Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

Configuring Directory Proxy Server Instances

This section describes how to configure an instance of Directory Proxy Server. The procedures in this section use the dpadm and dpconf commands. For information about these commands, see the dpadm(1M) and dpconf(1M) man pages.

To Display the Configuration of Directory Proxy Server Instance

Type dpconf info

$ dpconf info -p port
Instance Path           :  instance path
Host Name               :  host
Secure listen address   :  IP address
Port                    :  port
Secure port             :  secure port
SSL server certificate  :  defaultServerCert

Directory Proxy Server needs to be restarted.

dpconf info displays Secure listen address and Non-secure listen address only if these properties are set to non-default values. The above output does not display Non-secure listen address, as this property is not set to a non-default value.

dpconf info also reminds the user to restart the instance if it needs to be restarted.

You can also use dpadm info INSTANCE_PATH to display Directory Proxy Server instance configuration information.

To Modify the Configuration of Directory Proxy Server

This section describes how to modify the configuration of Directory Proxy Server.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Find the current configuration of Directory Proxy Server.

$ dpconf get-server-prop -h host -p port

allow-cert-based-auth                      : allow
allow-ldapv2-clients                       : true
allow-persistent-searches                  : false
allow-sasl-external-authentication         : true
allow-unauthenticated-operations           : true
allow-unauthenticated-operations-mode      : anonymous-and-dn-identified
allowed-ldap-controls                      : -
cert-data-view-routing-custom-list         : none
cert-data-view-routing-policy              : all-routable
cert-search-attr-mappings                  : none
cert-search-base-dn                        : none
cert-search-bind-dn                        : none
cert-search-bind-pwd                       : none
cert-search-user-attr                      : userCertificate
compat-flag                                : none
configuration-manager-bind-dn              : cn=proxy manager
configuration-manager-bind-pwd             : {3DES}RPdIFbvoWdvhLR8lU43zCMZyKFGPxfFg
connection-pool-wait-timeout               : 3s
data-source-read-timeout                   : 20s
data-view-automatic-routing-mode           : automatic
email-alerts-enabled                       : false
email-alerts-message-from-address          : local
email-alerts-message-subject               : Proxy Server Administrative Alert
email-alerts-message-subject-includes      : false
-alert-code
email-alerts-message-to-address            : root@localhost
email-alerts-smtp-host                     : localhost
email-alerts-smtp-port                     : smtp
enable-remote-user-mapping                 : false
enable-user-mapping                        : false
enabled-admin-alerts                       : all
enabled-ssl-cipher-suites                  : JRE
enabled-ssl-protocols                      : SSLv3
enabled-ssl-protocols                      : TLSv1
encrypt-configuration                      : true
extension-jar-file-url                     : none
is-restart-required                        : false
number-of-search-threads                   : 20
number-of-worker-threads                   : 50
proxied-auth-check-timeout                 : 30m
remote-user-mapping-bind-dn-attr           : none
revert-add-on-failure                      : true
scriptable-alerts-command                  : echo
scriptable-alerts-enabled                  : false
search-mode                                : sequential
search-wait-timeout                        : 10s
ssl-client-cert-alias                      : none
ssl-server-cert-alias                      : defaultServerCert
supported-ssl-cipher-suites                : SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
supported-ssl-cipher-suites                : SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supported-ssl-cipher-suites                : SSL_DHE_DSS_WITH_DES_CBC_SHA
supported-ssl-cipher-suites                : SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
supported-ssl-cipher-suites                : SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supported-ssl-cipher-suites                : SSL_DHE_RSA_WITH_DES_CBC_SHA
supported-ssl-cipher-suites                : SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
supported-ssl-cipher-suites                : SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
supported-ssl-cipher-suites                : SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
supported-ssl-cipher-suites                : SSL_DH_anon_WITH_DES_CBC_SHA
supported-ssl-cipher-suites                : SSL_DH_anon_WITH_RC4_128_MD5
supported-ssl-cipher-suites                : SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
supported-ssl-cipher-suites                : SSL_RSA_EXPORT_WITH_RC4_40_MD5
supported-ssl-cipher-suites                : SSL_RSA_WITH_3DES_EDE_CBC_SHA
supported-ssl-cipher-suites                : SSL_RSA_WITH_DES_CBC_SHA
supported-ssl-cipher-suites                : SSL_RSA_WITH_NULL_MD5
supported-ssl-cipher-suites                : SSL_RSA_WITH_NULL_SHA
supported-ssl-cipher-suites                : SSL_RSA_WITH_RC4_128_MD5
supported-ssl-cipher-suites                : SSL_RSA_WITH_RC4_128_SHA
supported-ssl-cipher-suites                : TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supported-ssl-cipher-suites                : TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supported-ssl-cipher-suites                : TLS_DH_anon_WITH_AES_128_CBC_SHA
supported-ssl-cipher-suites                : TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
supported-ssl-cipher-suites                : TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
supported-ssl-cipher-suites                : TLS_KRB5_EXPORT_WITH_RC4_40_MD5
supported-ssl-cipher-suites                : TLS_KRB5_EXPORT_WITH_RC4_40_SHA
supported-ssl-cipher-suites                : TLS_KRB5_WITH_3DES_EDE_CBC_MD5
supported-ssl-cipher-suites                : TLS_KRB5_WITH_3DES_EDE_CBC_SHA
supported-ssl-cipher-suites                : TLS_KRB5_WITH_DES_CBC_MD5
supported-ssl-cipher-suites                : TLS_KRB5_WITH_DES_CBC_SHA
supported-ssl-cipher-suites                : TLS_KRB5_WITH_RC4_128_MD5
supported-ssl-cipher-suites                : TLS_KRB5_WITH_RC4_128_SHA
supported-ssl-cipher-suites                : TLS_RSA_WITH_AES_128_CBC_SHA
supported-ssl-protocols                    : SSLv2Hello
supported-ssl-protocols                    : SSLv3
supported-ssl-protocols                    : TLSv1
syslog-alerts-enabled                      : false
syslog-alerts-facility                     : USER
syslog-alerts-host                         : localhost
time-resolution                            : 250ms
time-resolution-mode                       : custome-resolution
use-cert-subject-as-bind-dn                : true
use-external-schema                        : false
user-mapping-anonymous-bind-dn             : none
user-mapping-anonymous-bind-pwd            : none
user-mapping-default-bind-dn               : none
user-mapping-default-bind-pwd              : none
verify-certs                               : false

