Sun Java(TM) System Directory Proxy Server 5.2 2005Q1 Administration Guide
Directory Proxy Server Decision Functions
This appendix describes the flow of control in Directory Proxy Server for some specific functionalities. It includes:
Establishing Group on Connection
When a client connects to Directory Proxy Server, the server checks the ids-proxy-con-Client attribute of its ids-proxy-sch-NetworkGroup object entries until it finds a match. The ids-proxy-sch-NetworkGroup objects are tried from highest to lowest priority, as defined by the ids-proxy-con-priority attribute. Directory Proxy Server places the client in the first group whose ids-proxy-con-Client attribute matches the IP address of the client. If no group matches, the connection is closed.
Change Group on Bind
When the client initially connects, it is placed in a group based on its IP address. The client can be moved to a different group with different access controls when it binds to a directory. To accomplish this, the initial group object must include a rule object that is evaluated on a successful bind operation. If the rule evaluates to TRUE, the change group action is taken to move the client to a different group. Figure A-1 illustrates this functionality.
Figure A-1 Change Group on Bind
Configuring Change Group On Bind
The following steps illustrate how to configure the Directory Proxy Server to change group upon a successful bind by "cn=Directory Manager" using the simple bind authentication mechanism.
To Configure Change Group On Bind
- Create a new Network Group to which the user "cn=Directory Manager" will move upon a successful bind. For more information see Creating Groups. If a user can only become part of this group by changing into it, set "No IP Binding" in the Network tab of the Network Group panel. Also make sure this group comes after all other Network Groups that allow some IP bindings.
- Create a new "Change Group" action. For more information see Creating Action Objects. Set the "changed to" field to the name of the group you created in step 1. Set "if DN matches" to "cn=Directory Manager". You can also set "NONE" (do not change group) for all other DNs, i.e. ".*".
- Create an On Bind event. For more information see Creating Event Objects. On the Actions tab, set it to the Change Group action you created in step 2. On the Condition tab, select "Password based bind".
- Select the On Bind event you created in step 3 on the events tab in the Network Group you created in step 1. For more information see Modifying Groups.
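To make the two decision flows above concrete, here is an added Python simulation (not code from this guide or from the product) of group placement on connection and of the On Bind Change Group action. The group definitions and DN rules are constructed, and representing ids-proxy-con-Client as a CIDR prefix is an assumption made for the example.

```python
"""Simulated Directory Proxy Server group decisions (illustrative, not product code).

Flow 1: place a new connection in the highest-priority ids-proxy-sch-NetworkGroup
whose ids-proxy-con-Client matches the client IP; close the connection if none does.
Flow 2: on a password-based bind, apply the Change Group action's "if DN matches"
rules in order; a target of None means "NONE" (keep the current group).
"""
import ipaddress
import re

# Constructed network groups. ids-proxy-con-Client is assumed to be a CIDR prefix;
# None stands for "No IP Binding" (reachable only via a Change Group action).
GROUPS = [
    {"name": "admins", "ids-proxy-con-priority": 30, "ids-proxy-con-Client": "10.0.1.0/24"},
    {"name": "employees", "ids-proxy-con-priority": 20, "ids-proxy-con-Client": "10.0.0.0/16"},
    {"name": "dirmgr", "ids-proxy-con-priority": 10, "ids-proxy-con-Client": None},
]

# Constructed Change Group action: (DN pattern, target group); first match wins.
CHANGE_GROUP_RULES = [
    (r"^cn=Directory Manager$", "dirmgr"),
    (r".*", None),  # NONE: all other DNs stay in their current group
]


def establish_group(client_ip, groups=GROUPS):
    """Return the group name for a new connection, or None (connection closed)."""
    addr = ipaddress.ip_address(client_ip)
    ordered = sorted(groups, key=lambda g: g["ids-proxy-con-priority"], reverse=True)
    for group in ordered:
        if group["ids-proxy-con-Client"] is None:
            continue  # No IP Binding: never selected by address
        if addr in ipaddress.ip_network(group["ids-proxy-con-Client"]):
            return group["name"]
    return None


def on_bind(current_group, bind_dn, password_bind=True, rules=CHANGE_GROUP_RULES):
    """Return the group after a successful bind; only password-based binds fire the event."""
    if not password_bind:
        return current_group
    for pattern, target in rules:
        if re.match(pattern, bind_dn, re.IGNORECASE):
            return current_group if target is None else target
    return current_group
```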
Change Group on Establishment of TLS
Similar to the change group on bind mechanism is the change group on establishment of TLS, whereby a client can change group when it successfully establishes a TLS session. The SSL Established rule is evaluated when the client establishes TLS, and if it evaluates to TRUE the Change Group action is taken. This functionality is illustrated in Figure A-2.
Figure A-2 Change Group on Establishment of TLS
High Availability Setup
If you have configured more than one backend directory server, you can set up Directory Proxy Server to load balance across them and to fail over to another server if one of them goes down. To do this, you must create a Load Balance Property (see Load Balancing Property) and include it in the group object for which you want to load balance. You will also need to create an LDAP Server Property (see LDAP Server Property) for each of your backend servers and include them in the Load Balance Property. In the Load Balance Property object, you must specify the percentage of the total load that each backend server should handle. With this setup, Directory Proxy Server redistributes load across its remaining backend directory servers if one of them goes down, and fails over clients from the failed server to another. Directory Proxy Server will also fail over if the network link between itself and the LDAP server is down or if the LDAP server becomes unresponsive.
Directory Proxy Server can be set up to follow referrals for LDAPv2 clients that cannot do so on their own. Your backend LDAP directory server must be capable of sending referrals, i.e., it must support LDAP v3 standards. Configure Directory Proxy Server to use LDAP v3 between itself and the backend LDAP server in order for Directory Proxy Server to receive referrals from the directory server. Then set your group's referral and continuation referral policy.