Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide

Mapping the Groups Configuration

Directory Proxy Server 5 uses groups to define how client connections are identified and what restrictions are placed on the client connections. In Directory Proxy Server 6.0, this functionality is achieved using connection handlers, data views and listeners.

Connection handlers, data views and listeners can be configured by using the Directory Service Control Center or by using the dpconf command. For more information, see Chapter 25, Directory Proxy Server Connection Handlers, in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide and Chapter 23, Directory Proxy Server Data Views, in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

Mapping the Group Object

In Directory Proxy Server 5, a group is defined by setting the attributes of the ids-proxy-sch-Group object class. Certain attributes of this object class can be mapped to Directory Proxy Server 6.0 connection handler properties. For a list of all the connection-handler properties, run the following command:

$ dpconf help-properties | grep connection-handler

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps version 5 group attributes to the corresponding connection handler properties.

Table 6–4 Mapping Between Version 5 Group Attributes and Version 6 Connection Handler Properties

Directory Proxy Server 5 Group Attribute      Directory Proxy Server 6.0 Connection Handler Property
ids-proxy-con-Name                            cn
ids-proxy-con-Priority                        priority
ids-proxy-sch-Enable                          is-enabled
ids-proxy-sch-belongs-to                      No equivalent
ids-proxy-con-permit-auth-none:TRUE           allowed-auth-methods:anonymous
ids-proxy-con-permit-auth-sasl:TRUE           allowed-auth-methods:sasl
ids-proxy-con-permit-auth-simple:TRUE         allowed-auth-methods:simple

Mapping the Network Group Object

Directory Proxy Server 5 network groups are configured by setting the attributes of the ids-proxy-sch-NetworkGroup object class. These attributes can be mapped to properties of Directory Proxy Server 6.0 connection handlers, LDAP data sources and listeners. For a list of all the properties of one of these objects, run the dpconf help-properties command and search for the object. For example, to list all the properties of a connection handler, run the following command:

$ dpconf help-properties | grep connection-handler

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps Directory Proxy Server 5 network group attributes to the corresponding Directory Proxy Server 6.0 properties and describes how to set these properties by using the command line.

Table 6–5 Mapping Between Version 5 Network Group Attributes and 6.0 Properties

Directory Proxy Server 5 Network Group Attribute   Directory Proxy Server 6.0 Property
ids-proxy-con-Client                               domain-name-filters and ip-address-filters properties of a connection handler
ids-proxy-con-include-property                     No equivalent
ids-proxy-con-include-rule                         No equivalent
ids-proxy-con-ssl-policy:ssl_required              is-ssl-mandatory:true property of a connection handler:
    $ dpconf set-connection-handler-prop CONNECTION-HANDLER-NAME is-ssl-mandatory:true
ids-proxy-con-ssl-policy:ssl_optional              ssl-policy:client property of an LDAP data source:
    $ dpconf set-ldap-data-source-prop ds1 ssl-policy:client
    (This setting controls SSL on the connection from Directory Proxy Server to the data source: SSL is used only when the client connection is itself secure. Whether clients may connect without SSL at all is decided by the is-ssl-mandatory property of the connection handler, which must be false for ssl_optional behavior.)
ids-proxy-con-ssl-policy:ssl_unavailable           is-ssl-mandatory:false property of a connection handler:
    $ dpconf set-connection-handler-prop CONNECTION-HANDLER-NAME is-ssl-mandatory:false
ids-proxy-con-tcp-no-delay                         use-tcp-no-delay property of the LDAP listener:
    $ dpconf set-ldap-listener-prop use-tcp-no-delay:true
ids-proxy-con-allow-multi-ldapv2-bind              No equivalent
ids-proxy-con-reverse-dns-lookup                   No equivalent
ids-proxy-con-timeout                              connection-idle-timeout property of the LDAP listener. The limit applies to the listener as a whole rather than to one group, so it is less granular than in Directory Proxy Server 5:
    $ dpconf set-ldap-listener-prop connection-idle-timeout:value
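The following Python script is an added example, not part of Sun's documentation or of the dpconf tool: it reads one version 5 group entry exported as LDIF and emits the dpconf commands that Tables 6–4 and 6–5 prescribe, so that the mapping can be reviewed before anything is applied. The LDIF entry is constructed for illustration. The classification of ids-proxy-con-Client values into IP and domain filters, the accepted filter syntax, and the unit of the idle timeout are assumptions to confirm against dpconf help-properties before running the generated commands.

```python
import re

# Constructed sample: one DPS 5.2 network group entry exported as LDIF.
# Values are illustrative and not taken from any real deployment.
SAMPLE_LDIF = """\
dn: ids-proxy-con-Name=internal-clients,ou=groups,cn=dps52,ou=dar-config,o=NetscapeRoot
objectClass: top
objectClass: ids-proxy-sch-Group
objectClass: ids-proxy-sch-NetworkGroup
ids-proxy-con-Name: internal-clients
ids-proxy-con-Priority: 10
ids-proxy-sch-Enable: TRUE
ids-proxy-con-Client: 192.0.2.0/24
ids-proxy-con-Client: *.example.com
ids-proxy-con-permit-auth-none: FALSE
ids-proxy-con-permit-auth-simple: TRUE
ids-proxy-con-permit-auth-sasl: TRUE
ids-proxy-con-ssl-policy: ssl_required
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-con-timeout: 300
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute-name-lowercased: [values]}.

    Folded lines (continuation lines starting with one space) are joined,
    multi-valued attributes are kept in order, and attribute names are
    lowercased because LDAP treats them case-insensitively. Base64 ("::")
    values are not handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def is_true(entry, attr):
    """DPS 5 stores booleans as TRUE/FALSE; a missing attribute counts as FALSE."""
    return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"


# Assumption: dotted-quad addresses with an optional /prefix are IP filters,
# anything else is a domain-name pattern.
IP_FILTER = re.compile(r"^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$")


def group_to_dpconf(entry, data_source="ds1"):
    """Return the dpconf commands that recreate a DPS 5 group as a DPS 6.0
    connection handler, following tables 6-4 and 6-5."""
    name = entry["ids-proxy-con-name"][0]
    set_ch = "dpconf set-connection-handler-prop %s " % name
    cmds = ["dpconf create-connection-handler %s" % name]
    if "ids-proxy-con-priority" in entry:
        cmds.append(set_ch + "priority:" + entry["ids-proxy-con-priority"][0])
    cmds.append(set_ch + "is-enabled:%s" % str(is_true(entry, "ids-proxy-sch-enable")).lower())
    # Table 6-4: the permit-auth-* flags that are TRUE form the allowed-auth-methods set.
    methods = [new for old, new in (("none", "anonymous"), ("simple", "simple"), ("sasl", "sasl"))
               if is_true(entry, "ids-proxy-con-permit-auth-" + old)]
    if methods:
        cmds.append(set_ch + " ".join("allowed-auth-methods:" + m for m in methods))
    # Table 6-5: ids-proxy-con-Client splits into ip-address-filters and domain-name-filters.
    clients = entry.get("ids-proxy-con-client", [])
    ips = [v for v in clients if IP_FILTER.match(v)]
    domains = [v for v in clients if not IP_FILTER.match(v)]
    if ips:
        cmds.append(set_ch + " ".join("ip-address-filters:" + v for v in ips))
    if domains:
        cmds.append(set_ch + " ".join("domain-name-filters:" + v for v in domains))
    policy = entry.get("ids-proxy-con-ssl-policy", [""])[0].lower()
    if policy == "ssl_required":
        cmds.append(set_ch + "is-ssl-mandatory:true")
    elif policy == "ssl_unavailable":
        cmds.append(set_ch + "is-ssl-mandatory:false")
    elif policy == "ssl_optional":
        # As in table 6-5: this governs the proxy-to-data-source leg only.
        cmds.append("dpconf set-ldap-data-source-prop %s ssl-policy:client" % data_source)
    # Listener properties apply to the whole instance, not to this handler alone.
    if is_true(entry, "ids-proxy-con-tcp-no-delay"):
        cmds.append("dpconf set-ldap-listener-prop use-tcp-no-delay:true")
    if "ids-proxy-con-timeout" in entry:
        # Assumption: the value is copied as-is; check the unit dpconf expects.
        cmds.append("dpconf set-ldap-listener-prop connection-idle-timeout:"
                    + entry["ids-proxy-con-timeout"][0])
    return cmds


if __name__ == "__main__":
    for cmd in group_to_dpconf(parse_ldif_entry(SAMPLE_LDIF)):
        print(cmd)
```

Because listener properties are instance-wide, a deployment with several version 5 groups that set different ids-proxy-con-timeout or ids-proxy-con-tcp-no-delay values will produce conflicting listener commands; review those lines by hand and keep the strictest value.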

Mapping Bind Forwarding

Directory Proxy Server 5 bind forwarding determines whether a bind request is passed on to an LDAP server or rejected, with the client's connection closed. Directory Proxy Server 6.0 forwards either all bind requests or none. However, by setting the allowed-auth-methods connection handler property, successfully bound clients can be classified into connection handlers according to the authentication method they used, and Directory Proxy Server 6.0 can then be configured to reject all requests that arrive through a given connection handler. This provides the same effect as Directory Proxy Server 5 bind forwarding, with the difference that the bind itself completes and the restriction is applied to the requests that follow it.

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5 bind forwarding attributes to the corresponding Directory Proxy Server 6 connection handler property settings.

Table 6–6 Mapping of Directory Proxy Server 5 Bind Forwarding Attributes to Directory Proxy Server 6 Connection Handler Property Settings

Directory Proxy Server 5 Attribute        Directory Proxy Server 6 Property
ids-proxy-con-bind-name                   No equivalent
ids-proxy-con-permit-auth-none            allowed-auth-methods:anonymous
ids-proxy-con-permit-auth-simple          allowed-auth-methods:simple
ids-proxy-con-permit-auth-sasl            allowed-auth-methods:sasl

Mapping Operation Forwarding

Operation forwarding determines how Directory Proxy Server 5 handles requests after a successful bind. In Directory Proxy Server 6.0, this functionality is provided by setting the properties of a request filtering policy. For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. For a list of all the properties of a request filtering policy, run the following command:

$ dpconf help-properties | grep request-filtering-policy

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5 operation forwarding attributes to the corresponding Directory Proxy Server 6 request filtering properties.

Table 6–7 Mapping of Directory Proxy Server 5 Operation Forwarding Attributes to Directory Proxy Server 6 Request Filtering Properties

Directory Proxy Server 5 Attribute        Directory Proxy Server 6 Property
ids-proxy-con-permit-op-search            allow-search-operations
ids-proxy-con-permit-op-compare           allow-compare-operations
ids-proxy-con-permit-op-add               allow-add-operations
ids-proxy-con-permit-op-delete            allow-delete-operations
ids-proxy-con-permit-op-modify            allow-modify-operations
ids-proxy-con-permit-op-modrdn            allow-rename-operations
ids-proxy-con-permit-op-extended          allow-extended-operations

Mapping Subtree Hiding

Directory Proxy Server 5 uses the ids-proxy-con-forbidden-subtree attribute to specify a subtree of entries that is excluded from any client request. Directory Proxy Server 6.0 provides this functionality with the allowed-subtrees and prohibited-subtrees properties of a request filtering policy. For information on hiding subtrees in this way, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

If your subtrees are distributed across different backend servers, you can use the excluded-subtrees property of a data view to hide subtrees. For more information on hiding subtrees in this way, see Excluding a Subtree From a Data View in Sun Java System Directory Server Enterprise Edition 6.0 Reference and To Configure Data Views With Hierarchy and a Distribution Algorithm in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

Mapping Search Request Controls

In Directory Proxy Server 5, search request controls are used to prevent certain kinds of requests from reaching the LDAP server. In Directory Proxy Server 6.0, this functionality is provided by setting properties of a request filtering policy and a resource limits policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. For a list of all the properties associated with a request filtering policy or a resource limits policy, run the dpconf help-properties command and search for the object. For example, to list all properties associated with a resource limits policy, run the following command:

$ dpconf help-properties | grep resource-limits-policy

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5 search request control attributes to the corresponding Directory Proxy Server 6.0 properties.

Table 6–8 Mapping Directory Proxy Server 5 Search Request Control Attributes to Directory Proxy Server 6.0 Properties

Directory Proxy Server 5 Attribute        Directory Proxy Server 6.0 Property
ids-proxy-con-filter-inequality           allow-inequality-search-operations property of the request filtering policy
ids-proxy-con-min-substring-size          minimum-search-filter-substring-length property of the resource limits policy

Mapping Compare Request Controls

In Directory Proxy Server 5, compare request controls are used to prevent compare operations on certain attributes from reaching the LDAP server. In Directory Proxy Server 6.0, this functionality is provided by setting properties of a request filtering policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5 compare request control attributes to the corresponding Directory Proxy Server 6 properties.

Table 6–9 Mapping of Directory Proxy Server 5 Compare Request Control Attributes to Directory Proxy Server 6 Properties

Directory Proxy Server 5 Attribute        Directory Proxy Server 6 Property
ids-proxy-con-forbidden-compare           prohibited-comparable-attrs
ids-proxy-con-permitted-compare           allowed-comparable-attrs

Mapping Attributes Modifying Search Requests

In Directory Proxy Server 5, these attributes are used to modify the search request before it is forwarded to the server. In Directory Proxy Server 6, this functionality is provided by setting properties of a request filtering policy and a resource limits policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5 search request modifying attributes to the corresponding Directory Proxy Server 6 properties.

Table 6–10 Mapping of Directory Proxy Server 5 Search Request Modifying Attributes to Directory Proxy Server 6 Properties

Directory Proxy Server 5 Attribute        Directory Proxy Server 6 Property
ids-proxy-con-minimum-base                allowed-subtrees property of the request filtering policy
ids-proxy-con-max-scope                   allowed-search-scopes property of the request filtering policy
ids-proxy-con-max-timelimit               search-time-limit property of the resource limits policy
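The following Python script is an added example and not part of Sun's documentation: it builds the request filtering policy that Tables 6–7 through 6–10 describe from the version 5 attributes of one group, and also produces the deny-all policy that Mapping Bind Forwarding relies on to reject every request arriving through a connection handler. The input dictionary is constructed (attribute names lowercased, as an LDIF parser would produce them). The policy name suffix, the DPS 5 spellings accepted for ids-proxy-con-max-scope, the allowed-search-scopes value names, the reading of ids-proxy-con-filter-inequality:TRUE as "inequality filters permitted", and the connection handler property request-filtering-policy used to attach the policy are all assumptions to confirm with dpconf help-properties.

```python
# Constructed DPS 5 group attributes, already parsed into {name: [values]}.
# Values are illustrative only.
SAMPLE_GROUP = {
    "ids-proxy-con-name": ["internal-clients"],
    "ids-proxy-con-permit-op-search": ["TRUE"],
    "ids-proxy-con-permit-op-compare": ["TRUE"],
    "ids-proxy-con-permit-op-add": ["FALSE"],
    "ids-proxy-con-permit-op-delete": ["FALSE"],
    "ids-proxy-con-permit-op-modify": ["TRUE"],
    "ids-proxy-con-permit-op-modrdn": ["FALSE"],
    "ids-proxy-con-permit-op-extended": ["FALSE"],
    "ids-proxy-con-forbidden-subtree": ["ou=admin,dc=example,dc=com"],
    "ids-proxy-con-minimum-base": ["ou=people,dc=example,dc=com"],
    "ids-proxy-con-max-scope": ["onelevel"],
    "ids-proxy-con-filter-inequality": ["FALSE"],
    "ids-proxy-con-forbidden-compare": ["userPassword"],
}

# Table 6-7: permit-op-* flag -> allow-*-operations property (modrdn is "rename").
OPERATIONS = [("search", "search"), ("compare", "compare"), ("add", "add"),
              ("delete", "delete"), ("modify", "modify"),
              ("modrdn", "rename"), ("extended", "extended")]

# allowed-search-scopes is a set, so a DPS 5 maximum scope expands to every
# scope up to and including it. Assumption: these DPS 5 spellings and DPS 6.0
# value names; confirm with `dpconf help-properties`.
SCOPE_ORDER = ["base", "one-level", "subtree"]
SCOPE_ALIASES = {"base": "base", "one": "one-level", "onelevel": "one-level",
                 "one-level": "one-level", "sub": "subtree", "subtree": "subtree"}


def is_true(entry, attr):
    """DPS 5 stores booleans as TRUE/FALSE; a missing attribute counts as FALSE."""
    return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"


def scopes_up_to(max_scope):
    """Expand a DPS 5 maximum scope into the DPS 6.0 allowed-search-scopes set."""
    top = SCOPE_ALIASES[max_scope.lower()]
    return SCOPE_ORDER[:SCOPE_ORDER.index(top) + 1]


def request_filtering_to_dpconf(entry):
    """Return dpconf commands that build a request filtering policy reproducing
    a DPS 5 group's operation forwarding (table 6-7), subtree hiding, inequality
    filter control (table 6-8) and compare/search restrictions (tables 6-9 and
    6-10), then attach the policy to the matching connection handler."""
    name = entry["ids-proxy-con-name"][0]
    policy = name + "-rfp"  # assumption: naming convention for the new policy
    set_prop = "dpconf set-request-filtering-policy-prop %s " % policy
    cmds = ["dpconf create-request-filtering-policy " + policy]
    flags = ["allow-%s-operations:%s" % (new, str(is_true(entry, "ids-proxy-con-permit-op-" + old)).lower())
             for old, new in OPERATIONS]
    cmds.append(set_prop + " ".join(flags))
    # Multi-valued DN and attribute lists copy over value for value.
    for old, new in (("ids-proxy-con-forbidden-subtree", "prohibited-subtrees"),
                     ("ids-proxy-con-minimum-base", "allowed-subtrees"),
                     ("ids-proxy-con-forbidden-compare", "prohibited-comparable-attrs"),
                     ("ids-proxy-con-permitted-compare", "allowed-comparable-attrs")):
        if old in entry:
            cmds.append(set_prop + " ".join("%s:%s" % (new, v) for v in entry[old]))
    if "ids-proxy-con-max-scope" in entry:
        scopes = scopes_up_to(entry["ids-proxy-con-max-scope"][0])
        cmds.append(set_prop + " ".join("allowed-search-scopes:" + s for s in scopes))
    if "ids-proxy-con-filter-inequality" in entry:
        # Assumption: TRUE in DPS 5 means inequality filters are permitted.
        permitted = is_true(entry, "ids-proxy-con-filter-inequality")
        cmds.append(set_prop + "allow-inequality-search-operations:" + str(permitted).lower())
    # Assumption: the connection handler property referencing the policy is
    # named request-filtering-policy.
    cmds.append("dpconf set-connection-handler-prop %s request-filtering-policy:%s" % (name, policy))
    return cmds


def deny_all_policy(policy):
    """Policy that refuses every operation. Attached to a connection handler
    whose allowed-auth-methods select the binds DPS 5 bind forwarding would
    have rejected, it reproduces that rejection for everything after the bind."""
    flags = " ".join("allow-%s-operations:false" % new for _, new in OPERATIONS)
    return ["dpconf create-request-filtering-policy " + policy,
            "dpconf set-request-filtering-policy-prop %s %s" % (policy, flags)]


if __name__ == "__main__":
    for cmd in request_filtering_to_dpconf(SAMPLE_GROUP) + deny_all_policy("reject-anonymous"):
        print(cmd)
```

A group that never set ids-proxy-con-max-scope or ids-proxy-con-filter-inequality produces no corresponding command, so the new policy keeps the Directory Proxy Server 6.0 defaults for those properties; check that those defaults are at least as restrictive as the version 5 behavior you are replacing.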

Mapping Attributes Restricting Search Responses

In Directory Proxy Server 5, these attributes describe restrictions that are applied to search results being returned by the server, before they are forwarded to the client. In Directory Proxy Server 6, this functionality is provided by setting the properties of a resource limits policy and by configuring search data hiding rules.

For information about configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. For information about creating search data hiding rules, see To Create Search Data Hiding Rules in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide. For a list of properties associated with a search data hiding rule, run the following command:

$ dpconf help-properties | grep search-data-hiding-rule

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5 search response restriction attributes to the corresponding Directory Proxy Server 6.0 properties.

Table 6–11 Mapping of Directory Proxy Server 5 Search Response Restriction Attributes to Directory Proxy Server 6.0 Properties

Directory Proxy Server 5 Attribute        Directory Proxy Server 6.0 Property
ids-proxy-con-max-result-size             search-size-limit property of the resource limits policy
ids-proxy-con-forbidden-return            search data hiding rule properties
    To hide a subset of attributes: rule-action:hide-attributes attributes:attribute-name
    To hide an entire entry: rule-action:hide-entry
ids-proxy-con-permitted-return            search data hiding rule properties
    To show a subset of attributes: rule-action:show-attributes attributes:attribute-name
ids-proxy-con-search-reference            No direct equivalent. Search continuation references are governed by the referral-policy property of the resource limits policy.

Mapping the Referral Configuration Attributes

In Directory Proxy Server 5, these attributes determine what Directory Proxy Server should do with referrals. In Directory Proxy Server 6.0, this functionality is provided by setting properties of a resource limits policy.

For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5 referral configuration attributes to the corresponding Directory Proxy Server 6 resource limits properties.

Table 6–12 Mapping of Directory Proxy Server 5 Referral Configuration Attributes to Directory Proxy Server 6 resource limits Properties

Directory Proxy Server 5 Attribute        Directory Proxy Server 6 Property
ids-proxy-con-reference                   referral-policy
ids-proxy-con-referral-ssl-policy         referral-policy
ids-proxy-con-referral-bind-policy        referral-bind-policy
ids-proxy-con-max-refcount                referral-hop-limit

Mapping the Server Load Configuration

In Directory Proxy Server 5, these attributes control the number of simultaneous operations and the total number of operations a client can request on one connection, as well as the number of connections accepted in total and from a single client IP address. In Directory Proxy Server 6, this functionality is provided by setting properties of a resource limits policy.

For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

In Iplanet Directory Access Router 5.0 (IDAR) these configuration attributes are stored under ids-proxy-con-Name=group-name,ou=groups,ou=pd2,ou=iDAR,o=services. In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5 server load configuration attributes to the corresponding Directory Proxy Server 6.0 resource limits properties.

Table 6–13 Mapping of Directory Proxy Server 5 Server Load Configuration Attributes to Directory Proxy Server 6.0 Resource Limits Properties

Directory Proxy Server 5 Attribute                           Directory Proxy Server 6.0 Property
ids-proxy-con-max-simultaneous-operations-per-connection     max-simultaneous-operations-per-connection
ids-proxy-con-operations-per-connection                      max-total-operations-per-connection
ids-proxy-con-max-conns                                      max-connections
ids-proxy-con-max-simultaneous-conns-from-ip                 max-client-connections
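The following Python script is an added example and not part of Sun's documentation: it builds the resource limits policy and search data hiding rules that Tables 6–8 and 6–10 through 6–13 describe from the version 5 attributes of one group. The input dictionary is constructed. Numeric limits are copied by value; the referral settings map to a property but use a different value vocabulary in version 6, so the script flags them for manual review instead of guessing. The policy and rule names, the unit of search-time-limit, the create/set syntax for search data hiding rules as objects under a resource limits policy, and the connection handler property resource-limits-policy used to attach the policy are assumptions to confirm with dpconf help-properties and the Administration Guide.

```python
# Constructed DPS 5 group attributes, already parsed into {name: [values]}.
# Values are illustrative only.
SAMPLE_GROUP = {
    "ids-proxy-con-name": ["internal-clients"],
    "ids-proxy-con-min-substring-size": ["3"],
    "ids-proxy-con-max-timelimit": ["30"],
    "ids-proxy-con-max-result-size": ["500"],
    "ids-proxy-con-reference": ["forward"],
    "ids-proxy-con-max-refcount": ["2"],
    "ids-proxy-con-max-simultaneous-operations-per-connection": ["10"],
    "ids-proxy-con-operations-per-connection": ["1000"],
    "ids-proxy-con-max-conns": ["200"],
    "ids-proxy-con-max-simultaneous-conns-from-ip": ["20"],
    "ids-proxy-con-forbidden-return": ["userPassword", "employeeNumber"],
}

# Numeric limits that carry over by value (tables 6-8, 6-10, 6-11, 6-12, 6-13).
# Assumption: values are copied unchanged; check the unit search-time-limit expects.
NUMERIC_MAP = [
    ("ids-proxy-con-min-substring-size", "minimum-search-filter-substring-length"),
    ("ids-proxy-con-max-timelimit", "search-time-limit"),
    ("ids-proxy-con-max-result-size", "search-size-limit"),
    ("ids-proxy-con-max-refcount", "referral-hop-limit"),
    ("ids-proxy-con-max-simultaneous-operations-per-connection", "max-simultaneous-operations-per-connection"),
    ("ids-proxy-con-operations-per-connection", "max-total-operations-per-connection"),
    ("ids-proxy-con-max-conns", "max-connections"),
    ("ids-proxy-con-max-simultaneous-conns-from-ip", "max-client-connections"),
]

# Referral settings (table 6-12) map to a property but not to a value: the
# DPS 6.0 value vocabulary differs, so these are emitted as review comments.
REVIEW_MAP = [
    ("ids-proxy-con-reference", "referral-policy"),
    ("ids-proxy-con-referral-ssl-policy", "referral-policy"),
    ("ids-proxy-con-referral-bind-policy", "referral-bind-policy"),
]

# Table 6-11: attribute lists become search data hiding rules under the policy.
HIDING_RULES = [
    ("ids-proxy-con-forbidden-return", "hide-attributes", "hide-forbidden-return"),
    ("ids-proxy-con-permitted-return", "show-attributes", "show-permitted-return"),
]


def resource_limits_to_dpconf(entry):
    """Return dpconf commands (plus '# REVIEW' comment lines) that build a
    resource limits policy for one DPS 5 group and attach it to the
    connection handler of the same name."""
    name = entry["ids-proxy-con-name"][0]
    policy = name + "-rlp"  # assumption: naming convention for the new policy
    cmds = ["dpconf create-resource-limits-policy " + policy]
    props = [new + ":" + entry[old][0] for old, new in NUMERIC_MAP if old in entry]
    if props:
        cmds.append("dpconf set-resource-limits-policy-prop %s %s" % (policy, " ".join(props)))
    for old, new in REVIEW_MAP:
        if old in entry:
            cmds.append("# REVIEW: %s was '%s'; set %s on %s by hand"
                        % (old, entry[old][0], new, policy))
    # Assumption: rules are created as sub-objects of the policy with the
    # commands create-search-data-hiding-rule / set-search-data-hiding-rule-prop.
    for old, action, rule in HIDING_RULES:
        attrs = entry.get(old, [])
        if attrs:
            cmds.append("dpconf create-search-data-hiding-rule %s %s" % (policy, rule))
            cmds.append("dpconf set-search-data-hiding-rule-prop %s %s rule-action:%s %s"
                        % (policy, rule, action, " ".join("attributes:" + a for a in attrs)))
    # Assumption: the connection handler property referencing the policy is
    # named resource-limits-policy.
    cmds.append("dpconf set-connection-handler-prop %s resource-limits-policy:%s" % (name, policy))
    return cmds


if __name__ == "__main__":
    for cmd in resource_limits_to_dpconf(SAMPLE_GROUP):
        print(cmd)
```

The generated lines are meant to be pasted into a shell script and reviewed as a whole: the '# REVIEW' comments stop the referral settings from being applied silently, and a version 5 group that set neither ids-proxy-con-forbidden-return nor ids-proxy-con-permitted-return produces no hiding rule at all, which leaves all attributes visible as in version 5.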