Directory Proxy Server 5.2 uses groups to define how client connections are identified and what restrictions are placed on the client connections. In Directory Proxy Server 7.0, this functionality is achieved using connection handlers, data views, and listeners.
Connection handlers, data views, and listeners can be configured by using the Directory Service Control Center or by using the dpconf command. For more information, see Chapter 25, Connections Between Clients and Directory Proxy Server, in Sun Directory Server Enterprise Edition 7.0 Administration Guide and Chapter 21, Directory Proxy Server Distribution, in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
In Directory Proxy Server 5.2, a group is defined by setting the attributes of the ids-proxy-sch-Group object class. Certain attributes of this object class can be mapped to Directory Proxy Server 7.0 connection handler properties. For a list of all the connection-handler properties, run the following command:
$ dpconf help-properties | grep connection-handler
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps version 5.2 group attributes to the corresponding connection handler properties.
Table 7–3 Mapping Between Group Attributes and Connection Handler Properties
Directory Proxy Server 5.2 Group Attribute | Directory Proxy Server 7.0 Connection Handler Property |
---|---|
ids-proxy-con-Name | cn |
ids-proxy-con-Priority | priority |
ids-proxy-sch-Enable | is-enabled |
ids-proxy-sch-belongs-to | No equivalent |
ids-proxy-con-permit-auth-none:TRUE<br>ids-proxy-con-permit-auth-sasl:TRUE<br>ids-proxy-con-permit-auth-simple:TRUE | allowed-auth-methods:anonymous<br>allowed-auth-methods:sasl<br>allowed-auth-methods:simple |
Directory Proxy Server 5.2 groups are configured by setting the attributes of the ids-proxy-sch-NetworkGroup object class. These attributes can be mapped to properties of Directory Proxy Server 7.0 connection handlers, data sources and listeners. For a list of all the properties related to these objects, run the dpconf help-properties command, and search for the object. For example, to locate all the properties of a connection handler, run the following command:
$ dpconf help-properties | grep connection-handler
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps Directory Proxy Server 5.2 network group attributes to the corresponding Directory Proxy Server 7.0 properties and describes how to set these properties by using the command line.
Table 7–4 Mapping of Network Group Attributes
Directory Proxy Server 5.2 Network Group Attribute | Directory Proxy Server 7.0 Property |
---|---|
ids-proxy-con-Client | domain-name-filters and ip-address-filters properties of a connection handler |
ids-proxy-con-include-property | No equivalent |
ids-proxy-con-include-rule | No equivalent |
ids-proxy-con-ssl-policy:ssl_required | Set this as a connection handler property by using the following command: $ dpconf set-connection-handler-prop CONNECTION-HANDLER-NAME is-ssl-mandatory:true |
ids-proxy-con-ssl-policy:ssl_optional | Set this as an LDAP data source property by using the following command: $ dpconf set-ldap-data-source-prop ds1 ssl-policy:client |
ids-proxy-con-ssl-policy:ssl_unavailable | Set this as a connection handler property by using the following command: $ dpconf set-connection-handler-prop CONNECTION-HANDLER-NAME is-ssl-mandatory:false |
ids-proxy-con-tcp-no-delay | Set this as a property for a specific listener port by using the following command: $ dpconf set-ldap-listener-prop use-tcp-no-delay:true |
ids-proxy-con-allow-multi-ldapv2-bind | No equivalent |
ids-proxy-con-reverse-dns-lookup | No equivalent |
ids-proxy-con-timeout | This functionality exists but with less granularity than in Directory Proxy Server 5. Set this limit as a property for a specific listener port by using the following command: $ dpconf set-ldap-listener-prop connection-idle-timeout:value |
Directory Proxy Server 5.2 bind forwarding is used to determine whether to pass a bind request on to an LDAP server or to reject the bind request and close the client's connection. Directory Proxy Server 7.0 forwards either all bind requests or no bind requests. However, by setting the allowed-auth-methods connection handler property, successful binds can be classified into connection handlers, according to the authentication criteria. Directory Proxy Server 7.0 can be configured to reject all requests from a specific connection handler, providing the same functionality as Directory Proxy Server 5.2 bind forwarding.
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps the Directory Proxy Server 5.2 bind forwarding attributes to the corresponding Directory Proxy Server 7.0 connection handler property settings.
Table 7–5 Mapping of Bind Forwarding Attributes to Connection Handler Property Settings
Directory Proxy Server 5.2 Attribute | Directory Proxy Server 7.0 Property |
---|---|
ids-proxy-con-bind-name | No equivalent |
ids-proxy-con-permit-auth-none | allowed-auth-methods:anonymous |
ids-proxy-con-permit-auth-simple | allowed-auth-methods:simple |
ids-proxy-con-permit-auth-sasl | allowed-auth-methods:sasl |
Operation forwarding determines how Directory Proxy Server 5.2 handles requests after a successful bind. In Directory Proxy Server 7.0, this functionality is provided by setting the properties of a request filtering policy. For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Directory Server Enterprise Edition 7.0 Administration Guide. For a list of all the properties of a request filtering policy, run the following command:
$ dpconf help-properties | grep request-filtering-policy
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps the Directory Proxy Server 5.2 operation forwarding attributes to the corresponding Directory Proxy Server 7.0 request filtering properties.
Table 7–6 Mapping of Operation Forwarding Attributes to Request Filtering Properties
Directory Proxy Server 5.2 Attribute | Directory Proxy Server 7.0 Property |
---|---|
ids-proxy-con-permit-op-search | allow-search-operations |
ids-proxy-con-permit-op-compare | allow-compare-operations |
ids-proxy-con-permit-op-add | allow-add-operations |
ids-proxy-con-permit-op-delete | allow-delete-operations |
ids-proxy-con-permit-op-modify | allow-modify-operations |
ids-proxy-con-permit-op-modrdn | allow-rename-operations |
ids-proxy-con-permit-op-extended | allow-extended-operations |
Directory Proxy Server 5.2 uses the ids-proxy-con-forbidden-subtree attribute to specify a subtree of entries to be excluded in any client request. Directory Proxy Server 7.0 provides this functionality with the allowed-subtrees and prohibited-subtrees properties of a request filtering policy. For information on hiding subtrees in this way, see Creating and Configuring a Resource Limits Policy in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
If your subtrees are distributed across different backend servers, you can use the excluded-subtrees property of a data view to hide subtrees. For more information on hiding subtrees in this way, see Excluding a Subtree From a Data View in Sun Directory Server Enterprise Edition 7.0 Reference and To Configure Data Views With Hierarchy and a Distribution Algorithm in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
In Directory Proxy Server 5.2, search request controls are used to prevent certain kinds of requests from reaching the LDAP server. In Directory Proxy Server 7.0, this functionality is provided by setting properties of a request filtering policy and a resource limits policy.
For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Directory Server Enterprise Edition 7.0 Administration Guide. For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Directory Server Enterprise Edition 7.0 Administration Guide. For a list of all the properties associated with a request filtering policy, or a resource limits policy, run the dpadm help-properties command and search for the object. For example, to locate all properties associated with a resource limits policy, run the following command:
$ dpconf help-properties | grep resource-limits-policy
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps the Directory Proxy Server 5.2 search request control attributes to the corresponding Directory Proxy Server 7.0 properties.
Table 7–7 Mapping of Search Request Control Attributes
Directory Proxy Server 5.2 Attribute | Directory Proxy Server 7.0 Property |
---|---|
ids-proxy-con-filter-inequality | allow-inequality-search-operations property of the request filtering policy |
ids-proxy-con-min-substring-size | minimum-search-filter-substring-length property of the resource limits policy |
In Directory Proxy Server 5.2, compare request controls are used to prevent certain kinds of search and compare operations from reaching the LDAP server. In Directory Proxy Server 7.0, this functionality is provided by setting properties of a request filtering policy.
For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps the Directory Proxy Server 5.2 compare request control attributes to the corresponding Directory Proxy Server 7.0 properties.
Table 7–8 Mapping of Compare Request Control Attributes
Directory Proxy Server 5.2 Attribute | Directory Proxy Server 7.0 Property |
---|---|
ids-proxy-con-forbidden-compare | prohibited-comparable-attrs |
ids-proxy-con-permitted-compare | allowed-comparable-attrs |
In Directory Proxy Server 5.2, these attributes are used to modify the search request before it is forwarded to the server. In Directory Proxy Server 7.0, this functionality is provided by setting properties of a request filtering policy and a resource limits policy.
For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Sun Directory Server Enterprise Edition 7.0 Administration Guide. For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps the Directory Proxy Server 5.2 search request modifying attributes to the corresponding Directory Proxy Server 7.0 properties.
Table 7–9 Mapping of Search Request Modifying Attributes
Directory Proxy Server 5.2 Attribute | Directory Proxy Server 7.0 Property |
---|---|
ids-proxy-con-minimum-base | allowed-subtrees property of the request filtering policy |
ids-proxy-con-max-scope | allowed-search-scopes property of the request filtering policy |
ids-proxy-con-max-timelimit | search-time-limit property of the resource limits policy |
In Directory Proxy Server 5.2, these attributes describe restrictions that are applied to search results being returned by the server, before they are forwarded to the client. In Directory Proxy Server 7.0, this functionality is provided by setting the properties of a resource limits policy and by configuring search data hiding rules.
For information about configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Directory Server Enterprise Edition 7.0 Administration Guide. For information about creating search data hiding rules, see To Create Search Data Hiding Rules in Sun Directory Server Enterprise Edition 7.0 Administration Guide. For a list of properties associated with a search data hiding rule, run the following command:
$ dpconf help-properties | grep search-data-hiding-rule
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps the Directory Proxy Server 5.2 search response restriction attributes to the corresponding Directory Proxy Server 7.0 properties.
Table 7–10 Mapping of Search Response Restriction Attributes
Directory Proxy Server 5.2 Attributes | Directory Proxy Server 7.0 Properties |
---|---|
ids-proxy-con-max-result-size | search-size-limit property of the resource limits policy |
ids-proxy-con-forbidden-return | To hide a subset of attributes: rule-action:hide-attributes attributes:attribute-name<br>To hide an entire entry: rule-action:hide-entry |
ids-proxy-con-permitted-return | rule-action:show-attributes attributes:attribute-name |
ids-proxy-con-search-reference | No direct equivalent. Search continuation references are governed by the referral-policy property of the resource limits policy |
In Directory Proxy Server 5.2, these attributes determine what Directory Proxy Server should do with referrals. In Directory Proxy Server 7.0, this functionality is provided by setting properties of a resource limits policy.
For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps the Directory Proxy Server 5.2 referral configuration attributes to the corresponding Directory Proxy Server 7.0 resource limits properties.
Table 7–11 Mapping of Referral Configuration Attributes to Resource Limits Properties
Directory Proxy Server 5.2 Attribute | Directory Proxy Server 7.0 Property |
---|---|
ids-proxy-con-reference | referral-policy |
ids-proxy-con-referral-ssl-policy | referral-policy |
ids-proxy-con-referral-bind-policy | referral-bind-policy |
ids-proxy-con-max-refcount | referral-hop-limit |
In Directory Proxy Server 5.2, these attributes are used to control the number of simultaneous operations and total number of operations a client can request on one connection. In Directory Proxy Server 7.0, this functionality is provided by setting properties of a resource limits policy.
For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Sun Directory Server Enterprise Edition 7.0 Administration Guide.
In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.
The following table maps the Directory Proxy Server 5.2 server load configuration attributes to the corresponding Directory Proxy Server 7.0 resource limits properties.
Table 7–12 Mapping of Server Load Configuration Attributes to Resource Limits Properties
Directory Proxy Server 5.2 Attribute | Directory Proxy Server 7.0 Property |
---|---|
ids-proxy-con-max-simultaneous-operations-per-connection | max-simultaneous-operations-per-connection |
ids-proxy-con-operations-per-connection | max-total-operations-per-connection |
ids-proxy-con-max-conns | max-connections |
ids-proxy-con-max-simultaneous-conns-from-ip | max-client-connections |
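The following added example (not part of the original guide or of Directory Proxy Server) shows one way to audit an exported 5.2 group entry against the mapping tables above, so that a restriction with no 7.0 equivalent is flagged instead of silently dropped during migration. The sample entry, its values and the function names are constructed for illustration, and only a subset of the tables is encoded.

```python
RFP, RLP = "request-filtering-policy", "resource-limits-policy"
# 5.2 attribute -> (7.0 object, 7.0 property), copied from the tables above (subset).
MAPPING = {
    "ids-proxy-con-permit-op-delete": (RFP, "allow-delete-operations"),
    "ids-proxy-con-permit-op-modify": (RFP, "allow-modify-operations"),
    "ids-proxy-con-permit-op-modrdn": (RFP, "allow-rename-operations"),
    "ids-proxy-con-forbidden-compare": (RFP, "prohibited-comparable-attrs"),
    "ids-proxy-con-max-result-size": (RLP, "search-size-limit"),
    "ids-proxy-con-max-timelimit": (RLP, "search-time-limit"),
}
# Attributes the tables list as "No equivalent": these need a manual decision.
NO_EQUIVALENT = {"ids-proxy-con-bind-name", "ids-proxy-con-include-rule",
                 "ids-proxy-con-include-property", "ids-proxy-con-reverse-dns-lookup"}
# Constructed sample entry (not from a real deployment), with one folded LDIF line.
SAMPLE = """\
dn: ids-proxy-con-Name=hr-clients,ou=groups,cn=example,ou=dar-config,o=NetscapeRoot
objectClass: ids-proxy-sch-NetworkGroup
ids-proxy-con-permit-op-delete: FALSE
ids-proxy-con-forbidden-compare: userPassword
ids-proxy-con-max-result-size: 500
ids-proxy-con-bind-name: uid=app,
 ou=services,dc=example,dc=com
ids-proxy-con-tcp-no-delay: TRUE
"""

def unfold(ldif):
    # Join LDIF continuation lines (leading space); drop blank lines and comments.
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines

def audit(ldif):
    mapped, no_equiv, unreviewed = [], [], []
    for line in unfold(ldif):
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not name.startswith("ids-proxy-"):
            continue  # dn, objectClass and other non-proxy attributes
        if name in MAPPING:
            mapped.append((name, value) + MAPPING[name])
        elif name in NO_EQUIVALENT:
            no_equiv.append((name, value))
        else:
            unreviewed.append((name, value))  # not in this subset: check the tables by hand
    return mapped, no_equiv, unreviewed
```

The 5.2 values are carried through unchanged for review; the tables map attribute names, so converting each value to its 7.0 form remains a manual step.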