For an overview of the connections between clients and Directory Proxy Server, connection handlers, and a description of the criteria and policies used in connection handlers, see Chapter 20, Connections Between Clients and Directory Proxy Server, in Sun Directory Server Enterprise Edition 7.0 Reference.
This chapter covers the following topics:
Creating and Configuring Request Filtering Policies and Search Data Hiding Rules
Configuring Directory Proxy Server as a Connection Based Router
For information about how to create, configure, and delete connection handlers, and to configure affinity for data views, see the following procedures.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create a connection handler.
$ dpconf create-connection-handler -h host -p port connection-handler-name |
(Optional) View the list of connection handlers.
$ dpconf list-connection-handlers -h host -p port |
The properties of a connection handler must be defined in relation to the properties of the other connection handlers that are defined for the Directory Proxy Server instance. Consider the properties of all of your connection handlers to ensure that they specify different sets of criteria and are prioritized correctly.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
View a verbose list of connection handlers to see their key properties and relative priorities.
$ dpconf list-connection-handlers -h host -p port -v Name is-enabled priority description --------------------------------- ---------- -------- --------------------------- anonymous false 99 unauthenticated connections default connection handler true 100 default connection handler directory services administrators true 1 Administrators connection handler |
The connection handlers anonymous and default connection handler are created when you create an instance of Directory Proxy Server.
View all of the properties of one connection handler.
$ dpconf get-connection-handler-prop -h host -p port connection-handler-name |
The default properties of a new connection handler are as follows:
aci-source : none allowed-auth-methods : anonymous allowed-auth-methods : sasl allowed-auth-methods : simple allowed-ldap-ports : ldap allowed-ldap-ports : ldaps bind-dn-filters : any close-client-connection : false data-view-routing-custom-list : none data-view-routing-policy : all-routable data-view-use-internal-client-identity : false description : - domain-name-filters : any enable-data-view-affinity : false group-dn-filters : any group-search-bind-dn : any group-search-bind-pwd : none ip-address-filters : any is-enabled : false is-ssl-mandatory : false priority : 99 request-filtering-policy : no-filtering require-data-view-availability : true resource-limits-policy : no-limits schema-check-enabled : false user-filter : any |
Configure the priority of the connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name\ priority:value |
The priority can be any number from 1 to 100, where 1 is the highest priority. For an instance of Directory Proxy Server, the connection handlers are evaluated in order of priority.
You cannot set the priority of a connection handler to 100 because 100 is already set as the priority of the default connection handler.
(Optional) Specify the DN filtering property of the connection handler.
This property enables you to control access based on part or all of the bind DN. The value of the property is a regular expression.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ bind-dn-filters:regular-expression |
The bind DN filter takes the form of a JavaTM regular expression. For information about creating Java regular expressions, see http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html.
For example, to send all binds from users under ou=people,dc=example,dc=com to a connection handler named secure-handler, set the bind-dn-filters property as follows:
$ dpconf set-connection-handler-prop -h host1 -p 1389 secure-handler \ bind-dn-filters:"uid=.*,ou=people,dc=example,dc=com" |
(Optional) Specify the name of a request filtering policy to use with this connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ request-filtering-policy:policy-name |
where policy-name is the name of an existing request filtering policy. For information about how to create and configure a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules.
(Optional) Specify the name of a resource limits policy to use with this connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ resource-limits-policy:policy-name |
where policy-name is the name of an existing resource limits policy. For information about how to create and configure a resource limits policy, see Creating and Configuring a Resource Limits Policy.
Configure any other properties that are listed in Step 2.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ property:value [property:value ...] |
For example, configure the connection handler to accept SSL connections only.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ is-ssl-mandatory:true |
For a description of a property and a list of its valid values, run this command:
$ dpconf help-properties connection-handler |
Configure group-dn-filters, group-search-bind-dn, group-search-bind-pwd, and group-search-bind-pwd-file to specify the criteria to select connection handlers. For more information, see the respective man pages.
Enable the connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name\ is-enabled:true |
If necessary, restart the instance of Directory Proxy Server for the changes to take effect.
For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
(Optional) View the list of connection handlers.
$ dpconf list-connection-handlers -h host -p port |
Delete one or more connection handlers.
$ dpconf delete-connection-handler -h host -p port connection-handler-name\ [connection-handler-name ... ] |
When a connection is allocated to a connection handler, you can use affinity to expose the requests on that connection to the list of data views that are configured for that connection handler, or to all of the configured data views. Therefore, successive requests on that connection are exposed exclusively to the data view that is used for the first request.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Enable affinity for data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ enable-data-view-affinity:true |
(Optional) Configure the connection handler to route requests to a custom list of data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name\ data-view-routing-policy:custom |
(Optional) Configure the list of data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ data-view-routing-custom-list:view-name [data-view-routing-custom-list:view-name ...] |
To add a data view to an existing list of data views, use this command:
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ data-view-routing-custom-list+:view-name |
To remove a data view from an existing list of data views, use this command:
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ data-view-routing-custom-list-:view-name |
For an overview of request filtering policies, see Request Filtering Policies for Connection Handlers in Sun Directory Server Enterprise Edition 7.0 Reference. For an overview of search data hiding rules, see Search Data Hiding Rules in the Request Filtering Policy in Sun Directory Server Enterprise Edition 7.0 Reference.
