Sun Directory Server Enterprise Edition 7.0 Administration Guide

Configuring Directory Proxy Server Instances

This section describes how to configure an instance of Directory Proxy Server. The procedures in this section use the dpadm and dpconf commands. For information about these commands, see the dpadm(1M) and dpconf(1M) man pages.

ProcedureTo Display the Configuration of Directory Proxy Server Instance

  1. Type dpconf info

    $ dpconf info -p port
    Instance Path           :  instance path
    Host Name               :  host
    Secure listen address   :  IP address
    Port                    :  port
    Secure port             :  secure port
    SSL server certificate  :  defaultServerCert
    Directory Proxy Server needs to be restarted.

    dpconf info displays Secure listen address and Non-secure listen address only if these properties are set to non-default values. The above output does not display Non-secure listen address, as this property is not set to a non-default value.

    dpconf info also reminds the user to restart the instance if it needs to be restarted.

    You can also use dpadm info INSTANCE_PATH to display Directory Proxy Server instance configuration information.

ProcedureTo Modify the Configuration of Directory Proxy Server

This section describes how to modify the configuration of Directory Proxy Server.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Find the current configuration of Directory Proxy Server.

    $ dpconf get-server-prop -h host -p port

    allow-cert-based-auth                      : allow
    allow-ldapv2-clients                       : true
    allow-persistent-searches                  : false
    allow-sasl-external-authentication         : true
    allow-unauthenticated-operations           : true
    allow-unauthenticated-operations-mode      : anonymous-and-dn-identified
    allowed-ldap-controls                      : -
    cert-data-view-routing-custom-list         : none
    cert-data-view-routing-policy              : all-routable
    cert-search-attr-mappings                  : none
    cert-search-base-dn                        : none
    cert-search-bind-dn                        : none
    cert-search-bind-pwd                       : none
    cert-search-user-attr                      : userCertificate
    compat-flag                                : none
    configuration-manager-bind-dn              : cn=proxy manager
    configuration-manager-bind-pwd             : {3DES}RPdIFbvoWdvhLR8lU43zCMZyKFGPxfFg
    connection-pool-wait-timeout               : 3s
    data-source-read-timeout                   : 20s
    data-view-automatic-routing-mode           : automatic
    email-alerts-enabled                       : false
    email-alerts-message-from-address          : local
    email-alerts-message-subject               : Proxy Server Administrative Alert
    email-alerts-message-subject-includes      : false
    email-alerts-message-to-address            : root@localhost
    email-alerts-smtp-host                     : localhost
    email-alerts-smtp-port                     : smtp
    enable-remote-user-mapping                 : false
    enable-user-mapping                        : false
    enabled-admin-alerts                       : all
    enabled-ssl-cipher-suites                  : JRE
    enabled-ssl-protocols                      : SSLv3
    enabled-ssl-protocols                      : TLSv1
    encrypt-configuration                      : true
    extension-jar-file-url                     : none
    is-restart-required                        : false
    number-of-search-threads                   : 20
    number-of-worker-threads                   : 50
    proxied-auth-check-timeout                 : 30m
    remote-user-mapping-bind-dn-attr           : none
    revert-add-on-failure                      : true
    scriptable-alerts-command                  : echo
    scriptable-alerts-enabled                  : false
    search-mode                                : sequential
    search-wait-timeout                        : 10s
    ssl-client-cert-alias                      : none
    ssl-server-cert-alias                      : defaultServerCert
    supported-ssl-cipher-suites                : SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DHE_DSS_WITH_DES_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DHE_RSA_WITH_DES_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
    supported-ssl-cipher-suites                : SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DH_anon_WITH_DES_CBC_SHA
    supported-ssl-cipher-suites                : SSL_DH_anon_WITH_RC4_128_MD5
    supported-ssl-cipher-suites                : SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    supported-ssl-cipher-suites                : SSL_RSA_EXPORT_WITH_RC4_40_MD5
    supported-ssl-cipher-suites                : SSL_RSA_WITH_3DES_EDE_CBC_SHA
    supported-ssl-cipher-suites                : SSL_RSA_WITH_DES_CBC_SHA
    supported-ssl-cipher-suites                : SSL_RSA_WITH_NULL_MD5
    supported-ssl-cipher-suites                : SSL_RSA_WITH_NULL_SHA
    supported-ssl-cipher-suites                : SSL_RSA_WITH_RC4_128_MD5
    supported-ssl-cipher-suites                : SSL_RSA_WITH_RC4_128_SHA
    supported-ssl-cipher-suites                : TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    supported-ssl-cipher-suites                : TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    supported-ssl-cipher-suites                : TLS_DH_anon_WITH_AES_128_CBC_SHA
    supported-ssl-cipher-suites                : TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
    supported-ssl-cipher-suites                : TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
    supported-ssl-cipher-suites                : TLS_KRB5_EXPORT_WITH_RC4_40_MD5
    supported-ssl-cipher-suites                : TLS_KRB5_EXPORT_WITH_RC4_40_SHA
    supported-ssl-cipher-suites                : TLS_KRB5_WITH_3DES_EDE_CBC_MD5
    supported-ssl-cipher-suites                : TLS_KRB5_WITH_3DES_EDE_CBC_SHA
    supported-ssl-cipher-suites                : TLS_KRB5_WITH_DES_CBC_MD5
    supported-ssl-cipher-suites                : TLS_KRB5_WITH_DES_CBC_SHA
    supported-ssl-cipher-suites                : TLS_KRB5_WITH_RC4_128_MD5
    supported-ssl-cipher-suites                : TLS_KRB5_WITH_RC4_128_SHA
    supported-ssl-cipher-suites                : TLS_RSA_WITH_AES_128_CBC_SHA
    supported-ssl-protocols                    : SSLv2Hello
    supported-ssl-protocols                    : SSLv3
    supported-ssl-protocols                    : TLSv1
    syslog-alerts-enabled                      : false
    syslog-alerts-facility                     : USER
    syslog-alerts-host                         : localhost
    time-resolution                            : 250ms
    time-resolution-mode                       : custome-resolution
    use-cert-subject-as-bind-dn                : true
    use-external-schema                        : false
    user-mapping-anonymous-bind-dn             : none
    user-mapping-anonymous-bind-pwd            : none
    user-mapping-default-bind-dn               : none
    user-mapping-default-bind-pwd              : none
    verify-certs                               : false

