For an overview of request filtering policies, see Request Filtering Policies for Connection Handlers in Sun Java System Directory Server Enterprise Edition 6.2 Reference. For an overview of search data hiding rules, see Search Data Hiding Rules in the Request Filtering Policy in Sun Java System Directory Server Enterprise Edition 6.2 Reference.
For information about how to create and configure request filtering policies and search data hiding rules, see the following procedures.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create a request filtering policy.
$ dpconf create-request-filtering-policy policy-name |
Associate the request filtering policy with a connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ request-filtering-policy:policy-name |
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
View the properties of a request filtering policy.
$ dpconf get-request-filtering-policy-prop -h host -p port policy-name |
The default properties of a request filtering policy are as follows:
allow-add-operations : true allow-bind-operations : true allow-compare-operations : true allow-delete-operations : true allow-extended-operations : true allow-inequality-search-operations : true allow-modify-operations : true allow-rename-operations : true allow-search-operations : true allowed-comparable-attrs : all allowed-search-scopes : base allowed-search-scopes : one-level allowed-search-scopes : subtree allowed-subtrees : "" description : - prohibited-comparable-attrs : none prohibited-subtrees : none |
Configure the request filtering policy by setting one ore more of the properties listed in Step 1.
$ dpconf set-request-filtering-policy-prop -h host -p port policy-name \ property:value [property:value ...] |
By setting the properties listed in Step 1, you configure the following features of the request filtering policy:
The types of operations that clients are allowed to perform
The subtrees that are exposed to a client or hidden from a client
The scope for search operations
The types of search filters
The attribute types that can or cannot be compared in search and compare operations
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create one or more search data hiding rules for a request filtering policy.
$ dpconf create-search-data-hiding-rule -h host -p port policy-name rule-name \ [rule-name ...] |
View the properties of a search data hiding rule.
$ dpconf get-search-data-hiding-rule-prop policy-name rule-name |
The default properties of a search data hiding rule are as follows:
attrs : - rule-action : hide-entry target-attr-value-assertions : - target-dn-regular-expressions : - target-dns : - |
Configure a search data hiding rule by setting one or more of the properties listed in Step 2.
$ dpconf set-search-data-hiding-rule-prop -h host -p port policy-name rule-name \ property:value [property:value ...] |
One of the following rule actions can be used:
The target entry is not returned.
The target entry is returned but the specified attributes are filtered out.
The target entry is returned but the unspecified attributes are filtered out.
The rule can be applied to the following entries:
Entries with the specified DN
Entries with the specified DN pattern
Entries with a specified attribute name and attribute value pair (attrName#attrValue)
The following configuration defines a search data hiding rule that hides entries of type inetorgperson.
$ dpconf set-search-data-hiding-rule-prop -h host1 -p port my-policy my-rule \ target-attr-value-assertions:objectclass#inetorgperson |
The following examples contain a request filtering policy and a search data hiding rule. When the request filtering policy is combined with the search data hiding rule, access to data is limited as follows:
The following types of operations are disallowed: add, delete, extended, modify, and rename.
Only the ou=people,dc=sun,dc=com subtree can be accessed.
Entries other than inetorgperson type are returned by search operations.
allow-add-operations : false allow-bind-operations : true allow-compare-operations : true allow-delete-operations : false allow-extended-operations : false allow-inequality-search-operations : true allow-modify-operations : false allow-rename-operations : false allow-search-operations : true allowed-comparable-attrs : all allowed-search-scopes : base allowed-search-scopes : one-level allowed-search-scopes : subtree allowed-subtrees : ou=people,dc=sun,dc=com description : myRequestFilteringPolicy prohibited-comparable-attrs : none prohibited-subtrees : none |
attrs : - rule-action : hide-entry target-attr-value-assertions : objectclass:inetorgperson target-dn-regular-expressions : - target-dns : - |