iPlanet Directory Access Router Administrator's Guide



Appendix A   Sample Configuration Files


iPlanet Directory Access Router (iDAR) provides a configuration tool named tailor that generates tailor.ldif files for four classes of configuration: straight through, load balancing, binding based operation filtering, and load balancing with binding based operation filtering. This appendix contains an example configuration of each of the four types, as generated by the tailor configuration tool.

The appendix has the following sections:

Straight Through Configuration
Load Balancing Configuration
Binding Based Operation Filtering Configuration
Load Balancing With Binding Based Operation Filtering Configuration

Straight Through Configuration

Code Example A-1 shows a sample LDIF file generated by the tailor configuration tool in the "straight through configuration" mode.

Code Example A-1    Straight Through Configuration's LDIF  

version: 1

dn: ou=actions
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: actions

dn: ou=global
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: global

dn: ou=groups
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: groups

dn: ou=properties
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: properties

dn: ou=rules
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: rules

#
# This bootstrap entry defines:
#
# 1) the name of the iDAR server set is: "iDAR"
# 2) the DN of the ids-proxy-sch-GlobalConfiguration object
# 3) the base DN of the Properties definitions
# 4) the base DN of the Groups definitions
#
# Note: iDAR learns this entry's DN via the startup configuration (tailor.txt).
#
dn: ids-proxy-con-Server-Name=iDAR
objectclass: ids-proxy-sch-LDAPProxy
objectclass: ids-proxy-top
ids-proxy-con-Server-Name: iDAR
ids-proxy-sch-Global-Config-Dn: ids-proxy-con-Config-Name=config,ou=global
ids-proxy-sch-Group-Base: ou=groups
ids-proxy-sch-Property-Base: ou=properties
ids-proxy-sch-Rule-Base: ou=rules

#
# This Global properties entry declares:
#
# 1) which port the proxy will listen on for connections
#
dn: ids-proxy-con-Config-Name=config,ou=global
objectclass: ids-proxy-sch-GlobalConfiguration
objectclass: ids-proxy-top
ids-proxy-con-Config-Name: config
ids-proxy-con-connection-pool: FALSE
ids-proxy-con-connection-pool-interval: 15
ids-proxy-con-connection-pool-timeout: 30
ids-proxy-con-include-logproperty: LogProperty
ids-proxy-con-listen-backlog: 128
ids-proxy-con-listen-host: localhost
ids-proxy-con-listen-port: 389
ids-proxy-con-one-thread-only: FALSE
ids-proxy-con-userid: nobody
ids-proxy-con-working-dir: /tmp
ou: global

#
# Here we stipulate to iDAR where to send its log file as well
# as what logging level to use.
#
dn: ids-proxy-con-Name=LogProperty,ou=properties
objectclass: ids-proxy-sch-LogProperty
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: LogProperty
ids-proxy-con-log-file: /opt/iDAR/logs/fwd.log
ids-proxy-con-log-level: warning
ids-proxy-con-stat-level: none
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# iDAR finds its group properties by essentially performing a one level search
# beneath the ids-proxy-sch-LDAPProxy stipulated ids-proxy-sch-Group-Base.
# (This is in contrast with all other entries which are "found" by an exact DN
# to utilize.) Since there could be more than one entry beneath the
# ids-proxy-sch-Group-Base, each group entry has an ids-proxy-con-Priority
# value to indicate their evaluation order. In addition, the
# ids-proxy-sch-belongs-to attribute allows entries at this level to exclude
# or include themselves based on whether their ids-proxy-sch-belongs-to value
# matches the value asserted by the ids-proxy-con-Server-Name value found
# in the ids-proxy-sch-LDAPProxy objectclass entry.
#
# The following entry defines a group called "default" that:
#
# 1) assigns an evaluation priority of 33 (evaluates before 32, 31, 30, etc.)
# 2) declares the server configuration this entry belongs to as "iDAR"
# 3) allows all clients to be a member of the group as con-Client is ALL
# 4) allows all clients regardless of bind name (since it isn't enumerated)
# 5) allows all operations
# 6) stipulates that referrals are returned to the proxy's client
# 7) stipulates that the backend server for this group is described by the
# ids-proxy-sch-LDAPServer objectclass entry named server-1.
#
dn: ids-proxy-con-Name=default,ou=groups
objectclass: ids-proxy-sch-Group
objectclass: ids-proxy-sch-NetworkGroup
objectclass: ids-proxy-top
ids-proxy-con-Client: ALL
ids-proxy-con-Name: default
ids-proxy-con-Priority: 33
ids-proxy-con-Server: server-1
ids-proxy-con-allow-multi-ldapv2-bind: FALSE
ids-proxy-con-filter-inequality: TRUE
ids-proxy-con-max-refcount: 15
ids-proxy-con-max-scope: 2
ids-proxy-con-max-simultaneous-conns-from-ip: 0
ids-proxy-con-permit-auth-none: TRUE
ids-proxy-con-permit-auth-sasl: TRUE
ids-proxy-con-permit-auth-simple: TRUE
ids-proxy-con-permit-op-add: TRUE
ids-proxy-con-permit-op-compare: TRUE
ids-proxy-con-permit-op-delete: TRUE
ids-proxy-con-permit-op-extended: TRUE
ids-proxy-con-permit-op-modify: TRUE
ids-proxy-con-permit-op-modrdn: TRUE
ids-proxy-con-permit-op-search: TRUE
ids-proxy-con-reference: forward
ids-proxy-con-referral-bind-policy: bind_any
ids-proxy-con-referral-ssl-policy: ssl_unavailable
ids-proxy-con-search-reference: follow
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-con-timeout: 120
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: groups

#
# server enumeration
#
dn: ids-proxy-con-Name=server-1,ou=properties
objectclass: ids-proxy-sch-LDAPServer
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: server-1
ids-proxy-con-host: pink.iplanet.com
ids-proxy-con-link-security-policy: ssl_optional
ids-proxy-con-port: 10205
ids-proxy-con-supported-version: 23
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties



Load Balancing Configuration



Code Example A-2 shows a sample LDIF file generated by the tailor configuration tool in the "load balancing configuration" mode.

Code Example A-2    Load Balancing Configuration's LDIF  

version: 1

dn: ou=actions
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: actions

dn: ou=global
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: global

dn: ou=groups
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: groups

dn: ou=properties
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: properties

dn: ou=rules
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: rules

#
# This bootstrap entry defines:
#
# 1) the name of the iDAR server set is: "iDAR"
# 2) the DN of the ids-proxy-sch-GlobalConfiguration object
# 3) the base DN of the Properties definitions
# 4) the base DN of the Groups definitions
#
# Note: iDAR learns this entry's DN via the startup configuration (tailor.txt).
#
dn: ids-proxy-con-Server-Name=iDAR
objectclass: ids-proxy-sch-LDAPProxy
objectclass: ids-proxy-top
ids-proxy-con-Server-Name: iDAR
ids-proxy-sch-Global-Config-Dn: ids-proxy-con-Config-Name=config,ou=global
ids-proxy-sch-Group-Base: ou=groups
ids-proxy-sch-Property-Base: ou=properties
ids-proxy-sch-Rule-Base: ou=rules

#
# This Global properties entry declares:
#
# 1) which port the proxy will listen on for connections
#
dn: ids-proxy-con-Config-Name=config,ou=global
objectclass: ids-proxy-sch-GlobalConfiguration
objectclass: ids-proxy-top
ids-proxy-con-Config-Name: config
ids-proxy-con-connection-pool: FALSE
ids-proxy-con-connection-pool-interval: 15
ids-proxy-con-connection-pool-timeout: 30
ids-proxy-con-include-logproperty: LogProperty
ids-proxy-con-listen-backlog: 128
ids-proxy-con-listen-host: localhost
ids-proxy-con-listen-port: 389
ids-proxy-con-one-thread-only: FALSE
ids-proxy-con-userid: nobody
ids-proxy-con-working-dir: /tmp
ou: global

#
# Here we stipulate to iDAR where to send its log file as well
# as what logging level to use.
#
dn: ids-proxy-con-Name=LogProperty,ou=properties
objectclass: ids-proxy-sch-LogProperty
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: LogProperty
ids-proxy-con-log-file: /opt/iDAR/logs/fwd.log
ids-proxy-con-log-level: warning
ids-proxy-con-stat-level: none
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# iDAR finds its group properties by essentially performing a one level search
# beneath the ids-proxy-sch-LDAPProxy stipulated ids-proxy-sch-Group-Base.
# (This is in contrast with all other entries which are "found" by an exact DN
# to utilize.) Since there could be more than one entry beneath the
# ids-proxy-sch-Group-Base, each group entry has an ids-proxy-con-Priority
# value to indicate their evaluation order. In addition, the
# ids-proxy-sch-belongs-to attribute allows entries at this level to exclude
# or include themselves based on whether their ids-proxy-sch-belongs-to value
# matches the value asserted by the ids-proxy-con-Server-Name value found
# in the ids-proxy-sch-LDAPProxy objectclass entry.
#
# The following entry defines a group called "default" that:
#
# 1) assigns an evaluation priority of 33 (evaluates before 32, 31, 30, etc.)
# 2) declares the server configuration this entry belongs to as "iDAR"
# 3) allows all clients to be a member of the group as con-Client is ALL
# 4) allows all clients regardless of bind name (since it isn't enumerated)
# 5) allows all operations
# 6) stipulates that referrals are returned to the proxy's client
# 7) stipulates that this group is to use load balancing.
#
dn: ids-proxy-con-Name=default,ou=groups
objectclass: ids-proxy-sch-Group
objectclass: ids-proxy-sch-NetworkGroup
objectclass: ids-proxy-top
ids-proxy-con-Client: ALL
ids-proxy-con-Name: default
ids-proxy-con-Priority: 33
ids-proxy-con-allow-multi-ldapv2-bind: FALSE
ids-proxy-con-filter-inequality: TRUE
ids-proxy-con-include-property: load-balance
ids-proxy-con-max-refcount: 15
ids-proxy-con-max-scope: 2
ids-proxy-con-max-simultaneous-conns-from-ip: 0
ids-proxy-con-permit-auth-none: TRUE
ids-proxy-con-permit-auth-sasl: TRUE
ids-proxy-con-permit-auth-simple: TRUE
ids-proxy-con-permit-op-add: TRUE
ids-proxy-con-permit-op-compare: TRUE
ids-proxy-con-permit-op-delete: TRUE
ids-proxy-con-permit-op-extended: TRUE
ids-proxy-con-permit-op-modify: TRUE
ids-proxy-con-permit-op-modrdn: TRUE
ids-proxy-con-permit-op-search: TRUE
ids-proxy-con-reference: forward
ids-proxy-con-referral-bind-policy: bind_any
ids-proxy-con-referral-ssl-policy: ssl_unavailable
ids-proxy-con-search-reference: follow
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-con-timeout: 120
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: groups

#
# The following entry defines the property used to stipulate which servers
# will be contacted. It also apportions the servers.
#
# Note: it is assumed that the load balanced servers are equal in content
# and in capability.
#
dn: ids-proxy-con-Name=load-balance,ou=properties
objectclass: ids-proxy-sch-LoadBalanceProperty
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: load-balance
ids-proxy-con-Server: server-1#34
ids-proxy-con-Server: server-2#33
ids-proxy-con-Server: server-3#33
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# server enumeration
#
dn: ids-proxy-con-Name=server-1,ou=properties
objectclass: ids-proxy-sch-LDAPServer
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: server-1
ids-proxy-con-host: pink
ids-proxy-con-link-security-policy: ssl_optional
ids-proxy-con-port: 10205
ids-proxy-con-supported-version: 23
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# server enumeration
#
dn: ids-proxy-con-Name=server-2,ou=properties
objectclass: ids-proxy-sch-LDAPServer
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: server-2
ids-proxy-con-host: red
ids-proxy-con-link-security-policy: ssl_optional
ids-proxy-con-port: 10389
ids-proxy-con-supported-version: 23
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# server enumeration
#
dn: ids-proxy-con-Name=server-3,ou=properties
objectclass: ids-proxy-sch-LDAPServer
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: server-3
ids-proxy-con-host: blue
ids-proxy-con-link-security-policy: ssl_optional
ids-proxy-con-port: 389
ids-proxy-con-supported-version: 23
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties



Binding Based Operation Filtering Configuration



Code Example A-3 shows a sample LDIF file generated by the tailor configuration tool in the "binding based operation filtering configuration" mode.

Code Example A-3    Binding Based Operation Filtering's LDIF  

version: 1

dn: ou=actions
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: actions

dn: ou=global
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: global

dn: ou=groups
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: groups

dn: ou=properties
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: properties

dn: ou=rules
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: rules

#
# This bootstrap entry defines:
#
# 1) the name of the iDAR server set is: "iDAR"
# 2) the DN of the ids-proxy-sch-GlobalConfiguration object
# 3) the base DN of the Properties definitions
# 4) the base DN of the Groups definitions
#
# Note: iDAR learns this entry's DN via the startup configuration (tailor.txt).
#
dn: ids-proxy-con-Server-Name=iDAR
objectclass: ids-proxy-sch-LDAPProxy
objectclass: ids-proxy-top
ids-proxy-con-Server-Name: iDAR
ids-proxy-sch-Action-Base: ou=actions
ids-proxy-sch-Global-Config-Dn: ids-proxy-con-Config-Name=config,ou=global
ids-proxy-sch-Group-Base: ou=groups
ids-proxy-sch-Property-Base: ou=properties
ids-proxy-sch-Rule-Base: ou=rules

#
# This Global properties entry declares:
#
# 1) which port the proxy will listen on for connections
#
dn: ids-proxy-con-Config-Name=config,ou=global
objectclass: ids-proxy-sch-GlobalConfiguration
objectclass: ids-proxy-top
ids-proxy-con-Config-Name: config
ids-proxy-con-connection-pool: FALSE
ids-proxy-con-connection-pool-interval: 15
ids-proxy-con-connection-pool-timeout: 30
ids-proxy-con-include-logproperty: LogProperty
ids-proxy-con-listen-backlog: 128
ids-proxy-con-listen-host: localhost
ids-proxy-con-listen-port: 389
ids-proxy-con-one-thread-only: FALSE
ids-proxy-con-userid: nobody
ids-proxy-con-working-dir: /tmp
ou: global

#
# Here we stipulate to iDAR where to send its log file as well
# as what logging level to use.
#
dn: ids-proxy-con-Name=LogProperty,ou=properties
objectclass: ids-proxy-sch-LogProperty
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: LogProperty
ids-proxy-con-log-file: /opt/iDAR/logs/fwd.log
ids-proxy-con-log-level: warning
ids-proxy-con-stat-level: none
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# note that we change group on bind
#
dn: ids-proxy-con-Name=successfulBind,ou=rules
objectclass: ids-proxy-sch-OnBindSuccessRule
objectclass: ids-proxy-sch-Rule
objectclass: ids-proxy-top
ids-proxy-con-Name: successfulBind
ids-proxy-con-bind-anonymous: FALSE
ids-proxy-con-bind-sasl: TRUE
ids-proxy-con-bind-simple: TRUE
ids-proxy-con-execute: change#100
ids-proxy-con-ssl-required: FALSE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: rules

#
# this is the group we change to on successful bind
#
dn: ids-proxy-con-Name=change,ou=actions
objectclass: ids-proxy-sch-Action
objectclass: ids-proxy-sch-ChangeGroupAction
objectclass: ids-proxy-top
ids-proxy-con-Name: change
ids-proxy-con-to-group: onbind#.*#5
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: actions

#
# iDAR finds its group properties by essentially performing a one level search
# beneath the ids-proxy-sch-LDAPProxy stipulated ids-proxy-sch-Group-Base.
# (This is in contrast with all other entries which are "found" by an exact DN
# to utilize.) Since there could be more than one entry beneath the
# ids-proxy-sch-Group-Base, each group entry has an ids-proxy-con-Priority
# value to indicate their evaluation order. In addition, the
# ids-proxy-sch-belongs-to attribute allows entries at this level to exclude
# or include themselves based on whether their ids-proxy-sch-belongs-to value
# matches the value asserted by the ids-proxy-con-Server-Name value found
# in the ids-proxy-sch-LDAPProxy objectclass entry.
#
# The following entry defines a group called "onbind" that:
#
# 1) assigns an evaluation priority of 10 (evaluates before 9, 8, 7, etc.)
# 2) declares the server configuration this entry belongs to as "iDAR"
# 3) uses a con-Client value that FAILS matching during priority scanning
# 4) allows all clients regardless of bind name (since it isn't enumerated)
# 5) allows all operations
# 6) stipulates that referrals are returned to the proxy's client
# 7) stipulates that the backend server for this group is described by the
# ids-proxy-sch-LDAPServer objectclass entry named server-1.
#
dn: ids-proxy-con-Name=onbind,ou=groups
objectclass: ids-proxy-sch-Group
objectclass: ids-proxy-sch-NetworkGroup
objectclass: ids-proxy-top
ids-proxy-con-Client: 0.0.0.0
ids-proxy-con-Name: onbind
ids-proxy-con-Priority: 10
ids-proxy-con-Server: server-1
ids-proxy-con-allow-multi-ldapv2-bind: FALSE
ids-proxy-con-filter-inequality: TRUE
ids-proxy-con-max-refcount: 15
ids-proxy-con-max-scope: 2
ids-proxy-con-max-simultaneous-conns-from-ip: 0
ids-proxy-con-permit-auth-none: TRUE
ids-proxy-con-permit-auth-sasl: TRUE
ids-proxy-con-permit-auth-simple: TRUE
ids-proxy-con-permit-op-add: TRUE
ids-proxy-con-permit-op-compare: TRUE
ids-proxy-con-permit-op-delete: TRUE
ids-proxy-con-permit-op-extended: TRUE
ids-proxy-con-permit-op-modify: TRUE
ids-proxy-con-permit-op-modrdn: TRUE
ids-proxy-con-permit-op-search: TRUE
ids-proxy-con-reference: forward
ids-proxy-con-referral-bind-policy: bind_any
ids-proxy-con-referral-ssl-policy: ssl_unavailable
ids-proxy-con-search-reference: follow
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-con-timeout: 120
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: groups

#
# The following entry defines a group called "default" that:
#
# 1) assigns an evaluation priority of 33 (evaluates before 32, 31, 30, etc.)
# 2) declares the server configuration this entry belongs to as "iDAR"
# 3) allows all clients to be a member of the group as con-Client is ALL
# 4) allows all clients regardless of bind name (since it isn't enumerated)
# 5) disallows add, compare, delete, modify, modrdn and extended operations
# 6) stipulates that referrals are returned to the proxy's client
# 7) stipulates that the backend server for this group is described by the
# ids-proxy-sch-LDAPServer objectclass entry named server-1.
#
dn: ids-proxy-con-Name=default,ou=groups
objectclass: ids-proxy-sch-Group
objectclass: ids-proxy-sch-NetworkGroup
objectclass: ids-proxy-top
ids-proxy-con-Client: ALL
ids-proxy-con-Name: default
ids-proxy-con-Priority: 33
ids-proxy-con-Server: server-1
ids-proxy-con-allow-multi-ldapv2-bind: FALSE
ids-proxy-con-filter-inequality: TRUE
ids-proxy-con-include-rule: successfulBind
ids-proxy-con-max-refcount: 15
ids-proxy-con-max-scope: 2
ids-proxy-con-max-simultaneous-conns-from-ip: 0
ids-proxy-con-permit-auth-none: TRUE
ids-proxy-con-permit-auth-sasl: TRUE
ids-proxy-con-permit-auth-simple: TRUE
ids-proxy-con-permit-op-add: FALSE
ids-proxy-con-permit-op-compare: FALSE
ids-proxy-con-permit-op-delete: FALSE
ids-proxy-con-permit-op-extended: FALSE
ids-proxy-con-permit-op-modify: FALSE
ids-proxy-con-permit-op-modrdn: FALSE
ids-proxy-con-permit-op-search: TRUE
ids-proxy-con-reference: forward
ids-proxy-con-referral-bind-policy: bind_any
ids-proxy-con-referral-ssl-policy: ssl_unavailable
ids-proxy-con-search-reference: follow
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-con-timeout: 120
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: groups

#
# server enumeration
#
dn: ids-proxy-con-Name=server-1,ou=properties
objectclass: ids-proxy-sch-LDAPServer
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: server-1
ids-proxy-con-host: blue
ids-proxy-con-link-security-policy: ssl_optional
ids-proxy-con-port: 389
ids-proxy-con-supported-version: 23
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties



Load Balancing With Binding Based Operation Filtering Configuration



Code Example A-4 shows a sample LDIF file generated by the tailor configuration tool in the "load balancing with binding based operation filtering configuration" mode.

Code Example A-4    Load Balancing and Binding Based Filtering's LDIF  

version: 1

dn: ou=actions
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: actions

dn: ou=global
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: global

dn: ou=groups
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: groups

dn: ou=properties
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: properties

dn: ou=rules
objectclass: ids-proxy-top
objectclass: organizationalUnit
ou: rules

#
# This bootstrap entry defines:
#
# 1) the name of the iDAR server set is: "iDAR"
# 2) the DN of the ids-proxy-sch-GlobalConfiguration object
# 3) the base DN of the Properties definitions
# 4) the base DN of the Groups definitions
#
# Note: iDAR learns this entry's DN via the startup configuration (tailor.txt).
#
dn: ids-proxy-con-Server-Name=iDAR
objectclass: ids-proxy-sch-LDAPProxy
objectclass: ids-proxy-top
ids-proxy-con-Server-Name: iDAR
ids-proxy-sch-Action-Base: ou=actions
ids-proxy-sch-Global-Config-Dn: ids-proxy-con-Config-Name=config,ou=global
ids-proxy-sch-Group-Base: ou=groups
ids-proxy-sch-Property-Base: ou=properties
ids-proxy-sch-Rule-Base: ou=rules

#
# This Global properties entry declares:
#
# 1) which port the proxy will listen on for connections
#
dn: ids-proxy-con-Config-Name=config,ou=global
objectclass: ids-proxy-sch-GlobalConfiguration
objectclass: ids-proxy-top
ids-proxy-con-Config-Name: config
ids-proxy-con-connection-pool: FALSE
ids-proxy-con-connection-pool-interval: 15
ids-proxy-con-connection-pool-timeout: 30
ids-proxy-con-include-logproperty: LogProperty
ids-proxy-con-listen-backlog: 128
ids-proxy-con-listen-host: localhost
ids-proxy-con-listen-port: 389
ids-proxy-con-one-thread-only: FALSE
ids-proxy-con-userid: nobody
ids-proxy-con-working-dir: /tmp
ou: global

#
# Here we stipulate to iDAR where to send its log file as well
# as what logging level to use.
#
dn: ids-proxy-con-Name=LogProperty,ou=properties
objectclass: ids-proxy-sch-LogProperty
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: LogProperty
ids-proxy-con-log-file: /opt/iDAR/logs/fwd.log
ids-proxy-con-log-level: warning
ids-proxy-con-stat-level: none
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# note that we change group on bind
#
dn: ids-proxy-con-Name=successfulBind,ou=rules
objectclass: ids-proxy-sch-OnBindSuccessRule
objectclass: ids-proxy-sch-Rule
objectclass: ids-proxy-top
ids-proxy-con-Name: successfulBind
ids-proxy-con-bind-anonymous: FALSE
ids-proxy-con-bind-sasl: TRUE
ids-proxy-con-bind-simple: TRUE
ids-proxy-con-execute: change#100
ids-proxy-con-ssl-required: FALSE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: rules

#
# this is the group we change to on successful bind
#
dn: ids-proxy-con-Name=change,ou=actions
objectclass: ids-proxy-sch-Action
objectclass: ids-proxy-sch-ChangeGroupAction
objectclass: ids-proxy-top
ids-proxy-con-Name: change
ids-proxy-con-to-group: onbind#.*#5
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: actions

#
# iDAR finds its group properties by essentially performing a one level search
# beneath the ids-proxy-sch-LDAPProxy stipulated ids-proxy-sch-Group-Base.
# (This is in contrast with all other entries which are "found" by an exact DN
# to utilize.) Since there could be more than one entry beneath the
# ids-proxy-sch-Group-Base, each group entry has an ids-proxy-con-Priority
# value to indicate their evaluation order. In addition, the
# ids-proxy-sch-belongs-to attribute allows entries at this level to exclude
# or include themselves based on whether their ids-proxy-sch-belongs-to value
# matches the value asserted by the ids-proxy-con-Server-Name value found
# in the ids-proxy-sch-LDAPProxy objectclass entry.
#
# The following entry defines a group called "onbind" that:
#
# 1) assigns an evaluation priority of 10 (evaluates before 9, 8, 7, etc.)
# 2) declares the server configuration this entry belongs to as "iDAR"
# 3) uses a con-Client value that FAILS matching during priority scanning
# 4) allows all clients regardless of bind name (since it isn't enumerated)
# 5) allows all operations
# 6) stipulates that referrals are returned to the proxy's client
# 7) stipulates that this group is to use load balancing.
#
dn: ids-proxy-con-Name=onbind,ou=groups
objectclass: ids-proxy-sch-Group
objectclass: ids-proxy-sch-NetworkGroup
objectclass: ids-proxy-top
ids-proxy-con-Client: 0.0.0.0
ids-proxy-con-Name: onbind
ids-proxy-con-Priority: 10
ids-proxy-con-allow-multi-ldapv2-bind: FALSE
ids-proxy-con-filter-inequality: TRUE
ids-proxy-con-include-property: load-balance
ids-proxy-con-max-refcount: 15
ids-proxy-con-max-scope: 2
ids-proxy-con-max-simultaneous-conns-from-ip: 0
ids-proxy-con-permit-auth-none: TRUE
ids-proxy-con-permit-auth-sasl: TRUE
ids-proxy-con-permit-auth-simple: TRUE
ids-proxy-con-permit-op-add: TRUE
ids-proxy-con-permit-op-compare: TRUE
ids-proxy-con-permit-op-delete: TRUE
ids-proxy-con-permit-op-extended: TRUE
ids-proxy-con-permit-op-modify: TRUE
ids-proxy-con-permit-op-modrdn: TRUE
ids-proxy-con-permit-op-search: TRUE
ids-proxy-con-reference: forward
ids-proxy-con-referral-bind-policy: bind_any
ids-proxy-con-referral-ssl-policy: ssl_unavailable
ids-proxy-con-search-reference: follow
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-con-timeout: 120
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: groups

#
# The following entry defines a group called "default" that:
#
# 1) assigns an evaluation priority of 33 (evaluates before 32, 31, 30, etc.)
# 2) declares the server configuration this entry belongs to as "iDAR"
# 3) allows all clients to be a member of the group as con-Client is ALL
# 4) allows all clients regardless of bind name (since it isn't enumerated)
# 5) disallows add, compare, delete, modify, modrdn and extended operations
# 6) stipulates that referrals are returned to the proxy's client
# 7) stipulates that this group is to use load balancing.
#
dn: ids-proxy-con-Name=default,ou=groups
objectclass: ids-proxy-sch-Group
objectclass: ids-proxy-sch-NetworkGroup
objectclass: ids-proxy-top
ids-proxy-con-Client: ALL
ids-proxy-con-Name: default
ids-proxy-con-Priority: 33
ids-proxy-con-allow-multi-ldapv2-bind: FALSE
ids-proxy-con-filter-inequality: TRUE
ids-proxy-con-include-property: load-balance
ids-proxy-con-include-rule: successfulBind
ids-proxy-con-max-refcount: 15
ids-proxy-con-max-scope: 2
ids-proxy-con-max-simultaneous-conns-from-ip: 0
ids-proxy-con-permit-auth-none: TRUE
ids-proxy-con-permit-auth-sasl: TRUE
ids-proxy-con-permit-auth-simple: TRUE
ids-proxy-con-permit-op-add: FALSE
ids-proxy-con-permit-op-compare: FALSE
ids-proxy-con-permit-op-delete: FALSE
ids-proxy-con-permit-op-extended: FALSE
ids-proxy-con-permit-op-modify: FALSE
ids-proxy-con-permit-op-modrdn: FALSE
ids-proxy-con-permit-op-search: TRUE
ids-proxy-con-reference: forward
ids-proxy-con-referral-bind-policy: bind_any
ids-proxy-con-referral-ssl-policy: ssl_unavailable
ids-proxy-con-search-reference: follow
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-con-timeout: 120
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: groups

#
# The following entry defines the property used to stipulate which servers
# will be contacted. It also apportions the servers.
#
# Note: it is assumed that the load balanced servers are equal in content
# and in capability.
#
dn: ids-proxy-con-Name=load-balance,ou=properties
objectclass: ids-proxy-sch-LoadBalanceProperty
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: load-balance
ids-proxy-con-Server: server-1#34
ids-proxy-con-Server: server-2#33
ids-proxy-con-Server: server-3#33
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# server enumeration
#
dn: ids-proxy-con-Name=server-1,ou=properties
objectclass: ids-proxy-sch-LDAPServer
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: server-1
ids-proxy-con-host: pink
ids-proxy-con-link-security-policy: ssl_optional
ids-proxy-con-port: 10205
ids-proxy-con-supported-version: 23
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# server enumeration
#
dn: ids-proxy-con-Name=server-2,ou=properties
objectclass: ids-proxy-sch-LDAPServer
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: server-2
ids-proxy-con-host: red
ids-proxy-con-link-security-policy: ssl_optional
ids-proxy-con-port: 10389
ids-proxy-con-supported-version: 23
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties

#
# server enumeration
#
dn: ids-proxy-con-Name=server-3,ou=properties
objectclass: ids-proxy-sch-LDAPServer
objectclass: ids-proxy-sch-Property
objectclass: ids-proxy-top
ids-proxy-con-Name: server-3
ids-proxy-con-host: blue
ids-proxy-con-link-security-policy: ssl_optional
ids-proxy-con-port: 389
ids-proxy-con-supported-version: 23
ids-proxy-con-tcp-no-delay: TRUE
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: iDAR
ou: properties
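The four generated files above share one structure: groups are scanned by ids-proxy-con-Priority, a rule fired on successful bind runs an action that moves the session to another group, a load-balance property apportions servers as "name#weight", and every cross-reference (ids-proxy-con-Server, ids-proxy-con-include-property, ids-proxy-con-include-rule, ids-proxy-con-execute, ids-proxy-con-to-group) is resolved by name. The security of the binding based configurations rests on the anonymous "default" group being the restricted one and every such name resolving, so it is worth checking this mechanically before a file is loaded. The following Python script is an added example written for this appendix; it is not part of iDAR or the tailor tool. It embeds a constructed, trimmed LDIF in the style of Code Example A-4 and assumes the number after "#" in ids-proxy-con-Server is a percentage share (inferred from the 34/33/33 split in Code Example A-2), which is what its 100-total check expresses.

```python
# Constructed sample modelled on Code Example A-4 and trimmed to the attributes
# the checks below read; it is not the tailor tool's output.
SAMPLE_LDIF = """\
dn: ids-proxy-con-Name=successfulBind,ou=rules
objectclass: ids-proxy-sch-Rule
ids-proxy-con-execute: change#100

dn: ids-proxy-con-Name=change,ou=actions
objectclass: ids-proxy-sch-Action
ids-proxy-con-to-group: onbind#.*#5

dn: ids-proxy-con-Name=onbind,ou=groups
objectclass: ids-proxy-sch-Group
ids-proxy-con-Priority: 10
ids-proxy-con-include-property: load-balance
ids-proxy-con-permit-op-add: TRUE
ids-proxy-con-permit-op-search: TRUE

dn: ids-proxy-con-Name=default,ou=groups
objectclass: ids-proxy-sch-Group
ids-proxy-con-Priority: 33
ids-proxy-con-include-property: load-balance
ids-proxy-con-include-rule: successfulBind
ids-proxy-con-permit-op-add: FALSE
ids-proxy-con-permit-op-search: TRUE

dn: ids-proxy-con-Name=load-balance,ou=properties
objectclass: ids-proxy-sch-LoadBalanceProperty
objectclass: ids-proxy-sch-Property
ids-proxy-con-Server: server-1#50
ids-proxy-con-Server: server-2#50

dn: ids-proxy-con-Name=server-1,ou=properties
objectclass: ids-proxy-sch-LDAPServer

dn: ids-proxy-con-Name=server-2,ou=properties
objectclass: ids-proxy-sch-LDAPServer
"""

def parse_ldif(text):
    """Entries as {lower-cased attribute: [values]}; '#' comments and 'version:'
    are skipped, folded lines and base64 '::' values are not handled."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line[0] == "#" or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":  # a dn line opens a new entry
            current = {}
            entries.append(current)
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def by_class(entries, objectclass):
    """Entries carrying objectclass, keyed by the ids-proxy-con-Name in their DN."""
    oc = objectclass.lower()
    return {e["dn"][0].split(",")[0].partition("=")[2]: e for e in entries
            if oc in [v.lower() for v in e.get("objectclass", [])]}

def permissions_in_scan_order(entries):
    """[(group, priority, permitted ops)], highest ids-proxy-con-Priority first."""
    rows = []
    for name, g in by_class(entries, "ids-proxy-sch-Group").items():
        ops = sorted(a.rsplit("-", 1)[1] for a, v in g.items()
                     if a.startswith("ids-proxy-con-permit-op-") and v[0].upper() == "TRUE")
        rows.append((name, int(g.get("ids-proxy-con-priority", ["0"])[0]), ops))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def load_balance_weights(entries):
    """{property: {server: weight}} from 'server#weight' values. Assumption: the
    weight is a percentage share, as the 34/33/33 split in Code Example A-2 suggests."""
    return {name: {v.partition("#")[0]: int(v.partition("#")[2] or 0)
                   for v in p.get("ids-proxy-con-server", [])}
            for name, p in by_class(entries, "ids-proxy-sch-LoadBalanceProperty").items()}

# (holder objectclass, attribute, objectclass the value must name); 'x#...' names x.
REFERENCES = [
    ("ids-proxy-sch-Group", "ids-proxy-con-server", "ids-proxy-sch-LDAPServer"),
    ("ids-proxy-sch-Group", "ids-proxy-con-include-property", "ids-proxy-sch-Property"),
    ("ids-proxy-sch-Group", "ids-proxy-con-include-rule", "ids-proxy-sch-Rule"),
    ("ids-proxy-sch-Rule", "ids-proxy-con-execute", "ids-proxy-sch-Action"),
    ("ids-proxy-sch-Action", "ids-proxy-con-to-group", "ids-proxy-sch-Group"),
    ("ids-proxy-sch-LoadBalanceProperty", "ids-proxy-con-server", "ids-proxy-sch-LDAPServer"),
]

def check_references(entries):
    """Dangling references and weight totals; an empty list means consistent."""
    findings = []
    for holder, attr, target in REFERENCES:
        defined = by_class(entries, target)
        for name, e in by_class(entries, holder).items():
            for ref in (v.partition("#")[0] for v in e.get(attr, [])):
                if ref not in defined:
                    findings.append(f"{name}.{attr}: {target} '{ref}' is not defined")
    for name, weights in load_balance_weights(entries).items():
        if sum(weights.values()) != 100:
            findings.append(f"{name}: weights total {sum(weights.values())}, not 100")
    return findings
```

On the constructed sample, permissions_in_scan_order reports "default" (priority 33, search only) ahead of "onbind" (priority 10, add and search), which is the policy the binding based configurations intend: an unauthenticated session lands in the read-only group and only a successful bind moves it to the group that permits writes. A misspelled group in ids-proxy-con-to-group or a server named in load-balance but never defined under ou=properties is the kind of error a visual read of a long generated file misses, and check_references reports each one by the entry and attribute that holds it; running it against the real tailor.ldif is a matter of replacing SAMPLE_LDIF with the file's contents.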


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated July 26, 2001