iPlanet Directory Access Router Administrator's Guide
Chapter 15 Global Configuration
iPlanet Directory Access Router (iDAR) configuration can be represented as entries either in an LDAP directory or in a file in LDIF format. This chapter describes the schema for storing the iDAR global configuration information. Throughout the remainder of this document, all configuration attributes are assumed to have the syntax of a case-insensitive UTF-8 string (cis) unless explicitly stated otherwise. Attribute names follow one of two conventions: ids-proxy-sch-* attributes are part of the iDAR configuration schema but have no direct effect on iDAR functionality; ids-proxy-con-* attributes directly affect iDAR functional behavior.
This chapter contains the following sections:
ids-proxy-sch-LDAPProxy Object Class
ids-proxy-sch-LDAPProxy Object Class
The ids-proxy-sch-LDAPProxy object contains information about the name of the iDAR server and the distinguished name (DN) of the ids-proxy-sch-GlobalConfiguration object. iDAR finds this object using the DN specified in the configuration_url attribute in the startup configuration file. This object contains the following mandatory attributes.
ids-proxy-sch-Global-Config-Dn
The ids-proxy-sch-Global-Config-Dn attribute specifies the distinguished name of the ids-proxy-sch-Global-Configuration object entry. This attribute must be present and has dn syntax.
ids-proxy-con-Server-Name
The ids-proxy-con-Server-Name attribute specifies the string name of the server. This attribute must be present, as it is used to form the Relative Distinguished Name (RDN) of entries of this class, as well as to locate group and property entries.
Locating Group, Property, Rule, and Action Objects
ids-proxy-sch-Group-Base, ids-proxy-sch-Property-Base, ids-proxy-sch-Rule-Base, ids-proxy-sch-Action-Base
These attributes specify the DN of the entries under which the group and property object entries reside. iDAR performs a one-level search with the respective attribute value as the base of the search and one of the following filters.
<Server-Name> is the name of the server as specified in the ids-proxy-con-Server-Name attribute. The ids-proxy-sch-Group-Base attribute must be present in every entry of this class. The other three attributes are optional and may be omitted if no entries of that type are used.
ids-proxy-sch-GlobalConfiguration Object Class
The ids-proxy-sch-GlobalConfiguration object contains various global configuration attributes. Each configuration must have one entry of this object class.
ids-proxy-con-Config-Name
The ids-proxy-con-Config-Name attribute specifies the string name of the configuration. This attribute must be present, as it is used to form the RDN of entries of this class.
ids-proxy-con-listen-port
The ids-proxy-con-listen-port attribute takes a value of the port number, 1 through 65535, on which to listen for incoming connections. The default, if this attribute is not present, is TCP port 389, as specified for LDAP. This port number must be different from that used by any other LDAP server running on the same host. On UNIX platforms the server must be started as root to listen on a port number below 1024. For example, to have iDAR listen on port 10389, the following attribute/value pair should be in the ids-proxy-sch-GlobalConfiguration object entry:
ids-proxy-con-listen-port: 10389
ids-proxy-con-listen-host
The ids-proxy-con-listen-host attribute takes a value of the name or the IP address of the host interface on which the iDAR will listen for connections. This attribute is needed only if there are multiple network interfaces on the host running iDAR. If this attribute is not present or has the value "localhost", iDAR will listen on all available network interfaces.
ids-proxy-con-max-conns
The ids-proxy-con-max-conns attribute takes a value (greater than zero) of the maximum number of simultaneous client connections that iDAR will accept. For example, if you want to allow only ten simultaneous connections, the following attribute/value pair should be in the ids-proxy-sch-GlobalConfiguration object entry:
ids-proxy-con-max-conns: 10
To allow an unlimited number of simultaneous connections, do not specify this attribute.
ids-proxy-con-listen-backlog
The ids-proxy-con-listen-backlog attribute takes a value (greater than zero) of the maximum number of outstanding connections in the listening socket's queue. The default is 128 if the attribute is absent. This attribute should be present if more than 128 clients could attempt to contact iDAR simultaneously. The maximum value depends on the underlying operating system configuration.
ids-proxy-con-ldaps-port
The ids-proxy-con-ldaps-port attribute takes as a value the port number on which to listen for LDAPS (LDAP over SSL) connections. By default, iDAR does not listen for connections from LDAPS clients. This attribute must be present to enable LDAPS connections from clients using this nonstandard function, with a value such as 636. This value must be different from the ids-proxy-con-listen-port value. This option also requires TLS/SSL configuration (see Chapter 12 "Configuring Security").
ids-proxy-con-userid
This option specifies the userid under which iDAR will run. If iDAR is started as root, it changes its uid to the one specified here. The default is to switch to nobody. This option is not applicable on Windows NT.
ids-proxy-con-working-dir
This attribute specifies the directory from which iDAR should run. On startup, iDAR will change its working directory to the directory specified as value for this attribute. The default is /tmp. This attribute only takes effect on platforms other than Windows NT.
ids-proxy-con-include-logproperty
This attribute specifies the value of the ids-proxy-con-name attribute of the ids-proxy-sch-LogProperty property entry. This property should be defined by an entry if you want to customize logging. Refer to Chapter 20 "Logging" for details.
TLS/SSL Configuration Attributes
The ids-proxy-con-ssl-cert and ids-proxy-con-ssl-key attributes must be present in the ids-proxy-sch-GlobalConfiguration object entry if the Start TLS extended operation or ids-proxy-con-ldaps-port option is to be supported. The TLS policy of each group can be configured using the group attribute ids-proxy-con-ssl-policy.
ids-proxy-con-ssl-key
The ids-proxy-con-ssl-key attribute specifies the pathname of the file on disk containing the private key associated with the server's certificate. Refer to the section Generating a TLS Key Pair for more details.
ids-proxy-con-ssl-cert
The ids-proxy-con-ssl-cert attribute specifies the path name of the file on disk containing the server's own certificate signed by the CA. The certificate in the file must conform to the Public Key Cryptography Standards (PKCS#10) format. Refer to the section Generating a TLS Key Pair for more details.
ids-proxy-con-send-cert-as-client
This attribute has a boolean syntax and specifies whether iDAR will send its server certificate when making a TLS connection to an LDAP directory server. Set it to TRUE if you want iDAR to send its certificate to the backend LDAP directory server when making a TLS connection. The default is FALSE.
ids-proxy-con-server-ssl-version, ids-proxy-con-client-ssl-version
These options specify the version of SSL that iDAR will use. ids-proxy-con-server-ssl-version specifies the version of SSL it will use for connections between itself and backend LDAP servers while ids-proxy-con-client-ssl-version specifies the version between itself and the clients. Permitted values are 20 for SSL version 2 only, 30 for SSL version 3 only, 23 for SSL version 2 or SSL version 3, and 31 for TLS version 1 only. The default for both is 23.
ids-proxy-con-ssl-cert-required
If the ids-proxy-con-ssl-cert-required attribute is set to TRUE, iDAR will require all clients that establish an SSL session to submit a certificate chain. iDAR will close the connection if a certificate chain is not submitted. Note that this option does not affect SSL sessions between iDAR and the backend servers. The default value for this attribute is FALSE.
ids-proxy-con-ssl-cafile
The ids-proxy-con-ssl-cafile attribute specifies the path of the file on disk containing trusted root certificates. These certificates must be in the PEM format.
Connection Pool Configuration Attributes
If the connection pool is enabled, iDAR will try to reuse existing connections to the backend LDAP servers. Switching on this option can give significant performance gain if the backend server is on a Wide Area Network (WAN).
ids-proxy-con-connection-pool
The ids-proxy-con-connection-pool attribute enables or disables the connection pool module. If this attribute is present with the value TRUE iDAR will preconnect to the directory servers. The default is FALSE.
ids-proxy-con-connection-pool-interval
The ids-proxy-con-connection-pool-interval attribute takes an integer value greater than or equal to one. It specifies the interval in seconds at which iDAR will sample the incoming requests to anticipate future activity. The default is 15.
ids-proxy-con-connection-pool-timeout
The ids-proxy-con-connection-pool-timeout attribute takes an integer value greater than or equal to zero. It specifies the period of time in seconds after which an idle connection to an LDAP server will be terminated. If a zero value is specified, no timeout will be applied. The default is 30. This value should be less than the idle connection timeout value of the backend LDAP server.
Debugging
This attribute is useful when debugging iDAR. It is available on UNIX platforms only.
ids-proxy-con-foreground
The ids-proxy-con-foreground attribute specifies whether iDAR should remain in the foreground or detach from the controlling terminal. The default is FALSE, and iDAR will detach. This attribute should not be specified in the ids-proxy-sch-GlobalConfiguration object entry except when debugging.
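As an added example, not part of this guide or of the iDAR product, the following Python script reads iDAR configuration entries from LDIF and checks them against the constraints this chapter states for the ids-proxy-sch-LDAPProxy object class (mandatory ids-proxy-sch-Global-Config-Dn, ids-proxy-con-Server-Name and ids-proxy-sch-Group-Base, and that the configuration DN actually names a configuration entry) and for the ids-proxy-sch-GlobalConfiguration object class (integer ranges, the LDAPS port differing from the listen port and requiring ids-proxy-con-ssl-cert and ids-proxy-con-ssl-key, ports below 1024 needing root on UNIX, SSL version values, and ids-proxy-con-foreground left on outside debugging). The embedded LDIF is constructed: its DNs, file paths, the "idar-weak" entry and the use of an objectclass attribute to mark each entry are assumptions, not values from this guide.

```python
# Lint iDAR configuration entries in LDIF against the constraints this chapter
# states. Added example; not code from the iDAR product.

# Constructed sample: DNs, file paths and the deliberately weak entry are invented.
SAMPLE_LDIF = """\
dn: ids-proxy-con-Server-Name=idar1,ou=idar,o=example
objectclass: ids-proxy-sch-LDAPProxy
ids-proxy-con-Server-Name: idar1
ids-proxy-sch-Global-Config-Dn: ids-proxy-con-Config-Name=idar-global,ou=idar,o=example
ids-proxy-sch-Group-Base: ou=groups,ou=idar,o=example

dn: ids-proxy-con-Config-Name=idar-global,ou=idar,o=example
objectclass: ids-proxy-sch-GlobalConfiguration
ids-proxy-con-Config-Name: idar-global
ids-proxy-con-listen-port: 10389
ids-proxy-con-ldaps-port: 10636
ids-proxy-con-max-conns: 10
ids-proxy-con-ssl-key: /etc/idar/server-key.pem
ids-proxy-con-ssl-cert: /etc/idar/server-cert.pem
ids-proxy-con-ssl-cafile: /etc/idar/ca-bundle.pem
ids-proxy-con-ssl-cert-required: TRUE
ids-proxy-con-server-ssl-version: 31
ids-proxy-con-client-ssl-version: 31
ids-proxy-con-connection-pool: TRUE
ids-proxy-con-connection-pool-interval: 15
ids-proxy-con-connection-pool-timeout: 30

dn: ids-proxy-con-Config-Name=idar-weak,ou=idar,o=example
objectclass: ids-proxy-sch-GlobalConfiguration
ids-proxy-con-Config-Name: idar-weak
ids-proxy-con-listen-port: 389
ids-proxy-con-ldaps-port: 389
ids-proxy-con-ssl-cert: /etc/idar/server-cert.pem
ids-proxy-con-connection-pool-interval: 0
ids-proxy-con-foreground: TRUE
"""

# Integer attributes: (minimum, maximum or None) as the chapter gives them.
INT_RULES = {"ids-proxy-con-listen-port": (1, 65535), "ids-proxy-con-ldaps-port": (1, 65535),
             "ids-proxy-con-max-conns": (1, None), "ids-proxy-con-listen-backlog": (1, None),
             "ids-proxy-con-connection-pool-interval": (1, None),
             "ids-proxy-con-connection-pool-timeout": (0, None)}
PROXY_MANDATORY = ("ids-proxy-sch-Global-Config-Dn", "ids-proxy-con-Server-Name", "ids-proxy-sch-Group-Base")


def parse_ldif(text):
    """Minimal LDIF reader -> list of {lower-cased attribute: [values]}.
    Folded lines and '#' comments are handled; base64 (::) values are not needed here."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold; sentinel flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def lint_global_config(e):
    """Findings ('ERROR: ...' / 'WARN: ...') for one ids-proxy-sch-GlobalConfiguration entry."""
    out, ints = [], {}
    for attr, (lo, hi) in INT_RULES.items():
        raw = e.get(attr, [None])[0]
        if raw is None:
            continue
        if raw.isdigit() and int(raw) >= lo and (hi is None or int(raw) <= hi):
            ints[attr] = int(raw)
        else:
            out.append(f"ERROR: {attr} must be an integer >= {lo}" + (f" and <= {hi}" if hi else "") + f", got {raw!r}")
    listen, ldaps = ints.get("ids-proxy-con-listen-port", 389), ints.get("ids-proxy-con-ldaps-port")
    if ldaps is not None:  # LDAPS needs its own port plus a key and a certificate
        if ldaps == listen:
            out.append("ERROR: ids-proxy-con-ldaps-port must differ from ids-proxy-con-listen-port")
        out += [f"ERROR: {a} is required when ids-proxy-con-ldaps-port is set"
                for a in ("ids-proxy-con-ssl-cert", "ids-proxy-con-ssl-key") if a not in e]
    out += [f"WARN: port {p} requires starting iDAR as root on UNIX" for p in (listen, ldaps) if p and p < 1024]
    for attr in ("ids-proxy-con-server-ssl-version", "ids-proxy-con-client-ssl-version"):
        raw = e.get(attr, ["23"])[0]  # chapter default is 23 (SSL 2 or SSL 3)
        if raw not in ("20", "30", "23", "31"):
            out.append(f"ERROR: {attr} must be 20, 30, 23 or 31, got {raw!r}")
        elif raw != "31":
            out.append(f"WARN: {attr}={raw} allows SSL 2 and/or 3; 31 restricts it to TLS version 1")
    if e.get("ids-proxy-con-foreground", ["FALSE"])[0].upper() == "TRUE":
        out.append("WARN: ids-proxy-con-foreground is TRUE; the chapter reserves it for debugging")
    return out


def lint_ldif(text):
    """Lint every iDAR entry in an LDIF string; returns {dn: findings}."""
    entries = parse_ldif(text)
    def has(e, cls): return cls in [c.lower() for c in e.get("objectclass", [])]
    config_dns = {e["dn"][0].lower() for e in entries if has(e, "ids-proxy-sch-globalconfiguration")}
    report = {}
    for e in entries:
        dn = e["dn"][0]
        if has(e, "ids-proxy-sch-globalconfiguration"):
            report[dn] = lint_global_config(e)
        elif has(e, "ids-proxy-sch-ldapproxy"):
            report[dn] = [f"ERROR: {a} is mandatory for ids-proxy-sch-LDAPProxy" for a in PROXY_MANDATORY if a.lower() not in e]
            target = e.get("ids-proxy-sch-global-config-dn", [""])[0]
            if target and target.lower() not in config_dns:  # must name a real configuration entry
                report[dn].append(f"ERROR: ids-proxy-sch-Global-Config-Dn {target!r} matches no configuration entry")
    return report


if __name__ == "__main__":
    for dn, findings in lint_ldif(SAMPLE_LDIF).items():
        print(dn, *(findings or ["OK"]), sep="\n  ")
```

Run as a script, the linter reports the "idar1" proxy entry and the "idar-global" configuration as clean, and flags the "idar-weak" entry for an LDAPS port equal to the listen port, a missing ids-proxy-con-ssl-key, a pool interval below one, two ports that need root, the default SSL version setting on both sides, and foreground mode. The parser lower-cases attribute names because LDAP attribute names are case-insensitive, which is why the chapter's own mixed spellings of ids-proxy-con-Config-Name compare equal.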
Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.
Last Updated July 26, 2001