Oracle Fusion Middleware Administration Guide for Oracle Directory Server Enterprise Edition

Creating and Configuring Request Filtering Policies and Search Data Hiding Rules

For an overview of request filtering policies, see Request Filtering Policies for Connection Handlers in Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition. For an overview of search data hiding rules, see Search Data Hiding Rules in the Request Filtering Policy in Oracle Fusion Middleware Reference for Oracle Directory Server Enterprise Edition.

For information about how to create and configure request filtering policies and search data hiding rules, see the following procedures.

ProcedureTo Create a Request Filtering Policy

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create a request filtering policy.


    $ dpconf create-request-filtering-policy policy-name
    
  2. Associate the request filtering policy with a connection handler.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     request-filtering-policy:policy-name
    

ProcedureTo Configure a Request Filtering Policy

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. View the properties of a request filtering policy.


    $ dpconf get-request-filtering-policy-prop -h host -p port policy-name
    

    The default properties of a request filtering policy are as follows:


    allow-add-operations                :  true
    allow-bind-operations               :  true
    allow-compare-operations            :  true
    allow-delete-operations             :  true
    allow-extended-operations           :  true
    allow-inequality-search-operations  :  true
    allow-modify-operations             :  true
    allow-rename-operations             :  true
    allow-search-operations             :  true
    allowed-comparable-attrs            :  all
    allowed-search-scopes               :  base
    allowed-search-scopes               :  one-level
    allowed-search-scopes               :  subtree
    allowed-subtrees                    :  ""
    description                         :  -
    prohibited-comparable-attrs         :  none
    prohibited-subtrees                 :  none
  2. Configure the request filtering policy by setting one ore more of the properties listed in Step 1.


    $ dpconf set-request-filtering-policy-prop -h host -p port policy-name \
      property:value [property:value ...]

    By setting the properties listed in Step 1, you configure the following features of the request filtering policy:

    • The types of operations that clients are allowed to perform

    • The subtrees that are exposed to a client or hidden from a client

    • The scope for search operations

    • The types of search filters

    • The attribute types that can or cannot be compared in search and compare operations

ProcedureTo Create Search Data Hiding Rules

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create one or more search data hiding rules for a request filtering policy.


    $ dpconf create-search-data-hiding-rule -h host -p port policy-name rule-name \
     [rule-name ...]
  2. View the properties of a search data hiding rule.


    $ dpconf get-search-data-hiding-rule-prop policy-name rule-name
    

    The default properties of a search data hiding rule are as follows:


    attrs                              :  none
    rule-action                        :  hide-entry
    target-attr-value-assertions       :  none
    target-dn-regular-expressions      :  none
    target-dns                         :  none
  3. Configure a search data hiding rule by setting one or more of the properties listed in Step 2.


    $ dpconf set-search-data-hiding-rule-prop -h host -p port policy-name rule-name \
      property:value [property:value ...]

    One of the following rule actions can be used:

    hide-entry

    The target entry is not returned.

    hide-attributes

    The target entry is returned but the specified attributes are filtered out.

    show-attributes

    The target entry is returned but the unspecified attributes are filtered out.

    The rule can be applied to the following entries:

    target-dns

    Entries with the specified DN

    target-dn-regular-expressions

    Entries with the specified DN pattern

    target-attr-value-assertions

    Entries with a specified attribute name and attribute value pair (attrName#attrValue)

    The following configuration defines a search data hiding rule that hides entries of type inetorgperson.


    $ dpconf set-search-data-hiding-rule-prop -h host1 -p port my-policy my-rule \
      target-attr-value-assertions:objectclass#inetorgperson

Example Request Filtering Policy and Search Data Hiding Rule

The following examples contain a request filtering policy and a search data hiding rule. When the request filtering policy is combined with the search data hiding rule, access to data is limited as follows:


Example 25–1 Sample Request Filtering Policy


allow-add-operations                :  false
allow-bind-operations               :  true
allow-compare-operations            :  true
allow-delete-operations             :  false
allow-extended-operations           :  false
allow-inequality-search-operations  :  true
allow-modify-operations             :  false
allow-rename-operations             :  false
allow-search-operations             :  true
allowed-comparable-attrs            :  all
allowed-search-scopes               :  base
allowed-search-scopes               :  one-level
allowed-search-scopes               :  subtree
allowed-subtrees                    :  ou=people,dc=example,dc=com
description                         :  myRequestFilteringPolicy
prohibited-comparable-attrs         :  none
prohibited-subtrees                 :  none


Example 25–2 Sample Search Data Hiding Rule


attrs                              :  -
rule-action                        :  hide-entry
target-attr-value-assertions       :  objectclass:inetorgperson
target-dn-regular-expressions      :  -
target-dns                         :  -