
Sun Java(TM) System Directory Proxy Server 5.2 2005Q1 Administration Guide 

Appendix C
Directory Proxy Server Startup Configuration File

This appendix describes the Directory Proxy Server startup configuration file, tailor.txt. It includes the following sections: Configuration File Overview, and Startup Configuration Keywords.


Configuration File Overview

The tailor.txt file contains the bootstrap information Directory Proxy Server needs to locate its main configuration. The directives in this file dictate whether Directory Proxy Server will use an additional file for its main configuration or will retrieve its main configuration from an LDAP server. By default, Directory Proxy Server expects to find the startup configuration file, tailor.txt, in the etc subdirectory of the installation's instance directory. Note: with the -t command-line parameter, Directory Proxy Server can be instructed to use an alternate file as its startup configuration file.

As an aid in supporting high availability configurations, a startup configuration file may list several contact points from which the main configuration can be retrieved. Contact points are delineated within the startup configuration file by two keywords: Begin and End. Directory Proxy Server processes the contact points one by one in the order given. Directory Proxy Server's actions on each contact point depend on the type of the given contact point (either an LDAP URL or an absolute path name to a file).

For LDAP-URL-based contact points, Directory Proxy Server will attempt to contact the given host. If the host is unwilling or unable to return a configuration, then Directory Proxy Server will proceed to its next contact point (if any). If the host returns a configuration, then Directory Proxy Server will validate the contents returned and will then either begin following the main configuration's directives or end its execution if the configuration was deemed invalid.

For file based contact points, Directory Proxy Server will attempt to load the given file as its main configuration. If the specified configuration is missing or is deemed invalid, Directory Proxy Server will end its execution. Directory Proxy Server will not attempt to move to the next contact point once it encounters a file based contact point.

In the case where Directory Proxy Server is retrieving its main configuration from an LDAP host, Directory Proxy Server can bind to the host using one of three methods: anonymous, simple, or by using SASL.

Anonymous binding is accomplished by omitting the configuration_bind_pw and configuration_bind_dn directives. In other words, your startup configuration's contact information would specify a configuration_url directive and nothing else.

Simple binding is supported through the use of both the configuration_bind_pw and the configuration_bind_dn directives.

SASL binding requires the specification of sasl_bind_mechanism, configuration_bind_pw, and one (and only one) of the following directives: either configuration_bind_dn or configuration_username.


Startup Configuration Keywords

Each enumerated contact point uses the keyword Begin to signify the start of a contact point entry. Conversely, each contact point entry is terminated by the keyword End. Every directive stipulated in a startup configuration file is expressed on a line by itself. Line continuation within the startup configuration is neither recognized nor supported. Each option is specified as a triplet: the option name, followed by a colon, followed by the value.

configuration_url

The configuration_url option specifies either an LDAP directory server and the distinguished name of the entry in that directory where the Directory Proxy Server configuration is stored, or a local file in LDIF format. For example, if the Directory Proxy Server configuration is stored in an LDAP directory on host ldap.sun.com with the LDAP service running on port 389 and the distinguished name of the Directory Proxy Server entry is "ids-proxy-con-Server-Name=Directory Proxy Server", then the following should be added to the configuration file:

Begin
configuration_url:
ldap://ldap.sun.com:389/ids-proxy-con-Server-Name=Directory Proxy Server
End

If the configuration is to be kept in an LDAP server, you would probably need to specify a suffix following the ids-proxy-con-Server-Name=Directory Proxy Server in order to maintain compatibility with the host directory's naming context. For example:

Begin
configuration_url:
ldap://ldap.sun.com:389/ids-proxy-con-Server-Name=Directory Proxy Server,
ou=services, dc=sun, dc=com
End

Each startup configuration directive should be specified as one contiguous line within the configuration file.


Note

Do not interpret the line wrapping in the configuration_url examples as an instruction to insert a line break into your configuration file.


In the case where the configuration is stored in an LDIF-formatted file, for example <server-root>/dps-<hostname>/etc/tailor.ldif, the following should be added to the configuration file:

Begin
configuration_url:
file://<server-root>/dps-<hostname>/etc/tailor.ldif#ids-proxy-con-Server-Name=Directory Proxy Server
End

configuration_bind_dn

The configuration_bind_dn option specifies the distinguished name to use when Directory Proxy Server binds to the LDAP server specified in the configuration_url option. Directory Proxy Server will perform a simple bind with this distinguished name and the value of configuration_bind_pw as the password. For example:

Begin
configuration_url:
ldap://ldap.sun.com:389/ids-proxy-con-Server-Name=Directory Proxy Server
configuration_bind_dn: cn=Directory Manager
configuration_bind_pw: encrypte
End

The configuration_bind_dn option is not needed, and is ignored, if configuration_url is of the "file" form. Note: the configuration_bind_dn and configuration_username directives are mutually exclusive.

configuration_bind_pw

The configuration_bind_pw option specifies the password to use when binding to the LDAP directory, for either simple or SASL-based binding. To preserve security, the configuration file must be protected against unauthorized reading. The configuration_bind_pw option is not needed, and is ignored, if configuration_url is of the "file" form. (See configuration_bind_dn for an example.)

configuration_username

The configuration_username option specifies the username to use when Directory Proxy Server binds to the LDAP server specified in the configuration_url option. This option is used only if a SASL bind mechanism is used. Note: the configuration_bind_dn and configuration_username directives are mutually exclusive. For example:

Begin
configuration_url:
ldap://ldap.sun.com:389/ids-proxy-con-Server-Name=Directory Proxy Server
configuration_username: administrator
configuration_bind_pw: encrypte
sasl_bind_mechanism: CRAM-MD5
End

sasl_bind_mechanism

The sasl_bind_mechanism option can be set to either CRAM-MD5 or DIGEST-MD5 depending on which SASL bind mechanism you want Directory Proxy Server to use. Directory Proxy Server will perform either a simple bind or an anonymous bind if this option is absent. DIGEST-MD5 provides a higher level of security than CRAM-MD5 but DIGEST-MD5 has not been as widely adopted as CRAM-MD5.
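As an added example (not from the guide), a small Python checker that parses a startup configuration into its Begin/End contact points and classifies each one using the rules from the Configuration File Overview and the keyword descriptions above: file contact points end the search and ignore bind directives, an LDAP URL alone means an anonymous bind, a DN plus password means a simple bind, and a SASL mechanism needs a password plus exactly one of the DN or username directives. Hostnames, paths and passwords in the embedded sample are constructed.

```python
SAMPLE_TAILOR = """\
Begin
configuration_url: ldap://ldap.example.com:389/ids-proxy-con-Server-Name=Directory Proxy Server,ou=services,dc=example,dc=com
configuration_username: administrator
configuration_bind_pw: secret
sasl_bind_mechanism: DIGEST-MD5
End
Begin
configuration_url: file:///opt/dps/etc/tailor.ldif#ids-proxy-con-Server-Name=Directory Proxy Server
End
"""  # constructed sample tailor.txt (not from the guide): a SASL contact point, then a file one
KNOWN = {"configuration_url", "configuration_bind_dn", "configuration_bind_pw", "configuration_username", "sasl_bind_mechanism"}
def parse_tailor(text):
    """Split the file into Begin/End contact points; one 'option: value' per line, no continuation."""
    points, current = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line: continue
        if line in ("Begin", "End"):                       # Begin only when no point is open, End only when one is
            if (line == "Begin") != (current is None):
                raise ValueError(f"line {n}: unexpected {line}")
            if line == "End": points.append(current)
            current = {} if line == "Begin" else None
        else:
            opt, sep, val = line.partition(":")           # split at the first colon only; URLs keep theirs
            if current is None or not sep or opt.strip() not in KNOWN:
                raise ValueError(f"line {n}: unexpected directive {line!r}")   # catches misspelled options
            current[opt.strip()] = val.strip()              # a repeated option overwrites the earlier value
    if current is not None: raise ValueError("missing End")
    return points

def bind_method(point):
    """Classify one contact point as 'file', 'anonymous', 'simple' or 'sasl:<mechanism>'."""
    if point["configuration_url"].startswith("file:"): return "file"   # bind directives are ignored for file URLs
    dn, user, pw = (k in point for k in ("configuration_bind_dn", "configuration_username", "configuration_bind_pw"))
    mech = point.get("sasl_bind_mechanism")
    if dn and user:
        raise ValueError("configuration_bind_dn and configuration_username are mutually exclusive")
    if mech:                          # SASL: mechanism + password + exactly one identity directive
        if mech not in ("CRAM-MD5", "DIGEST-MD5") or not pw or not (dn or user):
            raise ValueError("SASL bind needs a known mechanism, a password and a DN or username")
        return "sasl:" + mech
    if user or dn != pw:              # username needs SASL; simple bind needs DN and password
        raise ValueError("simple bind needs both configuration_bind_dn and configuration_bind_pw")
    return "simple" if dn else "anonymous"

def contact_plan(text):
    """Contact points in the order DPS tries them; a file contact point ends the search."""
    plan = [(bind_method(p), p["configuration_url"]) for p in parse_tailor(text)]
    return plan[:next((i + 1 for i, (m, _) in enumerate(plan) if m == "file"), len(plan))]
```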





Part No: 817-7615-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.