    Alternatively, view the current setting of one or more configuration properties.

    $ dpconf get-server-prop -h host -p port property-name ...

    For example, find whether unauthenticated operations are allowed by running this command:

    $ dpconf get-server-prop -h host -p port allow-unauthenticated-operations
    allow-unauthenticated-operations  :  true
  2. Change one or more of the configuration parameters.

    $ dpconf set-server-prop -h host -p port property:value ...

    For example, disallow unauthenticated operations by running this command:

    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false

    If you attempt to perform an illegal change, the change is not made. For example, if you set the allow-unauthenticated-operations parameter to f instead of false, the following error is produced:

    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:f
    The value "f" is not a valid value for the property "allow-unauthenticated-operations".
    Allowed property values: BOOLEAN
    The "set-server-prop" operation failed.
  3. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Configuring the Proxy Manager

The Proxy Manager is the privileged administrator, comparable to the root user on UNIX® systems. The Proxy Manager entry is defined when an instance of Directory Proxy Server is created. The default DN of the Proxy Manager is cn=Proxy Manager.

You can view and change the Proxy Manager DN and password, as shown in the following procedure.

ProcedureTo Configure the Proxy Manager

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Find the configuration of the Proxy Manager.

    $ dpconf get-server-prop -h host -p port configuration-manager-bind-dn\
    configuration-manager-bind-dn   :  cn=proxy manager
    configuration-manager-bind-pwd  :  {3DES}U77v39WX8MDpcWVrueetB0lfJlBc6/5n

    The default value for the Proxy Manager is cn=proxy manager. A hashed value is returned for the configuration manager password.

  2. Change the DN of the Proxy Manager.

    $ dpconf set-server-prop -h host -p port configuration-manager-bind-dn:bindDN
  3. Create a file that contains the password for the Proxy Manager and set the property that points to that file.

    $ dpconf set-server-prop -h host -p port configuration-manager-bind-pwd-file:filename

Configuration Changes Requiring Server Restart

Most configuration changes to Directory Proxy Server and its entities can be made online. Certain changes require that the server be restarted before the changes take effect. If you make configuration changes to any properties in the following list, the server must be restarted:


The rws and rwd keywords of a property indicate whether changes to the property require the server to be restarted.

To determine whether a change to a property requires the server to be restarted, run the following command:

$ dpconf help-properties | grep property-name

For example, to determine whether changing the bind DN of an LDAP data source requires the server to be restarted, run the following command:

$ dpconf help-properties | grep bind-dn
connection-handler   	bind-dn-filters        rwd  STRING | any
This property specifies a set of regular expressions. The bind DN 
of a client must match at least one regular expression in order for 
the connection to be accepted by the connection handler. (Default: any)
ldap-data-source      bind-dn               rws  DN | ""
This property specifies the DN to use when binding to the LDAP data 
source. (Default: undefined)

To determine whether the server must be restarted following a configuration change, run the following command:

$ dpconf get-server-prop -h host -p port is-restart-required