Directory synchronization is an important requirement for
User Management. The users and groups are synchronized from an enterprise
directory to the LiveCycle database for assigning roles and permissions.
The number of users varies from 100 to 100000+ depending on the
requirements, and it poses an engineering challenge to synchronize
data efficiently.
The LDAP protocol lets a client retrieve a large result set in pages by attaching request controls to the search. When the directory is Microsoft Active Directory, LDAP-to-LiveCycle database synchronization uses the Simple Paged Results control (PagedResultsControl) to retrieve entries in batches of a configured size. Sun ONE Directory Server does not support that control. To page a query against Sun ONE Directory Server, use the Virtual List View (VLV) control instead. VLV involves both directory server-side configuration (a VLV index built for the exact base, scope, filter and sort key the client will send) and client-side implementation (the VLV request control, which must be accompanied by a server-side sort control).
Note: This section describes using the VLV control
for the Sun ONE Directory Server. However, you can use this control
for any directory server that supports VLV control.
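The client side of the exchange, as an added example that is not LiveCycle or Sun ONE code: a Python program that encodes the server-side sort control (RFC 2891) and the VLV request control (draft-ietf-ldapext-ldapv3-vlv) as they go on the wire, decodes the VLV response control, and computes the sequence of offsets a synchronization client sends to walk a sorted list in fixed-size batches. It uses hand-written BER so it runs without an LDAP library or a server; the page size and entry counts in the usage section are constructed values.

```python
"""Encode the LDAP controls a VLV client sends, decode the server's response,
and plan the offsets for batch retrieval.  Added example (not LiveCycle or
Sun ONE code); pure-Python BER, no LDAP library or server needed."""

SORT_REQUEST_OID = "1.2.840.113556.1.4.473"   # server-side sort, RFC 2891
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"   # VirtualListViewRequest
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"  # VirtualListViewResponse


# ---- minimal BER helpers (definite-length, as LDAP requires) ----------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def ber_int(n, tag=0x02):
    """Two's-complement INTEGER of minimal length (128 needs two bytes)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return _tlv(tag, n.to_bytes(size, "big", signed=True))


def ber_str(b, tag=0x04):
    return _tlv(tag, b)


def ber_bool(v, tag=0x01):
    return _tlv(tag, b"\xff" if v else b"\x00")


def ber_seq(*items, tag=0x30):
    return _tlv(tag, b"".join(items))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); handles long-form lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first


# ---- control values ---------------------------------------------------------
def sort_control_value(keys):
    """SortKeyList from ["cn", "-sn"]; a leading '-' sets reverseOrder [1]."""
    items = []
    for key in keys:
        parts = [ber_str(key.lstrip("-").encode())]
        if key.startswith("-"):
            parts.append(ber_bool(True, tag=0x81))
        items.append(ber_seq(*parts))
    return ber_seq(*items)


def vlv_request_value(before, after, offset=1, content_count=0, assertion=None):
    """VirtualListViewRequest.  Default target is byOffset [0] (constructed,
    0xA0); pass assertion=b"..." for greaterThanOrEqual [1] (primitive, 0x81),
    which positions the window at the first sort-key value >= assertion."""
    if assertion is not None:
        target = ber_str(assertion, tag=0x81)
    else:
        target = ber_seq(ber_int(offset), ber_int(content_count), tag=0xA0)
    return ber_seq(ber_int(before), ber_int(after), target)


def ldap_control(oid, value, critical=True):
    """Control ::= SEQUENCE { controlType, criticality, controlValue }."""
    return ber_seq(ber_str(oid.encode()), ber_bool(critical), ber_str(value))


def parse_vlv_response(value):
    """-> (targetPosition, contentCount, result, contextID)."""
    _, body, _ = read_tlv(value)
    fields, pos = [], 0
    while pos < len(body):
        tag, v, pos = read_tlv(body, pos)
        fields.append(v if tag == 0x04 else int.from_bytes(v, "big", signed=True))
    ctx = fields[3] if len(fields) > 3 else b""
    return fields[0], fields[1], fields[2], ctx


def page_plan(page_size, server_count):
    """(offset, contentCount) pairs for walking server_count entries in pages.
    The first request carries contentCount=0 ("unknown"); every later one
    echoes the server's count, because the server rescales a client offset
    whenever the client's contentCount differs from its own."""
    plan = [(1, 0)]
    offset = 1 + page_size
    while offset <= server_count:
        plan.append((offset, server_count))
        offset += page_size
    return plan


if __name__ == "__main__":
    # constructed values: 1000-entry pages over a 21000-entry user list
    sort = ldap_control(SORT_REQUEST_OID, sort_control_value(["uid"]))
    for offset, count in page_plan(1000, 21000):
        vlv = ldap_control(VLV_REQUEST_OID, vlv_request_value(0, 999, offset, count))
        print("offset %5d  sort=%s vlv=%s" % (offset, sort.hex(), vlv.hex()))
```

Both controls are sent on every search request; the sort key (uid here) must be the attribute the server's vlvIndex entry sorts on, or the index is not used. The contentCount echo in page_plan is the detail most clients get wrong: sending 0 on every request is harmless, but sending a stale count makes the server rescale the offset and the client silently skips or repeats entries.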
When configuring the directory, select Enable Virtual List View (VLV) Control on both the User Settings page and the Group Settings page. When you select the check box, you must also specify the attribute to sort on in the Sort Field box. The default value is uid. (See Adding directories or custom SPIs or Edit a directory.)
Use Sun ONE Administration Console or a command-line script
to create the LDAP VLV entries for users and groups. If you use
a command-line script, you can use the sample users and groups LDIF
files. (See Configuring the Sun ONE Directory Server for VLV.)
Stop the server and create the required index. (See Create the Directory Server Index for VLV.)
Configuring the Sun ONE Directory Server for VLV

Creating a VLV requires a pair of entries that use the vlvSearch and vlvIndex object classes. The vlvSearch entry defines the search: a base (vlvBase), a scope (vlvScope) and the vlvFilter attribute, which selects the entries to be sorted (in the sample, by object class). The vlvIndex entry is a child of the vlvSearch entry and carries the vlvSort attribute, which lists one or more attributes to sort on and the direction of the sort (a leading minus sign (-) denotes reverse order). The server uses the index only for searches whose base, scope, filter and sort match these entries exactly, so the values must be the ones LiveCycle sends. Using VLV with LiveCycle requires separate entry pairs for users and groups.
Note: The Object entries can be created by using the
Sun ONE graphical user interface (GUI) or through a command-line
script. For instructions about creating the Object entries using
the GUI, see the Sun ONE documentation.
Here is a sample LDIF for the VLV entry pair for users. The blank line between the two entries is required by LDIF, and the aci value is one logical line folded onto continuation lines that begin with a single space, as LDIF requires:
dn: cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: vlvSearch
cn: lcuser
vlvBase: dc=corp,dc=adobe,dc=com
vlvScope: 2
vlvFilter: (&(objectclass=inetOrgPerson))
aci: (target="ldap:///cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,
 cn=config")(targetattr="*")(version 3.0; acl "Config";
 allow (read,search,compare) userdn="ldap:///all";)

dn: cn=lcuser,cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: lcuser
vlvSort: cn
objectclass: top
objectclass: vlvIndex
Create the object entries using a script

The sample script has an LDAP entry named lcuser, which holds the VLV configuration for user synchronization in LiveCycle. Modify the following properties accordingly:

Entry name: The entry name in this sample is lcuser. If you change it, change it everywhere it appears in the sample script (the cn attribute, both dn values and the aci target).

vlvBase: The Base DN specified on the User Settings page.

vlvFilter: The Search Filter specified on the User Settings page.

vlvSort: The Sort Field specified in the VLV settings section of the User Settings page. The default Sort Field is uid while the sample sorts on cn; change one or the other so that they agree. A VLV control must be accompanied by a sort control, and this field is the sort key of the VLV index; the server serves a search from the index only when the base, scope, filter and sort of the request match the vlvSearch and vlvIndex entries exactly.

aci: The access control in the sample script grants any authenticated user (userdn="ldap:///all") read, search and compare rights on the VLV entries. A more restrictive choice is to grant these rights only to the bind user configured on the Directory Server Settings page of the User Management user interface, for example userdn="ldap:///uid=lcsync,ou=service,dc=corp,dc=adobe,dc=com" (a placeholder DN). If the bind user lacks these permissions, user search cannot use the VLV index and the LDAP server returns an insufficient-access error.
Using the ldapmodify tool provided with Sun ONE Server, load the LDIF file, and create a similar entry pair for groups by using the group's Base DN, Search Filter and Sort Field respectively:
server directory\shared\bin>ldapmodify -v -a -h host -p port -D "admin user" -w "password" -f "LDIF file location"
For example, type the following text:
D:\tools\ldap\sun\shared\bin>ldapmodify -v -a -h localhost -p 55850 -D "uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot" -w "admin" -f "D:\tools\ldap\data\vlv feature\users.ldif"
A password given with -w is visible in the command history and in the process list. On a shared host, read it from a file instead (Sun's ldapmodify accepts -j passwordfile; see ldapmodify -H), and bind with an account that is permitted to write under cn=config.
Create the Directory Server Index for VLV

After configuring the directory settings and creating the LDAP VLV entries for users and groups, stop the Sun ONE Server and generate the index with the vlvindex tool by typing the following text:
directory server instance\vlvindex.bat -n userRoot -T lcuser
The following output is generated:
D:\tools\ldap\sun\shared\bin>..\..\slapd-chetanmeh-xp3\vlvindex.bat -n userRoot -T lcuser
[21/Nov/2007:16:47:26 +051800] - userRoot: Indexing VLV: lcuser
[21/Nov/2007:16:47:27 +051800] - userRoot: Indexed 1000 entries (5%).
[21/Nov/2007:16:47:27 +051800] - userRoot: Indexed 2000 entries (9%).
...
[21/Nov/2007:16:47:29 +051800] - userRoot: Indexed 20000 entries (94%).
[21/Nov/2007:16:47:29 +051800] - userRoot: Indexed 21000 entries (99%).
[21/Nov/2007:16:47:29 +051800] - userRoot: Finished indexing.
The vlvindex tool is located in the directory server instance directory, not in shared\bin. If the Sun ONE Server has two instances running, server1 and server2, the vlvindex tool for the first is located in Sun ONE server directory\server1. The value of the -n parameter is the backend whose entries are indexed (userRoot, matching the cn=userRoot component of the entry DNs in the sample LDIF). The value of the -T parameter is the value of the cn attribute of the vlvIndex entry created previously in the sample LDIF; in this case, it is lcuser.
If VLV is also enabled for groups, run vlvindex again with the name of the group entry to create the corresponding index. Verify that the vlvSearch entries are registered by reading the root DSE, which lists every vlvSearch entry the server knows about in its vlvsearch attribute:
sun one server directory\shared\bin>ldapsearch -h hostname -p port no -s base -b "" objectclass=*
Output such as the following sample data is generated (the other vlvsearch entries shown are pre-existing ones on that test server; only the lcuser entry belongs to LiveCycle):
D:\tools\ldap\sun\shared\bin>ldapsearch.exe -h localhost -p 55850 -s base -b "" objectclass=*
ldapsearch.exe: started Tue Nov 27 16:34:20 2007
version: 1
dn:
objectClass: top
namingContexts: dc=corp,dc=adobe,dc=com
supportedExtension: 2.16.840.1.113730.3.5.7
...
vlvsearch: cn=MCC ou=testdata dc=corp dc=adobe dc=com, cn=userRoot,cn=ldbm database,cn=plugins,cn=config
vlvsearch: cn=lcuser,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
vlvsearch: cn=Browsing ou=testdata,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
1 matches
This listing confirms only that the vlvSearch entries exist. The index itself is exercised by the first synchronization run; a search whose base, scope, filter or sort does not match the entries exactly is not served from the index, so keep the Settings page values and the LDIF in step.