Partitioning Aggregation

The LDAP connector supports the Partitioning Aggregation feature to enable faster retrieval of LDAP Directory data.

In LDAP, objects can be retrieved by using searchDN or searchFilter.

Typically, for a container-based partitioning of data, define the search DNs or partition list as follows:

<entry key="searchDNs">
  <!-- "&" in an LDAP filter must be written as &amp; inside an XML attribute value -->
  <value>
    <List>
      <Map>
        <entry key="searchDN" value="ou=test1,DC=test,DC=sailpoint,DC=com"/>
        <entry key="iterateSearchFilter" value="(&amp;(objectclass=user))"/>
      </Map>
      <Map>
        <entry key="searchDN" value="ou=test2,DC=test,DC=sailpoint,DC=com"/>
        <entry key="iterateSearchFilter" value="(&amp;(objectclass=user))"/>
      </Map>
    </List>
  </value>
</entry>

For filter-based partitioning, define the search DNs list or partition list as follows:

<entry key="searchDNs">
  <value>
    <List>
      <Map>
        <entry key="searchDN" value="DC=test,DC=sailpoint,DC=com"/>
        <entry key="iterateSearchFilter" value="(&amp;(objectclass=user)(sn=a*))"/>
      </Map>
      <Map>
        <entry key="searchDN" value="DC=test,DC=sailpoint,DC=com"/>
        <entry key="iterateSearchFilter" value="(&amp;(objectclass=user)(sn=b*))"/>
      </Map>
    </List>
  </value>
</entry>

In the first example, the OUs on which the search is performed are different while the search filter is the same. In the second example, the OUs are the same but the iterateSearchFilter values are different. Because both forms use the same keys, you can combine them in the application configuration of a single LDAP connector application. The LDAP connector combines the searchDN value and the iterateSearchFilter value and treats the result as the partition context, so no additional configuration is required.

Each of the partitions specified must be unique by way of the searchDN value or the iterateSearchFilter value. If not, the first partition is aggregated, skipping the subsequent duplicate ones.
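
A pre-deployment check for the uniqueness rule above, added here as an example and not taken from the SailPoint documentation or connector code: it parses a searchDNs entry, pairs each searchDN with its iterateSearchFilter, and reports partitions that repeat an earlier one. The "near" match (ignoring letter case and whitespace) is an assumption about what deserves review, not a description of how the connector compares values; the sample XML and all function names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: partition 2 repeats partition 0 exactly; partition 3
# differs from partition 1 only by letter case and whitespace.
SAMPLE = """<entry key="searchDNs"><value><List>
<Map><entry key="searchDN" value="DC=test,DC=sailpoint,DC=com"/>
     <entry key="iterateSearchFilter" value="(&amp;(objectclass=user)(sn=a*))"/></Map>
<Map><entry key="searchDN" value="DC=test,DC=sailpoint,DC=com"/>
     <entry key="iterateSearchFilter" value="(&amp;(objectclass=user)(sn=b*))"/></Map>
<Map><entry key="searchDN" value="DC=test,DC=sailpoint,DC=com"/>
     <entry key="iterateSearchFilter" value="(&amp;(objectclass=user)(sn=a*))"/></Map>
<Map><entry key="searchDN" value="dc=test, dc=sailpoint, dc=com"/>
     <entry key="iterateSearchFilter" value="(&amp;(objectclass=user) (sn=b*))"/></Map>
</List></value></entry>"""

def load_partitions(xml_text):
    """Return [(searchDN, iterateSearchFilter), ...] in document order."""
    root = ET.fromstring(xml_text)  # ParseError here means a raw "&" or other malformed XML
    parts = []
    for m in root.iter("Map"):
        kv = {e.get("key"): e.get("value", "") for e in m.findall("entry")}
        parts.append((kv.get("searchDN", ""), kv.get("iterateSearchFilter", "")))
    return parts

def normalise(dn, flt):
    """Assumed review heuristic: ignore case and whitespace.
    Simplification: does not handle escaped commas inside a DN."""
    dn_n = ",".join(p.strip().lower() for p in dn.split(","))
    return dn_n, "".join(flt.split()).lower()

def find_duplicates(parts):
    """Map each repeating partition index to (index of first occurrence, 'exact' | 'near')."""
    seen_exact, seen_norm, dups = {}, {}, {}
    for i, (dn, flt) in enumerate(parts):
        norm = normalise(dn, flt)
        if (dn, flt) in seen_exact:
            dups[i] = (seen_exact[(dn, flt)], "exact")
        elif norm in seen_norm:
            dups[i] = (seen_norm[norm], "near")
        seen_exact.setdefault((dn, flt), i)
        seen_norm.setdefault(norm, i)
    return dups

if __name__ == "__main__":
    parts = load_partitions(SAMPLE)
    for idx, (first, kind) in find_duplicates(parts).items():
        print(f"partition {idx} is a {kind} duplicate of partition {first}: {parts[idx]}")
```

An "exact" hit is a partition the rule above says is skipped; a "near" hit is a candidate for manual review before the configuration is applied.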

When no partition list is defined, the aggregation runs over the baseDN and the iterateSearchFilter only, even if the task definition has partitioning enabled. Similarly, when a partition list is defined but partitioning is not enabled on the task definition, IdentityIQ retrieves data from each searchDN entry in sequential order.