Directory Proxy Server connection handlers provide a method of access control that enables you to classify incoming client connections. In this way, you can restrict the operations that can be performed based on how the connection has been classified.
You can use this functionality, for example, to restrict access to clients that connect from a specified IP address only. The following figure shows how you can use Directory Proxy Server connection handlers to deny write operations from specific IP addresses.
A connection handler consists of a list of criteria and a list of policies. Directory Proxy Server determines a connection's class membership by matching the origination attributes of the connection with the criteria of the class. When the connection has been matched to a class, Directory Proxy Server applies the policies that are contained in that class to the connection.
Connection handler criteria can include the following:
Client physical address
Domain name or host name
Client DN pattern
Authentication method
SSL
The following policies can be associated with a connection handler:
Administrative limits policy. Enables you to set certain limits on, for example, the number of open connections from clients of a specific class.
Content adaptation policy. Enables you to restrict the kind of operations a connection can perform, for example, attribute renaming.
Data distribution policy. Enables you to use a specific distribution scheme for a connection.
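The classification and policy steps described above can be hard to picture from the description alone, so here is a small model of the mechanism in Python. It is an added illustration, not Directory Proxy Server code, and its names (Connection, Criteria, Policies, ConnectionHandler, classify, is_allowed) and its conventions (lowest priority number wins, first matching handler is used, a connection that matches no handler is refused) are assumptions made for the example; the product's actual handler properties and ordering rules are those documented in the reference chapter cited below. The sample handlers implement the figure's scenario: write operations are refused for connections from one constructed subnet, while administrators binding over SSL from elsewhere are classified into a class with no operation restrictions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional, List, Set
import ipaddress

# LDAP operations the model treats as writes (assumption for the example).
WRITE_OPS = {"add", "modify", "delete", "modrdn"}


@dataclass
class Connection:
    """Origination attributes of an incoming client connection."""
    client_ip: str
    host_name: str = ""
    bind_dn: str = ""
    auth_method: str = "anonymous"   # anonymous | simple | sasl
    ssl: bool = False


@dataclass
class Criteria:
    """Matching criteria of a handler; an empty criterion matches anything."""
    ip_networks: List[str] = field(default_factory=list)    # CIDR blocks
    host_patterns: List[str] = field(default_factory=list)  # glob, e.g. *.example.com
    dn_patterns: List[str] = field(default_factory=list)    # glob over the bind DN
    auth_methods: List[str] = field(default_factory=list)   # accepted methods
    ssl_required: Optional[bool] = None                     # None = don't care

    def matches(self, conn: Connection) -> bool:
        # Every populated criterion must match for the connection to be in the class.
        if self.ip_networks:
            addr = ipaddress.ip_address(conn.client_ip)
            if not any(addr in ipaddress.ip_network(n) for n in self.ip_networks):
                return False
        if self.host_patterns and not any(
                fnmatch(conn.host_name.lower(), p.lower()) for p in self.host_patterns):
            return False
        if self.dn_patterns and not any(
                fnmatch(conn.bind_dn.lower(), p.lower()) for p in self.dn_patterns):
            return False
        if self.auth_methods and conn.auth_method not in self.auth_methods:
            return False
        if self.ssl_required is not None and conn.ssl != self.ssl_required:
            return False
        return True


@dataclass
class Policies:
    """Policies applied to every connection in the class."""
    max_connections: Optional[int] = None                 # administrative limit
    denied_operations: Set[str] = field(default_factory=set)  # content restriction
    data_view: str = "default"                            # distribution scheme


@dataclass
class ConnectionHandler:
    name: str
    priority: int          # lower number is evaluated first (assumption)
    criteria: Criteria
    policies: Policies


# Constructed sample handlers for the "deny writes from a subnet" scenario.
HANDLERS = [
    ConnectionHandler("lab-readonly", 5,
                      Criteria(ip_networks=["192.0.2.0/24"]),
                      Policies(denied_operations=set(WRITE_OPS))),
    ConnectionHandler("admins-over-ssl", 10,
                      Criteria(dn_patterns=["cn=*,ou=admins,dc=example,dc=com"],
                               auth_methods=["simple"], ssl_required=True),
                      Policies(max_connections=20, data_view="admin-view")),
    ConnectionHandler("default", 100, Criteria(), Policies(max_connections=500)),
]


def classify(handlers: List[ConnectionHandler], conn: Connection) -> Optional[ConnectionHandler]:
    """Return the first handler, in priority order, whose criteria match the connection."""
    for handler in sorted(handlers, key=lambda h: h.priority):
        if handler.criteria.matches(conn):
            return handler
    return None


def is_allowed(handlers: List[ConnectionHandler], conn: Connection, operation: str) -> bool:
    """Apply the class's content policy to one operation; fail closed when unclassified."""
    handler = classify(handlers, conn)
    if handler is None:
        return False
    return operation not in handler.policies.denied_operations


if __name__ == "__main__":
    lab = Connection("192.0.2.10", host_name="pc1.lab.example.com")
    admin = Connection("10.1.1.5", bind_dn="cn=ops,ou=admins,dc=example,dc=com",
                       auth_method="simple", ssl=True)
    for conn in (lab, admin):
        cls = classify(HANDLERS, conn)
        print(conn.client_ip, "->", cls.name, "modify allowed:", is_allowed(HANDLERS, conn, "modify"))
```

Putting the deny-writes handler at the highest precedence means a connection from the restricted subnet is classified there even when it binds as an administrator over SSL, which is the ordering a defender usually wants; reversing the priorities would let the administrator class take precedence. Whatever the product's actual property names, the same check applies when you configure real handlers: connect from each network and bind identity you care about and confirm which class the proxy assigns before relying on the policy.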
For more information about Directory Proxy Server connection handlers and how to set them up, see Chapter 21, Directory Proxy Server Connection Handlers, in Sun Java System Directory Server Enterprise Edition 6.0 Reference.