Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide

Chapter 25 Directory Proxy Server Connection Handlers

For an overview of the role of connection handlers and a description of the criteria and policies used in connection handlers, see Chapter 21, Directory Proxy Server Connection Handlers, in Sun Java System Directory Server Enterprise Edition 6.0 Reference.

This chapter covers the following topics:

    • Creating, Configuring, and Deleting Connection Handlers

    • Creating and Configuring Request Filtering Policies and Search Data Hiding Rules

    • Creating and Configuring a Resource Limits Policy

    • Configuring Directory Proxy Server as a Connection Based Router

Creating, Configuring, and Deleting Connection Handlers

For information about how to create, configure, and delete connection handlers, and to configure affinity for data views, see the following procedures.

Procedure: To Create a Connection Handler

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create a connection handler.


    $ dpconf create-connection-handler -h host -p port connection-handler-name
    
  2. (Optional) View the list of connection handlers.


    $ dpconf list-connection-handlers -h host -p port
    

Procedure: To Configure a Connection Handler

Before You Begin

The properties of a connection handler must be defined in relation to the properties of the other connection handlers that are defined for the Directory Proxy Server instance. Consider the properties of all of your connection handlers to ensure that they specify different sets of criteria and are prioritized correctly.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. View a verbose list of connection handlers to see their key properties and relative priorities.


    $ dpconf list-connection-handlers -h host -p port -v
    Name                        is-enabled  priority  description
    --------------------------  ----------  --------  ---------------------------
    anonymous                   false       99        unauthenticated connections
    default connection handler  true        100       default connection handler

    The connection handlers anonymous and default connection handler are created when you create an instance of Directory Proxy Server. Note that anonymous is created disabled (is-enabled false), so until you enable it, unauthenticated connections are not singled out and fall through to the default connection handler, or to any other enabled handler whose criteria they meet.

  2. View all of the properties of one connection handler.


    $ dpconf get-connection-handler-prop -h host -p port connection-handler-name
    

    The default properties of a new connection handler are as follows:


    aci-source                     :  -
    allowed-auth-methods           :  anonymous
    allowed-auth-methods           :  sasl
    allowed-auth-methods           :  simple
    allowed-ldap-ports             :  ldap
    allowed-ldap-ports             :  ldaps
    bind-dn-filters                :  any
    data-view-routing-custom-list  :  -
    data-view-routing-policy       :  all-routable
    description                    :  -
    domain-name-filters            :  any
    enable-data-view-affinity      :  false
    ip-address-filters             :  any
    is-enabled                     :  false
    is-ssl-mandatory               :  false
    priority                       :  99
    request-filtering-policy       :  no-filtering
    resource-limits-policy         :  no-limits
    schema-check-enabled           :  false
    user-filter                    :  any
  3. Configure the priority of the connection handler.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name priority:value
    

    The priority can be any number from 1 to 100, where 1 is the highest priority. For an instance of Directory Proxy Server, the connection handlers are evaluated in order of priority, so a connection is allocated to the highest-priority enabled connection handler whose criteria it satisfies. Give the most specific handlers the highest priority and leave the default connection handler as the catch-all with the lowest priority.

  4. (Optional) Specify the DN filtering property of the connection handler.

    This property enables you to control access based on part or all of the bind DN. The value of the property is a regular expression.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     bind-dn-filters:regular-expression
    

    The bind DN filter takes the form of a Java regular expression. For information about creating Java regular expressions, see http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html.

    For example, to send all binds from users under ou=people,dc=example,dc=com to a connection handler named secure-handler, set the bind-dn-filters property as follows:


    $ dpconf set-connection-handler-prop -h host1 -p 1389 secure-handler \
     bind-dn-filters:"uid=.*,ou=people,dc=example,dc=com"
  5. (Optional) Specify the name of a request filtering policy to use with this connection handler.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     request-filtering-policy:policy-name
    

    where policy-name is the name of an existing request filtering policy. For information about how to create and configure a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules.

  6. (Optional) Specify the name of a resource limits policy to use with this connection handler.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     resource-limits-policy:policy-name
    

    where policy-name is the name of an existing resource limits policy. For information about how to create and configure a resource limits policy, see Creating and Configuring a Resource Limits Policy.

  7. Configure any other properties that are listed in Step 2.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     property:value [property:value ...]

    For example, configure the connection handler to accept SSL connections only.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     is-ssl-mandatory:true

    For a description of a property and a list of its valid values, run this command:


    $ dpconf help-properties connection-handler
  8. Enable the connection handler.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name is-enabled:true
  9. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
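The procedure above sets the criteria of a connection handler one property at a time, so it is worth seeing how they combine when a connection arrives. The following Python is an added model of that selection logic written for this page; it is not code from Directory Proxy Server or its documentation. Handlers are sorted by priority, a disabled handler is skipped, and the first handler whose criteria the connection satisfies wins. The handler set is the two built-in handlers from the verbose listing plus the secure-handler from Step 4. The anonymous handler's allowed-auth-methods value, the whole-DN and case-sensitive treatment of bind-dn-filters, and all of the client connections are assumptions made for the example.

```python
"""Added model of how a Directory Proxy Server instance allocates a connection
to a connection handler. Not product code: it implements the rules the
procedure above describes, with the assumptions noted in the comments."""
import re
from dataclasses import dataclass


@dataclass
class ConnectionHandler:
    name: str
    priority: int                        # 1 is the highest priority, 100 the lowest
    is_enabled: bool = False             # a new handler is created disabled
    allowed_auth_methods: tuple = ("anonymous", "sasl", "simple")
    allowed_ldap_ports: tuple = ("ldap", "ldaps")
    is_ssl_mandatory: bool = False
    bind_dn_filters: tuple = ("any",)    # "any" or Java-style regular expressions


@dataclass
class Connection:
    bind_dn: str          # "" for an anonymous bind
    auth_method: str      # "anonymous", "simple" or "sasl"
    port: str             # "ldap" or "ldaps"


def bind_dn_matches(filters, bind_dn):
    """ASSUMPTION: the pattern must match the whole bind DN and is
    case-sensitive unless it says otherwise (for example a leading (?i))."""
    if "any" in filters:
        return True
    return any(re.fullmatch(pattern, bind_dn) for pattern in filters)


def handler_accepts(handler, conn):
    """True when every criterion of the handler is met by the connection."""
    if not handler.is_enabled:
        return False
    if conn.auth_method not in handler.allowed_auth_methods:
        return False
    if conn.port not in handler.allowed_ldap_ports:
        return False
    if handler.is_ssl_mandatory and conn.port != "ldaps":
        return False
    return bind_dn_matches(handler.bind_dn_filters, conn.bind_dn)


def select_handler(handlers, conn):
    """Evaluate handlers in priority order; the first match gets the
    connection. Returns the handler name, or None if nothing matches."""
    for handler in sorted(handlers, key=lambda h: h.priority):
        if handler_accepts(handler, conn):
            return handler.name
    return None


# Constructed configuration: the two built-in handlers as shown by
# dpconf list-connection-handlers -v, plus the secure-handler from Step 4.
# Restricting the anonymous handler to anonymous binds is an assumption.
HANDLERS = [
    ConnectionHandler("anonymous", 99, False, ("anonymous",)),
    ConnectionHandler("secure-handler", 10, True, is_ssl_mandatory=True,
                      bind_dn_filters=("uid=.*,ou=people,dc=example,dc=com",)),
    ConnectionHandler("default connection handler", 100, True),
]

# Constructed client connections.
CASES = {
    "alice over LDAPS": Connection("uid=alice,ou=people,dc=example,dc=com", "simple", "ldaps"),
    "alice over LDAP": Connection("uid=alice,ou=people,dc=example,dc=com", "simple", "ldap"),
    "anonymous": Connection("", "anonymous", "ldap"),
    "upper-case DN": Connection("UID=bob,OU=People,DC=example,DC=com", "simple", "ldaps"),
}

if __name__ == "__main__":
    for label, conn in CASES.items():
        print(f"{label:17s} -> {select_handler(HANDLERS, conn)}")
```

Two of the results matter when you review a configuration. A plaintext bind from uid=alice is not rejected by the is-ssl-mandatory setting on secure-handler; it simply does not match that handler and falls through to default connection handler, so the lower-priority handlers you leave enabled decide what a non-TLS client may do. And the upper-case DN misses the case-sensitive pattern; if your clients send DNs in varying case, confirm how the bind DN is normalized before relying on the regular expression, or make the pattern case-insensitive.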

Procedure: To Delete a Connection Handler

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. (Optional) View the list of connection handlers.


    $ dpconf list-connection-handlers -h host -p port
    
  2. Delete one or more connection handlers.


    $ dpconf delete-connection-handler -h host -p port connection-handler-name [connection-handler-name ... ]

Procedure: To Configure Affinity for Data Views

When a connection is allocated to a connection handler, requests on that connection are exposed to the list of data views that are configured for that connection handler, or to all of the configured data views. When data view affinity is enabled, successive requests on that connection are exposed exclusively to the data view that was used for the first request.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Enable affinity for data views.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     enable-data-view-affinity:true
  2. (Optional) Configure the connection handler to route requests to a custom list of data views.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name data-view-routing-policy:custom
  3. (Optional) Configure the list of data views.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     data-view-routing-custom-list:view-name [data-view-routing-custom-list:view-name ...]

Creating and Configuring Request Filtering Policies and Search Data Hiding Rules

For an overview of request filtering policies, see Request Filtering Policies for Connection Handlers in Sun Java System Directory Server Enterprise Edition 6.0 Reference. For an overview of search data hiding rules, see Search Data Hiding Rules in the Request Filtering Policy in Sun Java System Directory Server Enterprise Edition 6.0 Reference.

For information about how to create and configure request filtering policies and search data hiding rules, see the following procedures.

Procedure: To Create a Request Filtering Policy

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create a request filtering policy.


    $ dpconf create-request-filtering-policy -h host -p port policy-name
    
  2. Associate the request filtering policy with a connection handler.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     request-filtering-policy:policy-name
    

Procedure: To Configure a Request Filtering Policy

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. View the properties of a request filtering policy.


    $ dpconf get-request-filtering-policy-prop -h host -p port policy-name
    

    The default properties of a request filtering policy are as follows:


    allow-add-operations                :  true
    allow-bind-operations               :  true
    allow-compare-operations            :  true
    allow-delete-operations             :  true
    allow-extended-operations           :  true
    allow-inequality-search-operations  :  true
    allow-modify-operations             :  true
    allow-rename-operations             :  true
    allow-search-operations             :  true
    allowed-comparable-attrs            :  all
    allowed-search-scopes               :  base
    allowed-search-scopes               :  one-level
    allowed-search-scopes               :  subtree
    allowed-subtrees                    :  ""
    description                         :  -
    prohibited-comparable-attrs         :  none
    prohibited-subtrees                 :  none
  2. Configure the request filtering policy by setting one or more of the properties listed in Step 1.


    $ dpconf set-request-filtering-policy-prop -h host -p port policy-name \
      property:value [property:value ...]

    By setting the properties listed in Step 1, you configure the following features of the request filtering policy:

    • The types of operations that clients are allowed to perform

    • The subtrees that are exposed to a client or hidden from a client

    • The scope for search operations

    • The types of search filters

    • The attribute types that can or cannot be compared in search and compare operations

Procedure: To Create Search Data Hiding Rules

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create one or more search data hiding rules for a request filtering policy.


    $ dpconf create-search-data-hiding-rule -h host -p port policy-name rule-name \
     [rule-name ...]
  2. View the properties of a search data hiding rule.


    $ dpconf get-search-data-hiding-rule-prop -h host -p port policy-name rule-name
    

    The default properties of a search data hiding rule are as follows:


    attrs                              :  -
    rule-action                        :  hide-entry
    target-attr-value-assertions       :  -
    target-dn-regular-expressions      :  -
    target-dns                         :  -
  3. Configure a search data hiding rule by setting one or more of the properties listed in Step 2.


    $ dpconf set-search-data-hiding-rule-prop -h host -p port policy-name rule-name \
      property:value [property:value ...]

    One of the following rule actions can be used:

    hide-entry

    The target entry is not returned.

    hide-attributes

    The target entry is returned but the specified attributes are filtered out.

    show-attributes

    The target entry is returned but the unspecified attributes are filtered out.

    The rule can be applied to the following entries:

    target-dns

    Entries with the specified DN

    target-dn-regular-expressions

    Entries with the specified DN pattern

    target-attr-value-assertions

    Entries with a specified attribute name and attribute value pair (attrName#attrValue)

    The following configuration defines a search data hiding rule that hides every entry whose objectclass attribute includes inetorgperson.


    $ dpconf set-search-data-hiding-rule-prop -h host1 -p port my-policy my-rule \
      target-attr-value-assertions:objectclass#inetorgperson

Example Request Filtering Policy and Search Data Hiding Rule

The following examples contain a request filtering policy and a search data hiding rule. When the request filtering policy is combined with the search data hiding rule, access to data is limited as follows: clients can only bind, compare, and search (including inequality searches and any search scope), every write operation and extended operation is refused, requests are confined to the ou=people,dc=sun,dc=com subtree, and within that subtree entries with the object class inetorgperson are never returned in search results.


Example 25–1 Sample Request Filtering Policy


allow-add-operations                :  false
allow-bind-operations               :  true
allow-compare-operations            :  true
allow-delete-operations             :  false
allow-extended-operations           :  false
allow-inequality-search-operations  :  true
allow-modify-operations             :  false
allow-rename-operations             :  false
allow-search-operations             :  true
allowed-comparable-attrs            :  all
allowed-search-scopes               :  base
allowed-search-scopes               :  one-level
allowed-search-scopes               :  subtree
allowed-subtrees                    :  ou=people,dc=sun,dc=com
description                         :  myRequestFilteringPolicy
prohibited-comparable-attrs         :  none
prohibited-subtrees                 :  none


Example 25–2 Sample Search Data Hiding Rule


attrs                              :  -
rule-action                        :  hide-entry
target-attr-value-assertions       :  objectclass#inetorgperson
target-dn-regular-expressions      :  -
target-dns                         :  -
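Example 25-1 and Example 25-2 describe what a client is allowed to ask for and which entries it gets back, but the effect is easier to check against concrete requests and entries. The Python below is an added model of both mechanisms, the request checks from To Configure a Request Filtering Policy and the rule actions from To Create Search Data Hiding Rules; it is written for this page and is not Directory Proxy Server code. The policy and the first rule are the two examples above. The second rule, the sample entries, the treatment of an empty allowed-subtrees value as unrestricted, the requirement that the target DN lie inside an allowed subtree, and the whole-DN match for target-dn-regular-expressions are assumptions made for the example.

```python
"""Added model of a request filtering policy and its search data hiding rules.
Not product code; assumptions are marked in the comments."""
import re
from dataclasses import dataclass


def norm_dn(dn):
    """Crude DN normalisation: lower-case, no spaces around commas."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def is_under(dn, base):
    nd, nb = norm_dn(dn), norm_dn(base)
    return nd == nb or nd.endswith("," + nb)


@dataclass
class RequestFilteringPolicy:
    allowed_operations: frozenset           # the allow-*-operations flags set to true
    allowed_search_scopes: frozenset = frozenset({"base", "one-level", "subtree"})
    allowed_subtrees: tuple = ()            # empty = no restriction (ASSUMPTION)
    prohibited_subtrees: tuple = ()
    allow_inequality_search: bool = True


@dataclass
class SearchDataHidingRule:
    rule_action: str = "hide-entry"         # hide-entry, hide-attributes or show-attributes
    attrs: tuple = ()
    target_dns: tuple = ()
    target_dn_regular_expressions: tuple = ()
    target_attr_value_assertions: tuple = ()  # "attrName#attrValue"


def request_allowed(policy, operation, target_dn, scope=None, ldap_filter=None):
    """Return (allowed, reason) for one client request. The target DN must lie
    inside an allowed subtree (ASSUMPTION: a search based above it is refused)."""
    if operation not in policy.allowed_operations:
        return False, f"{operation} operations are not allowed"
    if policy.allowed_subtrees and not any(is_under(target_dn, s) for s in policy.allowed_subtrees):
        return False, "target DN is outside allowed-subtrees"
    if any(is_under(target_dn, s) for s in policy.prohibited_subtrees):
        return False, "target DN is inside prohibited-subtrees"
    if operation == "search":
        if scope not in policy.allowed_search_scopes:
            return False, f"search scope {scope} is not allowed"
        if not policy.allow_inequality_search and ldap_filter and re.search(r"[<>]=", ldap_filter):
            return False, "inequality search filters are not allowed"
    return True, "ok"


def rule_targets(rule, entry):
    """Does the rule apply to this entry? Entries are dicts with a 'dn' key and
    lower-case attribute names mapping to lists of values."""
    dn = entry["dn"]
    if any(norm_dn(dn) == norm_dn(t) for t in rule.target_dns):
        return True
    if any(re.fullmatch(p, dn) for p in rule.target_dn_regular_expressions):  # ASSUMPTION: whole-DN match
        return True
    for ava in rule.target_attr_value_assertions:
        name, _, value = ava.partition("#")
        if value.lower() in (v.lower() for v in entry.get(name.lower(), ())):
            return True
    return False


def apply_hiding_rules(rules, entries):
    """Filter search results the way the proxy would before returning them."""
    visible = []
    for entry in entries:
        out = dict(entry)
        for rule in rules:
            if not rule_targets(rule, entry):
                continue
            if rule.rule_action == "hide-entry":
                out = None
                break
            hide = rule.rule_action == "hide-attributes"
            out = {a: v for a, v in out.items()
                   if a == "dn" or (a not in rule.attrs if hide else a in rule.attrs)}
        if out is not None:
            visible.append(out)
    return visible


# Example 25-1 and Example 25-2 above, as model objects.
POLICY = RequestFilteringPolicy(
    allowed_operations=frozenset({"bind", "compare", "search"}),
    allowed_subtrees=("ou=people,dc=sun,dc=com",),
)
RULES = [
    SearchDataHidingRule(target_attr_value_assertions=("objectclass#inetorgperson",)),
    # Added second rule: strip password hashes from any other entry under ou=people.
    SearchDataHidingRule("hide-attributes", attrs=("userpassword",),
                         target_dn_regular_expressions=("cn=.*,ou=people,dc=sun,dc=com",)),
]
# Constructed sample entries.
ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=sun,dc=com",
     "objectclass": ["top", "person", "inetOrgPerson"], "mail": ["alice@sun.com"]},
    {"dn": "cn=bob,ou=people,dc=sun,dc=com",
     "objectclass": ["top", "person"], "sn": ["Bob"], "userpassword": ["{SSHA}constructed"]},
    {"dn": "cn=admins,ou=people,dc=sun,dc=com",
     "objectclass": ["top", "groupofnames"], "member": ["cn=bob,ou=people,dc=sun,dc=com"]},
]

if __name__ == "__main__":
    print(request_allowed(POLICY, "modify", "uid=alice,ou=people,dc=sun,dc=com"))
    for e in apply_hiding_rules(RULES, ENTRIES):
        print(e)
```

Run against the sample entries, the inetOrgPerson entry disappears entirely while the plain person and the group are returned, and the added hide-attributes rule removes userpassword from bob without touching the other attributes. The policy refuses the modify outright and refuses a subtree search based at dc=sun,dc=com, which is the behaviour to confirm on a real instance before trusting allowed-subtrees to confine a client.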

Creating and Configuring a Resource Limits Policy

For an overview of resource limits policies, see Resource Limits Policies for Connection Handlers in Sun Java System Directory Server Enterprise Edition 6.0 Reference. For information about how to create and configure resource limits policies and to customize search limits, see the following procedures.

Procedure: To Create a Resource Limits Policy

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create a resource limits policy.


    $ dpconf create-resource-limits-policy -h host -p port policy-name
    

    For information about how to modify the properties of a resource limits policy, see To Configure a Resource Limits Policy.

  2. Associate the resource limits policy with a connection handler.


    $ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
     resource-limits-policy:policy-name
    

Procedure: To Configure a Resource Limits Policy

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. View the properties of a resource limits policy.


    $ dpconf get-resource-limits-policy-prop -h host -p port policy-name
    

    The default properties of a resource limits policy are as follows:


    description                                 :  -
    max-client-connections                      :  unlimited
    max-connections                             :  unlimited
    max-simultaneous-operations-per-connection  :  unlimited
    max-total-operations-per-connection         :  unlimited
    minimum-search-filter-substring-length      :  unlimited
    referral-bind-policy                        :  default
    referral-hop-limit                          :  default
    referral-policy                             :  default
    search-size-limit                           :  unlimited
    search-time-limit                           :  unlimited
  2. Configure the resource limits policy by setting one or more of the properties that are listed in Step 1:


    $ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
      property:value [property:value ...]

Procedure: To Customize Search Limits

Customized limits can be defined for search operations according to the search base and search scope. If the target DN and scope of a search operation match the specified criteria, the size of the search result is limited to the search-size-limit value of that custom limit rather than to the policy-wide value.

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Create one or more custom search limits.


    $ dpconf create-custom-search-size-limit -h host -p port policy-name \
      custom-search-limit-name [custom-search-limit-name ...]
  2. Set the criteria for the custom search limit.


    $ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \
      custom-search-limit-name one-level-search-base-dn:value subtree-search-base-dn:value
    
  3. Set the limit for the number of results that are returned when a search meets one of the criteria in Step 2.


    $ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \
     custom-search-limit-name search-size-limit:value
    
  4. View the properties of a custom search limit.


    $ dpconf get-custom-search-size-limit-prop -h host -p port policy-name \
      custom-search-limit-name
    

    The default properties of a custom search limit are as follows:


    one-level-search-base-dn  :  -
    search-size-limit         :  unlimited
    subtree-search-base-dn    :  -
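A custom search limit is keyed on the search base and scope, so a client that changes the base of its search falls back to the policy-wide search-size-limit; that policy-wide value is therefore the real backstop against enumeration. The Python below is an added model written for this page, not Directory Proxy Server code, that computes the size limit a search would receive under a resource limits policy and also applies minimum-search-filter-substring-length from To Configure a Resource Limits Policy. It assumes that a custom limit matches the search base DN exactly, that a presence filter such as (uid=*) is not a substring assertion, and uses a constructed policy.

```python
"""Added model of the search controls in a resource limits policy. Not
product code; assumptions are marked in the comments."""
import re
from dataclasses import dataclass
from typing import Optional


def norm_dn(dn):
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


@dataclass
class CustomSearchSizeLimit:
    name: str
    search_size_limit: Optional[int] = None        # None = unlimited
    one_level_search_base_dn: tuple = ()
    subtree_search_base_dn: tuple = ()


@dataclass
class ResourceLimitsPolicy:
    search_size_limit: Optional[int] = None        # None = unlimited
    minimum_search_filter_substring_length: Optional[int] = None
    custom_limits: tuple = ()


# One attribute assertion whose value contains a '*'.
ASSERTION_WITH_STAR = re.compile(r"\(([^=()<>~]+)=([^()]*\*[^()]*)\)")


def shortest_substring(ldap_filter):
    """Length of the shortest literal text in any substring assertion of the
    filter, e.g. (cn=ab*) -> 2. A presence filter such as (uid=*) is not a
    substring assertion (ASSUMPTION) and is ignored. None if there are none."""
    lengths = [len(value.replace("*", ""))
               for _, value in ASSERTION_WITH_STAR.findall(ldap_filter)
               if value != "*"]
    return min(lengths) if lengths else None


def effective_size_limit(policy, base_dn, scope):
    """A custom limit applies when the search scope and base DN match it
    exactly (ASSUMPTION); otherwise the policy-wide limit applies."""
    for limit in policy.custom_limits:
        bases = {"one-level": limit.one_level_search_base_dn,
                 "subtree": limit.subtree_search_base_dn}.get(scope, ())
        if any(norm_dn(base_dn) == norm_dn(b) for b in bases):
            return limit.search_size_limit
    return policy.search_size_limit


def check_search(policy, base_dn, scope, ldap_filter):
    """Return (accepted, size_limit, reason) for one search request."""
    shortest = shortest_substring(ldap_filter)
    minimum = policy.minimum_search_filter_substring_length
    if minimum is not None and shortest is not None and shortest < minimum:
        return False, None, f"substring assertion shorter than {minimum} characters"
    return True, effective_size_limit(policy, base_dn, scope), "ok"


# Constructed policy: a 500-entry cap everywhere, tightened to 50 entries for
# one-level and subtree searches based at ou=people, and substrings of 3+ chars.
POLICY = ResourceLimitsPolicy(
    search_size_limit=500,
    minimum_search_filter_substring_length=3,
    custom_limits=(CustomSearchSizeLimit(
        "people-enum", 50,
        one_level_search_base_dn=("ou=people,dc=example,dc=com",),
        subtree_search_base_dn=("ou=people,dc=example,dc=com",)),),
)

if __name__ == "__main__":
    for base, scope, flt in [("ou=people,dc=example,dc=com", "subtree", "(uid=ali*)"),
                             ("dc=example,dc=com", "subtree", "(uid=ali*)"),
                             ("ou=people,dc=example,dc=com", "one-level", "(cn=a*)")]:
        print(scope, base, flt, "->", check_search(POLICY, base, scope, flt))
```

The second case is the one to notice: the same filter issued with dc=example,dc=com as the base still reaches ou=people but gets the 500-entry policy limit instead of 50. Set the policy-wide search-size-limit to a value you can live with for every client of the handler, and use custom limits only to tighten it further for specific bases.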

Configuring Directory Proxy Server as a Connection Based Router

Directory Proxy Server 5.2 is a connection based router. In Directory Proxy Server 5.2, a client connection is routed to a specific directory server. All requests on that client connection are sent to the same directory server until the connection is broken or until the client unbinds.

Directory Proxy Server 6.0 is an operation based router. However, for compatibility, this version of Directory Proxy Server can be configured as a connection based router, as described in the following procedure.

Procedure: To Configure Directory Proxy Server as a Connection Based Router

  1. Create and configure one or more connection handlers as described in Creating, Configuring, and Deleting Connection Handlers.

    You can also use the default connection handler.

  2. Configure all connection handlers to route requests to the root data view only.

    For example:


    $ dpconf set-connection-handler-prop -h host1 -p 1389 myConnectionHandler \
     data-view-routing-policy:custom data-view-routing-custom-list:"root data view"
  3. Create and configure a data source for each backend LDAP server as described in Creating and Configuring LDAP Data Sources.

    For example:


    $ dpconf create-ldap-data-source -h host1 -p 1389 myDataSource host2:2389
  4. Create and configure a data source pool as described in Creating and Configuring LDAP Data Source Pools.

    For example:


    $ dpconf create-ldap-data-source-pool -h host1 -p 1389 myDataSourcePool
  5. Attach all of the data sources to the data source pool as described in Attaching LDAP Data Sources to a Data Source Pool.

    For example:


    $ dpconf attach-ldap-data-source -h host1 -p 1389 myDataSourcePool myDataSource
  6. Configure each data source to authenticate clients by using BIND replay as described in Forwarding Requests With Bind Replay.

    For example:


    $ dpconf set-ldap-data-source-prop -h host1 -p 1389 myDataSource \
     client-cred-mode:use-client-identity
  7. Configure affinity between the client connection and the data source pool as described in Configuring Client Affinity.

    For example:


    $ dpconf set-ldap-data-source-pool-prop -h host1 -p 1389 myDataSourcePool \
     enable-client-affinity:true client-affinity-policy:read-write-affinity-after-write