LDAP
LDAP Permissions
- Create a proxy user, e.g. cn=karma,ou=sa,o=system
- Make the proxy user a trustee of the tree object with all needed read/write permissions.
For eDirectory 9.0 onwards Karma uses the Proxied Authorization LDAP Control to read the Provisioning request definitions with the permissions of the logged-in user instead of the configured LDAP Proxy user. For this feature to work, the Karma LDAP Proxy account must have supervisor rights on the impersonated user. Click here for more details and configuration.
LDAP Tuning
Indexes
Indexes can be set via iManager or via LDIF import. Both alternatives require write permissions to the eDirectory server object and are documented in the following sub-sections.
Installation via LDIF Import
<Index Version>$<Index Name>$<Index State>$<Index Rule>$<Index Type>$<Index Value State>$<AttributeName>
Index State: should be 2
Specifies the state of the index.
- 0 – Denotes the ‘suspended’ state. This means that this index is not used in queries and not updated.
- 1 – Denotes the ‘Bringing Online’ state. This means that the index is in the process of being created. It has two states, Bringing Online (low) and Bringing Online (high).
  - Bringing Online (low) indicates that the index creation process on the said attribute is pending.
  - Bringing Online (high) indicates that the index creation is in progress.
- 2 – Denotes the ‘online’ state, which indicates that the index is up and working.
- 3 – Denotes the ‘Pending Creation’ state, which indicates that the index has been defined and is waiting for the background process to run. The background process changes the state after the building begins.
Note that when defining an index, this field should be set to 2 (online).
Index Rule
- 0 – Value Matching, which optimizes queries that involve the entire value or the first part of the value. For example, a query for all entries with a surname equal to Jensen or beginning with Jen.
- 1 – Presence Matching, which optimizes queries that involve only the presence of an attribute. For example, a query for all entries with a surname attribute.
- 2 – Substring Matching, which optimizes queries that involve a match of a few characters. For example, a query for all entries with a surname containing der. This query returns entries with the surnames of Derington, Anderson, and Lauder.
Index Type: always 0
Specifies who created the index.
- 0 – User Defined
- 1 – Added on Attribute Creation
- 2 – Required for Operation
- 3 – System Index
When defining an index, this field has to be set to 0.
Index Value State: always 1
Specifies the source of the index.
- 0 – Uninitialized
- 1 – Added from Server
- 2 – Added from Local DIB
- 3 – Deleted from Local DIB
- 4 – Modified from Local DIB
When defining an index, this field needs to be set to 1.
Set the following index definitions for each server that will be queried by Karma. Be sure that NetIQ Identity Manager has been installed so that the schema is extended accordingly. eDirectory will respond with an error: LDAP: error code 16 - No Such Attribute if you try to index an attribute that does not exist.
If you define a custom sort attribute in your configuration, add a value index for this attribute as well.
Adjust the server DN according to your environment.
dn: cn=idm,ou=servers,o=system
changetype: modify
add: indexDefinition
indexDefinition: 0$karma(businessCategory_v)$2$0$0$1$businessCategory
indexDefinition: 0$karma(cn_ss)$2$2$0$1$cn
indexDefinition: 0$karma(costCenter_ss)$2$2$0$1$costCenter
indexDefinition: 0$karma(costCenter_v)$2$0$0$1$costCenter
indexDefinition: 0$karma(description_ss)$2$2$0$1$description
indexDefinition: 0$karma(displayName_ss)$2$2$0$1$displayName
indexDefinition: 0$karma(displayName_v)$2$0$0$1$displayName
indexDefinition: 0$karma(employeeType_v)$2$0$0$1$employeeType
indexDefinition: 0$karma(givenName_ss)$2$2$0$1$Given Name
indexDefinition: 0$karma(groupMembership_v)$2$0$0$1$Group Membership
indexDefinition: 0$karma(mail_ss)$2$2$0$1$Internet EMail Address
indexDefinition: 0$karma(mail_v)$2$0$0$1$Internet EMail Address
indexDefinition: 0$karma(memberQueryURL_p)$2$1$0$1$memberQuery
indexDefinition: 0$karma(nrfApprovalProcessId_v)$2$0$0$1$nrfApprovalProcessId
indexDefinition: 0$karma(nrfAssignedRoles_v)$2$0$0$1$nrfAssignedRoles
indexDefinition: 0$karma(nrfAssociatedRoles_v)$2$0$0$1$nrfAssociatedRoles
indexDefinition: 0$karma(nrfContainerRoles_v)$2$0$0$1$nrfContainerRoles
indexDefinition: 0$karma(nrfDecisionDate_v)$2$0$0$1$nrfDecisionDate
indexDefinition: 0$karma(nrfDescription_v)$2$0$0$1$nrfDescription
indexDefinition: 0$karma(nrfEndDate_v)$2$0$0$1$nrfEndDate
indexDefinition: 0$karma(nrfGroupRoles_v)$2$0$0$1$nrfGroupRoles
indexDefinition: 0$karma(nrfInheritedRoles_v)$2$0$0$1$nrfInheritedRoles
indexDefinition: 0$karma(nrfLocalizedNames_v)$2$0$0$1$nrfLocalizedNames
indexDefinition: 0$karma(nrfMemberOf_v)$2$0$0$1$nrfMemberOf
indexDefinition: 0$karma(nrfOriginator_v)$2$0$0$1$nrfOriginator
indexDefinition: 0$karma(nrfRequestDate_v)$2$0$0$1$nrfRequestDate
indexDefinition: 0$karma(nrfRequester_v)$2$0$0$1$nrfRequester
indexDefinition: 0$karma(nrfSourceDN_v)$2$0$0$1$nrfSourceDN
indexDefinition: 0$karma(nrfStartDate_v)$2$0$0$1$nrfStartDate
indexDefinition: 0$karma(nrfTargetDN_v)$2$0$0$1$nrfTargetDN
indexDefinition: 0$karma(ou_ss)$2$2$0$1$ou
indexDefinition: 0$karma(ou_v)$2$0$0$1$ou
indexDefinition: 0$karma(sapUsername_ss)$2$2$0$1$sapUsername
indexDefinition: 0$karma(sapUsername_v)$2$0$0$1$sapUsername
indexDefinition: 0$karma(srvprvCategoryKey_v)$2$0$0$1$srvprvCategoryKey
indexDefinition: 0$karma(srvprvLocalizedNames_v)$2$0$0$1$srvprvLocalizedNames
indexDefinition: 0$karma(srvprvStatus_v)$2$0$0$1$srvprvStatus
indexDefinition: 0$karma(surname_ss)$2$2$0$1$surname
indexDefinition: 0$karma(surname_v)$2$0$0$1$surname
indexDefinition: 0$karma(workforceID_ss)$2$2$0$1$workforceID
indexDefinition: 0$karma(workforceID_v)$2$0$0$1$workforceID
If the Karma shopping cart feature is used and the attributes k5CorrelationId and k5OrderId exist in the schema, add an index definition for those attributes as well.
dn: cn=idm,ou=servers,o=system
changetype: modify
add: indexDefinition
indexDefinition: 0$karma(k5CorrelationId_v)$2$0$0$1$k5CorrelationId
indexDefinition: 0$karma(k5OrderId_v)$2$0$0$1$k5OrderId
After modifying indexes using LDIF, trigger the LIMBER process to initiate the indexing update. Otherwise, the update happens automatically when the LIMBER process next starts as per its schedule.
At the shell prompt, type the following commands:
ndstrace
set ndstrace= +lmbr
set ndstrace= *l
exit
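A pre-import check for the LDIF above, as an added example (not part of the Karma documentation): it parses each indexDefinition value against the field rules documented in this section and flags entries whose name suffix disagrees with the Index Rule. The suffix convention (_v = value, _p = presence, _ss = substring) is inferred from the listed definitions, the function names are hypothetical, and LDIF lines are assumed to be unfolded.

```python
import re

# Field order documented above:
# <Index Version>$<Index Name>$<Index State>$<Index Rule>$<Index Type>$<Index Value State>$<AttributeName>
RULES = {"0": "value", "1": "presence", "2": "substring"}
# Assumption: the suffix in the index name mirrors the Index Rule field.
SUFFIX_RULE = {"_v": "0", "_p": "1", "_ss": "2"}

def check_definition(value):
    """Return a list of problems found in one indexDefinition value."""
    parts = value.split("$", 6)  # attribute names may contain spaces
    if len(parts) != 7:
        return ["expected 7 '$'-separated fields, got %d" % len(parts)]
    _version, name, state, rule, itype, vstate, attr = parts
    problems = []
    if state != "2":
        problems.append("Index State must be 2 (online), got %r" % state)
    if rule not in RULES:
        problems.append("Index Rule must be 0, 1 or 2, got %r" % rule)
    if itype != "0":
        problems.append("Index Type must be 0 (User Defined), got %r" % itype)
    if vstate != "1":
        problems.append("Index Value State must be 1, got %r" % vstate)
    if not attr.strip():
        problems.append("attribute name is empty")
    m = re.search(r"(_ss|_v|_p)\)$", name)
    if m and rule in RULES and SUFFIX_RULE[m.group(1)] != rule:
        problems.append("name suffix %s does not match rule %s (%s)"
                        % (m.group(1), rule, RULES[rule]))
    return problems

def check_ldif(text):
    """Map LDIF line number -> problems for every indexDefinition line."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("indexDefinition:"):
            problems = check_definition(line.split(":", 1)[1].strip())
            if problems:
                findings[lineno] = problems
    return findings

# Constructed sample: lines 6 and 7 are deliberately wrong.
SAMPLE = """dn: cn=idm,ou=servers,o=system
changetype: modify
add: indexDefinition
indexDefinition: 0$karma(cn_ss)$2$2$0$1$cn
indexDefinition: 0$karma(mail_v)$2$0$0$1$Internet EMail Address
indexDefinition: 0$karma(ou_v)$2$2$0$1$ou
indexDefinition: 0$karma(surname_ss)$0$2$3$1$surname
"""
```

Run check_ldif() on the file before importing it; an empty result means every definition follows the documented field values.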
Installation via iManager
To add indexes via iManager, navigate to your iManager URL (https://server:port/nps), log in with administrative credentials and navigate to eDirectory Maintenance - Indexes. Then select a server object and click Create to add a new index definition. Repeat the step for all indexes listed in the previous section.
Note: If using iManager, the limber process will be automatically started when you apply the settings.
Cache
Large (4 GB dib): optimal between 250 MB and 1 GB
Medium (>700 MB): between 300 MB and 600 MB
Small (<700 MB): between 250 MB and 400 MB
Database cache configuration
Max. disk space: x
Maximum cache size: 600000 KB
Block cache percentage: 50 %
Cache adjust interval: 15 sec.
Cache cleanup interval: 15 sec.
Permanent cache settings: x