For information about how to create and configure request filtering policies and search data hiding rules, see the following procedures.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create a request filtering policy.
$ dpconf create-request-filtering-policy policy-name |
Associate the request filtering policy with a connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ request-filtering-policy:policy-name |
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
View the properties of a request filtering policy.
$ dpconf get-request-filtering-policy-prop -h host -p port policy-name |
The default properties of a request filtering policy are as follows:
allow-add-operations : true allow-bind-operations : true allow-compare-operations : true allow-delete-operations : true allow-extended-operations : true allow-inequality-search-operations : true allow-modify-operations : true allow-rename-operations : true allow-search-operations : true allowed-comparable-attrs : all allowed-search-scopes : base allowed-search-scopes : one-level allowed-search-scopes : subtree allowed-subtrees : "" description : - prohibited-comparable-attrs : none prohibited-subtrees : none |
Configure the request filtering policy by setting one ore more of the properties listed in Step 1.
$ dpconf set-request-filtering-policy-prop -h host -p port policy-name \ property:value [property:value ...] |
By setting the properties listed in Step 1, you configure the following features of the request filtering policy:
The types of operations that clients are allowed to perform
The subtrees that are exposed to a client or hidden from a client
The scope for search operations
The types of search filters
The attribute types that can or cannot be compared in search and compare operations
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create one or more search data hiding rules for a request filtering policy.
$ dpconf create-search-data-hiding-rule -h host -p port policy-name rule-name \ [rule-name ...] |
View the properties of a search data hiding rule.
$ dpconf get-search-data-hiding-rule-prop policy-name rule-name |
The default properties of a search data hiding rule are as follows:
attrs : none rule-action : hide-entry target-attr-value-assertions : none target-dn-regular-expressions : none target-dns : none |
Configure a search data hiding rule by setting one or more of the properties listed in Step 2.
$ dpconf set-search-data-hiding-rule-prop -h host -p port policy-name rule-name \ property:value [property:value ...] |
One of the following rule actions can be used:
The target entry is not returned.
The target entry is returned but the specified attributes are filtered out.
The target entry is returned but the unspecified attributes are filtered out.
The rule can be applied to the following entries:
Entries with the specified DN
Entries with the specified DN pattern
Entries with a specified attribute name and attribute value pair (attrName#attrValue)
The following configuration defines a search data hiding rule that hides entries of type inetorgperson.
$ dpconf set-search-data-hiding-rule-prop -h host1 -p port my-policy my-rule \ target-attr-value-assertions:objectclass#inetorgperson |
The following examples contain a request filtering policy and a search data hiding rule. When the request filtering policy is combined with the search data hiding rule, access to data is limited as follows:
The following types of operations are disallowed: add, delete, extended, modify, and rename.
Only the ou=people,dc=sun,dc=com subtree can be accessed.
Entries other than inetorgperson type are returned by search operations.
allow-add-operations : false allow-bind-operations : true allow-compare-operations : true allow-delete-operations : false allow-extended-operations : false allow-inequality-search-operations : true allow-modify-operations : false allow-rename-operations : false allow-search-operations : true allowed-comparable-attrs : all allowed-search-scopes : base allowed-search-scopes : one-level allowed-search-scopes : subtree allowed-subtrees : ou=people,dc=sun,dc=com description : myRequestFilteringPolicy prohibited-comparable-attrs : none prohibited-subtrees : none |
attrs : - rule-action : hide-entry target-attr-value-assertions : objectclass:inetorgperson target-dn-regular-expressions : - target-dns : - |
For an overview of resource limits policies, see Resource Limits Policies for Connection Handlers in Sun Directory Server Enterprise Edition 7.0 Reference. For information about how to create and configure resource limits policies and to customize search limits, see the following procedures.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create a resource limits policy.
$ dpconf create-resource-limits-policy -h host -p port policy-name |
For information about how to modify the properties of a resource limits policy, see To Configure a Resource Limits Policy.
Associate the resource limits policy to a connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ resource-limits-policy:policy-name |
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
View the properties of a resource limits policy.
