Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Forwarding Requests to Back-End LDAP Servers

This section contains information about the various methods you can use to forward requests from Directory Proxy Server to back-end LDAP servers.

Forwarding Requests With Bind Replay

For information about bind replay for client credentials in Directory Proxy Server, see Directory Proxy Server Configured for BIND Replay in Sun Java System Directory Server Enterprise Edition 6.2 Reference. The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server by using bind replay.

Procedure: To Forward Requests With Bind Replay

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the data source client credentials to authenticate to a back-end LDAP server by using the credentials provided by a client.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     client-cred-mode:use-client-identity

Forwarding Requests With Proxy Authorization

For information about proxy authorization in Directory Proxy Server, see Directory Proxy Server Configured for Proxy Authorization in Sun Java System Directory Server Enterprise Edition 6.2 Reference.

This section contains procedures for forwarding requests by using proxy authorization and by using a proxy authorization control.

Procedure: To Forward Requests by Using Proxy Authorization

  1. Configure the data source to expect proxy authorization controls of either version 1 or version 2.

    For example, configure the data source to expect proxy authorization controls of version 1.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     proxied-auth-use-v1:true

    Alternatively, configure the data source to expect proxy authorization controls of version 2.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     proxied-auth-use-v1:false
  2. Configure the data source to authenticate to a back-end LDAP server by using proxy authorization.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     client-cred-mode:use-proxy-auth

    To configure a data source to authenticate to a back-end LDAP server by using proxy authorization for write operations only, run this command:

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     client-cred-mode:use-proxy-auth-for-write

    When only write operations are performed with a proxy authorization control, the client identity is not forwarded to the LDAP server for read requests. For more information about forwarding requests without the client identity, see Forwarding Requests Without the Client Identity.

  3. Configure the data source with the bind credentials of Directory Proxy Server.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     bind-dn:DPS-bind-dn bind-pwd-file:filename

  4. Configure the proxy authorization check timeout on the data source.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     proxied-auth-check-timeout:value

    Directory Proxy Server verifies that the client DN has the relevant ACIs for proxy authorization by using the getEffectiveRights command. The result is cached in Directory Proxy Server and renewed when the proxied-auth-check-timeout expires.

  5. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Procedure: To Forward Requests by Using Proxy Authorization When the Request Contains a Proxy Authorization Control

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure Directory Proxy Server to accept proxy authorization controls of version 1, version 2, or both.

    $ dpconf set-server-prop -h host -p port allowed-ldap-controls:proxy-auth-v1 \
     allowed-ldap-controls:proxy-auth-v2

Forwarding Requests Without the Client Identity

The following procedure describes how to forward requests from Directory Proxy Server to a back-end LDAP server without forwarding the client identity.

Procedure: To Forward Requests Without the Client Identity

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the data source to authenticate to a back-end LDAP server by using the credentials of Directory Proxy Server.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     client-cred-mode:use-specific-identity

  2. Configure the data source with the bind credentials of Directory Proxy Server.

    $ dpconf set-ldap-data-source-prop -h host -p port data-source-name \
     bind-dn:bind-dn-of-DPS bind-pwd-file:filename

  3. If necessary, restart the instance of Directory Proxy Server for the changes to take effect.

    For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.

Forwarding Requests as an Alternate User

This section contains information about how to forward requests as an alternate user.

Procedure: To Configure Remote User Mapping

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Enable operations to be forwarded with an alternate user.

    $ dpconf set-server-prop -h host -p port enable-user-mapping:true

  2. Specify the name of the attribute that contains the ID for remote mapping.

    $ dpconf set-server-prop -h host -p port \
     remote-user-mapping-bind-dn-attr:attribute-name

  3. Enable Directory Proxy Server to map the client ID remotely.

    $ dpconf set-server-prop -h host -p port enable-remote-user-mapping:true

  4. Configure the default mapping.

    $ dpconf set-server-prop -h host -p port \
     user-mapping-default-bind-dn:default-mapping-bind-dn \
     user-mapping-default-bind-pwd-file:filename

    If the mapped identity is not found on the remote LDAP server, the client identity is mapped to the default identity.

  5. Configure the user mapping in the entry for the client on the remote LDAP server.

    For information about configuring user mapping in Directory Server, see Proxy Authorization.

Procedure: To Configure Local User Mapping

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Enable operations to be forwarded with an alternate user.

    $ dpconf set-server-prop -h host -p port enable-user-mapping:true

  2. Ensure that Directory Proxy Server is not configured to map the client ID remotely.

    $ dpconf set-server-prop -h host -p port enable-remote-user-mapping:false

  3. Configure the default mapping.

    $ dpconf set-server-prop -h host -p port \
     user-mapping-default-bind-dn:default-mapping-bind-dn \
     user-mapping-default-bind-pwd-file:filename

    The client ID is mapped to this DN if the mapping on the remote LDAP server fails.

  4. If you permit unauthenticated users to perform operations, configure the mapping for unauthenticated clients.

    $ dpconf set-server-prop -h host -p port \
     user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \
     user-mapping-anonymous-bind-pwd-file:filename

    For information about how to permit unauthenticated users to perform operations, see To Configure Anonymous Access.

  5. Configure the ID of the client.

    $ dpconf set-user-mapping-prop -h host -p port \
     user-bind-dn:client-bind-dn user-bind-pwd-file:filename

  6. Configure the ID of the alternate user.

    $ dpconf set-user-mapping-prop -h host -p port \
     mapped-bind-dn:alt-user-bind-dn mapped-bind-pwd-file:filename


Procedure: To Configure User Mapping for Anonymous Clients

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. Configure the mapping for unauthenticated clients.

    $ dpconf set-server-prop -h host -p port \
     user-mapping-anonymous-bind-dn:anonymous-mapping-bind-dn \
     user-mapping-anonymous-bind-pwd-file:filename

    The mapping for anonymous clients is configured in Directory Proxy Server because the remote LDAP server does not contain an entry for an anonymous client.

    For information about permitting unauthenticated users to perform operations, see To Configure Anonymous Access.