Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory
11g Release 1 (11.1.1)

Part Number E10029-05
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
PDF · Mobi · ePub

38 Managing DIT Masking

DIT masking is the restriction of the DIT content that is exposed in an Oracle Internet Directory server instance. Masking restricts access by all users except the super user, cn=orcladmin. Typically, you use masking to prevent some users from seeing certain portions of the DIT, based on which instance of the Oracle Internet Directory server they connect to. Typical use cases for presenting different views of the DIT include test vs. production and internal vs. external users.

You could also restrict a user's view of the DIT by using Oracle Virtual Directory, but DIT masking has far less performance and administrative overhead.

38.1 Configuring Masking

By default, no masking is configured. You use the following configuration attributes of the instance-specific configuration entry to configure masking.

Table 38-1 Masking Configuration Attributes

Attribute Description


Contains the DIT subtrees that are exposed in an instance. The DN configured and its children are visible in the instance. Other entries in the DIT are masked (hidden) for all LDAP operations.


Filters the entries exposed in the instance. Entries matching the filter criteria are exposed. Other entries are hidden for all LDAP operations.

You modify these attributes in the same way as other attributes of the instance-specific configuration entry. See Section 9.4.1, "Setting System Configuration Attributes by Using ldapmodify."

38.2 Masking Examples

Masking is useful in scenarios where the administrator wants to selectively expose the entries present in the directory. The following examples illustrate this use case.

38.2.1 Restricting Access by Container Name

Consider a DIT setup with the following hierarchy:


The internal container contains entries internal to the organization and should have limited access. The external and public container contains data about external users and some public information that is accessible to all. An administrator wants to ensure that only the external and public data is available outside of the organization firewall. This can be achieved through masking. Create an Oracle Internet Directory instance, such as oid2, that runs on a port exposed through the firewall. To ensure applications and users connecting to this port see only publicly accessible content, create masking realms in cn=oid2 with ldapmodify, using the following LDIF file:

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
add: orclmaskrealm
orclmaskrealm: cn=external,o=oracle
orclmaskrealm: cn=public,o=oracle

This ensures that only the entries in the configured containers public and external are seen through this instance. Applications and users connecting to this instance cannot see the Internal container and its entries.

38.2.2 Restricting Access by Entry Data

Another use case is restricting entries based on the data stored in them. An organization might have data about employees, contract workers and temp workers. A user lookup application such as an email client looks up data on the directory server to find out email addresses. An administrator wants to hide temp workers' information and only expose employees and contractor workers in the instance, say cn=oid2, that is accessed by the email client. This can be done by configuring masking filters with ldapmodify, using the following LDIF file:

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
add: orclmaskfilter
orclmaskfilter: (usertype=employee)
orclmaskfilter: (usertype=contract)

This ensures that entries with usertype=employee or usertype=contract are exposed and others are not exposed.