For an overview of the connections between clients and Directory Proxy Server, connection handlers, and a description of the criteria and policies used in connection handlers, see Chapter 20, Connections Between Clients and Directory Proxy Server, in Sun Java System Directory Server Enterprise Edition 6.1 Reference.
This chapter covers the following topics:
Creating and Configuring Request Filtering Policies and Search Data Hiding Rules
Configuring Directory Proxy Server as a Connection Based Router
For information about how to create, configure, and delete connection handlers, and to configure affinity for data views, see the following procedures.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create a connection handler.
$ dpconf create-connection-handler -h host -p port connection-handler-name |
(Optional) View the list of connection handlers.
$ dpconf list-connection-handlers -h host -p port |
The properties of a connection handler must be defined in relation to the properties of the other connection handlers that are defined for the Directory Proxy Server instance. Consider the properties of all of your connection handlers to ensure that they specify different sets of criteria and are prioritized correctly.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
View a verbose list of connection handlers to see their key properties and relative priorities.
$ dpconf list-connection-handlers -h host -p port -v Name is-enabled priority description -------------------------- ---------- -------- --------------------------- anonymous false 99 unauthenticated connections default connection handler true 100 default connection handler |
The connection handlers anonymous and default connection handler are created when you create an instance of Directory Proxy Server.
View all of the properties of one connection handler.
$ dpconf get-connection-handler-prop -h host -p port connection-handler-name |
The default properties of a new connection handler are as follows:
aci-source : - allowed-auth-methods : anonymous allowed-auth-methods : sasl allowed-auth-methods : simple allowed-ldap-ports : ldap allowed-ldap-ports : ldaps bind-dn-filters : any data-view-routing-custom-list : - data-view-routing-policy : all-routable description : - domain-name-filters : any enable-data-view-affinity : false ip-address-filters : any is-enabled : false is-ssl-mandatory : false priority : 99 request-filtering-policy : no-filtering resource-limits-policy : no-limits schema-check-enabled : false user-filter : any |
Configure the priority of the connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name priority:value |
The priority can be any number from 1 to 100, where 1 is the highest priority. For an instance of Directory Proxy Server, the connection handlers are evaluated in order of priority.
(Optional) Specify the DN filtering property of the connection handler.
This property enables you to control access based on part or all of the bind DN. The value of the property is a regular expression.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ bind-dn-filters:regular-expression |
The bind DN filter takes the form of a JavaTM regular expression. For information about creating Java regular expressions, see http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html.
For example, to send all binds from users under ou=people,dc=example,dc=com to a connection handler named secure-handler, set the bind-dn-filters property as follows:
$ dpconf set-connection-handler-prop -h host1 -p 1389 secure-handler \ bind-dn-filters:"uid=.*,ou=people,dc=example,dc=com" |
(Optional) Specify the name of a request filtering policy to use with this connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ request-filtering-policy:policy-name |
where policy-name is the name of an existing request filtering policy. For information about how to create and configure a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules.
(Optional) Specify the name of a resource limits policy to use with this connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ resource-limits-policy:policy-name |
where policy-name is the name of an existing resource limits policy. For information about how to create and configure a resource limits policy, see Creating and Configuring a Resource Limits Policy.
Configure any other properties that are listed in Step 2.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ property:value [property:value ...] |
For example, configure the connection handler to accept SSL connections only.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ is-ssl-mandatory:true |
For a description of a property and a list of its valid values, run this command:
$ dpconf help-properties connection-handler |
Enable the connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name is-enabled:true |
If necessary, restart the instance of Directory Proxy Server for the changes to take effect.
For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
(Optional) View the list of connection handlers.
$ dpconf list-connection-handlers -h host -p port |
Delete one or more connection handlers.
