4.3 ACLs

4.3.1 Improving eDirectory Searches and Reads

The time an LDAP search in eDirectory takes to return its results depends on the number of attributes returned for each user (inetOrgPerson) object.

When an object is created in eDirectory, default ACLs might be added on the object. This depends on ACL templates in the schema definition for the objectClass to which this object belongs. For example, in the default configuration for inetOrgPerson, there can be up to six ACLs added on the user object. When an LDAP search request is made to return this user object with all attributes, it takes slightly longer to return this object to the client than returning this user object without ACL attributes.

Though default ACLs can be turned off, administrators may not want to turn them off because they are required for better access control. However, you can improve the search performance by not requesting them or by marking them as read filtered attributes. These changes do not break any applications because most applications use effective privileges and do not rely on specific ACLs.

Not requesting ACLs: An ACL attribute is not needed by several applications, so the applications can be modified to request specific attributes in which the application is interested. This results in better performance of the LDAP search.

Marking an ACL as read filtered: If an application cannot be modified, an administrator can use arf_acl.ldif to mark the ACL attribute as a read filtered attribute. When the ACL is marked as read filtered, the server does not return the attribute on the entry if all attributes are requested. However, if the LDAP search requests operational attributes, or if the request specifically asks for the ACL attribute, the marked attribute is returned. rrf_acl.ldif can be used to turn the read filtered flag off again on the ACL attribute. These LDIFs modify the ACL attribute definition in the schema, so only a user with Supervisor rights on the tree root can apply them.

By default, an ACL is not marked as read filtered, so the performance benefit for requests to return all attributes is not seen.

The following table lists the location of the arf_acl.ldif and rrf_acl.ldif files on each platform.

  Platform   Location
  Linux      /opt/novell/eDirectory/lib64/nds-schema/
  Windows    <unzipped_location>\eDirectory\windows\x64\NDSonNT\ndsnt\nds

4.3.2 Disabling ACL Templates

You can disable the Access Control List (ACL) templates to increase bulkload performance. As a consequence, some default ACLs will be missing from newly created objects. You can compensate for this by adding the required ACLs to the LDIF file or by applying them later.

  1. Run the following command:

    ldapsearch -D cn_of_admin -w password -b cn=schema -s base objectclasses=inetorgperson

    The output of this command would be as follows:

    dn: cn=schema
    objectClasses: (2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP
    organizationalPerson STRUCTURAL MAY (groupMembership $ ndsHomeDirectory
    $ loginAllowedTimeMap $ loginDisabled $ loginExpirationTime $
    loginGraceLimit $ loginGraceRemaining $ loginIntruderAddress $
    loginIntruderAttempts $ loginIntruderResetTime $
    loginMaximumSimultaneous $ loginScript $ loginTime $
    networkAddressRestriction $ networkAddress $ passwordsUsed $
    passwordAllowChange $ passwordExpirationInterval $
    passwordExpirationTime $ passwordMinimumLength $ passwordRequired $
    passwordUniqueRequired $ printJobConfiguration $ privateKey $ Profile $ 
    publicKey $ securityEquals $ accountBalance $ allowUnlimitedCredit $
    minimumAccountBalance $ messageServer $ Language $ UID $
    lockedByIntruder $ serverHolds $ lastLoginTime $ typeCreatorMap $
    higherPrivileges $ printerControl $ securityFlags $ profileMembership $
    Timezone $ sASServiceDN $ sASSecretStore $ sASSecretStoreKey $
    sASSecretStoreData $ sASPKIStoreKeys $ userCertificate
    $ nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnections $
    rADIUSAttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistory
    $ rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess
    $ rADIUSPassword $ rADIUSServiceList $ audio $ businessCategory $
    carLicense $ departmentNumber $ employeeNumber $ employeeType $
    givenName $ homePhone $ homePostalAddress  $ initials $ jpegPhoto $
    labeledUri $ mail $ manager $ mobile $ pager $ ldapPhoto $
    preferredLanguage $ roomNumber $ secretary $ uid $ userSMIMECertificate
    $ x500UniqueIdentifier $ displayName $ userPKCS12) X-NDS_NAME 'User'
    X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES ('2#subtree#[Self]#[All Attributes Rights]' '6#entry#[Self]#loginScript' '1#subtree#[Root Template]#[Entry Rights]' '2#entry#[Public]#messageServer' '2#entry#[Root Template]#groupMembership' '6#entry#[Self]#printJobConfiguration' '2#entry#[Root Template]#networkAddress'))

  2. In the output from the previous step, delete the X-NDS_ACL_TEMPLATES flag together with its parenthesized list of templates, that is, everything from X-NDS_ACL_TEMPLATES up to and including the closing parenthesis of that list, so that the definition ends with X-NDS_NONREMOVABLE '1').

  3. Save the revised output as an LDIF file.

  4. Add the following information to the newly saved LDIF file:

    dn: cn=schema
    changetype: modify
    delete: objectclasses
    objectclasses: (2.16.840.1.113730.3.2.2)
    -
    add:objectclasses

    Therefore, your LDIF should now be similar to the following:

    dn: cn=schema
    changetype: modify
    delete: objectclasses
    objectclasses: (2.16.840.1.113730.3.2.2)
    -
    add:objectclasses
    objectClasses: (2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP
    organizationalPerson STRUCTURAL MAY (groupMembership $ ndsHomeDirectory
    $ loginAllowedTimeMap $ loginDisabled $ loginExpirationTime $
    loginGraceLimit $ loginGraceRemaining $ loginIntruderAddress $
    loginIntruderAttempts $ loginIntruderResetTime $
    loginMaximumSimultaneous $ loginScript $ loginTime $
    networkAddressRestriction $ networkAddress $ passwordsUsed $
    passwordAllowChange $ passwordExpirationInterval $
    passwordExpirationTime $ passwordMinimumLength $ passwordRequired
    $ passwordUniqueRequired $ printJobConfiguration $ privateKey $ Profile $ 
    publicKey $ securityEquals $ accountBalance $ allowUnlimitedCredit $
    minimumAccountBalance $ messageServer $ Language $ UID $
    lockedByIntruder $ serverHolds $ lastLoginTime $ typeCreatorMap $
    higherPrivileges $ printerControl $ securityFlags $ profileMembership $
    Timezone $ sASServiceDN $ sASSecretStore $ sASSecretStoreKey $
    sASSecretStoreData $ sASPKIStoreKeys $ userCertificate $
    nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnections $
    rADIUSAttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistory $
    rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess
    $ rADIUSPassword $ rADIUSServiceList $ audio $ businessCategory $
    carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $
    homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledUri $ mail
    $ manager $ mobile $ pager $ ldapPhoto $ preferredLanguage $ roomNumber
    $ secretary $ uid $ userSMIMECertificate $ x500UniqueIdentifier $
    displayName $ userPKCS12) X-NDS_NAME 'User' X-NDS_NOT_CONTAINER '1'
    X-NDS_NONREMOVABLE '1')

  5. Enter the following command:

    ldapmodify -D cn_of_admin -w password -f LDIF_file_name
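Steps 2 through 4 above are hand edits to a very long schema line, which is easy to get wrong (a stray parenthesis in the objectClasses value will be rejected by ldapmodify, or worse, accepted with an unintended definition). The following script, added here as an illustration and not part of eDirectory or its documentation, automates those steps: it unfolds the ldapsearch output, locates the inetOrgPerson definition by its OID, removes only the X-NDS_ACL_TEMPLATES flag and its template list, checks that the parentheses still balance, and emits the delete/add LDIF from step 4. The embedded input is a constructed, shortened copy of the step 1 output (only a few MAY attributes and three templates are kept); function names are this example's own.

```python
"""Build the step 4 LDIF that disables the inetOrgPerson ACL templates.

Added example, not eDirectory code. Input is the text printed by the
ldapsearch command in step 1; output is LDIF for the ldapmodify in step 5.
"""
import re

# Constructed sample: an abbreviated version of the step 1 output, folded the
# way ldapsearch prints long values (continuation lines start with one space).
SAMPLE_LDAPSEARCH_OUTPUT = (
    "dn: cn=schema\n"
    "objectClasses: (2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP \n"
    " organizationalPerson STRUCTURAL MAY (groupMembership $ ndsHomeDirectory \n"
    " $ loginScript $ messageServer $ networkAddress) X-NDS_NAME 'User' \n"
    " X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES \n"
    " ('2#subtree#[Self]#[All Attributes Rights]' '6#entry#[Self]#loginScript' \n"
    " '2#entry#[Root Template]#networkAddress'))\n"
)

INETORGPERSON_OID = "2.16.840.1.113730.3.2.2"

# The X-NDS_ACL_TEMPLATES flag followed by its parenthesised list of quoted
# templates. Template strings contain no quote character, so [^']* is safe.
ACL_TEMPLATES_RE = re.compile(r"\s*X-NDS_ACL_TEMPLATES\s*\((?:\s*'[^']*')*\s*\)")


def unfold_ldif(text):
    """Return logical LDIF lines: a line starting with a space continues the
    previous one (RFC 2849 folding), blank lines are dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def extract_objectclass(search_output, oid):
    """Return the objectClasses value whose definition starts with `oid`."""
    for line in unfold_ldif(search_output):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "objectclasses":
            value = value.strip()
            if value.startswith("(" + oid + " "):
                return value
    raise ValueError("objectClass %s not found in search output" % oid)


def strip_acl_templates(definition):
    """Step 2: remove exactly one X-NDS_ACL_TEMPLATES flag and refuse to
    return a definition whose parentheses no longer balance."""
    stripped, count = ACL_TEMPLATES_RE.subn("", definition)
    if count != 1:
        raise ValueError("expected one X-NDS_ACL_TEMPLATES flag, found %d" % count)
    if stripped.count("(") != stripped.count(")"):
        raise ValueError("unbalanced parentheses after removing ACL templates")
    return stripped


def build_modify_ldif(definition, oid=INETORGPERSON_OID):
    """Step 4: delete the existing definition by OID, then add the new one."""
    return "\n".join([
        "dn: cn=schema",
        "changetype: modify",
        "delete: objectclasses",
        "objectclasses: (%s)" % oid,
        "-",
        "add: objectclasses",
        "objectclasses: " + definition,
        "",
    ])


def disable_acl_templates_ldif(search_output, oid=INETORGPERSON_OID):
    """Steps 2 to 4 in one call: ldapsearch output in, ldapmodify LDIF out."""
    definition = extract_objectclass(search_output, oid)
    return build_modify_ldif(strip_acl_templates(definition), oid)


if __name__ == "__main__":
    import sys
    # Usage: python3 disable_acl_templates.py search_output.txt > disable_acl.ldif
    # Without an argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDAPSEARCH_OUTPUT
    sys.stdout.write(disable_acl_templates_ldif(text))
```

Save the step 1 output to a file, run the script on it, and pass the resulting file to the ldapmodify command in step 5. If the inetOrgPerson definition carries no X-NDS_ACL_TEMPLATES flag (templates already disabled), the script stops with an error instead of producing an LDIF that would rewrite the schema for no reason.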