Sun Java(TM) System Directory Proxy Server 5.2 2005Q1 Administration Guide 

Chapter 7
Creating and Managing Groups

When an LDAP client requests a service from an LDAP directory, it connects to Directory Proxy Server, which identifies the client's access rights from the client profile, determines whether the client is allowed to request the service from the directory, imposes configured restrictions, and then forwards the request to the appropriate directory. This chapter explains how to configure Directory Proxy Server to identify clients and impose any restrictions using the Directory Proxy Server Configuration Editor Console.

The chapter has the following sections.


Overview of Groups

Directory Proxy Server network groups are key to understanding how Directory Proxy Server works—they define how Directory Proxy Server should identify an LDAP client and what restrictions Directory Proxy Server should enforce on clients that match that group. It's important that you understand Directory Proxy Server groups clearly in order to use them to effectively control directory access by LDAP clients.

You use network groups to identify the following:

Directory Proxy Server determines the group membership for a client by attempting to match the connection's origination attributes with a group's criteria. The server checks the currently configured groups in descending order of priority, from the highest to the lowest. The first group whose criteria match the connection's origination attributes receives the connection. For this reason, it's important to create separate groups for generic and specific criteria, and to prioritize the groups from most specific to most general.

If no groups are found to match a client, the client's request is rejected and the connection is closed. For this reason, there must be at least one group entry in the Directory Proxy Server configuration.

The order of priority for groups is specified by their placement in the Network Groups window of the Directory Proxy Server Configuration Editor Console (see Figure 7-1). In this window, groups on the bottom of the list have less priority than those towards the top. The order of evaluation of groups with equal priority is undefined.

Figure 7-1 Directory Proxy Server Configuration Editor Console: Network Groups

Directory Proxy Server  Configuration Editor Groups window.

Note that clients are initially placed in a group based on the network address they connect from, for example, their IP address and/or domain name. They may change group after a successful bind; for details, see Creating and Managing Event Objects. Once a client obtains membership in a group, all the properties of that group apply to the client.

Figure 7-2 illustrates how groups are evaluated by Directory Proxy Server in response to a client query.

Figure 7-2 Directory Proxy Server Decision Tree for Determining Group Membership

Directory Proxy Server Console decision tree for determining group membership. Clients are initially identified into a group based on the network address they connect from. They may change their group after a successful bind.

Network criteria for groups can be based on the following:

Note that if a domain name suffix rule is used to identify clients, make sure that DNS is set up to return fully qualified names to reverse lookups. This feature will not work if short names are returned.

To further understand how Directory Proxy Server evaluates groups, take a look at the sample groups listed in Table 7-1. It shows five groups, created with specific to generic network criteria, and listed in the descending order of priority.

Table 7-1 Sample Groups

Priority   Group Name             Network Criteria
5          Admin-machine          129.153.129.72
4          IT-management-subnet   129.153.120.0/24
3          Operations             .ops.sun.com
2          Catch-all              ALL
1          Trusted                0.0.0.0

When an LDAP client requests a service from an LDAP directory, Directory Proxy Server first checks whether the connection is from IP address 129.153.129.72. If it isn't, Directory Proxy Server checks whether the connection's address lies within 129.153.120.0/24. If it does not, Directory Proxy Server checks whether the connection originated from a host whose name ends in .ops.sun.com. If it didn't, Directory Proxy Server places the connection in the Catch-all group (the Trusted group below it is never reached, because ALL matches every connection), and then moves to the next step in the decision tree (see Figure 7-2).

Figure 7-3 shows that part of the Directory Proxy Server Configuration Editor Console where you are able to create groups.

Figure 7-3 Directory Proxy Server Network Group Definition

Directory Proxy Server  Configuration Editor Network Groups window.

Table 7-2 summarizes the criteria that can be specified when a network group is created.

Table 7-2 List of Available Criteria for Network Groups

Criteria        Description

Load Balancing  Enables you to specify a group of LDAP servers, represented by a Load Balance property, to which this group forwards LDAP requests; for details, see Load Balancing Property.

Network         Enables you to specify connection details and other network criteria for clients so that their requests get sorted or filtered into the appropriate groups.

Events          Enables you to specify which events, if any, to associate with a group, so that clients in the group can change group after binding successfully to a specified directory. Shows the list of existing event objects; for details, see Creating and Managing Event Objects.

Encryption      Enables you to specify encryption criteria for the group (for example, whether clients can request an SSL session).

Compatibility   The LDAP v2 specification (RFC 1777) does not allow a client to bind multiple times in one session. However, some clients expect this functionality. This option can be set to interoperate with these clients.

Forwarding      Enables you to specify the criteria for passing bind, compare, and other LDAP requests to the server.

Data Hiding     Enables you to specify which subtrees, entries, or attributes of entries in a directory are to be hidden from a group. Shows the list of existing objects for the Forbidden Entry property; for details, see Forbidden Entry Property.

Search          Enables you to specify the scope and size limit of searches for a group. Shows the list of existing objects for the Search Size Limit property; for details, see Search Size Limit Property.

Attributes      Enables you to specify rules for preventing certain kinds of search and compare operations from reaching the LDAP server, and for renaming attributes. Shows the list of existing objects for the Attribute Renaming property; for details, see Attribute Renaming Property.

Referrals       Enables you to specify whether a group should forward, follow, or discard referrals returned by the server. Note that a client that does not implement LDAPv3 will not understand forwarded referrals. This setting applies to all referrals except search-continuation referrals.

Server Load     Enables you to specify limits such as the total number of connections to a group, simultaneous and total operations per connection, simultaneous operations per IP address, and so on.


Creating Groups

This section explains how to create groups using the Directory Proxy Server Configuration Editor Console. Before you start creating a group, read Overview of Groups and understand the significance of Directory Proxy Server groups. After you create the required groups and prioritize them, test the configuration to see if the groups filter client requests as desired.

Notice that when creating a network group, you're given the opportunity to specify a variety of criteria. The instructions provided in this section present all these criteria in the order in which they appear on the UI, and rely on your judgement to set the appropriate criteria for a group.

To Create a Network Group in Directory Proxy Server
  1. Access the Directory Proxy Server Configuration Editor Console as described in Accessing the Directory Proxy Server Consoles.
  2. In the navigation tree, select Network Groups.
  3. The right pane shows the list of existing groups.
    Directory Proxy Server  Configuration Editor Groups window.

  4. Click New.
  5. The Network Group window appears.
    Directory Proxy Server  Configuration Editor Network Groups window.

  6. In the Name field, type a name for the group. The name must be a unique alphanumeric string.
  7. Make sure that the Enabled option is selected; by default, it is selected. For a group to be part of a Directory Proxy Server configuration, this option must be selected. Deselect the option to disable the group in a configuration.
  8. If desired, select a Load Balance property from the drop-down menu. This property identifies the set of LDAP servers to which this group forwards LDAP requests. The drop-down list shows existing objects for the Load Balance property as described in Load Balancing Property. Select an appropriate object. By default, no (<NONE>) object is selected. If there isn't a suitable object, you can create one on the fly by clicking the New button.
  9. New. Displays a dialog to create a new Load Balance property.

    Edit. Displays a dialog to edit an existing Load Balance property.

  10. To specify network criteria for the group to sort or filter requests, select Network on the left frame. Then specify the appropriate network values as follows, referring to the description of the on-screen elements:
  11. Specify a connection timeout value. By default, no value is present, which means that connections are not timed out.

    Enable reverse DNS lookup for connecting clients.

    Select Enable TCP no delay.

    Define the Client Network Binding Criteria.
    Directory Proxy Server  Configuration Editor Groups Network window.

    The description of the on-screen elements is as follows:

    Specify connection timeout. Select this box to enter a period of client inactivity after which Directory Proxy Server may close the connection to the client. The value must be a number in seconds, typically 120 or more. By default, no value is present, which also means to not timeout connections. Note that if TCP keepalives are not enabled, this attribute must be present to keep Directory Proxy Server from being clogged by lost client connections.

    Perform reverse DNS lookup of connecting clients. By default, this option is enabled.

    If reverse DNS lookup is disabled, Directory Proxy Server will not perform a reverse DNS lookup to find the domain name of the connecting client.

    If reverse DNS lookup is enabled, and the domain name of the connecting client is not in DNS, Directory Proxy Server closes the connection to the client.

    Disabling reverse DNS lookup can sometimes significantly improve Directory Proxy Server performance. If you have used a domain name or a domain name suffix as a value in the "Client Network Binding Criteria," you must not disable reverse DNS lookup, otherwise Directory Proxy Server will not function properly. DNS must be configured to return full host names to lookup queries.

    Enable TCP no delay. By default, this option is enabled, which disables the Nagle algorithm on connections between Directory Proxy Server and the clients in this group, so that small LDAP messages are sent immediately instead of being held back to be coalesced. Disable the option, re-enabling the Nagle algorithm, only if the network bandwidth between Directory Proxy Server and the clients is small; doing so can substantially degrade response time.

    Client Network Binding Criteria. Use this section to specify which clients are able to bind in this network group.

    No IP binding. Select this option if no client is to be placed in this group by its network address; such a group is used only as the group that clients switch to after a successful bind (see the Events view). By default, this option is selected, so a newly created group accepts no clients by network address until you choose one of the two options below.

    Bind from ANY network host. Select this option if all hosts are allowed to bind with this network group.

    Bind with the following criteria. Select this option to restrict the group to clients connecting from specific domain names or IP addresses; the group must then list at least one domain name or IP address criterion that a host must match to bind to it.

    Add. Displays a dialog to add a network criterion. There are four options: "Domain Name," "IP address," "IP address and bits," and "IP address and quad."

    Edit. Displays a dialog to edit a network criterion.

    Remove. Displays a dialog to remove a network criterion.

    Domain name dialog. Specify the domain name suffix or the full name of the client that can bind to a network group, for example, foo.sun.com. Note that Directory Proxy Server does not assume any domain suffix by default; hence, complete domain names must be provided. A domain name suffix with a leading period, for example, .sun.com will cause all hosts with domain names that end in that suffix to match.

    Also note that if a domain name suffix rule is used to identify clients, make sure that DNS is set up to return fully qualified names to reverse lookups. The rule will not match if short names are returned.

    IP address. Specify a single IP address in dotted decimal form, for example, 198.214.11.1.

    IP address and bits. Specify an IP network in the form <network number>/<mask bits>, for example, 198.214.11.0/24. The first part is the network number and the second indicates how many leading bits of the client's address must match it.

    IP address and quad. Specify an IP network in the form of a pair of dotted decimal quads, <network number>/<netmask>, for example, 198.214.11.0/255.255.255.128. The first part is the network number; the second is the netmask selecting the bits of the client's address that must match. For example, 198.214.11.0/255.255.255.128 matches a host with IP address 198.214.11.63 but not one with IP address 198.214.11.191.

    Note that use of domain names or domain name suffixes requires "Perform reverse DNS lookup of connecting client" to be enabled.
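The group selection described above (the priority order of Table 7-1 and the four criterion forms of the Add dialog), as an added example that is not part of the original guide or of Directory Proxy Server's own code. The Group class, its field names, and the convention that an empty criteria list models "No IP binding" are assumptions made for the illustration; the sample groups and addresses are those of Table 7-1.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Group:
    """Hypothetical model of one network group's Client Network Binding Criteria.
    criteria entries use the Add-dialog forms (domain name or suffix, IP address,
    address/bits, address/quad) plus "ALL" for "Bind from ANY network host";
    an empty list models "No IP binding" (the group is only switched to after a bind)."""
    name: str
    criteria: List[str] = field(default_factory=list)
    reverse_dns: bool = True  # "Perform reverse DNS lookup of connecting clients"


def parse_ip_criterion(crit: str):
    """Return a network for the three IP forms, or None for a domain criterion.
    ip_network accepts "198.214.11.1" (a /32), "198.214.11.0/24" and
    "198.214.11.0/255.255.255.128"; strict=False tolerates host bits being set."""
    try:
        return ipaddress.ip_network(crit, strict=False)
    except ValueError:
        return None  # not an address: a domain name or domain name suffix


def criterion_matches(crit: str, client_ip: str, client_fqdn: Optional[str],
                      reverse_dns: bool) -> bool:
    if crit == "ALL":
        return True
    net = parse_ip_criterion(crit)
    if net is not None:
        return ipaddress.ip_address(client_ip) in net
    # Domain criteria need reverse DNS enabled and a fully qualified name;
    # a short name from DNS never matches, which is the caveat in the text.
    if not reverse_dns or not client_fqdn or "." not in client_fqdn:
        return False
    fqdn = client_fqdn.lower().rstrip(".")
    c = crit.lower()
    return fqdn.endswith(c) if c.startswith(".") else fqdn == c


def select_group(groups: List[Group], client_ip: str,
                 client_fqdn: Optional[str] = None) -> Optional[str]:
    """groups are in descending priority, top of the console list first.
    Returns the first matching group's name; None means no group matched,
    in which case the request is rejected and the connection closed."""
    for g in groups:
        if any(criterion_matches(c, client_ip, client_fqdn, g.reverse_dns)
               for c in g.criteria):
            return g.name
    return None


# The five groups of Table 7-1, in priority order (constructed sample data).
SAMPLE_GROUPS = [
    Group("Admin-machine", ["129.153.129.72"]),
    Group("IT-management-subnet", ["129.153.120.0/24"]),
    Group("Operations", [".ops.sun.com"]),
    Group("Catch-all", ["ALL"]),
    Group("Trusted", ["0.0.0.0"]),  # never reached: Catch-all already matched
]

if __name__ == "__main__":
    for ip, name in [("129.153.129.72", None), ("129.153.120.9", None),
                     ("10.0.0.5", "build1.ops.sun.com"), ("10.0.0.5", "build1")]:
        print(ip, name, "->", select_group(SAMPLE_GROUPS, ip, name))
```

Running it shows the order dependence: the admin host is caught before the subnet and domain rules are tried, a client whose reverse lookup yields only the short name build1 falls through to Catch-all, and a group with reverse DNS disabled never matches a domain criterion at all.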

  12. To associate an event-driven action with the group (for example, to change clients from one group to another), select Events on the left frame and specify the appropriate values on the right frame.
    Directory Proxy Server  Configuration Editor Groups Events window.
  13. The description of the on-screen elements is as follows:

    On bind. The drop-down list shows existing objects for OnBindSuccess events as described in Creating OnBindSuccess Event Objects. Select the name of an object that will be performed when a client successfully completes a bind operation. By default, no (<NONE>) objects are selected. If there isn't an object, you can create one on the fly by clicking on the New button.

    On SSL. The drop-down list shows existing objects for OnSSLEstablished events as described in Creating OnSSLEstablished Event Objects. Select the name of an object that will be performed when a client successfully establishes an SSL session. If there isn't an object, you can create one on the fly by clicking on the New button.

    Edit. Displays a dialog box for editing the behavior of an event.

    New. Displays a dialog box for creating a new event.

  14. To specify encryption criteria for the group (for example, to specify whether clients can request an SSL session), select Encryption on the left frame and specify the appropriate values on the right frame.
    Directory Proxy Server  Configuration Editor Network Groups Encryption window.
  15. The description of the on-screen elements is as follows:

    Client SSL Policy. Configure the client SSL policy.

    Do not use SSL. Select this option if you do not wish to use SSL encryption.

    Clients are able to request an SSL session. Select this option if clients in the group may, but need not, establish an SSL session; a client that requests SSL gets it, and one that does not continues in the clear.

    Clients MUST establish an SSL session. Select this option if the clients in the group must establish an SSL session before performing any operation.

    Referral SSL policy. Configure the SSL policy while following referrals.

    Do not use SSL. Select this option if you do not wish to use SSL encryption.

    Establish an SSL session if client has done so. If this option is enabled, Directory Proxy Server will only initiate SSL for clients in that group if the client already has an SSL session established with Directory Proxy Server.

    Establish an SSL session for all referrals. Select this option if Directory Proxy Server should initiate an SSL session to the referred-to server before forwarding the operation, whether or not the client's own session uses SSL.

  16. To specify compatibility criteria for the group (for example, to allow a client to bind multiple times in one session), select Compatibility on the left frame and specify the appropriate values on the right frame.
    Directory Proxy Server  Configuration Editor Network Groups Compatibility window.
  17. The description of the on-screen element is as follows:

    Enable LDAP v2 clients to bind multiple times over a single session. The LDAP v2 specification (RFC 1777) does not allow a client to bind multiple times in one session. However, some clients expect this functionality. Select this option if you want the group to allow clients to bind more than once over a single LDAPv2 session.

    Enable clients to submit requests with empty attribute type names. Select this option if you want the group to allow clients to submit search requests with one or more entries in the attribute request list as NULL. This compatibility feature allows Directory Proxy Server to interoperate with some broken Java-based clients. Note that NULL attribute names in the attribute request list are in violation of the LDAP protocol. By default this option is set to TRUE. Both compatibility options relax protocol conformance; enable them only for groups whose clients need them.

  18. To specify request-forwarding criteria for the group, select Forwarding on the left frame and specify the appropriate values on the right frame.
  19. Once Directory Proxy Server has accepted a connection from the client and matched a group, it will wait for the client to send the LDAP operation. Directory Proxy Server uses the "Client DN," "Permit Anonymous binds," "Permit simple binds," and "Permit SASL binds" to determine whether to pass the bind request to the server, or reject the bind request and close the client's connection.

    If the client's bind passes enabled tests, Directory Proxy Server will forward it to the server. If the server accepts the bind, the connection is established. If, however, the server returns an error indication for the bind request, Directory Proxy Server will forward the error indication to the client, and then close the connection to the client, if the client was using LDAPv2.
    Directory Proxy Server  Configuration Editor Network Groups Forwarding window.

    The description of the elements in the Binds tab is as follows:

    Allow all clients. By default, this option is enabled, which permits access by all clients.

    Reject clients whose DN is not subordinate to. Select this option if you want the group to check the distinguished name (DN) supplied in a bind. Any client that provides a DN in its bind that is not subordinate to the specified DN is rejected. Use the Browse button to browse an LDAP directory in order to construct the DN.

    Permit anonymous binds. By default, this option is enabled, which permits a bind even if a client has not supplied a password. Disable the option to forbid anonymous binds.

    Permit simple binds. By default, this option is enabled, which permits a client to supply a password in the clear. Disable the option to forbid clear text password authenticated bind requests.

    Permit SASL binds. By default, this option is enabled, which specifies that SASL binds are permitted. Disable the option to forbid SASL authentication.

  20. Select the Operations tab and specify which operations are to be forwarded.
  21. Directory Proxy Server by default forwards search and compare requests. Directory Proxy Server also recognizes an unbind request and closes the connection to the LDAP server.
    Directory Proxy Server Configuration Editor Network Groups Forwarding/Operations window.

    The description of the elements in the Operations tab is as follows:

    Permit search operations. By default, this option is enabled. Disable the option to prevent Directory Proxy Server from forwarding search requests to the server.

    Permit compare operations. By default, this option is enabled. Disable the option to prevent Directory Proxy Server from forwarding compare requests to the server.

    Permit add, delete, modify, modify DN, and extended operations. By default, Directory Proxy Server does not forward add, modify, delete, modify DN, or extended operations requests. To permit forwarding of these operations, enable the appropriate operation to be allowed.

    Note that you must enable "Permit extended operations" if you want your clients to be able to negotiate Start TLS.

  22. To specify data hiding criteria for the group, select Data Hiding on the left frame and specify the appropriate values on the right frame.
  23. Use the Subtree tab to specify which part of the directory tree is to be hidden and Entry tab to specify entries or attributes to be hidden.
    Directory Proxy Server Configuration Editor Network Groups Data Hiding/Subtree window.

    The description of the elements in the Subtree tab is as follows:

    Hiding a subtree of entries. Operations that request entries at or below a forbidden subtree will be rejected with an insufficient access error. Entries that match a search filter and are inside a forbidden subtree are dropped. Note that this option does not remove DN syntax attributes whose values fall under the subtree from entries that are being returned as part of the result.

    Add. Displays a dialog box to add a distinguished name to the list of subtree bases to be excluded. If no distinguished names are present in a network group, the default is to allow access to all entries in the directory. An entry in the list has DN syntax.

    Edit. Displays a dialog box to edit a distinguished name.

    Remove. Removes a distinguished name from the list.

  24. Select the Entry tab and specify which entries or attributes are to be hidden.
    Directory Proxy Server  Configuration Editor Network Groups Data Hiding/Entry window.
  25. The description of the elements in the Entry tab is as follows:

    Specifies an entry hiding property currently in use by this group. The drop-down list shows existing objects for the Forbidden Entry property as described in Creating Forbidden Entry Property Objects. Select the name of an object. By default, no (<NONE>) objects are selected. If there isn't an object, you can create one on the fly by clicking on the New button.

    New. Displays a dialog to create a new Forbidden Entry property.

    Edit. Displays a dialog to edit an existing Forbidden Entry property.

  26. To specify search attributes for the group, select Search on the left frame and specify the appropriate values on the right frame.
    Directory Proxy Server  Configuration Editor Network Groups Search/Size window.
  27. The description of the elements in the Size tab is as follows:

    Restrict maximum number of result entries. Enable this option to specify the maximum number of result entries that may be returned to a client at one time from a single search operation. The value may be any number greater than zero, and if reached, will cause an administrativeLimitExceeded error to be indicated to the client and subsequent entries will be discarded. The default, if this property is disabled, is to not discard entries.

    Add. Displays a dialog to add a Search Size Limit property. For details, see Creating Search Size Limit Property Objects.

    Edit. Displays a dialog to edit a Search Size Limit property.

    Remove. Removes the selected Search Size Limit property from the group without displaying a dialog.

  28. Select the Control tab and specify the criteria for controlling search filters.
    Directory Proxy Server  Configuration Editor Network Groups Search/Control window.
  29. The description of the elements in the Control tab is as follows:

    Permit inequality filters. By default, this option is enabled. Permit inequality filters specifies whether clients are permitted to request searches that contain inequality filters (attr>=value) and (attr<=value). Disable this option if a network group does not permit inequality searches to be performed.

    Restrict time limit for searches. Enable this option and enter a value in seconds for a network group to specify a maximum time limit in seconds for search operations. If the client specifies a time limit that is larger than the value given in this option, the value specified for this network group will override the client's request. By default, this option is disabled and a network group will allow the client to set any time limit, including no limit.

    Specify minimum search filter substring. Enable this option and enter a value to specify the minimum permissible length of a substring in a search filter. The value is a number greater than one. The default, if this option is disabled, is to allow any size of substring in a search filter. This option should be enabled in the network group if you wish to restrict the kinds of searches that may be performed by web robots. For example, a value of 2 will block searches like (cn=A*).


    Note

      This option does not affect presence filters (attrname=*). To disallow presence filters on particular attributes, forbid those attributes on the Search tab of the Attributes view, which rejects any search filter or compare request that uses them.


    Restrict to subtree with DN. Enable this option and specify the base of a subtree for all operations. This option has dn syntax. If this option is disabled, then there is no restriction to a minimum base.

    Operations whose target entry is at or below the minimum base entry are not affected by this option. If the target entry is superior to the minimum base entry, and the operation is a subtree search, then the query will be rewritten before being sent to the server, to change the target entry to be the minimum base. If the target entry is not below the minimum base or a superior of it, the request will be rejected with a no such object error.

    For example, if the "Restrict to subtree with DN" is set as:

    o=sun, st=California, c=US

    and a subtree search of st=California, c=US is received, the search will be rewritten such that the server performs a subtree search of

    o=sun, st=California, c=US

    Browse. Displays a dialog to aid in constructing a valid DN.
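The two DN checks described in this chapter, the Binds tab's "Reject clients whose DN is not subordinate to" (Forwarding view) and the Control tab's "Restrict to subtree with DN", share the same subordinate test. As an added example, not taken from the guide or from Directory Proxy Server's code, the following Python models both. The policy dictionary, the function names, the simplified DN parsing (no escaped commas, no multi-valued RDNs), and the choice to reject a superior target with a non-subtree scope (a case the text does not spell out) are assumptions of the example; the DNs are those of the text's own illustration.

```python
SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = "base", "one", "sub"


def normalize_dn(dn):
    """Split a DN into lowercased RDN components, most specific first.
    Simplification (assumption): no escaped commas and no multi-valued RDNs."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_subordinate(dn, base):
    """True if dn is base itself or lies anywhere below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def is_superior(dn, base):
    """True if dn is a proper ancestor of base (the empty root DN included)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) < len(b) and b[len(b) - len(d):] == d


# Hypothetical representation of the Binds tab settings.
BIND_POLICY = {
    "subordinate_to": "ou=People, o=Sun, c=US",  # None when "Allow all clients" is selected
    "anonymous": False,   # "Permit anonymous binds" deselected
    "simple": True,       # "Permit simple binds"
    "sasl": True,         # "Permit SASL binds"
}


def check_bind(bind_dn, password, mechanism, policy):
    """Binds tab: True if the bind request is forwarded to the server,
    False if Directory Proxy Server rejects it and closes the connection.
    Assumption: a SASL bind is judged only by the SASL switch, since the
    identity it establishes is negotiated with the server."""
    if mechanism == "sasl":
        return bool(policy["sasl"])
    if not bind_dn and not password:
        return bool(policy["anonymous"])   # no DN and no password: anonymous bind
    if not policy["simple"]:
        return False                       # clear-text password binds forbidden
    base = policy.get("subordinate_to")
    return base is None or is_subordinate(bind_dn, base)


def apply_min_base(min_base, target, scope):
    """Control tab, "Restrict to subtree with DN".
    Returns ("forward", base) with the possibly rewritten search base,
    or ("reject", "noSuchObject")."""
    if min_base is None or is_subordinate(target, min_base):
        return ("forward", target)
    if scope == SCOPE_SUB and is_superior(target, min_base):
        return ("forward", min_base)       # rewritten so the server searches the minimum base
    return ("reject", "noSuchObject")


if __name__ == "__main__":
    print(apply_min_base("o=sun, st=California, c=US", "st=California, c=US", SCOPE_SUB))
    print(check_bind("uid=jdoe, ou=People, o=Sun, c=US", "secret", "simple", BIND_POLICY))
```

Note that the rewrite is silent from the client's point of view: a subtree search of st=California, c=US simply returns only entries under o=sun, st=California, c=US, which is what makes this setting useful for hiding sibling subtrees from a group.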

  30. Select the Scope tab and specify the search scope (that a client may specify in a search request).
    Directory Proxy Server  Configuration Editor Network Groups Search/Scope window.
  31. The description of the elements in the Scope tab are as follows:

    Permit all search scopes. By default, this option is enabled, permitting all search scopes by a client.

    Only `base' search scope is permitted. Enable this option to permit only base search scope.

    Only `base' and `one level' searches are permitted. Enable this option to permit only base and one level searches.

  32. Select the References tab and specify what to do if a search-continuation reference is generated during a search.
    Directory Proxy Server  Configuration Editor Network Groups Search/References window.
  33. The description of the elements in the References tab is as follows:

    Discard the reference. By default, this option is enabled, which will discard a reference if it is generated during a search.

    Forward the reference to the client. Enable this option to pass the search continuation reference on to the client unchanged.

    Follow the reference and return result to client. Enable this option to follow and return the result for a search continuation reference. A search continuation referral is a special case of a referral whereby part of the query has been satisfied by the original directory server queried but that directory server has a reference to another directory server with more data satisfying the query. This option can be used to hide the part of your Directory Information Tree whose naming context is mastered by another LDAP server. It also prevents clients from finding out the network address and port on which this server runs.

  34. To specify attribute criteria for the group, select Attributes on the left frame and specify the appropriate values on the right frame.
    Directory Proxy Server  Configuration Editor Network Groups Attributes/Search window.
  35. The description of the elements in the Search tab is as follows:

    This tab is used to prevent certain kinds of search and compare operations from reaching the LDAP server. If the client's request falls under this restriction, Directory Proxy Server will return an insufficient access error to the client.

    Allow any attribute. By default, this option is enabled to permit all attributes to be used for search filters and comparisons.

    Forbid the following attributes. Enable this option to specify the name of an attribute or attributes that cannot be used by a client in a search filter or compare request.

    Only allow the following attributes. Enable this option to list the attributes that may be used in a search filter or compare request. If one or more attributes are listed and a search filter or compare request uses an attribute that is not among them, Directory Proxy Server rejects the request. If no attributes are listed, any attribute may be used. For example, if you want only the cn, dn, and mail attributes to be searchable by clients, add these attributes to the table.

    Add. Displays a dialog box that allows an attribute to be added to the table. You must specify whether these attributes are to be forbidden or permitted.

    Edit. Displays a dialog box to edit a selected attribute in the table.

    Remove. Removes an attribute from the table.
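The filter checks of the Search view's Control tab (inequality filters, minimum substring length) and the attribute restrictions of the Attributes view's Search tab all operate on the parsed search filter. The following is an added example, not code from the guide or from Directory Proxy Server, of a small RFC 2254 filter parser with those checks applied to it; the policy dictionary, the node layout, and the omission of backslash escapes and extensible-match filters are assumptions of the example. It also shows why presence filters are unaffected by the minimum substring length: they are parsed as a separate node kind.

```python
import re

# attribute description, then one of the four item operators, then the value
_ITEM = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$", re.S)


def parse_filter(text):
    """Parse an RFC 2254 search filter string into nested tuples.
    Simplification (assumption): no backslash escapes, no extensible matching."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:10])
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s, children = s[0], s[1:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("expected ')' after %s-list" % op)
        return (op, children), s[1:]
    end = s.index(")")
    m = _ITEM.match(s[:end])
    if not m:
        raise ValueError("bad filter item: %r" % s[:end])
    attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
    if op == "=" and value == "*":
        return ("present", attr), s[end + 1:]
    if op == "=" and "*" in value:
        # pieces between the wildcards: initial, any..., final ('' where absent)
        return ("substring", attr, value.split("*")), s[end + 1:]
    kind = {"=": "equal", ">=": "ge", "<=": "le", "~=": "approx"}[op]
    return (kind, attr, value), s[end + 1:]


# Hypothetical representation of the Control tab and Attributes/Search tab settings.
SAMPLE_POLICY = {
    "permit_inequality": False,          # "Permit inequality filters" deselected
    "min_substring": 2,                  # "Specify minimum search filter substring"
    "forbidden_attrs": {"userpassword"}, # "Forbid the following attributes"
    "allowed_attrs": None,               # "Only allow the following attributes": None or empty = any
}


def attribute_allowed(attr, policy):
    """Attributes view, Search tab: the forbidden list wins, then the allow-only list
    applies if it is non-empty. Used for compare requests as well as filters."""
    attr = attr.lower()
    if attr in policy["forbidden_attrs"]:
        return False
    allowed = policy["allowed_attrs"]
    return not allowed or attr in allowed


def check_filter(node, policy):
    """Return the first violation as a string, or None if the filter may be forwarded."""
    kind = node[0]
    if kind in ("&", "|", "!"):
        for child in node[1]:
            problem = check_filter(child, policy)
            if problem:
                return problem
        return None
    attr = node[1]
    if not attribute_allowed(attr, policy):
        return "insufficientAccessRights: attribute %s may not be used" % attr
    if kind in ("ge", "le") and not policy["permit_inequality"]:
        return "inequality filter on %s not permitted" % attr
    if kind == "substring" and policy["min_substring"]:
        # "present" nodes never reach this branch, matching the note in the text
        if any(0 < len(p) < policy["min_substring"] for p in node[2]):
            return "substring in filter on %s shorter than %d" % (attr, policy["min_substring"])
    return None


if __name__ == "__main__":
    for f in ["(&(objectClass=person)(cn=jo*))", "(cn=A*)", "(cn=*)",
              "(uidNumber>=1000)", "(!(userPassword=x))"]:
        print(f, "->", check_filter(parse_filter(f), SAMPLE_POLICY))
```

A filter that fails any check is the one Directory Proxy Server answers with insufficient access instead of forwarding; the walk over the whole tree matters because a forbidden attribute hidden inside a negation or an OR branch is just as usable for enumeration as one at the top level.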

  36. Select the Renaming tab and specify the rules for renaming of attributes.
    Directory Proxy Server  Configuration Editor Network Groups Attributes/Renaming window.
  37. The description of the elements in the Renaming tab is as follows:

    Add. Displays a dialog box to add one or more existing attribute renaming properties to the following table that will be used by this network group. (See Creating Attribute Renaming Property Objects.)

    Edit. Displays a dialog box to edit a selected attribute renaming property.

    Remove. Remove an attribute renaming property from the table.

  38. Select the Return tab and specify restrictions that are to be applied to search results being returned by the server, before they are forwarded to the client.
    Directory Proxy Server  Configuration Editor Network Groups Attributes/Return window.
  39. The description of the elements in the Return tab is as follows:

    Return all attributes. This option is enabled by default, and it will permit all attributes to be returned.

    Exclude the following attributes. Enable this option to specify the name of the attributes that are to be excluded from search result entries.

    Only return the following attributes. Enable this option to specify the name of attributes that may be returned from a search result, if present.

    Attributes present in a search result entry but not listed in the "Only return the following attributes" table are removed before the entry is forwarded to the client. If that table is empty, all attributes are returned except those listed in the "Exclude the following attributes" table.

    Add. Displays a dialog box that allows an attribute to be added to the table. You must specify above whether these attributes are to be forbidden or permitted.

    Edit. Displays a dialog box to edit a selected attribute in the table.

    Remove. Removes an attribute from the table.
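The Return tab rules above, as an added example that models them in code (this is not Directory Proxy Server code; the sample entry and the mode names "all", "exclude" and "only" are constructed for the illustration):

```python
# Added example, not Directory Proxy Server code: models the Return tab rules
# applied to a search result entry before it is forwarded to the client.
# `mode` mirrors the three options on the tab ("all", "exclude", "only") and
# `table` is the attribute list maintained with Add/Edit/Remove.
# Attribute names are matched case-insensitively, as LDAP attribute types are.

def filter_returned_attributes(entry, mode="all", table=()):
    """Return a copy of `entry` (attribute name -> list of values) holding
    only the attributes the Return tab allows.

    "all":     every attribute is returned (the default).
    "exclude": attributes listed in `table` are stripped.
    "only":    an attribute is returned only if listed in `table`;
               an empty table returns everything, as the guide states.
    """
    if mode not in ("all", "exclude", "only"):
        raise ValueError("unknown Return tab mode: %r" % mode)
    listed = {name.lower() for name in table}
    if mode == "all" or (mode == "only" and not listed):
        return {attr: list(values) for attr, values in entry.items()}
    result = {}
    for attr, values in entry.items():
        in_table = attr.lower() in listed
        if (mode == "only" and in_table) or (mode == "exclude" and not in_table):
            result[attr] = list(values)
    return result


# Constructed sample entry, as a back-end directory server might return it.
SAMPLE_ENTRY = {
    "cn": ["Alice Example"],
    "mail": ["alice@example.com"],
    "userPassword": ["{SSHA}constructed-hash-value"],
    "telephoneNumber": ["+1 555 0100"],
}

if __name__ == "__main__":
    # Strip password hashes from entries returned to clients in this group.
    print(filter_returned_attributes(SAMPLE_ENTRY, "exclude", ["userPassword"]))
    # Return only the white-pages attributes.
    print(filter_returned_attributes(SAMPLE_ENTRY, "only", ["cn", "mail"]))
```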

  40. To specify referrals for the group (for example, whether the group will forward, follow, or discard referrals returned by the server), select Referrals on the left frame and specify the appropriate values on the right frame.
    Directory Proxy Server Configuration Editor Network Groups Referrals window.
  41. The description of the on-screen elements is as follows:

    Discard the referral. Enable this option if the network group should discard all referrals returned by the server.

    Forward the referral to the client. By default, this option is enabled, which will forward referrals returned by the server.

    Follow the referral and return result to client. Enable this option if the network group should follow referrals returned by the server and return the results to the client.

    Bind policy. This option controls the bind policy when an operation is referred and the referral is being followed.

    Note that Directory Proxy Server cannot replay binds for clients bound using a SASL mechanism. Thus the referral operation will be rejected if "Required" is specified and the client used a SASL mechanism to bind.

    Always. Select this option if Directory Proxy Server should always bind anonymously while following a referral for a client connected to this network group.

    Any. Select this option if the network group should use a simple bind when the client used a password-based bind, and otherwise bind anonymously. This is the default.

    Required. Select this option if a network group should reject the referred operation if the client is not password-based bound.

    Maximum referrals per operation. Enter an integer value greater than or equal to zero. This limits the number of referrals that will be followed for a single operation. The default is 15. A value of zero indicates that no limit will be applied.

    Referral SSL Policy. To enable the Referral SSL Policy panel, the "SSL is available" option must be enabled in the Encryption view.

    If client has an SSL session established. Enable this option if the network group should initiate SSL for a referral only when the client already has an SSL session established with Directory Proxy Server. This is the default.

    For all referrals. Enable "For all referrals" if, upon a referral, a group will initiate an SSL session before the operation is forwarded.
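The Bind policy, Maximum referrals per operation and Referral SSL Policy settings above, combined in an added example that is not Directory Proxy Server code (the client bind kinds "anonymous", "simple" and "sasl", the `ssl_for_all` flag and the referral URLs are constructed for the illustration):

```python
# Added example, not Directory Proxy Server code: models how the Referrals
# tab settings combine when the proxy follows a chain of referrals for one
# operation. Client bind kinds are "anonymous", "simple" (password-based)
# and "sasl"; the referral URLs below are constructed sample values.

ALWAYS, ANY, REQUIRED = "Always", "Any", "Required"


class ReferralRejected(Exception):
    """Raised when the referred operation must be rejected."""


def referral_bind(policy, client_bind):
    """Bind the proxy uses toward the referred-to server: "anonymous",
    "simple" (the client's password bind replayed) or "reject"."""
    if client_bind not in ("anonymous", "simple", "sasl"):
        raise ValueError("unknown client bind kind: %r" % client_bind)
    if policy == ALWAYS:
        return "anonymous"
    if policy == ANY:
        return "simple" if client_bind == "simple" else "anonymous"
    if policy == REQUIRED:
        # SASL binds cannot be replayed, so Required rejects them as well.
        return "simple" if client_bind == "simple" else "reject"
    raise ValueError("unknown bind policy: %r" % policy)


def plan_referral_chase(chain, policy, client_bind, client_has_ssl,
                        max_referrals=15, ssl_for_all=False):
    """Return the (url, bind, use_ssl) hops the proxy would take, or raise
    ReferralRejected. max_referrals == 0 means no limit."""
    if max_referrals < 0:
        raise ValueError("Maximum referrals per operation must be >= 0")
    hops = []
    for followed, url in enumerate(chain):
        if max_referrals and followed >= max_referrals:
            raise ReferralRejected("limit of %d referrals reached" % max_referrals)
        bind = referral_bind(policy, client_bind)
        if bind == "reject":
            raise ReferralRejected("Required policy but client bind is %s" % client_bind)
        # Default SSL policy: SSL only if the client's own session is SSL.
        hops.append((url, bind, ssl_for_all or client_has_ssl))
    return hops


if __name__ == "__main__":
    chain = ["ldap://ref1.example.com/dc=example,dc=com",
             "ldap://ref2.example.com/dc=example,dc=com"]
    print(plan_referral_chase(chain, ANY, "sasl", client_has_ssl=True))
```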

  42. To specify server load criteria for the group, select Server Load on the left frame and specify the appropriate values on the right frame.
    Directory Proxy Server Configuration Editor Network Groups Server Load window.
  43. The description of the on-screen elements is as follows:

    Simultaneous operations per connection. Select this option to limit the number of simultaneous operations Directory Proxy Server will process per connection in that group. The value is an integer greater than zero. If this attribute is not present, no limit is enforced. For example, if you set this value to 1, all the clients in that group are forced to perform synchronous LDAP operations. Additional simultaneous requests, except for requests to abandon an operation, fail with a Server Busy error.

    Total operations per connection. Select this option to limit the total number of operations that Directory Proxy Server will allow per connection in a group. The value is an integer greater than zero. If a client exceeds the maximum number of operations allowed for its group on one connection, then that connection will be closed by Directory Proxy Server. If this attribute is not present, then no limit is set.

    Connections to this group. Select this option to limit the number of simultaneous connections to this network group, and specify the number.

    Simultaneous connections per IP address. Select this option to restrict the number of simultaneous connections clients can make from a single IP address. By default, any number of connections is allowed.

  44. Click Save to create the group.
  45. The Directory Proxy Server configuration is modified, and you are prompted to restart the servers that rely on this configuration. Don't restart the servers yet. You can do this after you've completed all the configuration changes.

  46. Repeat Step 3 through Step 24 to create any additional groups.
  47. Go to the Network Groups window (see Step 2) and prioritize the groups appropriately.
  48. Restart the servers as described in Restarting Directory Proxy Server.


Modifying Groups

To Modify a Group
  1. Access the Directory Proxy Server Configuration Editor Console as described in Accessing the Directory Proxy Server Consoles.
  2. In the navigation tree, select Network Groups.
  3. The right pane shows the list of existing groups.
    Directory Proxy Server Configuration Editor Groups window. Modifying Groups.

  4. In the list, select the group you want to modify and click Edit.
  5. Make the required modifications.
  6. Click Save to save your changes.
  7. The Directory Proxy Server configuration is modified, and you are prompted to restart the servers that rely on this configuration. Don't restart the servers yet. You can do this after you've completed all the configuration changes.

  8. Repeat Step 3 through Step 5 to modify any additional groups.
  9. Restart the servers as described in Restarting Directory Proxy Server.


Deleting Groups

You can delete any unwanted network groups from the Directory Proxy Server configuration.

To Delete a Group
  1. Access the Directory Proxy Server Configuration Editor Console as described in Accessing the Directory Proxy Server Consoles.
  2. In the navigation tree, select Network Groups.
  3. The right pane shows the list of existing groups.
    Directory Proxy Server Configuration Editor Groups window. Deleting Groups.

  4. In the list, select the group you want to delete and click Delete.
  5. Confirm your action.
  6. The name of the group you deleted is now removed from the list. The Directory Proxy Server configuration is modified, and you are prompted to restart the servers that rely on this configuration. Don't restart the servers yet. You can do this after you've completed all the configuration changes.

  7. Repeat Step 3 and Step 4 to delete any additional groups.
  8. Restart the servers as described in Restarting Directory Proxy Server.




Part No: 817-7615-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.