$ dpconf get-resource-limits-policy-prop -h host -p port policy-name |
The default properties of a resource limits policy are as follows:
denied-presence-filter-attr : all denied-presence-filter-attr-enabled : false description : - max-client-connections : unlimited max-connections : unlimited max-op-count-per-interval : inlimited max-simultaneous-operations-per-connection : unlimited max-total-operations-per-connection : unlimited minimum-search-filter-substring-length : unlimited op-count-per-interval-timeout : 1s referral-bind-policy : default referral-hop-limit : default referral-policy : default search-size-limit : unlimited search-time-limit : unlimited warning-op-count-per-interval : unlimited |
Configure the resource limits policy by setting one or more of the properties that are listed in Step 1:
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ property:value [property:value ...] |
To specify the threshold number of operations per time interval at which a warning is raised, run the following command:
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ warning-op-count-per-interval:1500 |
When the specified number of operations exceed in a specified time interval, the warning-resource-limit-exceeded alert is raised. For more information on warning-resource-limit-exceeded, see Configuring Administrative Alerts for Directory Proxy Server.
Configure denied-presence-filter-attr to deny access when search operation contains at least one of the attributes in the list of denied filter attributes.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ denied-presence-filter-attr:attribute-name |
Turn on denied-presence-filter-enabled to indicate whether to deny access when the search filter contains specified attributes.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name\ denied-presence-filter-enabled:on |
Customized limits can be defined for search operations according to the search base and search scope. If the target DN and scope of a search operation matches the specified criteria, the maximum size of the search result is limited.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create one or more custom search limits.
$ dpconf create-custom-search-size-limit -h host -p port policy-name \ custom-search-limit-name [custom-search-limit-name ...] |
Set the criteria for the custom search limit.
$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \ custom-search-limit-name one-level-search-base-dn:value subtree-search-base-dn:value |
Set the limit for the number of results that are returned when a search meets one of the criteria in Step 2.
$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \ custom-search-limit-name search-size-limit:value |
View the properties of a custom search limit.
$ dpconf get-custom-search-size-limit-prop -h host -p port policy-name \ custom-search-limit-name |
The default properties of a custom search limit are as follows:
one-level-search-base-dn : none search-size-limit : unlimited subtree-search-base-dn : none |
Directory Proxy Server lets you set a threshold for the maximum number of LDAP operations allowed in a given time period. You set the operations rate limit per connection handler using a resource limits policy. The settings effectively allow you to limit the LDAP operation rate for an LDAP client application. For example you can use this capability to ensure that one LDAP client application can perform a maximum of 2500 LDAP operations per second, whereas another LDAP client operation is limited to a maximum of 1200 operations per second.
First set up a connection handler to describe connections from the client application whose LDAP operation rate you want to limit. Then create a resource limits policy for the connection handler. Finally follow the steps here to limit the operation rate using the resource limits policy on the connection handler.
Enable the operations rate limit counters.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ max-op-count-per-interval:2500 $ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ op-count-per-interval-timeout:1s |
When an LDAP client exceeds the operation rate limit you set, Directory Proxy Server can raise an alert provided you set up Directory Proxy Server as described in the Configuring Administrative Alerts for Directory Proxy Server section.
To add an alert about operation rate limits being reached, run this command:
$ dpconf set-server-prop -h host -p port\ enabled-admin-alerts+:error-resource-limit-exceeded |
Directory Proxy Server raises an alert when the operations rate limit is exceeded. Directory Proxy Server also writes a message in the access log each time an operation is refused because the application exceeds its limit.
Directory Proxy Server 5.2 is a connection based router. In Directory Proxy Server 5.2, a client connection is routed to a specific directory server. All requests on that client connection are sent to the same directory server until the connection is broken or until the client unbinds.
Directory Proxy Server 7.0 is an operation based router. However, for compatibility, this version of Directory Proxy Server can be configured as a connection based router, as described in the following procedure.
Create and configure one or more connection handlers as described in Creating, Configuring, and Deleting Connection Handlers.
You can also use the default connection handler.
Configure all connection handlers to route requests to the root data view only.
For example:
$ dpconf set-connection-handler-prop -h host1 -p 1389 myConnectionHandler \ data-view-routing-policy:custom data-view-routing-custom-list:"root data view" |
Create and configure a data source for each back-end LDAP server as described in Creating and Configuring LDAP Data Sources.
For example:
$ dpconf create-ldap-data-source -h host1 -p 1389 myDataSource host2:2389 |
Create and configure a data source pool as described in Creating and Configuring LDAP Data Source Pools.
For example:
$ dpconf create-ldap-data-source-pool -h host1 -p 1389 myDataSourcePool |
Attach all of the data sources to the data source pool as described in Attaching LDAP Data Sources to a Data Source Pool.
For example,
$ dpconf attach-ldap-data-source -h host1 -p 1389 myDataSourcePool myDataSource |
Configure each data source to authenticate clients by using BIND replay as described in Forwarding Requests With Bind Replay.
For example:
$ dpconf set-ldap-data-source-prop -h host1 -p 1389 myDataSource \ client-cred-mode:use-client-identity |
Configure affinity between the client connection and the data source pool as described in Configuring Client Affinity.
For example:
$ dpconf set-ldap-data-source-pool-prop -h host1 -p 1389 myDataSourcePool \ enable-client-affinity:true client-affinity-policy:read-write-affinity-after-write |