Skip Navigation Links | |
Exit Print View | |
Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0) |
Part I Directory Server Administration
2. Directory Server Instances and Suffixes
3. Directory Server Configuration
6. Directory Server Access Control
7. Directory Server Password Policy
8. Directory Server Backup and Restore
9. Directory Server Groups, Roles, and CoS
10. Directory Server Replication
13. Directory Server Attribute Value Uniqueness
15. Directory Server Monitoring
Part II Directory Proxy Server Administration
16. Directory Proxy Server Tools
17. Directory Proxy Server Instances
19. Directory Proxy Server Certificates
20. Directory Proxy Server Load Balancing and Client Affinity
21. Directory Proxy Server Distribution
22. Directory Proxy Server Virtualization
23. Virtual Data Transformations
24. Connections Between Directory Proxy Server and Back-End LDAP Servers
Configuring Connections Between Directory Proxy Server and Back-End LDAP Servers
To Configure the Number of Connections Between Directory Proxy Server and Back-End LDAP Servers
To Configure Connection Timeout
To Configure Connection Pool Wait Timeout
Configuring SSL Between Directory Proxy Server and Back-End LDAP Servers
To Configure SSL Between Directory Proxy Server and a Back-End LDAP Server
Choosing SSL Ciphers and SSL Protocols for Directory Proxy Server
To Choose the List of Ciphers and Protocols
Forwarding Requests to Back-End LDAP Servers
Forwarding Requests With Bind Replay
To Forward Requests With Bind Replay
Forwarding Requests With Proxy Authorization
To Forward Requests by Using Proxy Authorization
Forwarding Requests Without the Client Identity
To Forward Requests Without the Client Identity
Forwarding Requests as an Alternate User
To Configure Remote User Mapping
25. Connections Between Clients and Directory Proxy Server
26. Directory Proxy Server Client Authentication
27. Directory Proxy Server Logging
28. Directory Proxy Server Monitoring and Alerts
Part III Directory Service Control Center Administration
This section contains information about the various methods you can use to forward requests from Directory Proxy Server to back-end LDAP servers.
For information about bind replay for client credentials in Directory Proxy Server, see Directory Proxy Server Configured for BIND Replay in Oracle Directory Server Enterprise Edition Reference. The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server by using bind replay.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ client-cred-mode:use-client-identity
For information about proxy authorization in Directory Proxy Server, see Directory Proxy Server Configured for Proxy Authorization in Oracle Directory Server Enterprise Edition Reference.
This section contains procedures for forwarding requests by using proxy authorization and by using a proxy authorization control.
For example, configure the data source to expect proxy authorization controls of version 1.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ proxied-auth-use-v1:true
Alternatively, configure the data source to expect proxy authorization controls of version 2.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ proxied-auth-use-v1:false
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ client-cred-mode:use-proxy-auth
To configure a data source to authenticate to a back-end LDAP server by using proxy authorization for write operations only, run this command:
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ client-cred-mode:use-proxy-auth-for-write
When write operations only are performed with a proxy authorization control, the client identity is not forwarded to the LDAP server for read requests. For more information about forwarding requests without the client identity, see Forwarding Requests Without the Client Identity.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ bind-dn:DPS-bind-dn bind-pwd-file:filename
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ proxied-auth-check-timeout:value
Directory Proxy Server verifies that the client DN has the relevant ACIs for proxy authorization by using the getEffectiveRights command. The result is cached in Directory Proxy Server and renewed when the proxied-auth-check-timeout expires.
For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf set-server-prop -h host -p port allowed-ldap-controls:proxy-auth-v1 \ allowed-ldap-controls:proxy-auth-v2
The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server without forwarding the client identity.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ client-cred-mode:use-specific-identity
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \ bind-dn:bind-dn-of-DPS bind-pwd-file:filename
For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
This section contains information about how to forward requests as an alternate user.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf set-server-prop -h host -p port enable-user-mapping:true
$ dpconf set-server-prop -h host -p port \ remote-user-mapping-bind-dn-attr:attribute-name
$ dpconf set-server-prop -h host -p port enable-remote-user-mapping:true
$ dpconf set-server-prop -h host -p port \ user-mapping-default-bind-dn:default-mapping-bind-dn \ user-mapping-default-bind-pwd-file:filename
If the mapped identity is not found on the remote LDAP server, the client identity is mapped to the default identity.
For information about configuring user mapping in Directory Server, see Proxy Authorization.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf set-server-prop -h host -p port enable-user-mapping:true
$ dpconf set-server-prop -h host -p port enable-remote-user-mapping:false
$ dpconf set-server-prop -h host -p port \ user-mapping-default-bind-dn:default-mapping-bind-dn \ user-mapping-default-bind-pwd-file:filename
The client ID is mapped to this DN if the mapping on the remote LDAP server fails.
$ dpconf set-server-prop -h host -p port \ user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \ user-mapping-anonymous-bind-pwd-file:filename
For information about how to permit unauthenticated users to perform operations, see To Configure Anonymous Access.
$ dpconf set-user-mapping-prop -h host -p port \ user-bind-dn:client-bind-dn user-bind-pwd-file:filename
$ dpconf set-user-mapping-prop -h host -p port \ mapped-bind-dn:alt-user-bind-dn mapped-bind-pwd-file:filename
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
$ dpconf set-server-prop -h host -p port \ user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \ user-mapping-anonymous-bind-pwd-file:filename
The mapping for anonymous clients is configured in Directory Proxy Server because the remote LDAP server does not contain an entry for an anonymous client.
For information about permitting unauthenticated users to perform operations, see To Configure Anonymous Access.