Alternatively, view the current setting of one or more configuration properties.

$ dpconf get-server-prop -h host -p port property-name ...

For example, find whether unauthenticated operations are allowed by running this command:

$ dpconf get-server-prop -h host -p port allow-unauthenticated-operations
allow-unauthenticated-operations  :  true

Change one or more of the configuration parameters.

$ dpconf set-server-prop -h host -p port property:value ...

For example, disallow unauthenticated operations by running this command:

$ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false

If you attempt to perform an illegal change, the change is not made. For example, if you set the allow-unauthenticated-operations parameter to f instead of false, the following error is produced:

$ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:f
The value "f" is not a valid value for the property "allow-unauthenticated-operations".
Allowed property values: BOOLEAN
The "set-server-prop" operation failed.

If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Configuring the Proxy Manager

The Proxy Manager is the privileged administrator, comparable to the root user on UNIX systems. The Proxy Manager entry is defined when an instance of Directory Proxy Server is created. The default DN of the Proxy Manager is cn=Proxy Manager.

You can view and change the Proxy Manager DN and password, as shown in the following procedure.

To Configure the Proxy Manager

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Find the configuration of the Proxy Manager.

$ dpconf get-server-prop -h host -p port configuration-manager-bind-dn\
 configuration-manager-bind-pwd


configuration-manager-bind-dn   :  cn=proxy manager
configuration-manager-bind-pwd  :  {3DES}U77v39WX8MDpcWVrueetB0lfJlBc6/5n

The default value for the Proxy Manager is cn=proxy manager. A hashed value is returned for the configuration manager password.

Change the DN of the Proxy Manager.

$ dpconf set-server-prop -h host -p port configuration-manager-bind-dn:bindDN

Create a file that contains the password for the Proxy Manager and set the property that points to that file.
$ dpconf set-server-prop -h host -p port configuration-manager-bind-pwd-file:filename

Configuration Changes Requiring Server Restart

Most configuration changes to Directory Proxy Server and its entities can be made online. Certain changes require that the server be restarted before the changes take effect. If you make configuration changes to any properties in the following list, the server must be restarted:

custom-distribution-algorithm
distribution-algorithm
db-name
db-url
db-user
custom-distribution-algorithm
distribution-algorithm
custom-distribution-algorithm
distribution-algorithm
bind-dn
client-cred-mode
ldap-address
ldap-port
ldaps-port
num-bind-init
num-read-init
num-write-init
ssl-policy
load-balancing-algorithm
custom-distribution-algorithm
distribution-algorithm
listen-address
listen-port
number-of-threads
listen-address
listen-port
number-of-threads
custom-distribution-algorithm
distribution-algorithm
compat-flag
number-of-search-threads
number-of-worker-threads
syslog-alerts-enabled
syslog-alerts-host
time-resolution
use-external-schema
aci-data-view

The rws and rwd keywords of a property indicate whether changes to the property require the server to be restarted.

If a property has an rws (read, write, static) keyword, the server must be restarted when the property is changed.
If a property has an rwd (read, write, dynamic) keyword, modifications to the property are implemented dynamically (without restarting the server).

To determine whether a change to a property requires the server to be restarted, run the following command:

$ dpconf help-properties | grep property-name

For example, to determine whether changing the bind DN of an LDAP data source requires the server to be restarted, run the following command:

$ dpconf help-properties | grep bind-dn
connection-handler   	bind-dn-filters        rwd  STRING | any
This property specifies a set of regular expressions. The bind DN 
of a client must match at least one regular expression in order for 
the connection to be accepted by the connection handler. (Default: any)
ldap-data-source      bind-dn               rws  DN | ""
This property specifies the DN to use when binding to the LDAP data 
source. (Default: undefined)

To determine whether the server must be restarted following a configuration change, run the following command:

$ dpconf get-server-prop -h host -p port is-restart-required