions.

5. If you have not already done so, create a browsing index for the changelog. If you use the Directory Server user interface, then by default, a vlvsearch object named “MCC cn=changelog” and a vlvindex object named “SN MCC cn=changelog” will be created.

6. Set permissions through access control instructions (ACI) so that the Identity Manager account has read, compare, and search rights for the following:

   • The changelog (cn=changelog)

     • The vlvsearch object (cn=”MCC cn=changelog”,cn=config,cn=ldbm)

     • The vlvindex object (“SN MCC cn=changelog”,cn=config,cn=ldbm)

   On some versions of Directory Server, the changelog nsLookThroughLimit attribute has a hard-coded value of 5,000. To avoid hitting the changelog lookthrough limit, restrict the maximum number of changelog entries that are kept on the server to less than 5,000. To avoid losing changelog entries, set the polling frequency for the adapter to a short interval.

Disabling and Enabling Accounts

The LDAP adapter provides several ways to disable accounts on an LDAP resource. Use one of the following techniques to disable accounts.

Change the Password to an Unknown Value

To disable accounts by changing the password to an unknown value accounts, leave the LDAP Activation Method and LDAP Activation Parameter fields blank. This is the default method for disabling accounts. The account can be re-enabled by assigning a new password.

Assign the nsmanageddisabledrole Role

To use the nsmanageddisabledrole LDAP role to disable and enable accounts, configure the LDAP resource as follows:

Configuring the LDAP Resource to Use the nsmanageddisabledrole LDAP Role

1. On the Resource Parameters page, set the LDAP Activation Method field to nsmanageddisabledrole.

2. Set the LDAP Activation Parameter field to IDMAttribute=CN=nsmanageddisabledrole,baseContext. (IDMAttribute will be specified on the schema in the next step.)

3. On the Account Attributes page, add IDMAttribute as an Identity System User attribute. Set the Resource User attribute to nsroledn. The attribute must be of type string.

4. Create a group named nsAccountInactivationTmp on the LDAP resource and assign CN=nsdisabledrole,baseContext as a member.

   LDAP accounts can now be disabled. To verify using the LDAP console, check the value of the nsaccountlock attribute. A value of true indicates the account is locked.

   If the account is later re-enabled, the account is removed from the role.

Set the nsAccountLock Attribute

To use the nsAccountLock attribute to disable and enable accounts, configure the LDAP resource as follows:

Configuring the LDAP Resource to Use the nsAccountLock Attribute

1. On the Resource Parameters page, set the LDAP Activation Method field to nsaccountlock.

2. Set the LDAP Activation Parameter field to IDMAttribute=true. (IDMAttribute will be specified on the schema in the next step.) For example, accountLockAttr=true.

3. On the Account Attributes page, add the value specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to nsaccountlock. The attribute must be of type string.

4. Set the nsAccountLock LDAP attribute on the resource to true.

   Identity Manager sets nsaccountlock to true when disabling an account. It also assumes that pre-existing LDAP users that have nsaccountlock set to true are disabled. If the nsaccountlock has any value other than true (including null), the system concludes the user is enabled.

Disable Accounts without the nsmanageddisabledrole and nsAccountLock Attributes

If the nsmanageddisabledrole and nsAccountLock attributes are not available on your directory server, but the directory server has a similar method of disabling accounts, enter one of the following class names into the LDAP Activation Method field. The value to enter in the LDAP Activation Parameter field varies, depending on the class.

Class Name	When to Use:
com.waveset.adapter.util.ActivationByAttributeEnableFalse	The directory server enables an account by setting an attribute to false, and disables an account by setting the attribute to true.  Add the attribute to the schema map. Then enter the Identity Manager name for the attribute (defined on the left side of the schema map) in the LDAP Activation Parameter field.
com.waveset.adapter.util.ActivationByAttributeEnableTrue	The directory server enables an account by setting an attribute to true, and disables an account by setting the attribute to false.  Add the attribute to the schema map. Then enter the Identity Manager name for the attribute (defined on the left side of the schema map) in the LDAP Activation Parameter field.
com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable	Identity Manager should disable accounts by pulling an attribute/value pair from LDAP and enable accounts by pushing an attribute/value pair to LDAP.  Add the attribute to the schema map. Then enter the attribute/value pair in the LDAP Activation Parameter field. Use the Identity Manager name for the attribute, as defined on the left side of the schema map.
com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable	Identity Manager should disable accounts by pushing an attribute/value pair to LDAP and enable accounts by pulling an attribute/value pair from LDAP.  Add the attribute to the schema map. Then enter the attribute/value pair in the LDAP Activation Parameter field. Use the Identity Manager name for the attribute, as defined on the left side of the schema map.
com.waveset.adapter.util.ActivationNsManagedDisabledRole	The directory uses a specific role to determine the account status. If an account is assigned to this role, the account is disabled.  Add the role name to the schema map. Then enter a value in the LDAP Activation Parameter field, using the following format: IDMAttribute=CN=roleName,baseContext IDMAttribute is the Identity Manager name for the role, as defined on the left side of the schema map.

ADAM Support

The LDAP adapter can be configured to provision to Microsoft’s Active Directory Application Mode (ADAM). The following sections describe how to enable ADAM support.

• Modifying the ADAM Schema

• Enabling and Disabling Accounts in ADAM

Modifying the ADAM Schema

The ADAM schema may have to be adjusted for use with Identity Manager. The resource schema and the identity template in an LDAP resource often contains a reference to a unique identifier (or account ID). ADAM differs from other LDAP implementation in that

• In ADAM, objectclass definitions only allow a single naming attribute. (A naming attribute is an attribute that appears in the leftmost RDN component of the DN.)

• The uid attribute is defined as multi-valued.

• The cn attribute is defined as single-valued and cannot be longer than 64 characters.

The ADAM schema defines the attribute index configuration. Each attribute definition entry in the schema has a searchFlags attribute. For example, the definition for Uid is located at cn=Uid,cn=Schema under the schema context. The searchFlags attribute is a bitmask and values 1 (create index), 2 (create index in each container) and 64 (index to support efficient VLV queries) are related to indexing.

Refer to the Microsoft documentation on updating the schema in an ADAM instance.

Enabling and Disabling Accounts in ADAM

Reconciliation in ADAM can use either the Paged Results Control or the Virtual List View Control. To use the former, check the “Use Paged Results Control” checkbox in the resource's resource parameters configuration page. To use the latter, the attribute named in the “VLV Sort Attribute” field on the resource's resource parameters configuration page must be indexed in ADAM with the option to support efficient VLV queries. See Modifying the ADAM Schema for details.

Active Sync is not supported with ADAM.

Use the following procedure to allow Identity Manager to enable and disable accounts in ADAM.

Enabling and Disabling Accounts in ADAM

1. On the LDAP Resource Parameters page, set the LDAP Activation Method parameter to com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable

2. Set the LDAP Activation Parameter to Identity_System_Attribute=true (The Identity System attribute will be specified on the Account Attributes page in the next step.) For example, MyUserAccountDisabled=true

3. On the Account Attributes page, add the Identity System attribute specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to msDS-UserAccountDisabled. The attribute must be of type string.