Optimizing LDAP Sync

Hello everybody,

We're just setting up a new Q1IM installation in our corporation. One essential part is a synchronisation between our existing LDAP directory and Q1IM.

The LDAP directory is a Sun/Oracle Directory Server, version 11.1.1.5.1.
We have to sync more than 100k user accounts every day.

In Q1IM we configured an LDAP domain using the LDAPNovell provider.

Before we can even think about going live, we have to get an agreement with the team responsible for the LDAP directory. They need a detailed list of the data exchange sequence during the sync process, i.e. search requests and how each account is fetched. To get this information, I've set up an LDAP proxy, so I can see exactly what Q1IM is doing during a full sync.
In that log I can see two issues that have to be resolved, otherwise we cannot go live:

1. During a FullSync, Q1IM is retrieving the complete LDAP schema twice. It seems that the process step "Check Namespace LDAP" is fetching the LDAP schema (why is it doing that?) and then the actual Full Sync is doing the same again.
   Even though this doesn't cause any performance issue right away, I will have a hard time explaining to the LDAP team why we're doing this. Especially since that will also happen each time any change is provisioned to an LDAP account, which will cause a lot of unnecessary load in production.
   I found this thread: http://communities.quest.com/message/92108#92108 where this problem has already been discussed. Unfortunately, the solution doesn't work for us. I've made a copy of the VI_LDAP_Domain_FullSync process chain and edited both the "Check Namespace LDAP" step and the "FullSync" step to include the SchemaValidation attribute set to False as described in the thread. Is this attribute even recognized by the LDAPNovell provider, or is it meant for the ADSI provider only?
2. Even more problematic, however, is the fact that Q1IM fetches ALL attributes it can find in the schema for each account, no matter whether they are actually mapped or not. We have defined a very distinctive list of attributes we'd like to fetch for each account and we created a mapping for these in Q1IM. Also, we only have the permission to read these attributes in this specific use case.
   Unfortunately, as you can see in the LDAP log, Q1IM always reads all attributes, some of them containing binary data. This will not only slow down the sync considerably, but we won't get an agreement to go live like this, because the LDAP team will not let us fetch attributes we don't have a read permission for. They will set their ACLs accordingly, but they won't accept that we're explicitly asking for attributes we don't have a read permission for (as this would also clutter their logs).
I don't understand why Q1IM is fetching the schema all the time, even though it's already stored in the LDAP domain object. And I would like to know if there's a way to limit the list of attributes that are read for each account during the sync.
Thanks & best regards, Martin
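The post above reviews an LDAP proxy log by hand to see whether the sync requests only the mapped attributes and how often the schema is read. The following is an added example, not code from the original post or from the Q1IM product: a small audit script that runs over log lines in the shape of a Directory Server access log (the sample lines are constructed for this example, and the exact log format of the poster's proxy is an assumption), flags every search that asks for all attributes or for attributes outside an agreed allow-list, and counts reads of the schema subentry. The allow-list and the connection details are made-up values.

```python
"""Audit an LDAP access log for over-broad searches and repeated schema reads.

Added example (not part of the original post). It assumes log lines shaped like a
Sun/Oracle Directory Server access log, e.g.
  [..] conn=101 op=3 msgId=4 - SRCH base="..." scope=2 filter="(...)" attrs=ALL
where attrs=ALL means the client requested every attribute.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Attributes the directory team has agreed we may read (assumed allow-list).
# LDAP attribute names are case-insensitive, so the set is kept in lower case.
ALLOWED_ATTRS: Set[str] = {"uid", "cn", "sn", "givenname", "mail", "employeenumber"}

# Constructed sample log; the DNs, connection ids and timestamps are made up.
SAMPLE_LOG = """\
[01/Jan/2013:08:00:01 +0100] conn=101 op=0 msgId=1 - BIND dn="cn=sync,ou=svc,dc=example,dc=com" method=128 version=3
[01/Jan/2013:08:00:01 +0100] conn=101 op=1 msgId=2 - SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses attributeTypes"
[01/Jan/2013:08:00:02 +0100] conn=101 op=2 msgId=3 - SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="objectClasses attributeTypes"
[01/Jan/2013:08:00:03 +0100] conn=101 op=3 msgId=4 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(objectClass=inetOrgPerson)" attrs=ALL
[01/Jan/2013:08:00:04 +0100] conn=101 op=4 msgId=5 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(objectClass=inetOrgPerson)" attrs="uid cn mail userCertificate jpegPhoto"
[01/Jan/2013:08:00:05 +0100] conn=101 op=5 msgId=6 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(objectClass=inetOrgPerson)" attrs="uid cn sn givenName mail"
"""

# Matches only SRCH operations; BIND, MOD, RESULT lines are ignored.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) .*? - SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) filter="(?P<filter>[^"]*)" attrs=(?P<attrs>ALL|"[^"]*")'
)


def parse_search(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a SRCH log line, or None if the line is not a search.

    'attrs' is None when the client asked for all attributes (attrs=ALL),
    otherwise the list of attribute names it explicitly requested.
    """
    m = SRCH_RE.search(line)
    if m is None:
        return None
    raw = m.group("attrs")
    attrs = None if raw == "ALL" else raw.strip('"').split()
    return {
        "conn": m.group("conn"),
        "op": m.group("op"),
        "base": m.group("base"),
        "filter": m.group("filter"),
        "attrs": attrs,
    }


def audit(log_text: str, allowed: Set[str]) -> Dict[str, object]:
    """Walk the log and report schema reads plus searches that exceed the allow-list.

    Returns {"schema_reads": int, "violations": [(op, reason), ...]}.
    """
    schema_reads = 0
    violations: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        s = parse_search(line)
        if s is None:
            continue
        # A base-scope search on cn=schema is the client re-reading the schema.
        if str(s["base"]).lower() == "cn=schema":
            schema_reads += 1
            continue
        if s["attrs"] is None:
            violations.append((str(s["op"]), "requests all attributes (attrs=ALL)"))
            continue
        extra = sorted(a for a in s["attrs"] if a.lower() not in allowed)
        if extra:
            violations.append((str(s["op"]), "requests unagreed attributes: " + ", ".join(extra)))
    return {"schema_reads": schema_reads, "violations": violations}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, ALLOWED_ATTRS)
    print(f"schema reads: {report['schema_reads']}")
    for op, reason in report["violations"]:
        print(f"op={op}: {reason}")
```

Run against a real proxy or access log, the two counts give the LDAP team exactly the evidence discussed in the post: how many times the schema was fetched per sync, and which searches still ask for attributes beyond the agreed list (including binary ones such as certificates or photos in the constructed sample). Searches that request only allowed attributes produce no finding, so an empty `violations` list is the go-live condition the directory team is asking for.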
