An instance of Directory Proxy Server can have many connection handlers. When a client connects to Directory Proxy Server, the proxy evaluates whether the attributes of the connection match the criteria of one of the connection handlers. When a match is found, the connection is classified into that connection handler. All of the policies defined for that connection handler apply to the connection. Operations performed through that connection are exposed to all of the data views or to a list of data views defined by the connection handler.
After being classified into a connection handler, a connection can be automatically reclassified into another connection handler by Directory Proxy Server. For example, if a client connects anonymously, the connection is allocated to the connection handler configured for anonymous connections. If the client later provides a bind DN on the same connection, the connection can be reallocated to another connection handler. Similarly, a non-secure LDAP connection is initially classified into a connection handler for non-secure connections. If the client uses startTLS to promote the connection to secure mode, the connection is automatically reclassified into a connection handler for secure connections.
A connection is evaluated against connection handlers in order of the priority of the connection handler. Priority one is the highest priority connection handler. The connection is classified into the first connection handler for which there is a match. Connection handlers with the most specific criteria should have a higher priority than those with less specific or more general criteria. For example, a connection handler that specifies a bind DN should have a higher priority than a connection handler that specifies a simple bind.
If a connection does not match the criteria of any configured connection handler, the connection is allocated to the default connection handler. The criteria of the default connection handler cannot be modified. In addition, the default connection handler cannot be disabled or deleted. However, the policies and data views of the default connection handler can be changed.
The default connection handler is the lowest priority connection handler. If a new connection handler is created without a priority, the new connection handler is given a higher priority than the default connection handler. If two connection handlers have the same priority, the order in which the connection is evaluated against them is not specified.
The criteria expression of a connection handler is a logical AND between criteria of different types and a logical OR between criteria of the same type. For example, if a criterion is specified for client IP address and a criterion is set for client domain name, both criteria must be met. However, if two criteria are set for client IP address, matching either one of them is sufficient.
The following list summarizes the criteria used to classify connections into connection handlers. For information about how to configure the criteria, see Creating, Configuring, and Deleting Connection Handlers in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
Client IP address and mask. A set of IPv4 or IPv6 address masks. The IP address of a client connection must match at least one of the masks in order for the connection to be accepted by the connection handler.
The IP address can be in one of the following formats:
IP address in dotted decimal form. For example, 188.8.131.52.
IP address and bits, in the form of network number/mask bits. For example, 184.108.40.206/24.
IP address and quad, in the form of a pair of dotted-decimal quads. For example, 220.127.116.11/255.255.255.128.
All addresses: ALL, a catch-all for clients that are not placed into other, higher priority, groups.
0.0.0.0. This address is for groups for which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host. IP address 127.0.0.1 is the IP address of a client that is running on the same machine as Directory Proxy Server.
Client domain name. A set of domain names. A client network domain must match at least one of the suffixes in order for the connection to be accepted by the connection handler.
In order to be able to filter the client's domain name, Directory Proxy Server must be able to convert the incoming IP address into the fully qualified domain name. If the naming service returns a hostname without the domain name, Directory Proxy Server cannot filter the client's domain name.
Directory Proxy Server does not assume any domain suffix, therefore the fully qualified domain name must be provided. A domain name suffix with a leading period, for example, .sun.com, will cause all hosts with domain names that end in that suffix to match.
The domain name can be in one of the following formats:
Full name, for example, box.eng.sun.com.
Suffix name, for example, .eng.sun.com. If the suffix name is used to identify clients, ensure that DNS is set up to return fully qualified names to the DNS queries.
Fully qualified name of the local host. This criterion is for a client that is running on the same machine as Directory Proxy Server.
Bind DN. A regular expression that must be matched by the bind DN of a client.
For example, the following regular expression could be used as a bind DN criterion for a connection handler: uid=(.*),dc=example,dc=com. A client that binds with a uid such as uid=user1,dc=example,dc=com matches the criterion and can be allocated to the connection handler. A client that binds with another DN such as ou=accounts,dc=example,dc=com does not match the criterion and cannot be allocated to the connection handler.
Group DN. Directory Proxy Server allocates a connection to the connection handler only if the user entry represented by the bind DN is a member of at least one of the groups specified in the group DN criteria attribute. Directory Proxy Server searches for the group and its members only in the data views that are attached to the connection handler. The group DN criteria attribute does not accept regular expressions, only a proper group DN.
LDAP search filter. A search filter that the entry of a bound client must match.
For example, the following filter could be used as a criterion for a connection handler: uid>=1000. Bound clients whose entry matches the filter can be allocated to the connection handler.
Authentication method. An authentication method that must match the client entry in order for the connection to be accepted by the connection handler.
The authentication method can be one of the following:
IP port. A set of IP port numbers. A client connection must come through one of the specified ports in order for the connection to be accepted by the connection handler.
SSL connection. A flag indicating whether or not client connections must use SSL in order to be accepted by the connection handler.
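To make the priority ordering, the AND-across-types/OR-within-type rule, the default handler, and reclassification after a bind or startTLS concrete, here is an added Python sketch that is not Directory Proxy Server's own code. The handler names, addresses, domain names and DNs are constructed for the illustration, and the group DN and LDAP filter criteria (which need a directory lookup) are left out.

```python
import ipaddress
import re

def ip_matches(mask, ip):
    """Match a client IP against one mask in the formats the page lists."""
    if mask == "ALL":                      # catch-all for remaining clients
        return True
    if mask == "0.0.0.0":                  # initial membership not considered
        return False
    if "/" in mask:                        # bits (x/24) or quad (x/255.255.255.128)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(mask, strict=False)
    return ipaddress.ip_address(ip) == ipaddress.ip_address(mask)

def domain_matches(pattern, fqdn):
    """A suffix with a leading period matches every host ending in it."""
    if pattern.startswith("."):
        return fqdn.lower().endswith(pattern.lower())
    return fqdn.lower() == pattern.lower()

# One matcher per criteria type; types not listed here are omitted.
MATCHERS = {
    "ip": ip_matches,
    "domain": domain_matches,
    "bind_dn": lambda regex, dn: re.fullmatch(regex, dn) is not None,
    "port": lambda want, have: want == have,
    "ssl": lambda want, have: want == have,
}

def handler_matches(handler, conn):
    """AND between criteria types, OR between values of the same type."""
    for ctype, values in handler["criteria"].items():
        actual = conn.get(ctype)           # e.g. no bind_dn on an anonymous bind
        if actual is None or not any(MATCHERS[ctype](v, actual) for v in values):
            return False
    return True

def classify(handlers, conn):
    """Priority 1 is evaluated first; no match falls through to the default."""
    for h in sorted(handlers, key=lambda h: h["priority"]):
        if handler_matches(h, conn):
            return h["name"]
    return "default"

# Constructed handler definitions, most specific first.
HANDLERS = [
    {"name": "secure-users", "priority": 1,
     "criteria": {"bind_dn": [r"uid=.*,dc=example,dc=com"], "ssl": [True]}},
    {"name": "intranet", "priority": 2,
     "criteria": {"ip": ["192.0.2.0/24", "198.51.100.0/255.255.255.128"],
                  "domain": [".example.com"]}},
    {"name": "localhost", "priority": 3, "criteria": {"ip": ["127.0.0.1"]}},
]
```

Re-running `classify` on the same connection record after adding a `bind_dn` or flipping `ssl` to True models the automatic reclassification the page describes.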