JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
Oracle Technology Network
Library
PDF
Print View
Feedback
search filter icon
search icon

Document Information

Preface

Part I Directory Server Administration

1.  Directory Server Tools

2.  Directory Server Instances and Suffixes

3.  Directory Server Configuration

4.  Directory Server Entries

5.  Directory Server Security

6.  Directory Server Access Control

7.  Directory Server Password Policy

8.  Directory Server Backup and Restore

9.  Directory Server Groups, Roles, and CoS

10.  Directory Server Replication

11.  Directory Server Schema

12.  Directory Server Indexing

13.  Directory Server Attribute Value Uniqueness

14.  Directory Server Logging

15.  Directory Server Monitoring

Part II Directory Proxy Server Administration

16.  Directory Proxy Server Tools

17.  Directory Proxy Server Instances

18.  LDAP Data Views

19.  Directory Proxy Server Certificates

20.  Directory Proxy Server Load Balancing and Client Affinity

21.  Directory Proxy Server Distribution

22.  Directory Proxy Server Virtualization

23.  Virtual Data Transformations

24.  Connections Between Directory Proxy Server and Back-End LDAP Servers

Configuring Connections Between Directory Proxy Server and Back-End LDAP Servers

To Configure the Number of Connections Between Directory Proxy Server and Back-End LDAP Servers

To Configure Connection Timeout

To Configure Connection Pool Wait Timeout

Configuring SSL Between Directory Proxy Server and Back-End LDAP Servers

To Configure SSL Between Directory Proxy Server and a Back-End LDAP Server

Choosing SSL Ciphers and SSL Protocols for Directory Proxy Server

To Choose the List of Ciphers and Protocols

Forwarding Requests to Back-End LDAP Servers

Forwarding Requests With Bind Replay

To Forward Requests With Bind Replay

Forwarding Requests With Proxy Authorization

To Forward Requests by Using Proxy Authorization

To Forward Requests by Using Proxy Authorization When the Request Contains a Proxy Authorization Control

Forwarding Requests Without the Client Identity

To Forward Requests Without the Client Identity

Forwarding Requests as an Alternate User

To Configure Remote User Mapping

To Configure Local User Mapping

To Configure User Mapping for Anonymous Clients

25.  Connections Between Clients and Directory Proxy Server

26.  Directory Proxy Server Client Authentication

27.  Directory Proxy Server Logging

28.  Directory Proxy Server Monitoring and Alerts

Part III Directory Service Control Center Administration

29.  Directory Service Control Center Configuration

Index

Forwarding Requests to Back-End LDAP Servers

This section contains information about the various methods you can use to forward requests from Directory Proxy Server to back-end LDAP servers.

Forwarding Requests With Bind Replay

For information about bind replay for client credentials in Directory Proxy Server, see Directory Proxy Server Configured for BIND Replay in Oracle Directory Server Enterprise Edition Reference. The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server by using bind replay.

To Forward Requests With Bind Replay

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Forwarding Requests With Proxy Authorization

For information about proxy authorization in Directory Proxy Server, see Directory Proxy Server Configured for Proxy Authorization in Oracle Directory Server Enterprise Edition Reference.

This section contains procedures for forwarding requests by using proxy authorization and by using a proxy authorization control.

To Forward Requests by Using Proxy Authorization

  1. Configure the data source to expect proxy authorization controls of either version 1 or version 2.

    For example, configure the data source to expect proxy authorization controls of version 1.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
 proxied-auth-use-v1:true

    Alternatively, configure the data source to expect proxy authorization controls of version 2.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
 proxied-auth-use-v1:false
  2. Configure the data source to authenticate to a back-end LDAP server by using proxy authorization.
    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
 client-cred-mode:use-proxy-auth

    To configure a data source to authenticate to a back-end LDAP server by using proxy authorization for write operations only, run this command:

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
 client-cred-mode:use-proxy-auth-for-write

    When write operations only are performed with a proxy authorization control, the client identity is not forwarded to the LDAP server for read requests. For more information about forwarding requests without the client identity, see Forwarding Requests Without the Client Identity.

  3. Configure the data source with the bind credentials of Directory Proxy Server.
    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
 bind-dn:DPS-bind-dn bind-pwd-file:filename
  4. Configure the data source with the timeout.
    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
 proxied-auth-check-timeout:value

    Directory Proxy Server verifies that the client DN has the relevant ACIs for proxy authorization by using the getEffectiveRights command. The result is cached in Directory Proxy Server and renewed when the proxied-auth-check-timeout expires.

  5. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

To Forward Requests by Using Proxy Authorization When the Request Contains a Proxy Authorization Control

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Forwarding Requests Without the Client Identity

The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server without forwarding the client identity.

To Forward Requests Without the Client Identity

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the data source to authenticate to a back-end LDAP server by using the credentials of Directory Proxy Server.
    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
 client-cred-mode:use-specific-identity
  2. Configure the data source with the bind credentials of Directory Proxy Server.
    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
 bind-dn:bind-dn-of-DPS bind-pwd-file:filename
  3. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Forwarding Requests as an Alternate User

This section contains information about how to forward requests as an alternate user.

To Configure Remote User Mapping

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Enable operations to be forwarded with an alternate user.
    $ dpconf set-server-prop -h host -p port enable-user-mapping:true
  2. Specify the name of the attribute that contains the ID for remote mapping.
    $ dpconf set-server-prop -h host -p port \
 remote-user-mapping-bind-dn-attr:attribute-name
  3. Enable Directory Proxy Server to map the client ID remotely.
    $ dpconf set-server-prop -h host -p port enable-remote-user-mapping:true
  4. Configure the default mapping.
    $ dpconf set-server-prop -h host -p port \
 user-mapping-default-bind-dn:default-mapping-bind-dn \
 user-mapping-default-bind-pwd-file:filename

    If the mapped identity is not found on the remote LDAP server, the client identity is mapped to the default identity.

  5. Configure the user mapping in the entry for the client on the remote LDAP server.

    For information about configuring user mapping in Directory Server, see Proxy Authorization.

To Configure Local User Mapping

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Enable operations to be forwarded with an alternate user.
    $ dpconf set-server-prop -h host -p port enable-user-mapping:true
  2. Ensure that Directory Proxy Server is not configured to map the client ID remotely.
    $ dpconf set-server-prop -h host -p port enable-remote-user-mapping:false
  3. Configure the default mapping.
    $ dpconf set-server-prop -h host -p port \
 user-mapping-default-bind-dn:default-mapping-bind-dn \
 user-mapping-default-bind-pwd-file:filename

    The client ID is mapped to this DN if the mapping on the remote LDAP server fails.

  4. If you permit unauthenticated users to perform operations, configure the mapping for unauthenticated clients.
    $ dpconf set-server-prop -h host -p port \
 user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \
 user-mapping-anonymous-bind-pwd-file:filename

    For information about how to permit unauthenticated users to perform operations, see To Configure Anonymous Access.

  5. Configure the ID of the client.
    $ dpconf set-user-mapping-prop -h host -p port \
 user-bind-dn:client-bind-dn user-bind-pwd-file:filename
  6. Configure the ID of the alternate user.
    $ dpconf set-user-mapping-prop -h host -p port \
 mapped-bind-dn:alt-user-bind-dn mapped-bind-pwd-file:filename

To Configure User Mapping for Anonymous Clients

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous Next