
Working With Oracle® Solaris 11.4 Directory and Naming Services: LDAP


Updated: November 2020
 
 

NIS-to-LDAP Best Practices With Oracle Unified Directory

The N2L service supports OUD. Although other third-party LDAP servers might work with the N2L service, they are not supported by Oracle. If you are using an LDAP server other than an OUD server or compatible Oracle servers, you must manually configure the server to support the schemas of RFC 2307, RFC 2307bis and RFC 4876, or later standards.

If you are using OUD, you can tune the directory server to improve performance. To make these changes, you must have LDAP administrator privileges on the OUD server. In addition, you must coordinate with the LDAP clients if the directory server needs to be restarted. The OUD documentation is available at Oracle Unified Directory documentation.

Creating Virtual List View Indexes With Oracle Unified Directory

For large maps, you must use the LDAP virtual list view (VLV) indexes to ensure that LDAP searches return complete results. For information about setting up VLV indexes on OUD, see the Oracle Unified Directory documentation.

VLV search results use a fixed page size of 50000. If you are using VLVs with OUD, ensure that both the LDAP server and N2L server are able to handle transfers of this size. If all of your maps are known to be smaller than this limit, you do not need to use VLV indexes. However, if your maps are larger than the size limit or you are unsure of the size of all maps, use VLV indexes to avoid incomplete returns.

If you are using VLV indexes, set up the appropriate size limits as follows:

  • On the OUD server, ensure that the nsslapd-sizelimit attribute is set to a value greater than or equal to 50000, or to -1. For more information, see the ldapservercfg(8) man page.

  • On the N2L server, ensure that the nisLDAPsearchSizelimit attribute is set to a value greater than or equal to 50000, or to zero. For more information, see the NISLDAPmapping(5) man page.

After VLV indexes have been created, activate them by running dsadm with the vlvindex option on the OUD server. For more information, see the dsadm(8) man page.

VLVs for Standard Maps

Use the OUD ldapservercfg command to set up VLVs if the following conditions apply:

  • You are using OUD.

  • You are mapping standard maps to RFC 2307bis LDAP entries.

VLVs are domain specific, so each time ldapservercfg is run, VLVs are created for one NIS domain. Therefore, during the N2L transition, you must run ldapservercfg once for each nisLDAPdomainContext attribute included in the NISLDAPmapping file.

VLVs for Custom and Nonstandard Maps

You must manually create new OUD VLVs for maps, or copy and modify existing VLV indexes, if the following conditions apply:

  • You are using OUD.

  • You have large custom maps or have standard maps that are mapped to nonstandard DIT locations.

To view existing VLV indexes, type the following command:

% ldapsearch -H ldapuri -s sub -b "cn=ldbm database,cn=plugins,cn=config" "objectclass=vlvSearch"

Avoiding Server Timeouts With Oracle Unified Directory

When the N2L server refreshes a map, the result might require a lengthy LDAP directory access. If OUD is not correctly configured, the refresh operation might time out before completion. To avoid directory server timeouts, modify OUD attributes manually or by running the ldapservercfg command.

For example, you might want to modify the following attributes to increase the minimum amount of time in seconds that the server should spend performing the search request:

dn: cn=config
nsslapd-timelimit: -1

For testing purposes, you can use an attribute value of -1, which indicates no limit. When you have determined the optimum limit value, change the attribute value. Do not maintain any attribute settings at -1 on a production server. With no limits, the server might be vulnerable to Denial of Service attacks.

For more information about configuring OUD with LDAP, see Setting Up an Oracle Unified Directory Server or OpenLDAP Server.

Avoiding Buffer Overruns With Oracle Unified Directory

To avoid buffer overruns, modify the following attributes manually or by running the ldapservercfg command.

Example 3  Increase the Maximum Number of Entries Returned

This example shows how to set attributes to increase the maximum number of entries that are returned for a client search query.

The following example is specific to OpenLDAP:

dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1

The following example is specific to OUD:

dn: cn=MyRootUser,cn=Root DNs,cn=config
changetype: modify
add: ds-rlim-size-limit
ds-rlim-size-limit: -1

The attribute value -1 indicates no limit. A value of -1 can be used for testing purposes. When you have determined the optimum limit value, change the attribute value.

Note - Do not maintain any attribute settings at -1 on a production server. With no limits, the server might be vulnerable to Denial of Service attacks.

If VLVs are being used, the sizelimit attribute values should be set as defined in Creating Virtual List View Indexes With Oracle Unified Directory. If VLVs are not being used, the size limit should be set large enough to accommodate the largest container.

Example 4  Increase the Maximum Number of Entries Verified

This example shows how to set attributes to increase the maximum number of entries that are verified for a client search query.

The following example is specific to OUD. OpenLDAP does not have an equivalent to the lookthrough-limit attribute.

dn: cn=MyRootUser,cn=Root DNs,cn=config
changetype: modify
add: ds-rlim-lookthrough-limit
ds-rlim-lookthrough-limit: -1
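The two rules this page sets for search limits (a server-side size or lookthrough limit must be at least the 50000 VLV page size, as described under Creating Virtual List View Indexes With Oracle Unified Directory, and a -1 "no limit" value must not survive into production, as the notes to Examples 3 and 4 state) are easy to forget once testing is over. The following Python script is an added example, not code from the Oracle documentation or from OUD: it parses a constructed LDIF export of the configuration entries (such as ldapsearch output for cn=config) and reports every limit that is either too small for VLV pages or still unlimited. The attribute-name sets, the severity labels and the sample entries are assumptions; the N2L server's nisLDAPsearchSizelimit value is assumed to be passed in as an integer rather than read from the NISLDAPmapping file.

```python
"""Audit LDAP search-limit settings against the N2L/VLV rules on this page.

Added example, not Oracle's code.  Input is a constructed LDIF export of the
configuration entries (e.g. from ldapsearch -b cn=config) plus the N2L
server's nisLDAPsearchSizelimit value, which is assumed to be passed in as
an integer rather than read from the NISLDAPmapping file.
"""
import re

VLV_PAGE_SIZE = 50000  # fixed page size of the N2L VLV searches

# Attribute names are compared case-insensitively.  nsslapd-* are the names
# used with ldapservercfg, ds-rlim-* the OUD root-DN limits, olc* the OpenLDAP
# cn=config names.  Only -1 is treated as "unlimited" on the server side.
SIZE_ATTRS = {"nsslapd-sizelimit", "ds-rlim-size-limit", "olcsizelimit"}
LOOKTHROUGH_ATTRS = {"ds-rlim-lookthrough-limit"}
TIME_ATTRS = {"nsslapd-timelimit", "ds-rlim-time-limit", "olctimelimit"}
LIMIT_ATTRS = SIZE_ATTRS | LOOKTHROUGH_ATTRS | TIME_ATTRS


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, split entries on blank
    lines, return [(dn, {attr_lowercase: [values]})].  Base64 (::) values and
    change records are not interpreted; they simply appear as attributes."""
    unfolded = re.sub(r"\n ", "", text)  # LDIF folds long values as "\n "
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def classify(attr, value, production):
    """Return (severity, reason) for one limit value, or None if acceptable."""
    try:
        n = int(value)
    except ValueError:
        return ("warn", f"non-numeric value {value!r}")
    if n == -1:
        if production:
            return ("high", "unlimited (-1): denial-of-service exposure, "
                            "not acceptable on a production server")
        return ("info", "unlimited (-1): acceptable for testing only")
    if attr in TIME_ATTRS:
        return None if n > 0 else ("warn", f"time limit {n} is not positive")
    if n < VLV_PAGE_SIZE:
        return ("high", f"{n} is below the VLV page size {VLV_PAGE_SIZE}: "
                        "VLV searches may return incomplete results")
    return None


def audit(ldif_text, n2l_sizelimit, production=True):
    """Check every limit attribute in the LDIF and the N2L size limit.
    Returns a list of (where, attribute, value, severity, reason)."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for attr, values in attrs.items():
            if attr not in LIMIT_ATTRS:
                continue
            for value in values:
                result = classify(attr, value, production)
                if result is not None:
                    findings.append((dn, attr, value) + result)
    # N2L side: the page allows >= 50000 or 0 (0 = no limit on the N2L server)
    if 0 < n2l_sizelimit < VLV_PAGE_SIZE:
        findings.append(("N2L server", "nisLDAPsearchSizelimit",
                         str(n2l_sizelimit), "high",
                         f"below the VLV page size {VLV_PAGE_SIZE}"))
    return findings


# Constructed sample: a global size limit left too small for VLV pages and a
# test-time unlimited time limit that was never changed back.
SAMPLE_CONFIG = """\
dn: cn=config
nsslapd-sizelimit: 2000
nsslapd-timelimit: -1

dn: cn=MyRootUser,cn=Root DNs,cn=config
ds-rlim-size-limit: 50000
ds-rlim-lookthrough-limit: 50000
"""

if __name__ == "__main__":
    for where, attr, value, severity, reason in audit(SAMPLE_CONFIG, 50000):
        print(f"[{severity}] {where} {attr}={value}: {reason}")
```

Run with production=False while you are still tuning the limits; the -1 values are then reported as informational only. Once the optimum values are in place, run it again with the default production=True, and any -1 that was left behind shows up as a high finding. The sample configuration above produces two findings: the 2000 size limit that would truncate VLV pages and the unlimited time limit.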