B Understanding Virtual List View

This appendix explains some of the concepts about setting up virtual list view (VLV) in the directory server and the global address list (GAL) for Oracle Communications Connector for Microsoft Outlook.

About Virtual List View

The GAL allows users to view and search address book information for users, groups, and calendar resources stored in the corporate directory on the directory server. You can configure the end-user package with VLV browsing index configurations that affect how Connector for Microsoft Outlook queries the GAL.

The GAL is a read-only MAPI address book provided by a directory server. The VLV settings are not configurable if the address book service is provided by Contacts Server.

Connector for Microsoft Outlook uses VLV to optimize GAL information requests. The directory server must also be configured for VLV. The VLV configurations for Connector for Microsoft Outlook must match those configured on the directory server.

In the directory server, the VLV index is precisely defined by the following properties:

  • basedn

  • search filter

  • sort attribute

  • scope

Any mismatch between these properties on the directory server and the configuration in Connector for Microsoft Outlook negatively affects search performance of the corporate directory.

About VLV Settings and Values

If you wanted the GAL search to also provide results from other hosted-domain organizations, you could use the overall base for hosted domains, that is o=isp.

The security ramifications of selecting the Require authentication check box are discussed in "About Granting User Data Access".

This appendix assumes that the directory server has a single database back end for user/group information (o=isp in this example). If multiple database back ends are used for the user/group tree (that is, one per hosted domain), then you need to add VLV browsing indexes to each appropriate back end.

The easiest way to determine the database_backend setting is to refer to the dse.ldif directory configuration file located under the ds5_root_path/config/ directory for Directory Server 5.2, or the ds6_root_path/config/ directory for Directory Server 6.0, and search for nsslapd-suffix: user_group_base.

About the VLV Browsing Index

You must create a VLV browsing index on every directory server used by Connector for Microsoft Outlook. Directory server index configuration settings are not replicated.

Without a VLV browsing index, or if the index settings differ from those configured in Connector for Microsoft Outlook, searches and lookups in the corporate directory take considerable time and Outlook appears to freeze. If the search takes longer than the configured search timeout (1 minute by default), the end user sees no results.

In the directory server logs, you will see VLV searches returning after a period of time with "notes=U" in the result line, indicating the lack of an index.

The following example shows a sample search log:

conn=2500737 op=1 msgId=2 - SRCH base="o=aus.sun.com,o=isp" scope=2 filter="(&(mail=*)(cn=*))" attrs="cn mail uid objectClass"
conn=2500737 op=1 msgId=2 -  SORT cn (12345)
conn=2500737 op=1 msgId=2 -  VLV 1:1:1:0 0:0 (0)
conn=2500737 op=1 msgId=2 - RESULT err=12 tag=101 nentries=0 etime=60 notes=U
conn=2500737 op=10 msgId=11 - ABANDON targetop=9 msgid=10 nentries=0 etime=60
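The log pattern described above is easy to spot by hand in a short excerpt but not in a busy access log. The following Python is an added example (not part of this appendix) that groups the SRCH/SORT/VLV/RESULT lines of each operation and flags VLV searches that are unindexed (notes=U), as well as VLV searches that completed with err=0 but returned no entries, which is the symptom this appendix later associates with a missing user-data ACI. The log sample is constructed from the lines shown on this page.

```python
import re
# Constructed access-log sample: the unindexed VLV search shown above, plus an
# indexed VLV search that completed with err=0 but nentries=0.
SAMPLE_LOG = """\
conn=2500737 op=1 msgId=2 - SRCH base="o=aus.sun.com,o=isp" scope=2 filter="(&(mail=*)(cn=*))" attrs="cn mail uid objectClass"
conn=2500737 op=1 msgId=2 -  SORT cn (12345)
conn=2500737 op=1 msgId=2 -  VLV 1:1:1:0 0:0 (0)
conn=2500737 op=1 msgId=2 - RESULT err=12 tag=101 nentries=0 etime=60 notes=U
conn=197 op=1 msgId=10 - SRCH base="o=example.com,o=isp" scope=2 filter="(&(mail=*)(cn=*))" attrs="uid mail cn"
conn=197 op=1 msgId=10 - SORT cn (10)
conn=197 op=1 msgId=10 - VLV 0:9:0:0 1:10 (0)
conn=197 op=1 msgId=10 - RESULT err=0 tag=101 nentries=0 etime=0
"""

HEAD = re.compile(r"^conn=(\d+) op=(\d+) msgId=\d+ -\s+(\S+)\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_ops(log_text):
    # Group the SRCH/SORT/VLV/RESULT lines of each (conn, op) into one dict.
    ops = {}
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        op = ops.setdefault((m.group(1), m.group(2)), {})
        kind, rest = m.group(3), m.group(4)
        if kind in ("SRCH", "RESULT"):
            op.update({k: v.strip('"') for k, v in FIELD.findall(rest)})
        elif kind == "SORT":
            op["sort"] = rest.split()[0]
        elif kind == "VLV":
            op["vlv"] = True
    return ops

def find_vlv_problems(log_text):
    # Returns (conn, op, reason, base, filter, sort) for every VLV search that
    # was unindexed (notes=U; err=12 is unavailableCriticalExtension) or that
    # succeeded yet returned nothing, which points at access control, not VLV.
    problems = []
    for (conn, op_id), op in parse_ops(log_text).items():
        if op.get("vlv") and op.get("notes") == "U":
            reason = "unindexed VLV search: no matching vlvSearch/vlvIndex"
        elif op.get("vlv") and op.get("err") == "0" and op.get("nentries") == "0":
            reason = "indexed VLV search returned no entries: check user-data ACI"
        else:
            continue
        problems.append((conn, op_id, reason, op.get("base"),
                         op.get("filter"), op.get("sort")))
    return problems
```

The base, filter and sort attribute in each reported tuple are exactly the properties the vlvSearch and vlvIndex entries must match, so the report tells you which index is missing.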

Applying the VLV Browsing Index Settings

The following LDAP modifications add the directory settings required for the VLV index to be created.

ldapmodify -h ds_hostname -p ds_port -D "cn=Directory Manager"
dn: cn=Browsing db_backend,cn=db_backend,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: vlvSearch
cn: Browsing db_backend
vlvbase: org_base
vlvscope: 2
vlvfilter: vlv_search_filter
aci: (targetattr="*")(version 3.0; acl "VLV for Anonymous";
allow (read,search,compare) userdn="ldap:///anyone";)

dn: cn=Sort by vlv_sort_attribute,cn=Browsing db_backend,cn=db_backend,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: vlvIndex
cn: Sort by vlv_sort_attribute
vlvSort: vlv_sort_attribute

The following example shows the directory server settings with sample values:

ldapmodify -h directory.example.com -p 389 -D "cn=Directory Manager"
dn: cn=Browsing isp,cn=isp,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: vlvSearch
cn: Browsing isp
vlvbase: o=example.com,o=isp
vlvscope: 2
vlvfilter: (&(mail=*)(cn=*))
aci: (targetattr="*")(version 3.0; acl "VLV for Anonymous";
allow (read,search,compare) userdn="ldap:///anyone";)
 
dn: cn=Sort by cn,cn=Browsing isp,cn=isp,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: vlvIndex
cn: Sort by cn
vlvSort: cn

See your directory server documentation for more information about creating the VLV browsing index.
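Because the four VLV properties (basedn, search filter, sort attribute, scope) must match between the directory server and Connector for Microsoft Outlook, it is worth checking them mechanically before reindexing. The following Python is an added example (not part of this appendix or the product) that reads vlvSearch/vlvIndex entries from LDIF such as the sample above and reports which properties of the Connector's GAL settings differ from the closest server index; DN and filter comparison ignores case and whitespace, which are the usual sources of silent mismatches.

```python
import re
# Constructed LDIF mirroring the sample vlvSearch/vlvIndex entries above (trimmed).
VLV_LDIF = """\
dn: cn=Browsing isp,cn=isp,cn=ldbm database,cn=plugins,cn=config
objectClass: vlvSearch
vlvbase: o=example.com,o=isp
vlvscope: 2
vlvfilter: (&(mail=*)(cn=*))

dn: cn=Sort by cn,cn=Browsing isp,cn=isp,cn=ldbm database,cn=plugins,cn=config
objectClass: vlvIndex
vlvSort: cn
"""

def parse_ldif(text):
    # One dict per blank-line-separated entry; names lower-cased, values as lists.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                name, value = line.split(":", 1)
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def norm_dn(dn): return ",".join(p.strip().lower() for p in dn.split(","))
def norm_filter(f): return re.sub(r"\s+", "", f).lower()

def vlv_definitions(text):
    # Each vlvIndex inherits base/scope/filter from its parent vlvSearch entry.
    entries = parse_ldif(text)
    searches = {norm_dn(e["dn"][0]): e for e in entries if "vlvbase" in e}
    defs = set()
    for e in (x for x in entries if "vlvsort" in x):
        parent = searches.get(norm_dn(e["dn"][0].split(",", 1)[1]))
        if parent:
            defs.add((norm_dn(parent["vlvbase"][0]), parent["vlvscope"][0],
                      norm_filter(parent["vlvfilter"][0]), e["vlvsort"][0].lower()))
    return defs

def mismatches(ldif_text, base, scope, search_filter, sort_attr):
    # [] when the Connector's GAL settings match a server index; otherwise the
    # properties that differ from the closest index (all four if none exists).
    wanted = (norm_dn(base), str(scope), norm_filter(search_filter), sort_attr.lower())
    names = ("basedn", "scope", "search filter", "sort attribute")
    diffs = [[n for n, a, b in zip(names, wanted, d) if a != b]
             for d in vlv_definitions(ldif_text)]
    return min(diffs, key=len) if diffs else list(names)
```

In practice, feed it the vlvSearch/vlvIndex entries exported from cn=config of each server, since index configuration is not replicated.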

Generating the VLV Browsing Index

Run the following commands to generate the VLV browsing index on the directory server. Because the directory server must be shut down, consider generating the VLV browsing index during off-peak hours.

  • For Oracle Directory Server Enterprise Edition 6

    cd /opt/SUNWdsee/ds6/bin
    ./dsadm stop ds_instance_path
    ./dsadm reindex -l -t "Sort by vlv_sort_attribute" ds_root_path "user_group_base"
    ./dsadm start ds_root_path
    

    The following example shows the commands with sample values:

    cd /opt/SUNWdsee/ds6/bin
    ./dsadm stop /var/opt/SUNWdsee/dsins1/
    ./dsadm reindex -l -t "Sort by cn" /var/opt/SUNWdsee/dsins1/ "o=isp"
    ./dsadm start /var/opt/SUNWdsee/dsins1/
    
  • For Oracle Directory Server Enterprise Edition 5

    cd ds_root_path
    ./stop-slapd
    ./vlvindex -n db_backend -T "Sort by vlv_sort_attribute"
    ./start-slapd
    

    The following example shows the commands with sample values:

    cd /opt/SUNWdir/slapd-directory
    ./stop-slapd
    ./vlvindex -n userRoot -T "Sort by cn"
    ./start-slapd
    

About Granting User Data Access

Consider carefully how to grant access to user and group data in the organization's directory. Organizations are increasingly under pressure to reduce the amount of private data that non-authorized entities can access. Connector for Microsoft Outlook, however, must access user data for correct operation of the GAL and other functionality.

The default directory server installation blocks access to user data. You will likely need to modify access controls for Connector for Microsoft Outlook to provide the best end-user experience.

Determining the Appropriate ACI Mechanisms

The following list enumerates some security approaches for granting access to user data, from most to least preferred:

  • Access by authenticated users in the same domain to limited attributes

  • Access by authenticated users in the same domain to all attributes (except userpassword)

  • Access by authenticated users in any domain to limited attributes

  • Access by authenticated users in any domain to all attributes (except userpassword)

  • Anonymous access to limited attributes

  • Anonymous access to all attributes (except userpassword)

To any of these approaches, you can also apply IP-based restrictions (for example, restrict access to clients running Connector for Microsoft Outlook on hosts within a specific IP range).

See your directory server documentation for more information about ACI mechanisms.

Configuring Authenticated User Access

Configuring authenticated user access is the most desirable approach because it restricts access to only those users who provide the correct authentication details. It is also very granular and lets the administrator identify which user is attempting a search, which is useful for debugging or throttling.

If you use this approach, also consider using SSL encryption for directory server access. Connector for Microsoft Outlook sends user login details in clear text when binding to the directory unless it is configured to communicate with the directory server on a secure port.

Consider making the following configurations:

  • Configure the end-user package with the Require Authentication option.

    In the DCP, on the LDAP tab, select Require Authentication.

  • Set the User DN value.

    In the DCP, on the LDAP tab, in the User DN field, enter a DN pattern, such as uid=%s,ou=People,o=example.com,o=isp.

    This example value binds Connector for Microsoft Outlook as the login user (%s is substituted with the login user name).

  • Enable user access to user/group details.

    Determine the most appropriate ACI for your organization. Specifically, consider who needs to be given access to what.

    If the who is any authenticated user (any user in the directory), then the ACI representation is ldap:///all. If the who is any user at a specific domain level, then the ACI representation can be expressed as a DN wildcard match, such as ldap:///uid=*,ou=people,o=example.com,o=isp.

    The what is controlled by where in the directory tree you add the ACI (for example, at the base of the organization or at the base of a hosted domain). The user/group attributes you choose to return determine what information is provided back to Connector for Microsoft Outlook.

    For example, in a hosted domain environment, you may want to prevent users in one domain from accessing another domain. Apply the access control at the domain level and allow results to be returned only for users whose DN contains the hosted domain LDAP base path.

  • Test your settings.

    Use the following directory server command to test that your settings are working correctly:

    ldapsearch -h ds_hostname -p ds_port -D user_dn -b user_group_base objectclass=inetmailuser dn uid mail
    

    For example:

    ldapsearch -h directory.example.com -p 389 -D "uid=someuser,ou=people,o=aus.sun.com,o=isp" -b o=isp objectclass=inetmailuser dn uid mail
    

    This command should return a list of UIDs, mail addresses, and DNs of the users and groups in the domain or organization, depending on the ACI.

The following examples show different ACI authentication approaches.

Example B-1 Authenticated Access by Users in the Same Domain to Limited Attributes

aci: (targetattr = "cn || displayName || givenName || sn || initials || uid || departmentNumber || title || homePhone || mail || manager || mobile || company || pager || secretary || description || facsimileTelephoneNumber || l || physicalDeliveryOfficeName || postalCode || st || street || c || telephoneNumber || mailAlternateAddress || isMemberOf || objectClass") (version 3.0;acl "Authenticated user access at domain-level"; allow (read,compare,search)(userdn = "ldap:///uid=*,ou=people,o=aus.sun.com,o=isp");)

Example B-2 Authenticated Access by Users in Same Domain to All Attributes (Except Password)

aci: (targetattr != "userPassword")(version 3.0;acl "Authenticated user access at domain-level";
 allow (read,compare,search)(userdn = "ldap:///uid=*,ou=people,o=aus.sun.com,o=isp");)

Example B-3 Authenticated Access by Users in Any Domain to Limited Attributes

aci: (targetattr = "cn || displayName || givenName || sn || initials || uid || departmentNumber || title || homePhone || mail || manager || mobile || company || pager || secretary || description || facsimileTelephoneNumber || l || physicalDeliveryOfficeName || postalCode || st || street || c || telephoneNumber || mailAlternateAddress || isMemberOf || objectClass") (version 3.0;acl "Authenticated user access"; allow (read,compare,search)(userdn = "ldap:///all");)

Example B-4 Authenticated Access by Users in Any Domain to All Attributes (Except Passwords)

aci: (targetattr != "userPassword")(version 3.0;acl "Authenticated user access";
allow (read,compare,search)(userdn = "ldap:///all");)

Once you have determined the most appropriate ACI settings, use the following command to apply the rule to the directory:

ldapmodify -h ds_hostname -p ds_port -D "cn=Directory manager"
dn: base_for_aci
changetype: modify
add: aci
aci: user_data_aci

For example:

ldapmodify -h directory.example.com -p 389 -D "cn=Directory manager"
dn: o=example.com,o=isp
changetype: modify
add: aci
aci: (targetattr != "userPassword")(version 3.0;acl "Authenticated user access at domain-level"; allow (read,compare,search)(userdn = "ldap:///uid=*,ou=people,o=aus.sun.com,o=isp");)

Configuring Anonymous Access

Granting data access to connections that bind anonymously is not desirable, as it increases the risk that data could be accessed by unwanted agents, such as spammers. At a minimum, consider restricting anonymous access by IP address (for example, to the IP addresses used by your organization's servers and clients).

Consider making the following configurations:

  • Configure the end-user package without the Require Authentication option.

    In the DCP, on the LDAP tab, deselect Require Authentication.

    Connector for Microsoft Outlook uses anonymous bind functionality.

  • In the directory server, grant anonymous access to the VLV browsing indexes.

    By default, the directory server does not allow anonymous VLV browsing access. Use the following command on the directory server to enable anonymous VLV browsing access:

    ldapmodify -h ds_hostname -p ds_port -D "cn=Directory Manager"
    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
    changetype: modify
    add: aci
    aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (compare,read,search) userdn = "ldap:///anyone";)
    

    For example:

    ldapmodify -h directory.example.com -p 389 -D "cn=Directory Manager"
    dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
    changetype: modify
    add: aci
    aci: (targetattr !="aci")(version 3.0; acl "VLV Request Control"; allow (compare,read,search) userdn = "ldap:///anyone";)
    
  • In the directory server, enable anonymous access to user/group details.

    By default, the directory server does not allow anonymous access to user/group details. Use the following command on the directory server to grant anonymous access to user/group details.

    ldapmodify -h ds_hostname -p ds_port -D "cn=Directory manager"
    dn: base_for_aci
    changetype: modify
    add: aci
    aci: user_data_aci
    

    For example:

    ldapmodify -h directory.example.com -p 389 -D "cn=Directory manager"
    dn: o=aus.sun.com,o=isp
    changetype: modify
    add: aci
    aci: (targetattr != "userPassword")(version 3.0;acl "Anonymous access"; allow (read,compare,search)(userdn = "ldap:///anyone");)
    

    If you do not successfully add this entry, you do not receive any search results, and the directory server log shows the search completing with err=0 but nentries=0, as in the following example:

    conn=197 op=1 msgId=10 - SRCH base="o=example.com,o=isp" scope=2 filter="(&(mail=*)(cn=*))" attrs="uid mail cn title company telephoneNumber physicalDeliveryOfficeName objectClass"
    conn=197 op=1 msgId=10 - SORT cn (10)
    conn=197 op=1 msgId=10 - VLV 0:9:0:0 1:10 (0)
    conn=197 op=1 msgId=10 - RESULT err=0 tag=101 nentries=0 etime=0
    
  • Test your settings.

    Use the following directory server command to test that your settings are working correctly:

    ldapsearch -h ds_hostname -p ds_port -b user_group_base objectclass=inetmailuser dn uid mail
    

    For example:

    ldapsearch -h directory.example.com -p 389 -b o=isp objectclass=inetmailuser dn uid mail
    

    This command should return a list of UIDs, mail addresses, and DNs of the users and groups in the domain or organization, depending on the ACI.

If your organization restricts access to the directory servers through some other means (for example, network perimeter firewalls which block access to port 389/636), you could use the following rules to allow access to data.

Example B-5 Anonymous Access to Limited Attributes

aci: (targetattr = "cn || displayName || givenName || sn || initials || uid || departmentNumber || title || homePhone || mail || manager || mobile || company || pager || secretary || description || facsimileTelephoneNumber || l || physicalDeliveryOfficeName || postalCode || st || street || c || telephoneNumber || mailAlternateAddress || isMemberOf || objectClass") (version 3.0;acl "Anonymous access"; allow (read,compare,search)(userdn = "ldap:///anyone");)

Example B-6 Anonymous Access to All Attributes (Except Passwords)

aci: (targetattr != "userPassword")(version 3.0;acl "Anonymous access"; allow (read,compare,search)(userdn = "ldap:///anyone");)