Identity Manager 4.6 brings a modern Users Catalog for you, through which you can get user details, find user permissions, groups a user belongs to, or edit user details.
The User Catalog lists users in three different views as follows:
List view: provides a user listing with complete details, where a user will be listed in the left hand side and detailed information upon selection on right, in addition to this it also provides editing for the selected user and an option to navigate to the Organization chart.
Card View: users will be listed in card with primary details, which are configured by the administrator under the settings. Users complete details and editing will be provided by clicking on the card, which redirects to the details page.
Manage Users View: users will be detailed in a tabular format, where user attributes (configured properties) are defined as table columns against listed users.
Manage Users provides sorting users against a selected column (attribute). In selected order.
Attributes listed as a column header can be customized, the column customization section provides an ability to add any attribute you have configured in your schema as a column header which is shown below.
Manager users supports multiple user deletion upon selection of the listed user check box as shown below.
Manager Users Column customization.
Comprehensive solution to find the user with given attribute value.
User Catalog provides two types of search:
Quick Search – type down search.
Advanced Search – definitive search, where a user will be provided with an option to enter a value against a defined attribute. In addition, it also provides, starts with, and ends with, check on the attributes.
DN Search – search user by inputting DN.
All three views support both quick as well as advanced search. Quick search is the default search. Quick searchable attributes are configured under the quick search filter as shown below.
Advanced search will be enabled upon selection, it is shown as below.
Advanced search takes precedence over quick search.
Sorting and Pagination:
User catalog uses eDirectory as its directory store for data processing, which is an indexed data store. Where sorting will be done against two forms, single indexed attribute sort, and compound index attribute sort. User catalog supports both. These are configurable under ism-configuration property.
Compound indexed attributes are explained in the below section.
Pagination: where user search results will be returned in chunks, size defined as page size from the index specified by the user.
Users catalog achieves pagination and sorting support with the help of Virtual List View Control (VLV), which runs at LDAP OID: 2.16.840.1.113730.3.4, works in combination with Sort Control.
Provides two counts as part of Users Catalog views.
Note: VLV Control in addition to sorted results in a page also provides the overall result count. Sometimes calculating the overall result count can take time.
To overcome this issue, eDirectory introduced new Control in 9.0.2, 8.8.8 patch 9 hot fix 2 with OID “2.16.840.1.113722.214.171.124.57”, enabling or disabling this control removes Search Count from VLV result.
The Organization chart lists logged in Users, Managers, and Direct Reports.
It also provides user search – where the user can search other users and view their Organization chart (Full Name search).
A user can also view the position of other users in Organization hierarchy.
It also provides a View More Information option, which details user Complete Information by redirecting to the user list view. Show Quick Info provides user, manager, and direct Report basic details which are listed as primary attributes under settings page.
A compound index is a new type of index available in eDirectory 9.0.2 or 8.8.8 patch 9 hot fix 2. It is a value index on more than one attribute.
It behaves similar to value indexes, stores the value for the attributes as part of the key for the index.
Why Compound Index:
It was primarily added to support sorting on multiple attributes for Server Side Sort control.
Indexes are internally stored in ordered form of the keys.
Having compound indexes helps having ordered results on multiple attributes.
Though the primary use for compound indexes is for sorting, they can be used for better performance of searches if the attributes being searched are part of some compound indexes. In case you are interested in sorting (Hint: Manage Users) on custom attributes, then read the following section on how to create compound indexes.
How to configure compound indexes:
1. Create an Ldif file with the compound index entries: (Example)
dn: CN=linux-32ep,OU=servers,O=system (Your Server DN)
indexdefinition: 0$gnsnindex$0$0$0$1$given name$surname (Order Should be proper)
dn: CN=linux-32ep,OU=servers,O=system (Your Server DN)
2. Command to create indexes:
ice -S LDIF -a -c -f comp.ldif -D LDAP -s 126.96.36.199 -p 389 -d cn=admin,ou=sa,o=system -w novell -F –B
3. To check if indexes are online or not you can use the below command:
ndsindex list -D cn=admin,ou=sa,o=system -w novell -s CN=linux-32ep,OU=servers,O=system
Comparison with OTHER Indexes:
The cost of managing compound indexes in terms of time should be of the same order as of any other value index.
Any modification (addition/deletion of value) would require the index to be updated.
Cost in terms of disk space for compound indexes would be in the order of number of attributes added to the compound index.
The key size for compound indexes would be higher as all attribute values would need to be added to the key as well if any of the attributes are present, then a key for that would be added to the index,
Which would result is bigger keys as well as more keys as compared to normal value indexes.
(Note: Having a high number of indexes in general, has an adverse performance impact on modify operations as all indexes having the modified attribute have to be updated. This is not specific to compound indexes.)
Error Message to look for (in case compound indexes are not working).
If compound indexes are present for the attribute, you will receive the following error in “Manage Users page”.
“Sorting functionality does not work for //attribute key//attribute. Please contact the system administrator for more details”.
Following error user would receive in the Catalina.out with complete exception trace.
OperationNotSupportedException: [LDAP: error code 53 – Unwilling To Perform].
User catalog details user information (attributes) with two level abstraction.
Schema Configuration under User Application Driver – Schema is an attribute abstraction from eDirectory, where a customer configures their own attributes as part of the schema. It also provides an attribute name map between eDirectory attribute name and LDAP attribute name.
User catalog is configured to read the default user schema.
User Settings Page – Identity Manager 4.6 introduced Settings page, which provides an abstraction for the Administrator to configure user attributes, differentiating them as primary, secondary, and other.
Settings page provides customization under customization->navigation Items type User.
User Attributes are divided as primary, secondary, and other. Each will be configured by drag and dropping attributes under respective section.
Primary and secondary attributes will be part of the card view displayed under the Organization chart and card view. You can also configure the Image, hide or show with user display.
Attributes Listed under Edit user profile will be configured under Editable Attributes. In addition to this you can also configure the Default attribute values, which will be prepopulated in create user profile.
User catalog lists user under configured container (Organization Unit), Settings page facilitates this under User General Settings.
Access and Rights:
User catalog Navigation and Access Rights can be configured under Settings->Access-> Navigation type user.
Please Refer to https://www.netiq.com/communities/cool-solutions/identity-manager-4-6-dashboard-configuring-client-settings/ for further details.
Note: If the logged in user does not have sufficient eDirectory rights to view other users…list or card view will not display those users, but users count will still count on those users. You will see a difference in count.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.