$ dpconf delete-connection-handler -h host -p port connection-handler-name [connection-handler-name ... ] |
When a connection is allocated to a connection handler, requests on that connection are exposed to the list of data views that are configured for that connection handler, or to all of the configured data views. Successive requests on that connection are exposed exclusively to the data view that is used for the first request.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Enable affinity for data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ enable-data-view-affinity:true |
(Optional) Configure the connection handler to route requests to a custom list of data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name data-view-routing-policy:custom |
(Optional) Configure the list of data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ data-view-routing-custom-list:view-name [data-view-routing-custom-list:view-name ...] |
To add a data view to an existing list of data views, use this command:
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ data-view-routing-custom-list+:view-name |
To remove a data view from an existing list of data views, use this command:
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ data-view-routing-custom-list-:view-name |
For an overview of request filtering policies, see Request Filtering Policies for Connection Handlers in Sun Java System Directory Server Enterprise Edition 6.1 Reference. For an overview of search data hiding rules, see Search Data Hiding Rules in the Request Filtering Policy in Sun Java System Directory Server Enterprise Edition 6.1 Reference.
For information about how to create and configure request filtering policies and search data hiding rules, see the following procedures.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create a request filtering policy.
$ dpconf create-request-filtering-policy policy-name |
Associate the request filtering policy with a connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ request-filtering-policy:policy-name |
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
View the properties of a request filtering policy.
$ dpconf get-request-filtering-policy-prop -h host -p port policy-name |
The default properties of a request filtering policy are as follows:
allow-add-operations : true allow-bind-operations : true allow-compare-operations : true allow-delete-operations : true allow-extended-operations : true allow-inequality-search-operations : true allow-modify-operations : true allow-rename-operations : true allow-search-operations : true allowed-comparable-attrs : all allowed-search-scopes : base allowed-search-scopes : one-level allowed-search-scopes : subtree allowed-subtrees : "" description : - prohibited-comparable-attrs : none prohibited-subtrees : none |
Configure the request filtering policy by setting one ore more of the properties listed in Step 1.
$ dpconf set-request-filtering-policy-prop -h host -p port policy-name \ property:value [property:value ...] |
By setting the properties listed in Step 1, you configure the following features of the request filtering policy:
The types of operations that clients are allowed to perform
The subtrees that are exposed to a client or hidden from a client
The scope for search operations
The types of search filters
The attribute types that can or cannot be compared in search and compare operations
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create one or more search data hiding rules for a request filtering policy.
$ dpconf create-search-data-hiding-rule -h host -p port policy-name rule-name \ [rule-name ...] |
View the properties of a search data hiding rule.
$ dpconf get-search-data-hiding-rule-prop policy-name rule-name |
The default properties of a search data hiding rule are as follows:
attrs : - rule-action : hide-entry target-attr-value-assertions : - target-dn-regular-expressions : - target-dns : - |
Configure a search data hiding rule by setting one or more of the properties listed in Step 2.
$ dpconf set-search-data-hiding-rule-prop -h host -p port policy-name rule-name \ property:value [property:value ...] |
One of the following rule actions can be used:
The target entry is not returned.
The target entry is returned but the specified attributes are filtered out.
The target entry is returned but the unspecified attributes are filtered out.
The rule can be applied to the following entries:
Entries with the specified DN
Entries with the specified DN pattern
Entries with a specified attribute name and attribute value pair (attrName#attrValue)
The following configuration defines a search data hiding rule that hides entries of type inetorgperson.
$ dpconf set-search-data-hiding-rule-prop -h host1 -p port my-policy my-rule \ target-attr-value-assertions:objectclass#inetorgperson |
The following examples contain a request filtering policy and a search data hiding rule. When the request filtering policy is combined with the search data hiding rule, access to data is limited as follows:
The following types of operations are disallowed: add, delete, extended, modify, and rename.
Only the ou=people,dc=sun,dc=com subtree can be accessed.
Entries other than inetorgperson type are returned by search operations.
allow-add-operations : false allow-bind-operations : true allow-compare-operations : true allow-delete-operations : false allow-extended-operations : false allow-inequality-search-operations : true allow-modify-operations : false allow-rename-operations : false allow-search-operations : true allowed-comparable-attrs : all allowed-search-scopes : base allowed-search-scopes : one-level allowed-search-scopes : subtree allowed-subtrees : ou=people,dc=sun,dc=com description : myRequestFilteringPolicy prohibited-comparable-attrs : none prohibited-subtrees : none |
attrs : - rule-action : hide-entry target-attr-value-assertions : objectclass:inetorgperson target-dn-regular-expressions : - target-dns : - |
For an overview of resource limits policies, see Resource Limits Policies for Connection Handlers in Sun Java System Directory Server Enterprise Edition 6.1 Reference. For information about how to create and configure resource limits policies and to customize search limits, see the following procedures.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create a resource limits policy.
