Creating an LDAP environment to test a tool

Yesterday I spent some time helping a developer who is creating a tool for synchronizing accounts between an RDBMS and an LDAP server, and thought I would document the process. The tool basically requests all the accounts from the RDBMS sorted by a specific attribute, then makes a similar request to the LDAP server. The customer expected the number of records to max out at about 200,000 entries.

The first thing we did was spin up local copies of MySQL and the LDAP server. I'm not going to document the MySQL part since there are a million pages available on that.

Note that the DSEE 6.3 binaries were already installed on my test machine under /opt/dsee6. I personally prefer the zip-based distribution.

Here are the steps for the LDAP server:

Step 1 – create a new instance and add a suffix for the data

# export PATH=$PATH:/opt/dsee63/ds6/bin

# dsadm create -w /tmp/dspassword /data/ds3

# dsadm start /data/ds3

# dsconf create-suffix dc=example,dc=com

Step 2 – create a sample LDIF with 200k entries

# cd /opt/dsee63/dsrk6/bin/example_files

# cp example.template 200k.template

# vi 200k.template (change the numusers value to 200000 and add employeeNumber as a sequentially valued attribute)

# ../makeldif -t 200k.template -o 200k.ldif

Step 3 – import the sample data

# dsadm stop /data/ds3

# dsadm import -i /data/ds3 /opt/dsee63/dsrk6/bin/example_files/200k.ldif

# dsadm start /data/ds3

Step 4 – create an account with proper settings

We created an account uid=dbsync,ou=admins,dc=example,dc=com that will be used by the application to perform the search and updates.

Note that we had to adjust 2 attributes on the dbsync account so that its searches are not cut off by the default size and look-through limits. We added the following operational attributes/values:

nsSizeLimit: -1

nsLookThroughLimit: -1

We also added an ACI to the ou=people,dc=example,dc=com branch giving the dbsync user full permissions:

aci: (targetattr != "aci")(version 3.0;acl "db sync - full permissions";allow (all)(userdn = "ldap:///uid=dbsync,ou=admins,dc=example,dc=com");)

The tool was now able to pull back all 200,000 entries, but was not able to make a server-side sort request.

To enable server-side sorting we had to create a VLV index.

Step 5 – VLV index creation

We used the following LDIF to create a VLV index sorting on employeenumber:

dn: cn=people_browsing_index,cn=example,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
cn: Browsing ou=People
vlvBase: ou=People,dc=example,dc=com
vlvScope: 1
vlvFilter: (objectclass=inetOrgPerson)
aci: (targetattr="*")(version 3.0; acl "VLV for Anonymous";allow (read,search,compare) userdn="ldap:///all";)

dn: cn=Sort employeenumber,cn=people_browsing_index,cn=example,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvIndex
cn: Sort employeenumber
vlvSort: employeenumber
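As an added example (not from this post or from the DSEE tools), here is a small Python checker for the ACI shape used in Step 4 and in the VLV entry above: it parses the targetattr, acl name, rights and userdn bind rule and flags the settings a reviewer would query before putting the instance anywhere near real account data. The sample ACIs are the two from this post re-typed with straight quotes; the regex is an assumption that covers only this single-target, single-bind-rule shape, not the full DSEE ACI grammar.

```python
import re

# Constructed input: the two ACIs from this post, with straight quotes and a plain hyphen.
SAMPLE_ACIS = [
    '(targetattr != "aci")(version 3.0;acl "db sync - full permissions";'
    'allow (all)(userdn = "ldap:///uid=dbsync,ou=admins,dc=example,dc=com");)',
    '(targetattr="*")(version 3.0; acl "VLV for Anonymous";'
    'allow (read,search,compare) userdn="ldap:///all";)',
]

# Assumption: only the ACI shape on this page (no targetfilter, groupdn, ip, etc.).
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'\s*\(version\s*3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;'
    r'\s*(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*\(?\s*userdn\s*=\s*"(?P<userdn>[^"]*)"\s*\)?\s*;\s*\)',
    re.IGNORECASE,
)

def parse_aci(aci):
    """Split one ACI string into its target, name, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax: %r" % aci)
    return {
        "name": m.group("name"),
        "negated": m.group("op") == "!=",
        "targetattrs": [a.strip() for a in m.group("attrs").split("||")],
        "permission": m.group("perm").lower(),
        "rights": [r.strip().lower() for r in m.group("rights").split(",")],
        "userdn": m.group("userdn"),
    }

def audit_aci(aci):
    """Return the findings a reviewer would raise for one ACI (empty if none)."""
    a = parse_aci(aci)
    findings = []
    if a["permission"] == "allow" and "all" in a["rights"]:
        findings.append("grants all rights (write/add/delete included)")
    if a["negated"] and a["targetattrs"] == ["aci"]:
        findings.append("targets every attribute except aci, userPassword included")
    if not a["negated"] and "*" in a["targetattrs"]:
        findings.append('targetattr="*" covers every attribute in scope')
    if a["userdn"] == "ldap:///anyone":
        findings.append("bind rule matches anonymous and authenticated users")
    elif a["userdn"] == "ldap:///all":
        findings.append("bind rule matches every authenticated user")
    return findings
```

Run against the two ACIs above it reports that the dbsync rule grants all rights on every attribute but aci, and that the "VLV for Anonymous" rule uses ldap:///all, which in DSEE matches authenticated users rather than anonymous binds (that would be ldap:///anyone).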

We then had to use dsadm to build the index:

# dsadm stop /data/ds3

# dsadm reindex -l -t "Sort employeeNumber" /data/ds3 dc=example,dc=com

# dsadm start /data/ds3

After these changes the tool was able to query all 200,000 entries and have the server return them as a sorted list.

We also ended up making 2 small performance tweaks to the server, though these weren't strictly required:

dsconf set-server-prop db-env-path:/tmp/ds_cache

dsconf set-server-prop db-batched-transaction-count:5

dsadm restart /data/ds3

Copyright © 2010 williamhathaway.com. All Rights Reserved.