Sun Java(TM) System Directory Proxy Server 5.2 2005Q1 Administration Guide
Directory Proxy Server FAQ, Features, and Troubleshooting
This appendix contains useful information on Directory Proxy Server. It contains answers for frequently asked questions (FAQs), clarifications on certain Directory Proxy Server features, and troubleshooting information.
The appendix has the following sections:
Directory Proxy Server FAQ
What is Directory Proxy Server?
Directory Proxy Server is an LDAP proxy for LDAP clients and LDAP servers. Requests from LDAP clients are forwarded to LDAP servers based on rules defined in Directory Proxy Server configuration. Results from the server are passed back to clients, again based on rules defined in the configuration. This process is totally transparent to the clients, which connect to Directory Proxy Server just as they would to any LDAP server.
Why do I need Directory Proxy Server?
Many enterprises want to make some part of their directory information externally visible, while keeping other parts internally private. With Directory Proxy Server you can accomplish this goal easily, and without assigning directory passwords to external clients. Directory Proxy Server can also be used as a high availability solution for enterprise directory service with load balancing and failover features.
Additional security features such as protection from denial of service attacks and search limits are also provided.
What version of the LDAP protocol does Directory Proxy Server support?
Directory Proxy Server supports LDAP clients or chaining LDAP servers that use either the LDAPv2 or the LDAPv3 protocol.
Does Directory Proxy Server support secure authentication and encryption?
Directory Proxy Server supports SSLv3 for certificate-based, public-key encryption of client and server traffic. Secure authentication and encryption are available to LDAP clients either on the dedicated secure LDAP port or through Transport Layer Security (TLS), using cipher suites built on the Diffie-Hellman, Digital Signature Standard (DSA), and Triple-DES algorithms. Note that SSLv3 and Triple-DES have since been deprecated as insecure; where the clients and back-end servers allow it, prefer TLS with current cipher suites.
Does Directory Proxy Server work with any LDAP-enabled Directory Server?
Directory Proxy Server will work with any LDAP-conformant directory server. Some directory product vendors claim to implement LDAP in their marketing literature, but the reality is often a different story. Directory Proxy Server has been tested most thoroughly with the Sun Java System Directory Server.
Is there a configuration utility available to configure Directory Proxy Server?
Directory Proxy Server includes a Java-based GUI (console) that can be used to configure Directory Proxy Server. The console uses the Directory Server to store the configuration it generates.
Can Directory Proxy Server prevent denial-of-service attacks?
Yes. You can limit the number of simultaneous operations processed per connection, number of operations allowed per connection, total number of concurrent connections, maximum concurrent connections per defined group (network, subnetwork or based on bind DN), and maximum concurrent connections for a single IP address.
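The limits above can be thought of as an admission controller sitting in front of the back-end servers. The following is an added example written for this page; it is not Directory Proxy Server code and its class, attribute names and numeric limits are assumptions chosen for illustration, not DPS configuration attributes. Groups are assigned by the client's source network, as the access-group answer below describes, and an idle timeout is included because the troubleshooting section of this appendix recommends one to reclaim leaked client connections.

```python
# Added example, not Directory Proxy Server code: a connection admission
# controller that enforces limits of the kinds listed above.  Class and
# attribute names are hypothetical and not DPS configuration attributes.
import ipaddress


class ConnectionLimiter:
    def __init__(self, groups, max_total, max_per_ip, max_per_group,
                 max_concurrent_ops, max_ops_per_conn, idle_timeout):
        # groups: list of (name, CIDR); the first network that contains the
        # client address wins, anything else falls into "default".
        self.groups = [(name, ipaddress.ip_network(cidr)) for name, cidr in groups]
        self.max_total = max_total                    # total concurrent connections
        self.max_per_ip = max_per_ip                  # concurrent connections per source IP
        self.max_per_group = max_per_group            # dict: group name -> concurrent connections
        self.max_concurrent_ops = max_concurrent_ops  # in-flight operations per connection
        self.max_ops_per_conn = max_ops_per_conn      # lifetime operations per connection
        self.idle_timeout = idle_timeout              # seconds a connection may sit idle
        self.conns = {}                               # conn id -> per-connection state

    def group_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, net in self.groups:
            if addr in net:
                return name
        return "default"

    def _count(self, key, value):
        return sum(1 for c in self.conns.values() if c[key] == value)

    def accept(self, conn_id, ip, now):
        """Admit a new connection; returns None, or the reason it is refused."""
        group = self.group_of(ip)
        if len(self.conns) >= self.max_total:
            return "total connection limit"
        if self._count("ip", ip) >= self.max_per_ip:
            return "per-IP connection limit"
        if self._count("group", group) >= self.max_per_group.get(group, self.max_total):
            return "group %s connection limit" % group
        self.conns[conn_id] = {"ip": ip, "group": group,
                               "active": 0, "total": 0, "last": now}
        return None

    def start_op(self, conn_id, now):
        """Account for an operation arriving on an admitted connection."""
        c = self.conns[conn_id]
        if c["active"] >= self.max_concurrent_ops:
            return "too many concurrent operations"
        if c["total"] >= self.max_ops_per_conn:
            return "operation count for this connection exhausted"
        c["active"] += 1
        c["total"] += 1
        c["last"] = now
        return None

    def finish_op(self, conn_id, now):
        c = self.conns[conn_id]
        c["active"] -= 1
        c["last"] = now

    def close(self, conn_id):
        self.conns.pop(conn_id, None)

    def reap_idle(self, now):
        """Close connections with no in-flight operation that have been idle
        longer than idle_timeout; returns the ids closed.  Leaked connections
        are reclaimed here instead of accumulating until max_total is hit."""
        idle = [cid for cid, c in self.conns.items()
                if c["active"] == 0 and now - c["last"] > self.idle_timeout]
        for cid in idle:
            self.close(cid)
        return idle
```

The checks in accept are ordered from cheapest and broadest (total) to narrowest (group), so a flood from one address is refused by the per-IP rule before it can consume the group's or the server's whole budget; without reap_idle, a client that opens connections and never closes them would eventually exhaust max_total for everyone.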
Does Directory Proxy Server support "reverse" proxying?
Strictly speaking, Directory Proxy Server is a reverse proxy: clients connect to it as they would to a directory server, and it forwards their requests to back-end servers chosen by its configuration. LDAP itself has no notion of proxying, so there is nothing for the client to configure; the client simply treats Directory Proxy Server as its LDAP server.
Can Directory Proxy Server prevent "trawling" of an LDAP directory?
Yes. Trawling refers to very broad queries designed to download large portions of your directory, a practice many sites wish to prohibit. Directory Proxy Server can prohibit or limit trawling in a number of ways:
- The scope of searches can be limited to a single level of the directory tree, entire subtrees can be hidden, and a hard limit on the number of entries returned in response to a query can be set.
- Inequality searches can be forbidden, which disallows searches that return many results by exclusion, and substring searches can be restricted by length; for example, prohibiting a search for all entries whose surname starts with a single letter, (sn=A*) through (sn=Z*).
- Directory Proxy Server can also be configured to deny un-indexed searches. Un-indexed searches are inefficient and can have a negative impact on back-end performance.
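The trawling controls above amount to a policy applied to the client's search filter before it is forwarded. The following is an added example, not Directory Proxy Server code: the Policy fields and function names are my own, and treating NOT filters as exclusion searches under the "inequality" rule is an interpretation of the text. It parses an RFC 4515 filter string and reports every rule the filter breaks. Setting forbidden_attrs reproduces the effect of ids-proxy-con-forbidden-compare described under the presence-filter question later in this appendix, which rejects both (mail=*) and (mail=Andy*).

```python
# Added example, not Directory Proxy Server code: parse an RFC 4515 search
# filter and report which anti-trawling rules it violates.  Policy fields and
# function names are hypothetical; NOT filters are treated as exclusion
# searches under the "inequality" rule, which is an interpretation.
import re
from dataclasses import dataclass

ITEM = re.compile(r'^([\w.;-]+)(>=|<=|~=|=)(.*)$')


@dataclass(frozen=True)
class Policy:
    forbid_inequality: bool = True            # refuse >=, <= and (!(...)) exclusion filters
    min_substring_len: int = 3                # (sn=A*) is refused, (sn=And*) is allowed
    forbidden_attrs: frozenset = frozenset()  # attributes that may not be compared at all
    forbid_presence: bool = False             # DPS cannot do this; included for comparison


def parse_filter(text):
    """Return ('and'|'or', [subs]), ('not', sub) or ('item', attr, op, value),
    where op is =, >=, <=, ~=, 'present' for (attr=*) or 'substr' for (attr=a*b)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def parse():
        nonlocal pos
        expect('(')
        if text[pos] in '&|':
            kind = 'and' if text[pos] == '&' else 'or'
            pos += 1
            subs = []
            while text[pos] == '(':
                subs.append(parse())
            expect(')')
            return (kind, subs)
        if text[pos] == '!':
            pos += 1
            sub = parse()
            expect(')')
            return ('not', sub)
        end = text.index(')', pos)          # escaped parens are \28 \29, never raw
        m = ITEM.match(text[pos:end])
        if not m:
            raise ValueError("bad filter item %r" % text[pos:end])
        pos = end + 1
        attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
        if op == '=' and value == '*':
            return ('item', attr, 'present', '')
        if op == '=' and '*' in value:
            return ('item', attr, 'substr', value)
        return ('item', attr, op, value)

    try:
        node = parse()
    except IndexError:
        raise ValueError("truncated filter")
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def violations(node, policy):
    """List the reasons a parsed filter is refused (an empty list means allowed)."""
    kind = node[0]
    if kind in ('and', 'or'):
        return [v for sub in node[1] for v in violations(sub, policy)]
    if kind == 'not':
        found = ["exclusion (NOT) filter"] if policy.forbid_inequality else []
        return found + violations(node[1], policy)
    _, attr, op, value = node
    found = []
    if attr in policy.forbidden_attrs:
        found.append("comparison on forbidden attribute %s" % attr)
    if op in ('>=', '<=') and policy.forbid_inequality:
        found.append("inequality filter on %s" % attr)
    if op == 'present' and policy.forbid_presence:
        found.append("presence filter on %s" % attr)
    if op == 'substr' and len(value.replace('*', '')) < policy.min_substring_len:
        found.append("substring filter on %s shorter than %d characters"
                     % (attr, policy.min_substring_len))
    return found


def search_allowed(filter_text, policy=Policy()):
    return not violations(parse_filter(filter_text), policy)
```

The checker walks the whole filter rather than inspecting only its top level, so a broad substring or inequality term hidden inside an AND or OR is still caught; a malformed filter raises ValueError, which a proxy should turn into a refusal rather than forwarding the request as-is.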
Does Directory Proxy Server automatically load balance queries?
Directory Proxy Server supports automatic server load balancing among a set of back-end LDAP servers. Directory Proxy Server also supports automatic fail-over to a secondary LDAP server if the primary LDAP server is down.
How many Directory Servers can one Directory Proxy Server load balance?
The performance needs of the directory servers and the complexity of the work Directory Proxy Server does determine the optimal number of directory servers it should load balance. For example, if Directory Proxy Server is doing complicated work, such as attribute renaming, the number of directory servers it is configured to load balance should be reduced. Consider adding more Directory Proxy Server instances to compensate for the performance impact of complex Directory Proxy Server configurations.
Can search requests be filtered?
Yes. You can configure Directory Proxy Server to refuse searches that attempt to search on a particular attribute. In addition, you can configure Directory Proxy Server to modify incoming search requests to conform to a designated minimum search base, search scope, and time limit.
Can search results be filtered?
Yes. Results can be filtered both in terms of number of entries returned and the attributes that are included in the result set. Search result entries can also be filtered based on the entry DN or content.
How are access groups defined?
Clients are given varying levels of access to the directory based on their network address. Thus, different levels of access can be granted to clients outside the corporate firewall, inside the firewall, on the executive subnetwork, and even to individual machines. Further, the access level can change upon successful completion of an LDAP Bind operation by the client or when an SSL session is established.
Does Directory Proxy Server support protected password authentication?
Yes. Through the use of SASL, a variety of protected password authentication schemes can be implemented. These mechanisms must be supported by the back-end directory server. Directory Proxy Server does not support SASL mechanisms that negotiate connection protection (a SASL security layer), nor the SASL EXTERNAL mechanism.
Does Directory Proxy Server automatically follow referrals?
The following of referrals is configurable based on access group. Various access groups can be configured to automatically follow referrals, return referrals, or discard referrals.
Does Directory Proxy Server cache search result information?
Directory Proxy Server does not support search result caching.
Can Directory Proxy Server rename attributes?
Directory Proxy Server can transparently rename attributes between clients and servers: the client sees one attribute name in its requests and results while the back-end server stores the attribute under another.
How can I analyze logs of connection attempts?
Directory Proxy Server can be configured to either use syslog or write to a specified log file. A popular UNIX utility known as swatch is freely available from Stanford University via ftp at (ftp://ftp.stanford.edu/general/security-tools/swatch). Swatch can be used to monitor the log files generated by Directory Proxy Server and to notify the administrator when defined events occur.
I have configured Directory Proxy Server to follow referrals. However, when I perform a search with an LDAPv2 client I get error 32 (No such object) or some other error.
In order for Directory Proxy Server to receive referrals from the back-end servers, it must use LDAPv3. Make sure you have selected "LDAP version 3 only" on each of your LDAP server properties.
I notice in the log files that some idle client connections are routinely failed over even though all my back-end servers are up.
Your back-end directory server is timing out idle connections and closing them, and Directory Proxy Server fails over these closed connections. You must set an idle connection timeout for Directory Proxy Server as well. This cleans up idle and leaked client connections and also guards against one form of denial of service attack.
Is there a way to restrict search requests containing the presence filter?
Directory Proxy Server does not restrict clients from using the presence filter. There are two indirect ways to address this issue:
- Set the ids-proxy-con-forbidden-compare attribute to the name of the attribute that you do not want to be compared. This method is overly restrictive, as it rejects searches containing both (mail=*) and (mail=Andy*) filters.
- Use the ids-proxy-con-size-limit attribute and the ids-proxy-sch-SizeLimitProperty. Because a presence filter (attrName=*) always generates the same result set (assuming the data has not changed), these size limits can be used to limit the damage. Although LDAP does not require entries to be returned in any particular order, in practice an implementation returns the set either sorted or unsorted, and in the same order every time. Hence, if Directory Proxy Server is configured with a size limit (using the size-limit attribute or the SizeLimitProperty), only the first 'n' entries of that set are returned every time. Because there can only be two such sets of 'n' entries, the risk of trawling the directory is greatly reduced. This argument holds only as long as the client cannot vary the filter to walk through the directory in pieces, so combine the size limit with the substring-length and inequality restrictions described earlier in this appendix.
Note that Directory Proxy Server tries to set this size limit in the request itself when possible, and therefore the directory server will not be burdened with sending all the entries.
The size limit property lets you apply exceptions to the size limits imposed, where necessary. Suppose, for example, that you have an entry o=A under which there are 400 organizational units, and under each of those OUs there are people. If you want clients to see all the OUs but only five people at a time, set up the SizeLimitProperty so that no limit is applied to a search with base o=A and one-level scope; for all other searches a limit of 5 applies.
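To make the exception mechanism concrete, here is an added example that is not Directory Proxy Server code: SizeLimitPolicy, forwarded_limit, truncate_results and the sample entries in demo are constructed for illustration and do not correspond to product internals. It models a default limit of 5 with a no-limit exception for one-level searches under o=A, computes the limit the proxy would place in the forwarded request (the stricter of the client's own limit and the proxy's), and shows the result sets the client sees for the two searches in the paragraph above.

```python
# Added example, not Directory Proxy Server code: a default size limit with
# (base, scope) exceptions, in the spirit of ids-proxy-con-size-limit plus a
# SizeLimitProperty.  Names below are hypothetical.
BASE, ONELEVEL, SUBTREE = 0, 1, 2          # LDAP search scope values


def normalize_dn(dn):
    """Crude DN normalisation for comparison: lowercase, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class SizeLimitPolicy:
    """A default size limit plus (base, scope, limit) exceptions; 0 means no limit."""

    def __init__(self, default_limit, exceptions=()):
        self.default_limit = default_limit
        self.exceptions = [(normalize_dn(base), scope, limit)
                           for base, scope, limit in exceptions]

    def proxy_limit(self, base_dn, scope):
        key = normalize_dn(base_dn)
        for base, exc_scope, limit in self.exceptions:
            if key == base and scope == exc_scope:
                return limit
        return self.default_limit

    def forwarded_limit(self, base_dn, scope, client_limit):
        """Size limit to place in the request sent to the back end: the stricter
        of the client's own limit and the proxy's, where 0 means unlimited.
        Putting it in the request spares the back end from sending every entry."""
        proxy = self.proxy_limit(base_dn, scope)
        if proxy == 0:
            return client_limit
        if client_limit == 0:
            return proxy
        return min(client_limit, proxy)


def truncate_results(entries, limit):
    """Enforce the limit on entries coming back; returns (kept, truncated)."""
    if limit == 0 or len(entries) <= limit:
        return list(entries), False
    return list(entries[:limit]), True


def demo():
    """Constructed sample data: 400 OUs under o=A, 50 people under one OU."""
    policy = SizeLimitPolicy(5, [("o=A", ONELEVEL, 0)])
    ous = ["ou=%d,o=A" % i for i in range(400)]
    people = ["uid=%d,ou=1,o=A" % i for i in range(50)]
    kept_ous, _ = truncate_results(ous, policy.forwarded_limit("o=A", ONELEVEL, 0))
    kept_people, cut = truncate_results(
        people, policy.forwarded_limit("ou=1,o=A", ONELEVEL, 1000))
    return len(kept_ous), len(kept_people), cut
```

In demo the one-level search under o=A returns all 400 OUs because the exception lifts the limit, while the search for people under one OU is cut to 5 even though the client asked for 1000; a client that asks for fewer than 5 gets its own smaller limit, since the proxy only ever tightens the limit, never loosens it.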
When I try to execute a task or perform some console function, I get an error message saying I need to make sure the Administration Server is running properly and that this host is permitted to connect to the Administration Server.
Log in to the Administration Server that is managing the Directory Proxy Server whose console produced the error messages. It may be necessary to start the Sun Java System Console on the host machine of the Administration Server. Open the server console for the Administration Server that is managing the Directory Proxy Server on which you are unsuccessfully trying to invoke tasks. Click the Configuration tab and then the Network tab. Under Connection Restrictions, make sure that the host machine of the Sun Java System Console that is unsuccessfully trying to manage Directory Proxy Server is not restricted from accessing the Administration Server. See the Sun Java System Console Server Management Guide for more information.