Tuning LDAP to Improve Searches in Communications Services Clients

Allowing Directory Browsing

New in this release, Connector for Microsoft Outlook 7 2005Q4 allows the end user to browse directories. When the user opens the address book page, the first 10 entries in the directory are displayed. The user can scroll up and down, or type a few characters, and the results are refreshed automatically. This is a change from previous versions of Connector for Microsoft Outlook, in which the user could only search for one particular user.

To enable this feature while keeping good performance, the connector relies on two LDAP request controls: Virtual List View (VLV) and Server Side Sorting of Search Results (RFC 2891). The following ldapsearch example returns the list of controls the server supports:

ldapsearch -s base "objectclass=*" supportedControl 
supportedControl=1.2.840.113556.1.4.473  ------> Server Side Sort Control 
supportedControl=2.16.840.1.113730.3.4.9 ------> VLV Control 
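As an added illustration, not code from the connector or from Directory Server, the Python below encodes what those two controls carry on the wire for the first page of a browse (the first 10 entries sorted by cn): the RFC 2891 SortKeyList and the VLV byOffset request. The DER helpers, the function names and the page size are assumptions.

```python
# Added example (not connector or Directory Server code): builds the values of the
# two request controls a VLV browse sends, Server Side Sort (RFC 2891) and VLV.
# The DER helpers, function names and the page size are assumptions.
from typing import List, Tuple

SSS_OID = "1.2.840.113556.1.4.473"   # Server Side Sort control
VLV_OID = "2.16.840.1.113730.3.4.9"  # Virtual List View control

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (a leading 0x00 keeps 128..255 positive)."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def sort_key_list(keys: List[Tuple[str, bool]]) -> bytes:
    """SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType OCTET STRING,
    orderingRule [0] OPTIONAL (omitted here), reverseOrder [1] BOOLEAN DEFAULT FALSE }"""
    items = b""
    for attr, reverse in keys:
        item = _tlv(0x04, attr.encode("utf-8"))
        if reverse:  # only encoded when TRUE, as DER requires for a DEFAULT value
            item += _tlv(0x81, b"\xff")
        items += _tlv(0x30, item)
    return _tlv(0x30, items)

def vlv_request(before: int, after: int, offset: int, content_count: int,
                context_id: bytes = b"") -> bytes:
    """VirtualListViewRequest with a byOffset target: SEQUENCE { beforeCount INTEGER,
    afterCount INTEGER, byOffset [0] SEQUENCE { offset, contentCount }, contextID OPTIONAL }"""
    by_offset = _tlv(0xA0, _der_int(offset) + _der_int(content_count))
    body = _der_int(before) + _der_int(after) + by_offset
    if context_id:  # returned by the server; echoed back on follow-up scrolls
        body += _tlv(0x04, context_id)
    return _tlv(0x30, body)

def browse_request_controls(sort_attr: str, page_size: int) -> List[Tuple[str, bool, bytes]]:
    """Controls for the first page of a browse: sort on sort_attr, then ask for entry 1
    and the page_size-1 entries after it. VLV is only valid together with the sort."""
    return [(SSS_OID, True, sort_key_list([(sort_attr, False)])),
            (VLV_OID, True, vlv_request(0, page_size - 1, 1, 0))]
```

The control values are what the connector's address-book request hands the server; the server must both advertise the two OIDs above and, through the ACIs described next, permit the binding user to send them.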

The Sun Java System Directory Server supports both controls. However, by default the VLV control is available only to authenticated users, as the ACI on its feature entry shows:

ldapsearch -D "cn=Directory Manager" -b \
"oid=2.16.840.1.113730.3.4.9,cn=features,cn=config" \
"objectclass=*" aci 

aci=(targetattr != "aci")(version 3.0; acl "VLV Request Control"; \
allow( read, search, compare, proxy ) userdn = "ldap:///all";)

To grant anonymous access to the VLV control, add the corresponding ACI:

ldapmodify -D "cn=Directory Manager"
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow (compare,read,search) userdn = "ldap:///anyone";)

To improve the performance of searches requiring VLV plus Sort, create a Browsing Index in the Directory Server (as described in “Managing Browsing Indexing” in the Sun Java System Directory Server 5 2005Q1 Administration Guide). Each Browsing Index is specific to one base DN, search filter, scope, and sorting attribute. The VLV settings can be tuned on the client side using the deployment configuration tool.

For the example deployment used here, create a Browsing Index with a base DN of dc=red,dc=sesta,dc=com, a filter of (&(mail=*)(cn=*)), and a sort on the cn attribute. The Browsing Index entries are added under the database configuration that holds the base DN (in this case userRoot):

ldapmodify -D "cn=Directory Manager"
dn: cn=Browsing red.sesta.com,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: vlvSearch
cn: Browsing red.sesta.com
vlvbase: dc=red,dc=sesta,dc=com
vlvscope: 2
vlvfilter: (&(mail=*)(cn=*))
# the userdn subject is assumed to be anonymous, as the acl name indicates
aci: (targetattr="*")(version 3.0; acl "VLV for Anonymous"; allow (read,search,compare) userdn = "ldap:///anyone";)

dn: cn=Sort by cn,cn=Browsing red.sesta.com,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: vlvIndex
cn: Sort by cn
vlvSort: cn

Next, run the vlvindex command from the serverroot/slapd-instance directory to build the index for the new vlvIndex entry:

./vlvindex -n userRoot -T "Sort by cn"