Understanding LDAP connector iterate modes and paging

Product

IdentityIQ 6.x; IdentityIQ 7.x

Question

How is iterateModeOverride used and how does an LDAPConnector type application set the iterate mode?

Answer

Paging is used by the LDAP-based connectors (including ADLDAPConnector). The LDAP connector class checks the LDAP server's paging capabilities, checks whether an override is set, and then sets the iterate mode accordingly. When the connector for the application reads the supported controls advertised by the LDAP server (whether Active Directory, OpenLDAP, or another directory), it looks for two controls: PagedResultsControl for Paged Results and VirtualListViewResponseControl for Virtual List View. The connector determines which iterate mode to use as follows:

1. Check if the VirtualListViewResponseControl (VLV) control is available on the LDAP server.

2. Check if the PagedResultsControl (Paged Results) control is available on the LDAP server.

3. If both VLV and Paged Results are available, use Paged Results because of a Microsoft issue.

4. If just one is available, use the one that is found.

5. If neither is available, use “DEFAULT”.

And here are some things to note regarding the iterate mode for each iterate mode type:

  • DEFAULT does not use paging, so PageSize is ignored in DEFAULT mode.
  • If the default mode is used, only the DN is initially returned and then the connector binds back to the object and fills in the attributes during the iteration.
  • Both VLV and paged result controls use paging.
  • The VLV control is a newer control.
  • You can explicitly set the iterate mode with one of these values: PAGED_RESULTS, VIRTUAL_LIST_VIEW, DEFAULT. Use this format in the application XML: <entry key="iterateModeOverride" value="PAGED_RESULTS"/>

Generally, an override does not need to be set. Set it only in the unusual circumstances where the server-detected mode does not work and the override is necessary.

Comments

This helped a ton. We were getting an error connecting to our LDAP after upgrading SailPoint to 7.3. In our DEV environment, we updated this field to "VIRTUAL_LIST_VIEW" and it ran perfectly. In PROD, the "VIRTUAL_LIST_VIEW" would not work, so I switched it to "PAGED_RESULTS" and it is now running perfectly. Thank you so much for the information.

You can look up the supportedControl and supportedExtension attributes of the root object. The OID for VLV is 2.16.840.1.113730.3.4.9. The OID for the Paged Results Control is 1.2.840.113556.1.4.319. If the OID is present in the supportedControl attribute, the corresponding feature is supported.
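The five-step selection procedure from the answer, driven by the root-DSE supportedControl check described in the comment above, as an added example that is not SailPoint's code. The LDIF snippet is a constructed sample of a root DSE query result; the third OID in it (1.2.840.113556.1.4.801) is an unrelated Active Directory control included only to show that it is ignored.

```python
from typing import Optional, Set

# Control OIDs named in the comment above
OID_VLV = "2.16.840.1.113730.3.4.9"           # Virtual List View control
OID_PAGED_RESULTS = "1.2.840.113556.1.4.319"  # Paged Results control

# The three legal values for iterateModeOverride in the application XML
VALID_MODES = {"PAGED_RESULTS", "VIRTUAL_LIST_VIEW", "DEFAULT"}

# Constructed sample: LDIF as returned by a base-scope search of the root DSE
# for supportedControl (e.g. ldapsearch -b "" -s base supportedControl).
SAMPLE_ROOT_DSE_LDIF = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 2.16.840.1.113730.3.4.9
"""


def parse_supported_controls(ldif: str) -> Set[str]:
    """Collect the OIDs from every supportedControl line of a root DSE in LDIF."""
    oids = set()
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "supportedcontrol":
            oids.add(value.strip())
    return oids


def choose_iterate_mode(controls: Set[str], override: Optional[str] = None) -> str:
    """Apply steps 1-5 from the answer; an explicit override wins when present."""
    if override is not None:
        if override not in VALID_MODES:
            raise ValueError("unknown iterateModeOverride: %r" % override)
        return override
    has_vlv = OID_VLV in controls                    # step 1
    has_paged = OID_PAGED_RESULTS in controls        # step 2
    if has_vlv and has_paged:
        return "PAGED_RESULTS"                       # step 3: prefer Paged Results
    if has_paged:
        return "PAGED_RESULTS"                       # step 4: only one is present
    if has_vlv:
        return "VIRTUAL_LIST_VIEW"
    return "DEFAULT"                                 # step 5: no paging at all


if __name__ == "__main__":
    found = parse_supported_controls(SAMPLE_ROOT_DSE_LDIF)
    print(choose_iterate_mode(found))                       # PAGED_RESULTS
    print(choose_iterate_mode(found, "VIRTUAL_LIST_VIEW"))  # VIRTUAL_LIST_VIEW
```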

I would recommend putting these kinds of tips and tricks in the connector documentation. The information about VLV and the OIDs was useful for optimizing our environment and the way LDAP is queried.

Version history: revision 2 of 2, last updated Jul 28, 2023 12:07 AM.