$ dpconf create-resource-limits-policy -h host -p port policy-name |
For information about how to modify the properties of a resource limits policy, see To Configure a Resource Limits Policy.
Associate the resource limits policy to a connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \ resource-limits-policy:policy-name |
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
View the properties of a resource limits policy.
$ dpconf get-resource-limits-policy-prop -h host -p port policy-name |
The default properties of a resource limits policy are as follows:
description : - max-client-connections : unlimited max-connections : unlimited max-simultaneous-operations-per-connection : unlimited max-total-operations-per-connection : unlimited minimum-search-filter-substring-length : unlimited referral-bind-policy : default referral-hop-limit : default referral-policy : default search-size-limit : unlimited search-time-limit : unlimited |
Configure the resource limits policy by setting one or more of the properties that are listed in Step 1:
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \ property:value [property:value ...] |
Customized limits can be defined for search operations according to the search base and search scope. If the target DN and scope of a search operation matches the specified criteria, the maximum size of the search result is limited.
You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.
Create one or more custom search limits.
$ dpconf create-custom-search-size-limit -h host -p port policy-name \ custom-search-limit-name [custom-search-limit-name ...] |
Set the criteria for the custom search limit.
$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \ custom-search-limit-name one-level-search-base-dn:value subtree-search-base-dn:value |
Set the limit for the number of results that are returned when a search meets one of the criteria in Step 2.
$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \ custom-search-limit-name search-size-limit:value |
View the properties of a custom search limit.
$ dpconf get-custom-search-size-limit-prop -h host -p port policy-name \ custom-search-limit-name |
The default properties of a custom search limit are as follows:
one-level-search-base-dn : - search-size-limit : unlimited subtree-search-base-dn : - |
Directory Proxy Server 5.2 is a connection based router. In Directory Proxy Server 5.2, a client connection is routed to a specific directory server. All requests on that client connection are sent to the same directory server until the connection is broken or until the client unbinds.
Directory Proxy Server 6.1 is an operation based router. However, for compatibility, this version of Directory Proxy Server can be configured as a connection based router, as described in the following procedure.
Create and configure one or more connection handlers as described in Creating, Configuring, and Deleting Connection Handlers.
You can also use the default connection handler.
Configure all connection handlers to route requests to the root data view only.
For example:
$ dpconf set-connection-handler-prop -h host1 -p 1389 myConnectionHandler \ data-view-routing-policy:custom data-view-routing-custom-list:"root data view" |
Create and configure a data source for each backend LDAP server as described in Creating and Configuring LDAP Data Sources.
For example:
$ dpconf create-ldap-data-source -h host1 -p 1389 myDataSource host2:2389 |
Create and configure a data source pool as described in Creating and Configuring LDAP Data Source Pools.
For example:
$ dpconf create-ldap-data-source-pool -h host1 -p 1389 myDataSourcePool |
Attach all of the data sources to the data source pool as described in Attaching LDAP Data Sources to a Data Source Pool.
For example,
$ dpconf attach-ldap-data-source -h host1 -p 1389 myDataSourcePool myDataSource |
Configure each data source to authenticate clients by using BIND replay as described in Forwarding Requests With Bind Replay.
For example:
$ dpconf set-ldap-data-source-prop -h host1 -p 1389 myDataSource \ client-cred-mode:use-client-identity |
Configure affinity between the client connection and the data source pool as described in Configuring Client Affinity.
For example:
$ dpconf set-ldap-data-source-pool-prop -h host1 -p 1389 myDataSourcePool \ enable-client-affinity:true client-affinity-policy:read-write-affinity-after-write |