Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide

Chapter 18 Directory Proxy Server Configuration

This chapter describes how to configure an instance of Directory Proxy Server. The procedures in this chapter use the dpadm and dpconf commands. For information about these commands, see the dpadm(1M) and dpconf(1M) man pages.

Modifying the Configuration of Directory Proxy Server

This section describes how to modify the configuration of Directory Proxy Server.

Procedure: To Modify the Configuration of Directory Proxy Server

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Find the current configuration of Directory Proxy Server.

    $ dpconf get-server-prop -h host -p port

    Alternatively, view the current setting of one or more configuration properties.

    $ dpconf get-server-prop -h host -p port property-name ...

    For example, find whether unauthenticated operations are allowed by running this command:

    $ dpconf get-server-prop -h host -p port allow-unauthenticated-operations
    allow-unauthenticated-operations  :  true

  2. Change one or more of the configuration parameters.

    $ dpconf set-server-prop -h host -p port property:value ...

    For example, disallow unauthenticated operations by running this command:

    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:false

    If you attempt to perform an illegal change, the change is not made. For example, if you set the allow-unauthenticated-operations parameter to f instead of false, the following error is produced:

    $ dpconf set-server-prop -h host -p port allow-unauthenticated-operations:f
    The value "f" is not a valid value for the property "allow-unauthenticated-operations".
    Allowed property values: BOOLEAN
    The "set-server-prop" operation failed.

  3. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Backing Up and Restoring a Directory Proxy Server Instance

When you use dpadm to back up Directory Proxy Server, the configuration files and server certificates are backed up. If you have implemented Directory Proxy Server virtual ACIs, the ACIs are also backed up.

Directory Proxy Server automatically backs up the conf.ldif file whenever the server starts successfully.

Procedure: To Back Up a Directory Proxy Server Instance

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Stop the instance of Directory Proxy Server.

    $ dpadm stop instance-path

  2. Back up the instance of Directory Proxy Server.

    $ dpadm backup instance-path archive-dir

    The archive-dir directory is created by the backup command and must not exist before you run the command. This directory contains a backup of each of the configuration files and the certificates.

Procedure: To Restore a Directory Proxy Server Instance

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Stop the instance of Directory Proxy Server.

    $ dpadm stop instance-path

  2. Restore the instance of Directory Proxy Server.

    $ dpadm restore instance-path archive-dir

    • If the instance path exists, the restore operation is performed silently. The configuration files and the certificates in the archive-dir directory replace those in the instance-path directory.

    • If the instance path does not exist, the restore operation fails.

Configuring the Proxy Manager

The Proxy Manager is the privileged administrator, comparable to the root user on UNIX® systems. The Proxy Manager entry is defined when an instance of Directory Proxy Server is created. The default DN of the Proxy Manager is cn=Proxy Manager.

You can view and change the Proxy Manager DN and password, as shown in the following procedure.

Procedure: To Configure the Proxy Manager

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Find the configuration of the Proxy Manager.

    $ dpconf get-server-prop -h host -p port configuration-manager-bind-dn configuration-manager-bind-pwd
    configuration-manager-bind-dn   :  cn=proxy manager
    configuration-manager-bind-pwd  :  {3DES}U77v39WX8MDpcWVrueetB0lfJlBc6/5n

    The default value for the Proxy Manager is cn=proxy manager. The configuration manager password is not returned in clear text; the value shown is its stored {3DES} form.

  2. Change the DN of the Proxy Manager.

    $ dpconf set-server-prop -h host -p port configuration-manager-bind-dn:bindDN

  3. Create a file that contains the password for the Proxy Manager and set the property that points to that file.

    $ dpconf set-server-prop -h host -p port configuration-manager-bind-pwd-file:filename

Configuration Changes Requiring Server Restart

Most configuration changes to Directory Proxy Server and its entities can be made online. Certain changes require that the server be restarted before the changes take effect. If you make configuration changes to any properties in the following list, the server must be restarted:

bind-dn
client-cred-mode
db-name
db-pwd
db-url
db-user
distribution-algorithm
ldap-address
ldap-port
ldaps-port
lexicographic-attrs
lexicographic-lower-bound
lexicographic-upper-bound
listen-address
listen-port
load-balancing-algorithm
num-bind-init
num-read-init
num-write-init
number-of-search-threads
number-of-threads
number-of-worker-threads
numeric-attrs
numeric-default-data-view
numeric-lower-bound
numeric-upper-bound
pattern-matching-base-object-search-filter
pattern-matching-dn-regular-expression
pattern-matching-one-level-search-filter
pattern-matching-subtree-search-filter
replication-role
ssl-policy
use-external-schema

In the output of dpconf help-properties, the rws and rwd keywords of a property indicate whether changes to the property require the server to be restarted: rws marks a property whose change takes effect only after a restart, as the bind-dn example below shows.

To determine whether a change to a property requires the server to be restarted, run the following command:

$ dpconf help-properties | grep property-name

For example, to determine whether changing the bind DN of an LDAP data source requires the server to be restarted, run the following command:

$ dpconf help-properties | grep bind-dn
connection-handler   	bind-dn-filters        rwd  STRING | any
This property specifies a set of regular expressions. The bind DN 
of a client must match at least one regular expression in order for 
the connection to be accepted by the connection handler. (Default: any)
ldap-data-source      bind-dn               rws  DN | ""
This property specifies the DN to use when binding to the LDAP data 
source. (Default: undefined)

To determine whether the server must be restarted following a configuration change, run the following command:

$ dpconf get-server-prop -h host -p port is-restart-required
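As an added example that is not part of the guide, the following POSIX shell helpers parse the two output formats this chapter shows: the name : value lines of dpconf get-server-prop (from the procedure To Modify the Configuration of Directory Proxy Server) and the entity, property, keyword lines of dpconf help-properties. They flag a proxy that still allows unauthenticated operations and report, by exact field match rather than the substring match of grep, whether changing a property needs a restart. The embedded sample outputs are constructed, and the helpers assume, as the bind-dn example above shows, that the rws keyword means a restart is required.

```shell
#!/bin/sh
# Added helper (not from the guide). The two sample outputs below are
# constructed in the formats this chapter shows; on a real server replace
# them with the output of:
#   dpconf get-server-prop -h host -p port
#   dpconf help-properties

SERVER_PROPS='allow-unauthenticated-operations  :  true
configuration-manager-bind-dn   :  cn=proxy manager'

HELP_PROPS='connection-handler   bind-dn-filters   rwd  STRING | any
This property specifies a set of regular expressions. (Default: any)
ldap-data-source     bind-dn           rws  DN | ""
This property specifies the DN to use when binding to the LDAP data
source. (Default: undefined)'

# Value of one property from the "name  :  value" lines of get-server-prop.
prop_value() {
    printf '%s\n' "$SERVER_PROPS" |
        awk -F ' *: *' -v p="$1" '$1 == p { print $2; exit }'
}

# True when the proxy still accepts unauthenticated operations, the setting
# this chapter turns off with allow-unauthenticated-operations:false.
unauthenticated_allowed() {
    [ "$(prop_value allow-unauthenticated-operations)" = "true" ]
}

# Access keyword (rws or rwd) of an exact entity/property pair. Matching
# whole fields avoids the substring hits of "grep bind-dn", which also
# returns bind-dn-filters; description lines never match because their
# first word is not an entity name.
access_keyword() {
    printf '%s\n' "$HELP_PROPS" |
        awk -v e="$1" -v p="$2" '$1 == e && $2 == p { print $3; exit }'
}

# True when a change to the property needs a server restart (rws keyword).
restart_required() {
    [ "$(access_keyword "$1" "$2")" = "rws" ]
}

# Stand-alone run: report the finding and whether fixing bind-dn needs a restart.
if unauthenticated_allowed; then
    echo "finding: unauthenticated operations are allowed"
fi
if restart_required ldap-data-source bind-dn; then
    echo "changing ldap-data-source bind-dn requires a restart"
fi
```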

Accessing Configuration Entries for a Directory Server by Using Directory Proxy Server

The configuration entries for Directory Proxy Server are in cn=config. When you use Directory Proxy Server to access configuration entries, by default you access the configuration entries of Directory Proxy Server itself, not those of the directory servers behind it.

To access the configuration entries of a directory server, use Directory Server, not Directory Proxy Server. For information about how to configure Directory Server, see Chapter 3, Directory Server Configuration.


Caution – If you reconfigure Directory Proxy Server to access the configuration entries of a directory server, you are likely to break the administration framework of Directory Proxy Server.


To use Directory Proxy Server to access the configuration entries of a directory server, take special steps to ensure that you do not break the administration framework of Directory Proxy Server. This section describes how to access the configuration entries of a directory server by using Directory Proxy Server.

Procedure: To Access the Configuration Entries of a Directory Server by Using Directory Proxy Server

  1. Create one or more data sources as described in Creating and Configuring LDAP Data Sources.

  2. Create an LDAP data source pool as described in Creating and Configuring LDAP Data Source Pools.

  3. Attach one or more data sources to the data source pool as described in Attaching LDAP Data Sources to a Data Source Pool.

    • To expose the configuration entries of one specific data source, attach only one LDAP data source to the LDAP data source pool.

      $ dpconf attach-ldap-data-source -h host -p port pool-name data-source-name

      After performing this step, a client can access the configuration entries of the data source that is connected to Directory Proxy Server.

    • To expose the configuration entries of any data source, attach more than one LDAP data source to the LDAP data source pool.

      $ dpconf attach-ldap-data-source -h host -p port pool-name data-source-name \
       data-source-name ...

      After performing this step, a client can access the configuration entries of one of the data sources connected to Directory Proxy Server. However, the client cannot know which data source the configuration entries belong to.

  4. Create an LDAP data view to expose cn=config.

    $ dpconf create-ldap-data-view -h host -p port view-name pool-name cn=dir-config