The design of the LDAP object tree should be carefully thought
out. The Policy Agent uses a variety of mechanisms to search for
and retrieve objects from an LDAP server:
- An initial search is done for a subtree of objects based on the
SearchBaseDN parameter on the ReadFromDirectory statement.
- If any objects retrieved by this initial search contain subtree
pointer references (using the ibm-policySubtreesAuxContainedSet attribute)
then a search is done for all such subtrees. This is a recursive
search: additional objects retrieved might also contain subtree pointer
references.
- The above searches use a filter to retrieve only certain object
classes. For LDAP protocol version 3, the default is to search only
for the ibm-policy object class. This is an abstract object class
from which all other policy object classes are derived. Most LDAPv3
servers implement abstract and auxiliary classes such that this search
retrieves policy object classes, and only policy object classes. However,
some LDAPv3 servers do not honor abstract/auxiliary object classes
in a search filter. For these servers, specify LDAP_AbstractPolicy
NO on the ReadFromDirectory statement. This causes the searches to
use a filter that retrieves ALL object classes, so non-policy objects
under the searched subtrees are returned as well.
- All of the above searches may be scoped, or filtered, using keywords
specified on the ReadFromDirectory statement parameters SearchPolicyKeyword,
SearchPolicyGroupKeyword, or SearchPolicyRuleKeyword. The LDAP server
returns only objects that have at least one of the specified keywords.
- Some objects retrieved using the above searches may contain DN
pointer references to additional objects. These objects are individually
retrieved. If the object to be retrieved is a policy rule, then a
subtree search is performed, using the keywords specified on the ReadFromDirectory
statement. All other objects are retrieved as single objects, using
the DN pointers (no keywords are used on the search).
- All policy rule objects retrieved using the above searches are
further filtered using the PolicyRole parameter on the ReadFromDirectory
statement. Any rules that do not match policy roles specified on
the ReadFromDirectory statement are discarded.
Therefore, it is possible to design an LDAP tree such that only a
minimal set of objects is retrieved by the initial search, followed by
many additional individual LDAP retrievals, one per DN pointer. If the
total set of objects is large, retrieving them one at a time in this
manner has a noticeable performance impact. If possible, design the tree
and the ReadFromDirectory parameters so that the largest set of objects
is retrieved by the initial search, or use subtree pointer references so
that larger sets of objects are retrieved in one operation.
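The retrieval order described above, simulated over an in-memory directory so that the cost of the two tree layouts can be compared. This is an added example, not Policy Agent or IBM code: only ibm-policySubtreesAuxContainedSet and the ibm-policy / ibm-policyRule class names come from the text, while the DN-pointer, keyword and role attribute names (ibm-policyRulesAuxContainedSet, ibm-policyKeywords, ibm-policyRoles) and the sample tree under o=example are assumptions chosen for illustration. It counts one LDAP operation per subtree search and per single-object fetch, applies the object class filter (LDAP_AbstractPolicy YES or NO), the keyword filter, and finally the PolicyRole filter.

```python
"""Simulate the Policy Agent's LDAP retrieval order over an in-memory directory
and count LDAP operations for two tree layouts.  Added example, not Policy Agent
code.  Attribute names other than ibm-policySubtreesAuxContainedSet are assumed."""

SUBTREE_PTR = "ibm-policySubtreesAuxContainedSet"   # named in the text
DN_PTR = "ibm-policyRulesAuxContainedSet"          # assumed DN-pointer attribute
KEYWORD_ATTR = "ibm-policyKeywords"                # assumed keyword attribute
ROLE_ATTR = "ibm-policyRoles"                      # assumed role attribute
ABSTRACT_CLASS = "ibm-policy"
RULE_CLASS = "ibm-policyRule"


def build_filter(abstract_policy: bool, keywords: list[str]) -> str:
    """Filter string equivalent to LDAP_AbstractPolicy YES/NO plus search keywords."""
    cls = f"(objectClass={ABSTRACT_CLASS})" if abstract_policy else "(objectClass=*)"
    if not keywords:
        return cls
    kw = "".join(f"({KEYWORD_ATTR}={k})" for k in keywords)
    return f"(&{cls}(|{kw}))"


def matches(entry: dict, abstract_policy: bool, keywords: list[str]) -> bool:
    """Evaluate, on one entry, the same condition build_filter() expresses."""
    if abstract_policy and ABSTRACT_CLASS not in entry["objectClass"]:
        return False
    return not keywords or bool(set(entry.get(KEYWORD_ATTR, [])) & set(keywords))


def subtree_search(directory: dict, base: str, abstract_policy: bool, keywords: list[str]):
    """One LDAP subtree search: the base and everything below it, through the filter."""
    return [(dn, e) for dn, e in directory.items()
            if (dn == base or dn.endswith("," + base)) and matches(e, abstract_policy, keywords)]


def retrieve(directory: dict, base: str, abstract_policy: bool, keywords: list[str], roles: list[str]):
    """Return (objects kept, LDAP operations issued) following the documented order."""
    ops, found, searched = 0, {}, set()
    pending = [base]
    while pending:                                   # initial search, then subtree pointers
        b = pending.pop()
        if b in searched:                            # guard against pointer cycles
            continue
        searched.add(b)
        ops += 1
        for dn, e in subtree_search(directory, b, abstract_policy, keywords):
            found[dn] = e
            pending.extend(e.get(SUBTREE_PTR, []))
    queue = list(found)
    while queue:                                     # DN pointer references, one op each
        for ref in found[queue.pop()].get(DN_PTR, []):
            if ref in found or ref not in directory:
                continue                             # already fetched, or dangling pointer
            ops += 1
            if RULE_CLASS in directory[ref]["objectClass"]:
                hits = subtree_search(directory, ref, abstract_policy, keywords)
            else:
                hits = [(ref, directory[ref])]       # single object, no keyword filter
            for dn, e in hits:
                found[dn] = e
                queue.append(dn)
    kept = {dn: e for dn, e in found.items()          # PolicyRole filter applies to rules only
            if RULE_CLASS not in e["objectClass"] or set(e.get(ROLE_ATTR, [])) & set(roles)}
    return kept, ops


def make_tree(n_rules: int, use_subtree_pointer: bool) -> dict:
    """Constructed directory: one group under cn=pagent and n rules under cn=rules.
    The group either names every rule by DN pointer or points at cn=rules once."""
    rules_base = "cn=rules,o=example"
    rule_dns = [f"cn=rule{i},{rules_base}" for i in range(n_rules)]
    group = {"objectClass": [ABSTRACT_CLASS, "ibm-policyGroup"], KEYWORD_ATTR: ["qos"]}
    if use_subtree_pointer:
        group[SUBTREE_PTR] = [rules_base]
    else:
        group[DN_PTR] = rule_dns
    tree = {"cn=pagent,o=example": {"objectClass": ["container"]},   # not a policy object
            "cn=group1,cn=pagent,o=example": group,
            rules_base: {"objectClass": ["container"]}}
    for i, dn in enumerate(rule_dns):
        tree[dn] = {"objectClass": [ABSTRACT_CLASS, RULE_CLASS], KEYWORD_ATTR: ["qos"],
                    ROLE_ATTR: ["web"] if i % 2 == 0 else ["batch"]}
    return tree


if __name__ == "__main__":
    print(build_filter(True, ["qos"]))
    for layout in (False, True):
        kept, ops = retrieve(make_tree(10, layout), "cn=pagent,o=example",
                             abstract_policy=True, keywords=["qos"], roles=["web"])
        print(f"subtree pointer={layout}: {ops} LDAP operations, {len(kept)} objects kept")
```

With ten rules, the DN-pointer layout costs eleven operations (the initial search plus one subtree search per rule) while the subtree-pointer layout costs two, and both end with the same six objects after the role filter. Running the same tree with abstract_policy=False shows the other caveat from the text: the container entries under the search base are returned too, because the filter no longer restricts the object class.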