Request Filtering Policies for Connection Handlers

Request filtering policies control access of clients to data. A connection handler can reference zero or one request filtering policy.

The following aspects of client access can be defined by using this type of connection handler policy:

• The types of operation that clients are allowed to perform or are prohibited from performing.

  Each of the following types of operation can be allowed or prohibited: add, bind, compare, delete, extended operations, modify, modify DN, search, and search based on inequality filters.

• Attributes that are allowed or prohibited from being used in search filters and compare operations.

  All attributes can be permitted in search filters and compare operations, or a list of attributes can be permitted or prohibited.

• The scope of search operations.

  The scope can be the base DN, one level below the base DN, or the entire subtree below the base DN.

• The subtrees that clients are allowed to access or are prohibited from accessing.

  For information, see Subtrees in the Request Filtering Policy.

• Entries that can be accessed in search operations and data that can be returned by search operations.

  For information, see Search Data Hiding Rules in the Request Filtering Policy.

For information about how to configure a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Directory Server Enterprise Edition 7.0 Administration Guide.

Subtrees in the Request Filtering Policy

The request filtering policy is configured with one or more allowed subtrees and zero, one, or more prohibited subtrees. The subtrees identify the part of a data view that can be accessed by clients.

Allowed Subtrees

An allowed subtree is specified by a minimum base DN. Clients are permitted to perform operations on entries at the minimum base DN or below the minimum base DN. By default, the minimum base DN is the root DN.

If a client requests a search operation that is targeted at a DN superior to the minimum base DN, Directory Proxy Server rewrites the DN to target the minimum base DN. If a client performs any other operation that is targeted at a DN superior to the minimum base DN, the operation is denied.

Prohibited Subtrees

A prohibited subtree is a branch of the allowed subtree that cannot be accessed by the client. The base DN of a prohibited subtree must be subordinate to the minimum base DN of an allowed subtree. If a client performs an operation that is targeted at a prohibited subtree, the operation is denied.

Search Data Hiding Rules in the Request Filtering Policy

Rules that determine how to return the result of a search operation to a client are called search data hiding rules. For information about creating search data hiding rules, see To Create Search Data Hiding Rules in Sun Directory Server Enterprise Edition 7.0 Administration Guide.

The result of a search operation can be returned in one of the following ways:

• The target entry is not returned

• The target entry is returned but the specified attributes are filtered out

• The target entry is returned but the unspecified attributes are filtered out

Search data hiding rules can be applied to the following entries:

• Entries with the specified DN

• Entries with the specified DN pattern

• Entries with a specified attribute name/attribute value pair (attrName:attrValue)

Search data hiding rules are defined for a given request filtering policy and cannot be used by another request filtering policy. If a request filtering policy is deleted, its associated search data hiding rules are automatically deleted. Zero, one or multiple search data hiding rules can be defined in one request filtering policy.