
Sun ONE Identity Server 6.1 Administration Guide

Chapter 35  
Policy Configuration Service Attributes

The Policy Configuration Service attributes consist of global and organization attributes. The values applied to the global attributes are applied across the Sun ONE Identity Server configuration and are inherited by every configured organization. (They cannot be applied directly to roles or organizations, as the goal of global attributes is to customize the Identity Server application.) The values applied to the organization attributes under Service Management become the default values for Policy configuration. The service template needs to be created after registering the service for the organization. The default values can be changed after registration by the organization's administrator. Organization attributes are not inherited by entries in the organization. The Policy Configuration attributes are separated into global and organization attributes, described in the following sections.


Global Attribute

The global attribute in the Policy Configuration service is:

Resource Comparator

This attribute specifies the resource comparator information, which is used to compare resources specified in a Policy rule definition. Resource comparison is used for both policy creation and evaluation. This attribute contains the following values:

serviceType

Specifies the service for which the comparator is used.

class

Defines the Java class that implements the resource comparison algorithm.

wildcard

Specifies the wildcard that can be used in resource names.

delimiter

Specifies the delimiter to be used in the resource name.

caseSensitivity

Specifies if the comparison of the two resources should consider or ignore case. False ignores case, True considers case.
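The following Python is an added illustration, not Identity Server code, of how the four values above drive resource comparison: a comparator is selected by serviceType, and its wildcard, delimiter and caseSensitivity settings decide whether a requested resource matches the resource named in a policy rule. The match categories, the rule that the wildcard matches any run of characters, and the sample service type and URLs are this example's own assumptions, not the product's documented algorithm.

```python
# Added example, not Sun ONE Identity Server code: a resource comparator
# driven by the serviceType, wildcard, delimiter and caseSensitivity values.
# Match categories and wildcard semantics are this example's assumptions.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceComparator:
    service_type: str            # serviceType: which service this comparator serves
    wildcard: str = "*"          # wildcard character allowed in resource names
    delimiter: str = "/"         # delimiter between resource name components
    case_sensitive: bool = False # caseSensitivity: False ignores case, True considers it

    def _regex(self, rule_resource):
        # Escape everything except the wildcard, which matches any run of characters.
        pieces = [re.escape(p) for p in rule_resource.split(self.wildcard)]
        flags = 0 if self.case_sensitive else re.IGNORECASE
        return re.compile("^" + ".*".join(pieces) + "$", flags)

    def compare(self, rule_resource, requested):
        """Classify `requested` against the resource named in a policy rule:
        'exact', 'wildcard', 'sub-resource' (requested lies beneath the
        rule's resource, one delimiter deeper or more) or 'none'."""
        if self._regex(rule_resource).match(requested):
            return "wildcard" if self.wildcard in rule_resource else "exact"
        below = rule_resource.rstrip(self.delimiter) + self.delimiter + self.wildcard
        if self._regex(below).match(requested):
            return "sub-resource"
        return "none"


def select_comparator(comparators, service_type):
    """Pick the comparator whose serviceType matches the service being evaluated."""
    for comparator in comparators:
        if comparator.service_type == service_type:
            return comparator
    raise LookupError(f"no resource comparator for service type {service_type!r}")


if __name__ == "__main__":
    # Hypothetical service type and constructed URLs for demonstration only.
    rule = "http://www.example.com/admin/*"
    request = "http://www.example.com/Admin/users"
    for case_sensitive in (False, True):
        comparator = ResourceComparator("webService", case_sensitive=case_sensitive)
        print(f"caseSensitivity={case_sensitive}: {comparator.compare(rule, request)}")
```

The run shows why caseSensitivity matters when the comparator is chosen: with case ignored, a rule on `/admin/*` also covers `/Admin/users`; with case considered, the second request falls outside the rule and is evaluated under whatever other policy (or none) covers it. The setting should agree with how the protected web server itself resolves paths.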


Organization Attributes

The organization attributes in the Policy Configuration service are:

LDAP Server and Port

This field specifies the host name and port number of the primary LDAP server specified during Identity Server installation that will be used to search for Policy subjects, such as LDAP users, LDAP roles, LDAP groups, etc. The format is hostname:port. For example:

machine1.example.com:389

For failover configuration to multiple LDAP server hosts, this value can be a space-delimited list of hosts. The format is hostname1:port1 hostname2:port2...

For example:

machine1.example1.com:389 machine2.example1.com:389

Multiple entries must be prefixed by the local server name. This is to allow specific Identity Servers to be configured to talk to specific Directory Servers.

The format is servername|hostname:port

For example:

machine1.example1.com|machine1.example1.com:389

machine1.example2.com|machine1.example2.com:389

For failover configuration:

machine1.example1.com|machine1.example1.com:389 machine2.example1.com:389

machine1.example2.com|machine1.example2.com:389 machine2.example2.com:389


Note

This attribute has changed to accept a list of values to support multiple servers. In the 6.0 SP1 release, this attribute only accepted a single value.

This may cause a problem if you attempt to make 6.0 SP1 and 6.1 coexist in a single deployment environment, specifically for the scenario in which an Identity Server 6.0 SP1 instance points to a 6.1 DIT.

For successful coexistence, ensure that there is only a single LDAP server for this attribute.
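As an added illustration, not Identity Server code, the following Python parses the value formats shown above for this attribute, returns the ordered failover list that applies to a given local server name, and checks for the single-server shape the note asks for. The function names, the assumption that an unprefixed value applies to every server and is used only when no prefixed entry matches, and the assumption that a 6.0 SP1 instance can read only one unprefixed host:port are this example's own.

```python
# Added example, not Sun ONE Identity Server code: parse the
# "LDAP Server and Port" attribute formats described in this section.


def _parse_host_list(hosts):
    """Turn 'host1:port1 host2:port2 ...' into an ordered list of (host, port).
    Order is preserved because later entries are failover targets."""
    servers = []
    for item in hosts.split():
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed host:port entry: {item!r}")
        servers.append((host, int(port)))
    return servers


def parse_ldap_server_attribute(values, local_server):
    """Return the (host, port) list this Identity Server instance should use.

    `values` holds the attribute's values. A value of the form
    'servername|host:port [host:port ...]' applies only when servername
    equals `local_server`. A value without the 'servername|' prefix is
    treated here (assumption) as applying to every server and is used only
    when no prefixed entry matches. Returns [] when nothing applies.
    """
    fallback = None
    for value in values:
        value = value.strip()
        if not value:
            continue
        prefix, sep, hosts = value.partition("|")
        if sep:
            if prefix.strip() == local_server:
                return _parse_host_list(hosts)
        elif fallback is None:
            fallback = _parse_host_list(value)
    return fallback or []


def single_server_only(values):
    """True when the attribute holds exactly one unprefixed host:port, the
    only shape assumed readable by a 6.0 SP1 instance sharing the DIT."""
    nonempty = [v.strip() for v in values if v.strip()]
    if len(nonempty) != 1 or "|" in nonempty[0]:
        return False
    return len(nonempty[0].split()) == 1


if __name__ == "__main__":
    # Values taken from the examples in this section.
    per_server = [
        "machine1.example1.com|machine1.example1.com:389 machine2.example1.com:389",
        "machine1.example2.com|machine1.example2.com:389 machine2.example2.com:389",
    ]
    print(parse_ldap_server_attribute(per_server, "machine1.example2.com"))
    print(single_server_only(["machine1.example.com:389"]))   # True
    print(single_server_only(per_server))                     # False
```

Running `single_server_only` against the attribute before mixing 6.0 SP1 and 6.1 instances in one deployment gives a quick check that the value is in the form the older release can read.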


LDAP Base DN

This field specifies the base DN in the LDAP server from which to begin the search. By default, it is the top-level organization of the Identity Server installation.

LDAP Users Base DN

This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level organization of the Identity Server installation base.

Identity Server Roles Base DN

This attribute specifies the base DN used by the Identity Server Roles subject in the LDAP server from which to begin the search. By default, it is the top-level organization of the Identity Server installation base.

LDAP Bind DN

This field specifies the bind DN in the LDAP server.

LDAP Bind Password

This attribute defines the password to be used for binding to the LDAP server. By default, the amldapuser password entered during installation is used, amldapuser being the default bind user.

LDAP Bind Password (Confirm)

Confirmation of the LDAP Bind password.

LDAP Org Search Filter

Specifies the search filter to be used to find organization entries. The default is (objectclass=sunManagedOrganization).

LDAP Org Search Scope

This attribute defines the scope to be used to find organization entries. The scope must be one of the following:

LDAP Groups Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Groups Search Scope

This attribute defines the scope to be used to find group entries. The scope must be one of the following:

LDAP Users Search Filter

Specifies the search filter to be used to find user entries. The default is (objectclass=inetorgperson).

LDAP Users Search Scope

This attribute defines the scope to be used to find user entries. The scope must be one of the following:

LDAP Roles Search Filter

Specifies the search filter to be used to find entries for roles. The default is (&(objectclass=ldapsubentry)(objectclass=nsroledefinitions)).

LDAP Roles Search Scope

This attribute defines the scope to be used to find entries for roles. The scope must be one of the following:

Identity Server Roles Search Scope

This attribute defines the scope to be used to find entries for Identity Server Roles subject. The scope must be one of the following:

LDAP Organization Search Attribute

This field defines the attribute type for which to conduct a search on an organization. The default is o.

LDAP Groups Search Attribute

This field defines the attribute type for which to conduct a search on a group. The default is cn.

LDAP Users Search Attribute

This field defines the attribute type for which to conduct a search on a user. The default is uid.

LDAP Roles Search Attribute

This field defines the attribute type for which to conduct a search on a role. The default is cn.

Maximum Results Returned From Search

This field defines the maximum number of results returned from a search. The default value is 100. If the number of matching entries exceeds this limit, the entries that have been found up to that point will be returned.

Timeout For Search (seconds)

This attribute specifies the amount of time before a timeout on a search occurs. If the search exceeds the specified time, the entries that have been found up to that point will be returned.

LDAP SSL Enabled

This attribute specifies whether or not the LDAP server is running SSL. Selected enables SSL, unselected (default) disables SSL.

LDAP Connection Pool Minimal Size

This attribute specifies the minimal size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.

LDAP Connection Pool Maximum Size

This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.

Selected Policy Subjects

This attribute allows you to select a set of subject types available to be used for policy definition in the organization.

Selected Policy Conditions

This attribute allows you to select a set of conditions types available to be used for policy definition in the organization.

Selected Policy Referrals

This attribute allows you to select a set of referral types available to be used for policy definition in the organization.

Subjects Result Time To Live

This attribute specifies the amount of time (in minutes) that a cached subject result can be used to evaluate the same policy request based on a single sign-on token.

When a policy is initially evaluated for an SSO token, the subject instances in the policy are evaluated to determine whether the policy is applicable to a given user. The subject result, which is keyed by the SSO token ID, is cached in the policy. If another evaluation occurs for the same policy for the same SSO token ID within the time specified in the Subject Result Time To Live attribute, the policy framework retrieves the cached subjects result, instead of evaluating the subject instances. This significantly reduces the time for policy evaluation.
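The cache behaviour described above, as an added example that is not Identity Server code: results are keyed by policy and SSO token ID, reused while the time-to-live has not elapsed, and re-evaluated afterwards. The class and function names, the injected clock, the explicit invalidation method and the policy and token names are this example's own.

```python
# Added example, not Sun ONE Identity Server code: a subject-result cache
# keyed by (policy name, SSO token ID) with a time-to-live in minutes.
import time


class SubjectResultCache:
    def __init__(self, ttl_minutes, clock=time.monotonic):
        self.ttl_seconds = ttl_minutes * 60
        self.clock = clock
        self._entries = {}   # (policy_name, sso_token_id) -> (applicable, expires_at)

    def is_applicable(self, policy_name, sso_token_id, evaluate_subjects):
        """Return (applicable, from_cache). `evaluate_subjects` (the subject
        instance evaluation) runs only when no unexpired result exists for
        this policy and token."""
        key = (policy_name, sso_token_id)
        now = self.clock()
        hit = self._entries.get(key)
        if hit is not None and now < hit[1]:
            return hit[0], True
        result = bool(evaluate_subjects())
        self._entries[key] = (result, now + self.ttl_seconds)
        return result, False

    def invalidate_token(self, sso_token_id):
        """Drop every cached result for a token, for example when its session
        ends, so a result cannot outlive the session by up to one TTL."""
        for key in [k for k in self._entries if k[1] == sso_token_id]:
            del self._entries[key]


class FakeClock:
    """Constructed clock so the example runs deterministically offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Two evaluations inside the TTL share one subject evaluation; a third
    after the TTL elapses evaluates again. Returns the three results and the
    number of real subject evaluations performed."""
    clock = FakeClock()
    cache = SubjectResultCache(ttl_minutes=10, clock=clock)
    calls = []

    def evaluate():                    # stands in for evaluating the policy's subjects
        calls.append(1)
        return True

    first = cache.is_applicable("AdminPolicy", "token-1", evaluate)   # constructed names
    second = cache.is_applicable("AdminPolicy", "token-1", evaluate)
    clock.advance(10 * 60)             # TTL elapsed
    third = cache.is_applicable("AdminPolicy", "token-1", evaluate)
    return first, second, third, len(calls)


if __name__ == "__main__":
    print(demo())   # ((True, False), (True, True), (True, False), 2)
```

The TTL is also the window during which a change in a user's group or role membership is not reflected for an already-evaluated token, so the value trades evaluation cost against how quickly a revocation takes effect; invalidating on session end keeps a cached result from being reused past the session.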

User Alias Enabled

This attribute must be enabled if you create a policy to protect a resource and a member of the policy subject is a user in a remote Directory Server that is aliased to a local user.

This attribute must be enabled, for example, if you create uid=rmuser in the remote Directory Server and then add rmuser as an alias to a local user (such as uid=luser) in Identity Server. When you login as rmuser, a session is created with the local user (luser) and policy enforcement is successful.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.