Configure User Management to use Virtual List View (VLV)

Directory synchronization is an important requirement for User Management. The users and groups are synchronized from an enterprise directory to the LiveCycle database for assigning roles and permissions. The number of users varies from 100 to 100000+ depending on the requirements, and it poses an engineering challenge to synchronize data efficiently.

The LDAP protocol provides a mechanism to query large data sets in a paginated way by using request controls. When using Microsoft Active Directory, LDAP to LiveCycle database synchronization uses PagedResultsControl for retrieving data in batches of a particular size. The Sun ONE Directory Server does not support this control. To complete a paginated query against the Sun ONE Directory Server, use the Virtual List View (VLV) control. This control involves both directory server-side configuration and client-side implementation.

Note: This section describes using the VLV control for the Sun ONE Directory Server. However, you can use this control for any directory server that supports VLV control.

  1. When configuring the directory, select Enable Virtual List View (VLV) Control on both the User Settings page and the Group Settings page. When you select the check box, you must also specify a sort name in the Sort Field box. The default value is uid. (See Adding directories or custom SPIs or Edit a directory.)

  2. Use Sun ONE Administration Console or a command-line script to create the LDAP VLV entries for users and groups. If you use a command-line script, you can use the sample users and groups LDIF files. (See Configuring the Sun ONE Directory Server for VLV.)

  3. Stop the server and create the required index. (See Create the Directory Server Index for VLV.)

Configuring the Sun ONE Directory Server for VLV

Creating a VLV requires a pair of entries that include the vlvSearch and vlvIndex object classes. The vlvSearch entry includes a search base and the vlvFilter attribute, which specifies the object class that contains the attributes you intend to sort. The vlvIndex object class includes the vlvSort attribute, which specifies one or more attributes to sort and the order to sort them in. (A minus sign (-) denotes reverse alphabetical order). Using VLV with LiveCycle requires separate entries for users and groups.

Note: The Object entries can be created by using the Sun ONE graphical user interface (GUI) or through a command-line script. For instructions about creating the Object entries using the GUI, see the Sun ONE documentation.

Here is a sample script LDIF for VLV entry for users:

dn: cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config 
objectclass: top 
objectclass: vlvSearch 
cn: lcuser 
vlvBase: dc=corp,dc=adobe,dc=com 
vlvScope: 2 
vlvFilter: (&(objectclass=inetOrgPerson)) 
aci: (target="ldap:///cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config")(targetattr="*")(version 3.0; acl "Config" 
;allow(read,search,compare) userdn="ldap:///all"; ) 
dn: cn=lcuser,cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config 
cn: lcuser 
vlvSort: cn 
objectclass: top 
objectclass: vlvIndex

Create the object entries using a script

  1. The sample script has an LDAP entry named lcuser. This entry is for VLV-related configuration for user synchronization in LiveCycle. Modify the following properties accordingly:

    Entry name: The entry name in this sample is lcuser. If lcuser is changed, it must be changed in all areas of the sample script.

    vlvBase: The Base DN specified on the User Settings page.

    vlvFilter: The Search Filter specified on the User Settings page.

    vlvSort: The Sort Field specified in the VLV settings section of the User Settings page. A VLV control requires you to specify a sort control. This field is used as the sort parameter for the vlv index created.

    aci: The access control specified in the sample script grants any authenticated user the right to access the VLV indexes for read, search, and compare operations. The administrator can restrict access to a binding user, which is configured in the Directory Server Settings page specified in the User Management user interface. If permissions are not given, user search cannot use the VLV, and the LDAP server throws a permission exception.

    Note: As a convention, the vlvIndex entry name is also set to lcuser, but you can give it a different name. Use the same name in the vlvindex tool. (See Create the Directory Server Index for VLV.)

  2. Using the ldapmodify tool provided with Sun ONE Server, create a similar entry for groups by using the group's Base DN, Search Filter and Sort Field respectively:

    server directory\shared\bin>ldapmodify -v -a -h host -p port -D "admin user" -w "password" -f "LDIF file location"

    For example, type the following text:

    D:\tools\ldap\sun\shared\bin> -v -a -h localhost -p 55850 -D "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" -w "admin" -f "D:\tools\ldap\data\vlv feature\users.ldif"

Create the Directory Server Index for VLV

After configuring the directory settings and creating the LDAP VLV entries for users and groups, stop the server and create the required index.

  1. After creating object entries, stop the Sun ONE Server.

  2. Using the vlvindex tool, generate the index by typing the following text:

    directory server instance\vlvindex.bat -n userRoot -T lcuser

    The following output is generated:

    D:\tools\ldap\sun\shared\bin>..\..\slapd-chetanmeh-xp3\vlvindex.bat -n userRoot -T livecycle 
[21/Nov/2007:16:47:26 +051800] - userRoot: Indexing VLV: livecycle 
[21/Nov/2007:16:47:27 +051800] - userRoot: Indexed 1000 entries (5%). 
[21/Nov/2007:16:47:27 +051800] - userRoot: Indexed 2000 entries (9%). 
... 
[21/Nov/2007:16:47:29 +051800] - userRoot: Indexed 20000 entries (94%). 
[21/Nov/2007:16:47:29 +051800] - userRoot: Indexed 21000 entries (99%). 
[21/Nov/2007:16:47:29 +051800] - userRoot: Finished indexing.

    The vlvindex tool is present in the directory server instance directory. If the Sun ONE Server has two instances running server1 and server2, the vlvindex tool is located in Sun ONE server directory\server1 directory. The value for parameter -T is the value of the cn attribute of the vlvindex entry created previously in the sample LDIF. In this case, it is lcuser.

  3. If VLV is also enabled for groups, create the corresponding index for the groups. Verify whether the indexes are created by running the following command:

    sun one server directory\shared\bin>ldapsearch -h hostname -p port no -s base -b "" objectclass=*

    Output such as the following sample data is generated:

    D:\tools\ldap\sun\shared\bin>ldapsearch.exe -h localhost -p 55850 -s base -b "" objectclass=* 
ldapsearch.exe: started Tue Nov 27 16:34:20 2007 
version: 1 
dn: 
objectClass: top 
namingContexts: dc=corp,dc=adobe,dc=com 
supportedExtension: 2.16.840.1.113730.3.5.7 
... 
vlvsearch: cn=MCC ou=testdata dc=corp dc=adobe dc=com, cn=userRoot,cn=ldbm dat 
    abase,cn=plugins,cn=config 
vlvsearch: cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config 
vlvsearch: cn=Browsing ou=testdata,cn=userRoot,cn=ldbm database,cn=plugins,cn= 
    config 
1 matches

// Ethnio survey code removed