Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
Creating and Configuring Request Filtering Policies and Search Data Hiding Rules
For an overview of request filtering policies, see Request Filtering Policies for Connection Handlers in Oracle Directory Server Enterprise Edition Reference. For an overview of search data hiding rules, see Search Data Hiding Rules in the Request Filtering Policy in Oracle Directory Server Enterprise Edition Reference.
For information about how to create and configure request filtering policies and search data hiding rules, see the following procedures.
To Create a Request Filtering Policy
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
1. Create a request filtering policy.
$ dpconf create-request-filtering-policy policy-name
2. Associate the policy with a connection handler by setting the handler's request-filtering-policy property.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  request-filtering-policy:policy-name
To Configure a Request Filtering Policy
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
1. View the properties of the request filtering policy.
$ dpconf get-request-filtering-policy-prop -h host -p port policy-name
The default properties of a request filtering policy are as follows:
allow-add-operations : true
allow-bind-operations : true
allow-compare-operations : true
allow-delete-operations : true
allow-extended-operations : true
allow-inequality-search-operations : true
allow-modify-operations : true
allow-rename-operations : true
allow-search-operations : true
allowed-comparable-attrs : all
allowed-search-scopes : base
allowed-search-scopes : one-level
allowed-search-scopes : subtree
allowed-subtrees : ""
description : -
prohibited-comparable-attrs : none
prohibited-subtrees : none
2. Set one or more properties of the request filtering policy.
$ dpconf set-request-filtering-policy-prop -h host -p port policy-name \
  property:value [property:value ...]
By setting the properties listed in Step 1, you configure the following features of the request filtering policy:
The types of operations that clients are allowed to perform (the allow-*-operations properties)
The subtrees that are exposed to a client or hidden from a client (allowed-subtrees and prohibited-subtrees)
The scope for search operations (allowed-search-scopes)
The types of search filters (allow-inequality-search-operations)
The attribute types that can or cannot be compared in search and compare operations (allowed-comparable-attrs and prohibited-comparable-attrs)
To Create Search Data Hiding Rules
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
1. Create one or more search data hiding rules for the request filtering policy.
$ dpconf create-search-data-hiding-rule -h host -p port policy-name rule-name \
  [rule-name ...]
2. View the properties of a search data hiding rule.
$ dpconf get-search-data-hiding-rule-prop policy-name rule-name
The default properties of a search data hiding rule are as follows:
attrs : none
rule-action : hide-entry
target-attr-value-assertions : none
target-dn-regular-expressions : none
target-dns : none
3. Set the properties of the search data hiding rule.
$ dpconf set-search-data-hiding-rule-prop -h host -p port policy-name rule-name \
  property:value [property:value ...]
The rule-action property takes one of the following values:
hide-entry: The target entry is not returned.
hide-attributes: The target entry is returned, but the attributes listed in attrs are filtered out.
show-attributes: The target entry is returned, but the attributes not listed in attrs are filtered out.
The rule can be applied to the following entries:
Entries with the specified DN (target-dns)
Entries with the specified DN pattern (target-dn-regular-expressions)
Entries with a specified attribute name and attribute value pair, written as attrName#attrValue (target-attr-value-assertions)
The following configuration defines a search data hiding rule that hides entries of type inetorgperson.
$ dpconf set-search-data-hiding-rule-prop -h host1 -p port my-policy my-rule \
  target-attr-value-assertions:objectclass#inetorgperson
The following examples contain a request filtering policy and a search data hiding rule. When the request filtering policy is combined with the search data hiding rule, access to data is limited as follows:
The following types of operations are disallowed: add, delete, extended, modify, and rename.
Only the ou=people,dc=sun,dc=com subtree can be accessed.
Entries other than inetorgperson type are returned by search operations.
Example 25-1 Sample Request Filtering Policy
allow-add-operations : false
allow-bind-operations : true
allow-compare-operations : true
allow-delete-operations : false
allow-extended-operations : false
allow-inequality-search-operations : true
allow-modify-operations : false
allow-rename-operations : false
allow-search-operations : true
allowed-comparable-attrs : all
allowed-search-scopes : base
allowed-search-scopes : one-level
allowed-search-scopes : subtree
allowed-subtrees : ou=people,dc=sun,dc=com
description : myRequestFilteringPolicy
prohibited-comparable-attrs : none
prohibited-subtrees : none
Example 25-2 Sample Search Data Hiding Rule
attrs : -
rule-action : hide-entry
target-attr-value-assertions : objectclass:inetorgperson
target-dn-regular-expressions : -
target-dns : -
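To make the combined effect of Example 25-1 and Example 25-2 concrete, and to show how the three rule actions (hide-entry, hide-attributes, show-attributes) and the three targeting properties (target-dns, target-dn-regular-expressions, target-attr-value-assertions) shape a result set, here is a small model written for this page. It is an added example, not Directory Proxy Server code: the property names and values come from the page, while the evaluation logic, the DN-matching helpers and the sample LDAP entries are assumptions constructed for the illustration.

```python
"""Added example, not Directory Proxy Server code: a small model of how a request
filtering policy and search data hiding rules combine to limit what a client sees.
Property names follow the page; the evaluation logic, DN helpers and entries are assumed."""
import re

# Policy mirroring Example 25-1: only bind, compare and search are allowed and only
# ou=people,dc=sun,dc=com is exposed. An empty allowed-subtrees list stands in for
# the default "" (no subtree restriction); prohibited-subtrees "none" is an empty list.
ALLOWED_OPS = {"bind", "compare", "inequality-search", "search"}
POLICY = {f"allow-{op}-operations": op in ALLOWED_OPS for op in
          ("add", "bind", "compare", "delete", "extended", "inequality-search",
           "modify", "rename", "search")}
POLICY.update({"allowed-search-scopes": {"base", "one-level", "subtree"},
               "allowed-subtrees": ["ou=people,dc=sun,dc=com"], "prohibited-subtrees": []})

# Rule mirroring Example 25-2: entries of type inetorgperson are not returned.
HIDING_RULES = [{"rule-action": "hide-entry",
                 "target-attr-value-assertions": [("objectclass", "inetorgperson")]}]

# Constructed back-end content (not from the page) standing in for a search result.
SAMPLE_ENTRIES = [
    {"dn": "ou=people,dc=sun,dc=com",
     "attrs": {"objectclass": ["top", "organizationalUnit"], "ou": ["people"]}},
    {"dn": "uid=alice,ou=people,dc=sun,dc=com",
     "attrs": {"objectclass": ["top", "person", "inetOrgPerson"], "uid": ["alice"],
               "mail": ["alice@example.test"]}},
    {"dn": "cn=staff,ou=people,dc=sun,dc=com",
     "attrs": {"objectclass": ["top", "groupOfNames"], "cn": ["staff"],
               "member": ["uid=alice,ou=people,dc=sun,dc=com"]}},
]


def _norm(dn):
    """Normalize a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _in_scope(dn, base, scope):
    """True if dn lies under base for the given LDAP search scope."""
    d, b = _norm(dn), _norm(base)
    if scope == "base":
        return d == b
    if scope == "one-level":
        return d.endswith("," + b) and "," not in d[: -len(b) - 1]
    return d == b or d.endswith("," + b)  # subtree


def check_request(policy, operation, target_dn, scope="base"):
    """Apply the policy to one request; returns (allowed, reason)."""
    if not policy.get(f"allow-{operation}-operations", False):
        return False, f"{operation} operations are not allowed"
    if operation == "search" and scope not in policy["allowed-search-scopes"]:
        return False, f"search scope {scope} is not allowed"
    allowed = policy["allowed-subtrees"]
    if allowed and not any(_in_scope(target_dn, s, "subtree") for s in allowed):
        return False, "target is outside the allowed subtrees"
    if any(_in_scope(target_dn, s, "subtree") for s in policy["prohibited-subtrees"]):
        return False, "target is inside a prohibited subtree"
    return True, "ok"


def _rule_matches(rule, entry):
    """A rule targets entries by exact DN, DN regular expression, or attr#value assertion."""
    dn = entry["dn"]
    if any(_norm(dn) == _norm(t) for t in rule.get("target-dns", [])):
        return True
    if any(re.search(p, dn) for p in rule.get("target-dn-regular-expressions", [])):
        return True
    return any(value.lower() in (v.lower() for v in entry["attrs"].get(name.lower(), []))
               for name, value in rule.get("target-attr-value-assertions", []))


def apply_hiding_rules(rules, entries):
    """Shape a result set: hide-entry drops the entry, hide-attributes removes the
    listed attributes, show-attributes keeps only the listed attributes."""
    visible = []
    for entry in entries:
        attrs, hidden = dict(entry["attrs"]), False
        for rule in (r for r in rules if _rule_matches(r, entry)):
            listed = {a.lower() for a in rule.get("attrs", [])}
            if rule["rule-action"] == "hide-entry":
                hidden = True
                break
            if rule["rule-action"] == "hide-attributes":
                attrs = {k: v for k, v in attrs.items() if k.lower() not in listed}
            elif rule["rule-action"] == "show-attributes":
                attrs = {k: v for k, v in attrs.items() if k.lower() in listed}
        if not hidden:
            visible.append({"dn": entry["dn"], "attrs": attrs})
    return visible


def search_as_client(policy, rules, entries, base_dn, scope="subtree"):
    """Combined effect: the policy accepts or refuses the search, the rules shape the result."""
    allowed, reason = check_request(policy, "search", base_dn, scope)
    if not allowed:
        raise PermissionError(reason)
    return apply_hiding_rules(rules, [e for e in entries if _in_scope(e["dn"], base_dn, scope)])
```

With the sample policy and rule, a subtree search under ou=people,dc=sun,dc=com returns the organizational unit and the group but not the inetOrgPerson entry, a search based at dc=sun,dc=com is refused because it falls outside allowed-subtrees, and modify or add requests are refused outright. Swapping the rule's action for hide-attributes or show-attributes (with an attrs list) keeps the entry in the result and trims its attributes instead, which is the distinction the rule-action values above draw.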