This section contains information about the various methods you can use to forward requests from Directory Proxy Server to back-end LDAP servers.
For information about bind replay for client credentials in Directory Proxy Server, see Directory Proxy Server Configured for BIND Replay in Sun Java System Directory Server Enterprise Edition 6.0 Reference. The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server by using bind replay.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Configure the data source client credentials to authenticate to a back-end LDAP server by using the credentials provided by a client.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  client-cred-mode:use-client-identity
For information about proxy authorization in Directory Proxy Server, see Directory Proxy Server Configured for Proxy Authorization in Sun Java System Directory Server Enterprise Edition 6.0 Reference.
This section contains procedures for forwarding requests by using proxy authorization and by using a proxy authorization control.
Configure the data source to expect proxy authorization controls of either version 1 or version 2.
For example, configure the data source to expect proxy authorization controls of version 1.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  proxied-auth-use-v1:true
Alternatively, configure the data source to expect proxy authorization controls of version 2.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  proxied-auth-use-v1:false
Configure the data source to authenticate to a back-end LDAP server by using proxy authorization.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  client-cred-mode:use-proxy-auth
To configure a data source to authenticate to a back-end LDAP server by using proxy authorization for write operations only, run this command:
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  client-cred-mode:use-proxy-auth-for-write
When only write operations are performed with a proxy authorization control, the client identity is not forwarded to the LDAP server for read requests; reads are performed under the bind identity of Directory Proxy Server. For more information about forwarding requests without the client identity, see Forwarding Requests Without the Client Identity.
Configure the data source with the bind credentials of Directory Proxy Server.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  bind-dn:DPS-bind-dn bind-pwd-file:filename
Configure the timeout for the proxy authorization rights check on the data source.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  proxied-auth-check-timeout:value
Directory Proxy Server verifies that the client DN has the relevant ACIs for proxy authorization by using the getEffectiveRights command. The result is cached in Directory Proxy Server and renewed when the proxied-auth-check-timeout expires.
If necessary, restart the instance of Directory Proxy Server for the changes to take effect.
For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Configure Directory Proxy Server to accept proxy authorization controls of version 1, version 2, or both.
$ dpconf set-server-prop -h host -p port allowed-ldap-controls:proxy-auth-v1 \
  allowed-ldap-controls:proxy-auth-v2
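The two proxied-auth-use-v1 settings above select different wire encodings for the control that Directory Proxy Server attaches to a forwarded request, and the back-end Directory Server has to decode that control before it checks that the proxy's own bind-dn holds proxy rights. The following added example (not from the Sun documentation or the product) encodes and decodes both versions with the standard library only: the v1 layout follows draft-weltman-ldapv3-proxy (a BER SEQUENCE containing the LDAPDN) and the v2 layout follows RFC 4370 (a bare authzId, empty for an anonymous client). The backend_identity helper is my summary of the client-cred-mode values described in this section, including the use-proxy-auth-for-write case where reads carry no client identity; the DNs are constructed sample values.

```python
# Added example, not from the DSEE docs: BER encode/decode of the LDAP proxied
# authorization controls (v1 and v2) and a summary of which identity the
# back-end sees for each client-cred-mode. Standard library only.

PROXY_AUTH_V1_OID = "2.16.840.1.113730.3.4.12"   # draft-weltman-ldapv3-proxy
PROXY_AUTH_V2_OID = "2.16.840.1.113730.3.4.18"   # RFC 4370

SEQUENCE, OCTET_STRING, BOOLEAN = 0x30, 0x04, 0x01


def _ber_len(n: int) -> bytes:
    """Definite-form BER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_proxy_auth_control(client_dn: str, use_v1: bool) -> bytes:
    """Encode one LDAP Control (RFC 4511) carrying the client's identity.

    v1 wraps the DN in SEQUENCE { LDAPDN }; v2 carries a bare authzId
    ("dn:<dn>", or empty for anonymous). Both are marked critical.
    """
    if use_v1:
        oid = PROXY_AUTH_V1_OID
        value = _tlv(SEQUENCE, _tlv(OCTET_STRING, client_dn.encode()))
    else:
        oid = PROXY_AUTH_V2_OID
        value = (b"dn:" + client_dn.encode()) if client_dn else b""
    return _tlv(SEQUENCE,
                _tlv(OCTET_STRING, oid.encode())   # controlType is an LDAPOID string
                + _tlv(BOOLEAN, b"\xff")            # criticality TRUE
                + _tlv(OCTET_STRING, value))


def parse_proxy_auth_control(raw: bytes) -> dict:
    """Decode either version back to {'version', 'critical', 'authz_dn'}."""
    tag, control, end = _read_tlv(raw, 0)
    if tag != SEQUENCE or end != len(raw):
        raise ValueError("not a single LDAP Control")
    tag, oid, pos = _read_tlv(control, 0)
    oid = oid.decode()
    critical = False
    tag, field, pos = _read_tlv(control, pos)
    if tag == BOOLEAN:                        # criticality is OPTIONAL in the ASN.1
        critical = field != b"\x00"
        tag, field, pos = _read_tlv(control, pos)
    if oid == PROXY_AUTH_V1_OID:
        _, inner, _ = _read_tlv(field, 0)     # SEQUENCE
        _, dn, _ = _read_tlv(inner, 0)        # LDAPDN
        return {"version": 1, "critical": critical, "authz_dn": dn.decode()}
    if oid == PROXY_AUTH_V2_OID:
        if field == b"":
            return {"version": 2, "critical": critical, "authz_dn": ""}
        if field.startswith(b"dn:"):
            return {"version": 2, "critical": critical, "authz_dn": field[3:].decode()}
        raise ValueError("only the dn: form of authzId is handled here")
    raise ValueError("not a proxied authorization control: " + oid)


def backend_identity(client_cred_mode: str, is_write: bool, client_dn: str, dps_bind_dn: str):
    """(bind DN on the back-end connection, DN carried in a proxy-auth control or None)."""
    if client_cred_mode == "use-client-identity":        # bind replay
        return client_dn, None
    if client_cred_mode == "use-specific-identity":      # client identity not forwarded
        return dps_bind_dn, None
    if client_cred_mode == "use-proxy-auth":
        return dps_bind_dn, client_dn
    if client_cred_mode == "use-proxy-auth-for-write":   # reads lose the client identity
        return dps_bind_dn, client_dn if is_write else None
    raise ValueError("unknown client-cred-mode: " + client_cred_mode)


if __name__ == "__main__":
    client = "uid=bjensen,ou=People,dc=example,dc=com"   # constructed sample DN
    for v1 in (True, False):
        raw = build_proxy_auth_control(client, use_v1=v1)
        print("v1" if v1 else "v2", raw.hex(), parse_proxy_auth_control(raw))
```

Running the script prints the hex of each control next to its decoded form; the v2 value is the authzId bytes themselves, which is why a packet capture of a proxied-auth-use-v1:false data source shows the literal text dn:... inside the control, whereas the v1 value starts with an extra 0x30 SEQUENCE header.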
The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server without forwarding the client identity.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Configure the data source to authenticate to a back-end LDAP server by using the credentials of Directory Proxy Server.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  client-cred-mode:use-specific-identity
Configure the data source with the bind credentials of Directory Proxy Server.
$ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
  bind-dn:bind-dn-of-DPS bind-pwd-file:filename
If necessary, restart the instance of Directory Proxy Server for the changes to take effect.
For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
This section contains information about how to forward requests as an alternate user.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Enable operations to be forwarded with an alternate user.
$ dpconf set-server-prop -h host -p port enable-user-mapping:true
Specify the name of the attribute that contains the ID for remote mapping.
$ dpconf set-server-prop -h host -p port \
  remote-user-mapping-bind-dn-attr:attribute-name
Enable Directory Proxy Server to map the client ID remotely.
$ dpconf set-server-prop -h host -p port enable-remote-user-mapping:true
Configure the default mapping.
$ dpconf set-server-prop -h host -p port \
  user-mapping-default-bind-dn:default-mapping-bind-dn \
  user-mapping-default-bind-pwd-file:filename
If the mapped identity is not found on the remote LDAP server, the client identity is mapped to the default identity.
Configure the user mapping in the entry for the client on the remote LDAP server.
For information about configuring user mapping in Directory Server, see Proxy Authorization.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Enable operations to be forwarded with an alternate user.
$ dpconf set-server-prop -h host -p port enable-user-mapping:true
Ensure that Directory Proxy Server is not configured to map the client ID remotely.
$ dpconf set-server-prop -h host -p port enable-remote-user-mapping:false
Configure the default mapping.
$ dpconf set-server-prop -h host -p port \
  user-mapping-default-bind-dn:default-mapping-bind-dn \
  user-mapping-default-bind-pwd-file:filename
The client ID is mapped to this DN if the mapping on the remote LDAP server fails.
If you permit unauthenticated users to perform operations, configure the mapping for unauthenticated clients.
$ dpconf set-server-prop -h host -p port \
  user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \
  user-mapping-anonymous-bind-pwd-file:filename
For information about how to permit unauthenticated users to perform operations, see To Configure Anonymous Access.
Configure the ID of the client.
$ dpconf set-user-mapping-prop -h host -p port \
  user-bind-dn:client-bind-dn user-bind-pwd-file:filename
Configure the ID of the alternate user.
$ dpconf set-user-mapping-prop -h host -p port \
  mapped-bind-dn:alt-user-bind-dn mapped-bind-pwd-file:filename
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Configure the mapping for unauthenticated clients.
$ dpconf set-server-prop -h host -p port \
  user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \
  user-mapping-anonymous-bind-pwd-file:filename
The mapping for anonymous clients is configured in Directory Proxy Server because the remote LDAP server does not contain an entry for an anonymous client.
For information about permitting unauthenticated users to perform operations, see To Configure Anonymous Access.