Working With Naming and Directory Services in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
NIS-to-LDAP Best Practices With Oracle Directory Server Enterprise Edition
Creating Virtual List View Indexes With Oracle Directory Server Enterprise Edition
VLVs for Custom and Nonstandard Maps
Avoiding Server Timeouts With Oracle Directory Server Enterprise Edition
Avoiding Buffer Overruns With Oracle Directory Server Enterprise Edition
The N2L service supports Oracle Directory Server Enterprise Edition. Other third-party LDAP servers might work with the N2L service, but they are not supported by Oracle. If you are using an LDAP server other than the Oracle Directory Server Enterprise Edition server or a compatible Oracle server, you must manually configure that server to support the schemas defined in RFC 2307, RFC 2307bis and RFC 4876, or their successors.
If you are using the Oracle Directory Server Enterprise Edition, you can enhance the directory server to improve performance. To make these enhancements, you must have LDAP administrator privileges on the Oracle Directory Server Enterprise Edition. In addition, the directory server might need to be rebooted, a task that must be coordinated with the server's LDAP clients. The Oracle Directory Server Enterprise Edition documentation is available on the Sun Java System Directory Server Enterprise Edition 6.2 web site.
For large maps, LDAP virtual list view (VLV) indexes must be used to ensure LDAP searches return complete results. For information about setting up VLV indexes on the Oracle Directory Server Enterprise Edition, see the Sun Java System Directory Server Enterprise Edition 6.2 documentation.
VLV search results use a fixed page size of 50000. If VLVs are used with Oracle Directory Server Enterprise Edition, both the LDAP server and N2L server must be able to handle transfers of this size. If all of your maps are known to be smaller than this limit, you do not need to use VLV indexes. However, if your maps are larger than the size limit, or you are unsure of the size of all maps, use VLV indexes to avoid incomplete returns.
If you are using VLV indexes, set up the appropriate size limits as follows.
On the Oracle Directory Server Enterprise Edition, the nsslapd-sizelimit attribute must be set to a value greater than or equal to 50000, or to -1. See the idsconfig(1M) man page.
On the N2L server, the nisLDAPsearchSizelimit attribute must be set to a value greater than or equal to 50000, or to zero. For more information, see the NISLDAPmapping(4) man page.
After VLV indexes have been created, activate them by running dsadm with the vlvindex option on the Oracle Directory Server Enterprise Edition server. See the dsadm(1M) man page for more information.
Use the Oracle Directory Server Enterprise Edition idsconfig command to set up VLVs if the following conditions apply:
You are using Oracle Directory Server Enterprise Edition.
You are mapping standard maps to RFC 2307bis LDAP entries.
VLVs are domain specific, so each time idsconfig is run, VLVs are created for one NIS domain. Therefore, during the NIS-to-LDAP transition, you must run idsconfig once for each nisLDAPdomainContext attribute included in the NISLDAPmapping file.
You must manually create new Oracle Directory Server Enterprise Edition VLVs for maps, or copy and modify existing VLV indexes, if the following conditions apply:
You are using the Oracle Directory Server Enterprise Edition.
You have large custom maps or have standard maps that are mapped to nonstandard DIT locations.
To view existing VLV indexes, type the following:
% ldapsearch -h hostname -s sub -b "cn=ldbm database,cn=plugins,cn=config" "objectclass=vlvSearch"
When the N2L server refreshes a map, the refresh can generate a large amount of LDAP directory access. If the Oracle Directory Server Enterprise Edition is not correctly configured, the refresh operation might time out before it completes. To avoid directory server timeouts, modify the following Oracle Directory Server Enterprise Edition attributes, either manually or by running the idsconfig command.
For example, to raise the limit on the time, in seconds, that the server spends on a search request, modify this attribute:
dn: cn=config
nsslapd-timelimit: -1
For testing purposes, you can use an attribute value of -1, which indicates no limit. When you have determined the optimum limit value, change the attribute value. Do not maintain any attribute settings at -1 on a production server. With no limits, the server might be vulnerable to Denial of Service attacks.
For more information about configuring Oracle Directory Server Enterprise Edition with LDAP, see Chapter 11, Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks) of this book.
To avoid buffer overruns, modify the following Oracle Directory Server Enterprise Edition attributes, either manually or by running the idsconfig command.
For example, to increase the maximum number of entries that are returned for a client search query, modify this attribute:
dn: cn=config
nsslapd-sizelimit: -1
To increase the maximum number of entries that are examined for a client search query, modify this attribute:
dn: cn=config, cn=ldbm database, cn=plugins, cn=config
nsslapd-lookthroughlimit: -1
For testing purposes, you can use an attribute value of -1, which indicates no limit. When you have determined the optimum limit value, change the attribute value. Do not maintain any attribute settings at -1 on a production server. With no limits, the server might be vulnerable to Denial of Service attacks.
If VLVs are being used, the size limit attributes (nsslapd-sizelimit and nisLDAPsearchSizelimit) should be set as described in Creating Virtual List View Indexes With Oracle Directory Server Enterprise Edition. If VLVs are not being used, the size limit should be set large enough to accommodate the largest container.
For more information about configuring Oracle Directory Server Enterprise Edition with LDAP, see Chapter 11, Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks).
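As an added example, not part of the Oracle documentation and not Oracle code, the following Python script turns the checks from the VLV, timeout and buffer-overrun sections above into something runnable. It reads constructed cn=config LDIF (the shape ldapsearch prints), compares nsslapd-sizelimit and the N2L nisLDAPsearchSizelimit with the fixed VLV page size of 50000, flags the -1 (DSEE) and zero (N2L) no-limit settings as a production risk, builds ldapmodify input that replaces each unlimited DSEE attribute with a finite value, and checks vlvSearch output from the ldapsearch shown earlier for a VLV covering each nisLDAPdomainContext. The vlvBase attribute name, the sample entries and DNs, and the replacement value 60000 are assumptions; treating zero as the N2L no-limit sentinel follows the page's wording, not a verified man-page quotation.

```python
"""Audit DSEE/N2L search limits against the N2L VLV page size and check VLV
coverage per NIS domain context. Added example; sample data is constructed."""

VLV_PAGE_SIZE = 50000      # fixed page size of N2L VLV searches (from the page)

# Sentinel meaning "no limit": DSEE uses -1; for nisLDAPsearchSizelimit the
# page allows zero, treated here as the N2L equivalent (assumption).
NO_LIMIT = {
    "nsslapd-sizelimit": -1,
    "nsslapd-timelimit": -1,
    "nsslapd-lookthroughlimit": -1,
    "nisLDAPsearchSizelimit": 0,
}
SIZE_LIMITS = ("nsslapd-sizelimit", "nisLDAPsearchSizelimit")
# Where each DSEE attribute lives (DNs as on the page; the N2L attribute
# lives in NISLDAPmapping, not in the directory).
DN_FOR = {
    "nsslapd-sizelimit": "cn=config",
    "nsslapd-timelimit": "cn=config",
    "nsslapd-lookthroughlimit": "cn=config,cn=ldbm database,cn=plugins,cn=config",
}


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output: {dn: {attr: [values]}}.
    Joins ' '-prefixed continuation lines, splits records on blank lines and
    skips comments. Attribute names are lower-cased (LDAP treats them
    case-insensitively); base64 (::) values are not needed for these entries."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = {}, {}, None
    for line in lines + [""]:            # trailing "" flushes the last record
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            attrs, dn = {}, None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return entries


def audit_limits(config_ldif, n2l_sizelimit, production=False):
    """Return {attribute: status}: 'ok'; 'too-small' (size limit below the VLV
    page size, so VLV transfers can be truncated); 'unlimited', reported as
    'unlimited-risk' when production=True (the exposure the page warns about);
    or 'missing' when the attribute is absent from the LDIF."""
    values = {}
    for attrs in parse_ldif(config_ldif).values():
        for name in DN_FOR:
            if name.lower() in attrs:
                values[name] = int(attrs[name.lower()][0])
    values["nisLDAPsearchSizelimit"] = n2l_sizelimit
    report = {}
    for name, sentinel in NO_LIMIT.items():
        if name not in values:
            report[name] = "missing"
        elif values[name] == sentinel:
            report[name] = "unlimited-risk" if production else "unlimited"
        elif name in SIZE_LIMITS and values[name] < VLV_PAGE_SIZE:
            report[name] = "too-small"
        else:
            report[name] = "ok"
    return report


def remediation_ldif(report, chosen):
    """Build ldapmodify(1) input replacing each unlimited DSEE attribute with
    the finite value chosen for it (site-specific numbers; constructed here)."""
    records = []
    for name, status in report.items():
        if status.startswith("unlimited") and name in DN_FOR and name in chosen:
            records.append("dn: %s\nchangetype: modify\nreplace: %s\n%s: %d\n"
                           % (DN_FOR[name], name, name, chosen[name]))
    return "\n".join(records)


def domains_without_vlv(vlv_ldif, domain_contexts):
    """Given the vlvSearch ldapsearch output, return the nisLDAPdomainContext
    values with no VLV whose base is at or under them (assumes DSEE vlvSearch
    entries carry a vlvBase attribute)."""
    bases = [b.lower().replace(", ", ",") for attrs in parse_ldif(vlv_ldif).values()
             for b in attrs.get("vlvbase", [])]
    missing = []
    for ctx in domain_contexts:
        c = ctx.lower().replace(", ", ",")
        if not any(b == c or b.endswith("," + c) for b in bases):
            missing.append(ctx)
    return missing


# Constructed sample output (not captured from a real server).
SAMPLE_CONFIG = """\
dn: cn=config
nsslapd-sizelimit: -1
nsslapd-timelimit: 3600

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-lookthroughlimit: -1
"""
SAMPLE_VLV = """\
dn: cn=example.com.getpwent.vlv,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: vlvSearch
vlvBase: ou=people,dc=example,dc=com
vlvScope: 1
vlvFilter: (objectClass=posixAccount)
"""

if __name__ == "__main__":
    report = audit_limits(SAMPLE_CONFIG, n2l_sizelimit=0, production=True)
    for name, status in report.items():
        print("%-26s %s" % (name, status))
    print(remediation_ldif(report, {"nsslapd-sizelimit": 60000,
                                    "nsslapd-lookthroughlimit": 60000}))
    print(domains_without_vlv(SAMPLE_VLV, ["dc=example,dc=com",
                                           "dc=lab,dc=example,dc=com"]))
```

On a real system the two LDIF inputs would come from ldapsearch against cn=config and the vlvSearch query shown above, and the nisLDAPsearchSizelimit value from the NISLDAPmapping file; the LDIF that remediation_ldif prints is fed to ldapmodify once the site has chosen its finite limits, so that no -1 setting survives the testing phase.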