Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide

Chapter 25 Connections Between Directory Proxy Server and Back-End LDAP Servers

This chapter describes how to configure connections between Directory Proxy Server and back-end LDAP servers. The chapter covers the following topics:

Configuring Connections Between Directory Proxy Server and Back-End LDAP Servers

When an LDAP data source is created, six connections are opened for it by default: two each for read, bind, and write operations. To verify the default connections, type the following command:


dpconf get-ldap-data-source-prop src-name num-read-init num-write-init num-bind-init
num-bind-init   :  2
num-read-init   :  2
num-write-init  :  2

The number of connections increases automatically when the traffic increases.

For information about how to configure connections between Directory Proxy Server and back-end LDAP servers, see the following procedures:

Procedure: To Configure the Number of Connections Between Directory Proxy Server and Back-End LDAP Servers


Note –

This procedure configures the number of connections for bind operations. To configure the number of connections for read or write operations, perform the same procedure but replace bind with read or write.


You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the initial number of connections between Directory Proxy Server and a back-end LDAP server for bind operations.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     num-bind-init:new-value
    
  2. Configure the increment of connections for bind operations.

    The increment is the number of connections that are added each time more connections are requested than currently exist in the pool.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     num-bind-incr:new-value
    
  3. Configure the maximum number of connections for bind operations.

    When this maximum number of connections is reached, no more connections can be added.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     num-bind-limit:new-value
    

Procedure: To Configure Connection Timeout

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the maximum length of time that Directory Proxy Server can attempt to connect to a data source.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     connect-timeout:new-value
    

    For example, configure the connection timeout to 10 milliseconds.


    $ dpconf set-ldap-data-source-prop -h host1 -p 1389 data-source-name connect-timeout:10

Procedure: To Configure Connection Pool Wait Timeout

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the maximum length of time that Directory Proxy Server can wait for an established connection in a connection pool to become available.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     connection-pool-wait-timeout:value
    

    For example, configure the timeout to 20 seconds (20000 milliseconds).


    $ dpconf set-ldap-data-source-prop -h host1 -p 1389 data-source-name \
     connection-pool-wait-timeout:20000
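The three num-bind-* properties and connection-pool-wait-timeout interact under load; the following model, added here as an illustration and not Directory Proxy Server code, applies the growth rule the procedures above describe (start at init, add incr when more connections are requested than exist, never exceed limit) to a burst of bind requests. The configuration values and the burst size are constructed, and treating requests beyond the limit as waiters bounded by the wait timeout is an assumption drawn from the timeout's description.

```python
from dataclasses import dataclass, field


@dataclass
class PoolConfig:
    """Per-operation data-source properties (bind shown; read and write pools
    have the same three num-* properties)."""
    init: int             # num-bind-init: connections opened at creation
    incr: int             # num-bind-incr: connections added per growth step
    limit: int            # num-bind-limit: hard ceiling on the pool size
    wait_timeout_ms: int  # connection-pool-wait-timeout, in milliseconds


@dataclass
class PoolState:
    size: int
    in_use: int = 0
    growth: list = field(default_factory=list)  # (old_size, new_size) steps


def open_pool(cfg):
    # The initial pool is capped by the limit, as in the guide's step 3.
    return PoolState(size=min(cfg.init, cfg.limit))


def acquire(cfg, pool, requested):
    """Hand out `requested` connections at once. Returns (granted, queued):
    `queued` requests found the pool exhausted at its limit and must wait,
    at most cfg.wait_timeout_ms, for a connection to be released."""
    granted = 0
    for _ in range(requested):
        if pool.in_use < pool.size:
            pool.in_use += 1
        elif pool.size < cfg.limit:
            # Growth step: add `incr` connections, but never pass the limit.
            new_size = min(pool.size + cfg.incr, cfg.limit)
            pool.growth.append((pool.size, new_size))
            pool.size = new_size
            pool.in_use += 1
        else:
            break
        granted += 1
    return granted, requested - granted


def bind_burst_summary(cfg=None, burst=7):
    """Constructed case: init 2, incr 2, limit 5, and a burst of 7 binds."""
    cfg = cfg or PoolConfig(init=2, incr=2, limit=5, wait_timeout_ms=20000)
    pool = open_pool(cfg)
    granted, queued = acquire(cfg, pool, burst)
    return {"size": pool.size, "granted": granted, "queued": queued,
            "growth": pool.growth, "max_wait_ms": cfg.wait_timeout_ms}
```

With these values the pool grows 2 to 4 to 5, five binds are served and two wait up to 20 seconds, which shows why a limit sized for peak concurrency matters more than the initial count.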

Configuring SSL Between Directory Proxy Server and Back-End LDAP Servers

The following procedure describes how to configure SSL between Directory Proxy Server and back-end LDAP servers.

Procedure: To Configure SSL Between Directory Proxy Server and a Back-End LDAP Server

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure a secure port between Directory Proxy Server and the back-end LDAP server.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     ldaps-port:port-number
    
  2. Configure when SSL is used for connections between Directory Proxy Server and the back-end LDAP server.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name ssl-policy:value
    
    • If value is always, SSL is always used for connections.

    • If value is client, SSL is used if the client is using SSL.

    If the connection is not using SSL, you can promote the connection to SSL by using the startTLS command.

    Transport Layer Security (TLS) is the standardized successor to SSL. Securing the LDAP port with Start TLS is the IETF-approved standard way of securing LDAP. LDAPS is a de facto standard, but it adds complexity, such as requiring two ports instead of one for the service.

  3. Choose the protocols and ciphers for SSL as described in Choosing SSL Ciphers and SSL Protocols for Directory Proxy Server.

  4. Configure Directory Proxy Server to validate an SSL server certificate from the back-end LDAP server.

    For information, see To Add a Certificate From a Back-End Directory Server to the Certificate Database on Directory Proxy Server.

  5. If the back-end LDAP server requests a certificate from Directory Proxy Server, configure Directory Proxy Server to send an SSL client certificate.

    For information, see Exporting a Certificate to a Back-End LDAP Server.

  6. Restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Choosing SSL Ciphers and SSL Protocols for Directory Proxy Server

The ciphers and protocols that can be used by Directory Proxy Server depend on the Java Virtual Machine (JVM) that is being used. By default, Directory Proxy Server uses the ciphers and protocols that are enabled by default in that JVM.

Procedure: To Choose the List of Ciphers and Protocols

Use this procedure to retrieve the supported ciphers and protocols, and the enabled ciphers and protocols. If a cipher or protocol is supported, you can enable or disable it.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. View the list of supported ciphers and protocols.


    $ dpconf get-server-prop -h host -p port supported-ssl-cipher-suites \
     supported-ssl-protocols

  2. View the list of enabled ciphers and protocols.


    $ dpconf get-server-prop -h host -p port enabled-ssl-cipher-suites \
     enabled-ssl-protocols

  3. Enable one or more supported ciphers or protocols.

    1. Enable one or more supported ciphers.


      $ dpconf set-server-prop -h host -p port \
       enabled-ssl-cipher-suites:supported-ssl-cipher-suite \
       [enabled-ssl-cipher-suites:supported-ssl-cipher-suite ...]

      To add a cipher to the existing list of enabled ciphers, use this command:


      $ dpconf set-server-prop -h host -p port \
       enabled-ssl-cipher-suites+:supported-ssl-cipher-suite
      
    2. Enable one or more supported protocols.


      $ dpconf set-server-prop -h host -p port \
       enabled-ssl-protocols:supported-ssl-protocol \
       [enabled-ssl-protocols:supported-ssl-protocol ...]

      To add a protocol to the existing list of enabled protocols, use this command:


      $ dpconf set-server-prop -h host -p port \
       enabled-ssl-protocols+:supported-ssl-protocol
      
  4. (Optional) Disable a supported cipher or protocol by removing it from the enabled list. For example, to disable a protocol:


    $ dpconf set-server-prop -h host -p port \
     enabled-ssl-protocols-:supported-ssl-protocol
    
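The procedure leaves the choice of which supported ciphers and protocols to enable to the administrator. The following added example, not part of the guide or of the dpconf tool, parses constructed get-server-prop output in the "name : value" layout shown earlier in this chapter (one line per value of a multi-valued property is an assumption), applies an example hardening policy, and builds the set-server-prop lines from step 3; the suite names are illustrative JSSE-style names, not any real server's list.

```python
import re

# Constructed sample of `dpconf get-server-prop` output for the two
# supported-* properties; not captured from a real server.
SAMPLE_OUTPUT = """\
supported-ssl-cipher-suites  :  SSL_RSA_WITH_RC4_128_MD5
supported-ssl-cipher-suites  :  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
supported-ssl-cipher-suites  :  SSL_RSA_WITH_NULL_SHA
supported-ssl-cipher-suites  :  TLS_RSA_WITH_AES_128_CBC_SHA
supported-ssl-cipher-suites  :  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
supported-ssl-cipher-suites  :  SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
supported-ssl-protocols  :  SSLv2Hello
supported-ssl-protocols  :  SSLv3
supported-ssl-protocols  :  TLSv1
"""

# Example policy: drop suites with no encryption, export-grade keys,
# anonymous key exchange, RC4, single DES or MD5 MACs, and pre-TLS protocols.
WEAK_SUITE = re.compile(r"NULL|EXPORT|anon|RC4|_DES_|DES40|MD5")
WEAK_PROTOCOL = {"SSLv2Hello", "SSLv3"}


def parse_props(text):
    """Turn 'name : value' lines into {name: [values...]}, keeping order."""
    props = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        props.setdefault(name, []).append(value)
    return props


def select_strong_suites(suites):
    return [s for s in suites if not WEAK_SUITE.search(s)]


def select_strong_protocols(protocols):
    return [p for p in protocols if p not in WEAK_PROTOCOL]


def build_set_command(host, port, prop, values):
    """Step 3 syntax: the property repeated once per value replaces the list.
    An empty list is refused so a filter bug cannot disable SSL outright."""
    if not values:
        raise ValueError("refusing to set an empty list for " + prop)
    args = " ".join(f"{prop}:{v}" for v in values)
    return f"dpconf set-server-prop -h {host} -p {port} {args}"


def hardening_commands(output, host="host1", port=1389):
    props = parse_props(output)
    suites = select_strong_suites(props.get("supported-ssl-cipher-suites", []))
    protos = select_strong_protocols(props.get("supported-ssl-protocols", []))
    return [build_set_command(host, port, "enabled-ssl-cipher-suites", suites),
            build_set_command(host, port, "enabled-ssl-protocols", protos)]
```

Review the generated lines against the enabled-* output from step 2 before running them, and restart the instance afterwards as the SSL procedure above requires.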

Forwarding Requests to Back-End LDAP Servers

This section contains information about the various methods you can use to forward requests from Directory Proxy Server to back-end LDAP servers.

Forwarding Requests With Bind Replay

For information about bind replay for client credentials in Directory Proxy Server, see Directory Proxy Server Configured for BIND Replay in Sun Java System Directory Server Enterprise Edition 6.3 Reference. The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server by using bind replay.

Procedure: To Forward Requests With Bind Replay

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the data source client credentials to authenticate to a back-end LDAP server by using the credentials provided by a client.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     client-cred-mode:use-client-identity

Forwarding Requests With Proxy Authorization

For information about proxy authorization in Directory Proxy Server, see Directory Proxy Server Configured for Proxy Authorization in Sun Java System Directory Server Enterprise Edition 6.3 Reference.

This section contains procedures for forwarding requests by using proxy authorization and by using a proxy authorization control.

Procedure: To Forward Requests by Using Proxy Authorization

  1. Configure the data source to expect proxy authorization controls of either version 1 or version 2.

    For example, configure the data source to expect proxy authorization controls of version 1.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     proxied-auth-use-v1:true

    Alternatively, configure the data source to expect proxy authorization controls of version 2.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     proxied-auth-use-v1:false
  2. Configure the data source to authenticate to a back-end LDAP server by using proxy authorization.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     client-cred-mode:use-proxy-auth

    To configure a data source to authenticate to a back-end LDAP server by using proxy authorization for write operations only, run this command:


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     client-cred-mode:use-proxy-auth-for-write

    When only write operations are performed with a proxy authorization control, the client identity is not forwarded to the LDAP server for read requests. For more information about forwarding requests without the client identity, see Forwarding Requests Without the Client Identity.

  3. Configure the data source with the bind credentials of Directory Proxy Server.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     bind-dn:DPS-bind-dn bind-pwd-file:filename
    
  4. Configure the data source with the timeout.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     proxied-auth-check-timeout:value
    

    Directory Proxy Server verifies that the client DN has the relevant ACIs for proxy authorization by using the getEffectiveRights command. The result is cached in Directory Proxy Server and renewed when the proxied-auth-check-timeout expires.

  5. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Procedure: To Forward Requests by Using Proxy Authorization When the Request Contains a Proxy Authorization Control

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure Directory Proxy Server to accept proxy authorization controls of version 1, version 2, or both.


    $ dpconf set-server-prop -h host -p port allowed-ldap-controls:proxy-auth-v1 \
     allowed-ldap-controls:proxy-auth-v2

Forwarding Requests Without the Client Identity

The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server without forwarding the client identity.

Procedure: To Forward Requests Without the Client Identity

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the data source to authenticate to a back-end LDAP server by using the credentials of Directory Proxy Server.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     client-cred-mode:use-specific-identity
  2. Configure the data source with the bind credentials of Directory Proxy Server.


    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     bind-dn:bind-dn-of-DPS bind-pwd-file:filename
    
  3. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Forwarding Requests as an Alternate User

This section contains information about how to forward requests as an alternate user.

Procedure: To Configure Remote User Mapping

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Enable operations to be forwarded with an alternate user.


    $ dpconf set-server-prop -h host -p port enable-user-mapping:true
  2. Specify the name of the attribute that contains the ID for remote mapping.


    $ dpconf set-server-prop -h host -p port \
     remote-user-mapping-bind-dn-attr:attribute-name
    
  3. Enable Directory Proxy Server to map the client ID remotely.


    $ dpconf set-server-prop -h host -p port enable-remote-user-mapping:true
  4. Configure the default mapping.


    $ dpconf set-server-prop -h host -p port \
     user-mapping-default-bind-dn:default-mapping-bind-dn \
     user-mapping-default-bind-pwd-file:filename
    

    If the mapped identity is not found on the remote LDAP server, the client identity is mapped to the default identity.

  5. Configure the user mapping in the entry for the client on the remote LDAP server.

    For information about configuring user mapping in Directory Server, see Proxy Authorization.

Procedure: To Configure Local User Mapping

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Enable operations to be forwarded with an alternate user.


    $ dpconf set-server-prop -h host -p port enable-user-mapping:true
  2. Ensure that Directory Proxy Server is not configured to map the client ID remotely.


    $ dpconf set-server-prop -h host -p port enable-remote-user-mapping:false
  3. Configure the default mapping.


    $ dpconf set-server-prop -h host -p port \
     user-mapping-default-bind-dn:default-mapping-bind-dn \
     user-mapping-default-bind-pwd-file:filename
    

    The client ID is mapped to this DN if the mapping on the remote LDAP server fails.

  4. If you permit unauthenticated users to perform operations, configure the mapping for unauthenticated clients.


    $ dpconf set-server-prop -h host -p port \
     user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \
     user-mapping-anonymous-bind-pwd-file:filename
    

    For information about how to permit unauthenticated users to perform operations, see To Configure Anonymous Access.

  5. Configure the ID of the client.


    $ dpconf set-user-mapping-prop -h host -p port \
     user-bind-dn:client-bind-dn user-bind-pwd-file:filename
    
  6. Configure the ID of the alternate user.


    $ dpconf set-user-mapping-prop -h host -p port \
     mapped-bind-dn:alt-user-bind-dn mapped-bind-pwd-file:filename
    

Procedure: To Configure User Mapping for Anonymous Clients

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the mapping for unauthenticated clients.


    $ dpconf set-server-prop -h host -p port \
     user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \
     user-mapping-anonymous-bind-pwd-file:filename
    

    The mapping for anonymous clients is configured in Directory Proxy Server because the remote LDAP server does not contain an entry for an anonymous client.

    For information about permitting unauthenticated users to perform operations, see To Configure Anonymous Access.