iPlanet Directory Access Router Administrator's Guide



Chapter 17   Properties Configuration


Property objects define more specialized restrictions that clients must follow. A property can then be included in other entries (for example, groups) wherever those restrictions are to be applied.

This chapter contains the following sections:

ids-proxy-sch-Property Object Class
ids-proxy-sch-LoadBalanceProperty Object Class
ids-proxy-sch-SizeLimitProperty Object Class
ids-proxy-sch-RenameAttributeProperty Object Class
ids-proxy-sch-ForbiddenEntryProperty Object Class
ids-proxy-sch-LDAPServer Object Class
ids-proxy-sch-LogProperty Object Class


ids-proxy-sch-Property Object Class

This object class defines the property object attributes. It contains the following attributes:


ids-proxy-con-Name

The ids-proxy-con-Name attribute specifies the name of the property. This attribute value must be unique within the set of properties. This attribute must be present as it forms the RDN of entries of this class.


ids-proxy-con-Priority

The ids-proxy-con-Priority attribute is reserved for future versions of this product.


ids-proxy-sch-Enable

The ids-proxy-sch-Enable attribute specifies if this object entry is part of the configuration or not. For an entry to be part of an iDAR configuration, the ids-proxy-sch-Enable attribute must be present with a value TRUE. If the ids-proxy-sch-Enable attribute is not present or has the value FALSE, the entry is ignored.


ids-proxy-sch-belongs-to

This is a multi-valued attribute that specifies which server configuration(s) this object entry belongs to. Each value of this attribute should be the value of the ids-proxy-con-server-name attribute in the ids-proxy-sch-LDAPProxy object entry, defined in the section ids-proxy-con-Server-Name.



ids-proxy-sch-LoadBalanceProperty Object Class



This object class is sub-classed from the ids-proxy-sch-property object class and tells iDAR to load balance across multiple LDAP servers. A group either includes this property through its ids-proxy-con-include-property attribute or carries the ids-proxy-con-server attribute directly, but not both. The following attribute is mandatory for this object class.

Note that iDAR uses a monitor process to make health checks on its backend servers. This feature is automatically enabled when load balancing is used: iDAR performs an anonymous search for the Root DSE of each backend directory server every 10 seconds. If a server becomes unavailable or unresponsive, iDAR removes it from the active load-balanced server set, and reintroduces it when it becomes available again. For the monitoring feature to work efficiently, the host on which iDAR is running must be configured according to the recommendations of the idsktune utility described in Chapter 2, "Computer System Requirements," of the iDAR Installation Guide.


ids-proxy-con-Server

The ids-proxy-con-Server attribute specifies a backend server and the percentage of client connections it should serve. Each value has the following syntax:

<server-Property>[#<percentage>]

The server-Property part is the value of ids-proxy-con-Name of an ids-proxy-sch-LDAPServer property object entry.

The percentage part is the percentage of the total connections that this server should be sent.

The percentages of the different servers specified must sum to 100. If the percentage is omitted, it is taken to be zero; a server with zero percentage is used as a failover server only.

For example, to load balance equally across three LDAP servers whose ids-proxy-con-Name values are ldap1, ldap2, and ldap3, this attribute should have the following three values:

ids-proxy-con-Server: ldap1#33
ids-proxy-con-Server: ldap2#33
ids-proxy-con-Server: ldap3#34
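The following Python script is an added example, not code from the iDAR guide or the product. It parses the ids-proxy-con-Server values out of a constructed LDIF fragment for a load-balance property entry, validates them the way the text requires (percentages must sum to 100, an omitted percentage means zero), and then illustrates the documented semantics with a weighted choice that falls back to zero-percentage servers only when every weighted server is unhealthy. The LDIF entry, the extra standby server and the selection routine are assumptions for illustration; the real proxy's scheduler and its 10-second Root DSE monitor are not reproduced here, the caller simply supplies the set of healthy servers.

```python
"""Added example: parse and validate ids-proxy-con-Server values of an
ids-proxy-sch-LoadBalanceProperty entry and illustrate the weights.

Not part of the iDAR guide. The LDIF below is constructed; the weighted
choice is an illustration of the documented percentages, not iDAR's
actual scheduler."""
import random
import re
from typing import Dict, List, Set

# Constructed LDIF fragment: the page's three-server example plus a
# standby server that has no percentage (so it is failover-only).
LOAD_BALANCE_LDIF = """\
dn: ids-proxy-con-Name=lb-prop,ou=properties,o=idar
objectclass: ids-proxy-sch-LoadBalanceProperty
ids-proxy-con-Name: lb-prop
ids-proxy-sch-Enable: TRUE
ids-proxy-sch-belongs-to: server1
ids-proxy-con-Server: ldap1#33
ids-proxy-con-Server: ldap2#33
ids-proxy-con-Server: ldap3#34
ids-proxy-con-Server: ldap-standby
"""

# <server-Property>[#<percentage>]
VALUE_RE = re.compile(r"^([^#\s]+)(?:#(\d{1,3}))?$")


def parse_servers(ldif: str) -> Dict[str, int]:
    """Return {server-property-name: percentage}; a missing '#pct' means 0."""
    weights: Dict[str, int] = {}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "ids-proxy-con-server":
            continue
        m = VALUE_RE.match(value.strip())
        if not m:
            raise ValueError(f"bad ids-proxy-con-Server value: {value!r}")
        name, pct = m.group(1), int(m.group(2) or 0)
        if name in weights:
            raise ValueError(f"server {name} listed twice")
        weights[name] = pct
    return weights


def validate(weights: Dict[str, int]) -> None:
    """The page requires the percentages to sum to exactly 100."""
    if not weights:
        raise ValueError("no ids-proxy-con-Server values")
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"percentages sum to {total}, must be 100")


def failover_only(weights: Dict[str, int]) -> List[str]:
    """Servers with 0% get traffic only when every weighted server is down."""
    return [name for name, pct in weights.items() if pct == 0]


def choose(weights: Dict[str, int], healthy: Set[str], rng: random.Random) -> str:
    """Weighted choice among healthy servers; fall back to 0% servers.

    Illustration only (assumption): in the proxy the monitor's Root DSE
    probe maintains the healthy set; here the caller passes it in."""
    active = {n: p for n, p in weights.items() if p > 0 and n in healthy}
    if not active:
        standby = [n for n in failover_only(weights) if n in healthy]
        if not standby:
            raise RuntimeError("no healthy backend")
        return rng.choice(standby)
    names, pcts = zip(*active.items())
    return rng.choices(names, weights=pcts, k=1)[0]


def distribution(weights: Dict[str, int], healthy: Set[str],
                 n: int = 10000, seed: int = 1) -> Dict[str, int]:
    """Count how n connections would be spread given the healthy set."""
    rng = random.Random(seed)
    counts = {name: 0 for name in weights}
    for _ in range(n):
        counts[choose(weights, healthy, rng)] += 1
    return counts


if __name__ == "__main__":
    w = parse_servers(LOAD_BALANCE_LDIF)
    validate(w)
    print("weights:", w, "failover-only:", failover_only(w))
    print("all up:     ", distribution(w, {"ldap1", "ldap2", "ldap3", "ldap-standby"}))
    print("ldap1 down: ", distribution(w, {"ldap2", "ldap3", "ldap-standby"}))
    print("only standby:", distribution(w, {"ldap-standby"}))
```

Running the script shows that the standby server receives nothing while any weighted server is up, and that traffic for a server the monitor has removed is spread over the remaining weighted servers in proportion to their percentages.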



ids-proxy-sch-SizeLimitProperty Object Class



This object class is sub-classed from the ids-proxy-sch-property object class. The ids-proxy-sch-SizeLimitProperty object class can be used to apply size limits based on the search base and search scope. If a given search matches neither the search base and scope combinations specified in this property object entry, the size limit defaults to the value of the ids-proxy-con-max-result-size group attribute. This property class has the following three attributes.


ids-proxy-con-Size-Limit

The ids-proxy-con-Size-Limit attribute takes an integer value specifying the size limit to enforce. This is a single-valued attribute. The value -1 means that no size limit is enforced. This attribute is mandatory. Note that this differs from the LDAP protocol, where a size limit of 0 means no limit.


ids-proxy-con-Dn-One

If the DN of the search base of a one-level search matches one of the distinguished names specified for the ids-proxy-con-Dn-One attribute, the value of ids-proxy-con-Size-Limit is enforced as the size limit of that search. This attribute has dn syntax.


ids-proxy-con-Dn-Sub

If the DN of the search base of a subtree search matches one of the distinguished names specified for the ids-proxy-con-Dn-Sub attribute, the value of ids-proxy-con-Size-Limit is enforced as the size limit of that search. This attribute has dn syntax.

For example, to enforce a size limit of 50 for subtree searches with search base dc=iplanet,dc=com and for one-level searches with search base ou=Development,dc=iplanet,dc=com, place the following attribute/value pairs in the ids-proxy-sch-SizeLimitProperty object entry:

ids-proxy-con-Size-Limit: 50
ids-proxy-con-Dn-Sub: dc=iPlanet, dc=com
ids-proxy-con-Dn-One: ou=Development, dc=iPlanet, dc=com
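The following Python script is an added example, not code from the iDAR guide or the product. It models the size-limit property from the text (a 50-entry limit for subtree searches at dc=iplanet,dc=com and one-level searches at ou=Development,dc=iplanet,dc=com) and resolves the limit iDAR would enforce for a given search base and scope, falling back to the group's ids-proxy-con-max-result-size and treating -1 as unlimited. Two details are assumptions not stated on the page: DNs are compared after stripping blanks around separators and folding case, and when several properties match the first one listed wins. The mapping to the wire-level sizeLimit, where 0 means no limit, is standard LDAP.

```python
"""Added example: resolve the size limit an ids-proxy-sch-SizeLimitProperty
would enforce for a search. Not part of the iDAR guide."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

NO_LIMIT = -1  # iDAR: -1 means unlimited (the LDAP protocol uses 0 for that)


def normalize_dn(dn: str) -> str:
    """Assumed comparison rule: drop blanks around ',' and '=', fold case."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


@dataclass
class SizeLimitProperty:
    size_limit: int                                    # ids-proxy-con-Size-Limit
    dn_one: List[str] = field(default_factory=list)    # ids-proxy-con-Dn-One
    dn_sub: List[str] = field(default_factory=list)    # ids-proxy-con-Dn-Sub

    def matches(self, base: str, scope: str) -> bool:
        """Match on the search base DN for the given scope ('one' or 'sub')."""
        nb = normalize_dn(base)
        if scope == "one":
            return any(normalize_dn(d) == nb for d in self.dn_one)
        if scope == "sub":
            return any(normalize_dn(d) == nb for d in self.dn_sub)
        return False  # base-scope searches are not covered by this property


def effective_size_limit(base: str, scope: str,
                         props: List[SizeLimitProperty],
                         group_max_result_size: int) -> Optional[int]:
    """Entries to allow, or None for unlimited.

    Assumption: the first matching property wins; the page does not define
    an order for several matching properties."""
    for p in props:
        if p.matches(base, scope):
            return None if p.size_limit == NO_LIMIT else p.size_limit
    return None if group_max_result_size == NO_LIMIT else group_max_result_size


def to_protocol_size_limit(limit: Optional[int]) -> int:
    """Map to the LDAP SearchRequest sizeLimit field, where 0 means no limit."""
    return 0 if limit is None else limit


# The page's example property (values written as they appear there).
EXAMPLE = SizeLimitProperty(
    size_limit=50,
    dn_one=["ou=Development, dc=iPlanet, dc=com"],
    dn_sub=["dc=iPlanet, dc=com"],
)

if __name__ == "__main__":
    group_max = 1000  # assumed ids-proxy-con-max-result-size of the group
    for base, scope in [("dc=iplanet,dc=com", "sub"),
                        ("ou=Development,dc=iplanet,dc=com", "one"),
                        ("ou=Development,dc=iplanet,dc=com", "sub"),
                        ("dc=iplanet,dc=com", "one")]:
        lim = effective_size_limit(base, scope, [EXAMPLE], group_max)
        print(f"{scope:4} {base:36} -> {lim} (wire sizeLimit {to_protocol_size_limit(lim)})")
```

Note that matching is on the search base itself, not on containment: a subtree search whose base is ou=Development,dc=iplanet,dc=com does not inherit the limit configured for dc=iplanet,dc=com and falls back to the group default.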



ids-proxy-sch-RenameAttributeProperty Object Class



This object class is sub-classed from the ids-proxy-sch-property object class. The ids-proxy-sch-RenameAttributeProperty object class can be used to rename attributes in client queries and in server results. This property has two mandatory single-valued attributes.


ids-proxy-con-server-attr-name

The ids-proxy-con-server-attr-name attribute is used to specify the name of the attribute known to the server.


ids-proxy-con-client-attr-name

The ids-proxy-con-client-attr-name attribute is used to specify the name of the attribute known to the client.

If a client request contains an attribute name specified in ids-proxy-con-client-attr-name, it will be transformed to the value of ids-proxy-con-server-attr-name. Similarly, if a result sent by the server contains an attribute name specified in ids-proxy-con-server-attr-name, it will be transformed to the value of ids-proxy-con-client-attr-name.



ids-proxy-sch-ForbiddenEntryProperty Object Class



This object class is sub-classed from the ids-proxy-sch-property object class. The ids-proxy-sch-ForbiddenEntryProperty can be used to specify a list of entries or attributes in those entries that you want to hide. It has the following attributes.


ids-proxy-con-dn-exact

This is a multi-valued attribute that can be used to specify a list of DN's of entries or attributes in those entries that you want to hide.


ids-proxy-con-dn-regexp

This is a multi-valued attribute that specifies a list of regular expressions matched against the DNs of the entries (or of the entries whose attributes) you want to hide. The regular expression must be written against the normalized form of the DN: no spaces between RDN components or around the "=" sign, attribute names in upper case, and attribute values also in upper case when the attribute has the cis (case-insensitive string) syntax.

For example, to match any DN with a RDN component of "ou=internal", you must specify the following:

ids-proxy-con-dn-regexp: .*OU=INTERNAL.*

If the ids-proxy-sch-ForbiddenEntryProperty object entry contains ids-proxy-con-permitted-return values, an attribute of a matched entry that is not in that list is not returned. If the entry contains no ids-proxy-con-permitted-return values, an attribute of a matched entry that matches none of the ids-proxy-con-forbidden-return values is returned.

The following book can be used as a reference on regular expressions: Mastering Regular Expressions, by Jeffrey E. F. Friedl (edited by Andy Oram), published by O'Reilly, ISBN 1565922573.


ids-proxy-con-ava

The ids-proxy-con-ava is a multi-valued attribute that can be used to specify a list of attribute name/value pairs. If an entry has an attribute name/value pair that matches any of the specified attribute name/value, then that entry or some of its content will be hidden. The ids-proxy-con-ava attribute has the following syntax:

<attribute-name>:<attribute-value>

For example, to hide all entries that have either ou=internal or secret=yes among their attribute values, specify the following:

ids-proxy-con-ava: ou:internal
ids-proxy-con-ava: secret:yes


ids-proxy-con-forbidden-return

The ids-proxy-con-forbidden-return attribute specifies the name of an attribute that is to be excluded from the entry that has matched any of the above specifications. This is a multi-valued attribute. If this attribute is not present and the ids-proxy-con-permitted-return attribute is also not present in the ids-proxy-sch-ForbiddenEntryProperty, then the entire entry is hidden.


ids-proxy-con-permitted-return

The ids-proxy-con-permitted-return attribute specifies the name of an attribute that may be returned as part of the entry that has matched any of the above specifications. This is a multi-valued attribute.
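The following Python script is an added example, not code from the iDAR guide or the product. It applies a ForbiddenEntry property to constructed sample search results the way the text describes: an entry is matched by ids-proxy-con-dn-exact, by ids-proxy-con-dn-regexp against the normalized DN, or by an ids-proxy-con-ava pair; a matched entry is then hidden entirely, reduced to its ids-proxy-con-permitted-return attributes, or stripped of its ids-proxy-con-forbidden-return attributes. Assumptions not stated on the page: attribute names and ava values are compared case-insensitively, every DN value is treated as having cis syntax (so the whole normalized DN is upper-cased), regular expressions must match the entire normalized DN (the page's own example carries leading and trailing .*), and when both return lists are present the permitted list wins. The sample entries and the two property instances are constructed for illustration.

```python
"""Added example: apply an ids-proxy-sch-ForbiddenEntryProperty to search
results. Not part of the iDAR guide; entries and properties are constructed."""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

Entry = Dict[str, Any]  # {"dn": str, "attrs": {name: [values]}}


def normalize_dn(dn: str) -> str:
    """Normalized form described for ids-proxy-con-dn-regexp: no blanks
    around ',' or '=', attribute types and (cis) values upper-cased.
    Assumption: every value is treated as cis syntax."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).upper()


@dataclass
class ForbiddenEntryProperty:
    dn_exact: List[str] = field(default_factory=list)         # ids-proxy-con-dn-exact
    dn_regexp: List[str] = field(default_factory=list)        # ids-proxy-con-dn-regexp
    ava: List[str] = field(default_factory=list)              # ids-proxy-con-ava "attr:value"
    forbidden_return: List[str] = field(default_factory=list) # ids-proxy-con-forbidden-return
    permitted_return: List[str] = field(default_factory=list) # ids-proxy-con-permitted-return

    def matches(self, entry: Entry) -> bool:
        ndn = normalize_dn(entry["dn"])
        if any(normalize_dn(d) == ndn for d in self.dn_exact):
            return True
        if any(re.fullmatch(p, ndn) for p in self.dn_regexp):
            return True
        # Assumption: attribute names and values compared case-insensitively.
        attrs = {k.lower(): [str(v).lower() for v in vs]
                 for k, vs in entry["attrs"].items()}
        for spec in self.ava:
            name, _, value = spec.partition(":")
            if value.lower() in attrs.get(name.lower(), []):
                return True
        return False

    def filter(self, entry: Entry) -> Optional[Entry]:
        """Return the entry as the client may see it, or None if hidden."""
        if not self.matches(entry):
            return entry
        attrs = entry["attrs"]
        if self.permitted_return:
            keep = {a.lower() for a in self.permitted_return}
            visible = {k: v for k, v in attrs.items() if k.lower() in keep}
        elif self.forbidden_return:
            drop = {a.lower() for a in self.forbidden_return}
            visible = {k: v for k, v in attrs.items() if k.lower() not in drop}
        else:
            return None  # neither list present: the whole entry is hidden
        return {"dn": entry["dn"], "attrs": visible}


# Constructed sample entries as a backend might return them.
ENTRIES: List[Entry] = [
    {"dn": "uid=alice, ou=internal, dc=iplanet, dc=com",
     "attrs": {"uid": ["alice"], "cn": ["Alice"], "userPassword": ["{SSHA}x"]}},
    {"dn": "uid=bob,ou=Sales,dc=iplanet,dc=com",
     "attrs": {"uid": ["bob"], "cn": ["Bob"], "secret": ["YES"]}},
    {"dn": "uid=carol,ou=Sales,dc=iplanet,dc=com",
     "attrs": {"uid": ["carol"], "cn": ["Carol"]}},
]

# The page's example patterns; no return lists, so matched entries vanish.
HIDE_ALL = ForbiddenEntryProperty(dn_regexp=[".*OU=INTERNAL.*"],
                                  ava=["ou:internal", "secret:yes"])
# Same matches, but only cn may be returned (constructed policy).
CN_ONLY = ForbiddenEntryProperty(dn_regexp=[".*OU=INTERNAL.*"],
                                 ava=["secret:yes"], permitted_return=["cn"])


def apply(prop: ForbiddenEntryProperty, entries: List[Entry]) -> List[Entry]:
    """Filter a result set, dropping entries the property hides."""
    out = []
    for e in entries:
        f = prop.filter(e)
        if f is not None:
            out.append(f)
    return out


if __name__ == "__main__":
    for name, prop in [("hide-all", HIDE_ALL), ("cn-only", CN_ONLY)]:
        print(name)
        for e in apply(prop, ENTRIES):
            print("  ", e["dn"], sorted(e["attrs"]))
```

With HIDE_ALL only carol's entry survives; with CN_ONLY all three entries are returned but alice and bob are reduced to cn, so userPassword and secret never reach the client. Note that the regular expression is applied to the normalized DN, which is why a lower-case pattern such as .*ou=internal.* would match nothing.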



ids-proxy-sch-LDAPServer Object Class



This object class is sub-classed from the ids-proxy-sch-property object class. The ids-proxy-sch-LDAPServer property is used to define the backend LDAP servers. In order to reduce DNS lookup overhead, iDAR caches the DNS entry of the LDAP server host. Thus, if the IP address of your backend server changes, you must either restart iDAR or send it a HUP signal (UNIX only) so that it rereads its configuration.


ids-proxy-con-host

The ids-proxy-con-host attribute specifies the fully qualified DNS name or the IP address of the host where the backend LDAP server is running. This attribute is mandatory.


ids-proxy-con-port

The ids-proxy-con-port attribute specifies the port number on which the backend LDAP server is running. The default port used if this attribute is absent is 389.


ids-proxy-con-sport

The ids-proxy-con-sport attribute takes as its value the port number on which the backend server listens for LDAPS (LDAP over SSL) connections. Note that LDAPS is the non-standard mechanism for LDAP over SSL (as opposed to the Start TLS extended operation). Do not set any value for this attribute if the backend LDAP server does not support LDAPS.


ids-proxy-con-supported-version

The ids-proxy-con-supported-version specifies if the server defined by this entry supports only LDAP version 2 (2) or both LDAP version 2 and LDAP version 3 (23). The default is 23.


ids-proxy-con-use-version

This attribute tells iDAR the preferred LDAP protocol version to use when talking to the backend server this entry defines. Permitted values are:

2    Only use LDAPv2
3    Only use LDAPv3
23    Use the version that the client is using. This is also the default.

This option is useful when you have an LDAPv2 client for which iDAR needs to follow referrals. In this case iDAR itself needs to connect to the backend server as an LDAPv3 client in order for the backend server to send referrals back to it. This attribute should be set to 3 if the attribute ids-proxy-con-allow-multi-ldapv2-bind in the ids-proxy-sch-GlobalConfiguration object class is set to TRUE.


ids-proxy-con-tcp-no-delay

If the ids-proxy-con-tcp-no-delay attribute is set to FALSE, iDAR enables the Nagle algorithm (that is, it does not set TCP_NODELAY) on connections to this server. Set this attribute to FALSE only if the network bandwidth between iDAR and the server defined by this object entry is very limited. The default is TRUE.


ids-proxy-con-link-security-policy

The ids-proxy-con-link-security-policy attribute defines the security policy for connections between iDAR and the backend server. If it is set to ssl_always, iDAR establishes a TLS session with the backend server before performing any operation. If it is set to ssl_never, iDAR never establishes a TLS session with the backend server. Finally, if ssl_optional is specified, iDAR establishes a TLS session with the backend server only when the client has established one with iDAR; this is the default behavior. Note that with ssl_optional a client that connects to iDAR in the clear also causes the iDAR-to-backend connection to be made in the clear, so use ssl_always if the backend link crosses a network you do not trust.


ids-proxy-con-x509cert-subject

The ids-proxy-con-x509cert-subject attribute specifies the name of the LDAP server as given in the subject field of its certificate. This attribute has dn syntax. If it is specified, iDAR compares it with the subject of the certificate presented by the server and rejects the TLS session with the LDAP server in case of a mismatch.

This attribute allows iDAR to authenticate the LDAP server it is connecting to.


ids-proxy-con-keepalive-interval

iDAR uses the value of ids-proxy-con-keepalive-interval to determine whether the network link to an LDAP directory server is down or the server has become unresponsive. If a client connected to iDAR has pending operations and iDAR has not received any data from the connection's LDAP server for the number of seconds given by ids-proxy-con-keepalive-interval, iDAR tests the availability of the LDAP server by opening another communication channel to it. If iDAR cannot open that channel, it fails over to another LDAP server if one is available. If it does open the second channel, iDAR waits for another interval to receive data from the LDAP server; if it still receives none, it assumes that the LDAP server is unresponsive and fails over to another directory server if one is available. The default value for this attribute is 180 seconds. It is recommended that you increase this value if the LDAP server is not on the same local network as iDAR.



ids-proxy-sch-LogProperty Object Class



This object class is sub-classed from the ids-proxy-sch-property object class. The ids-proxy-sch-LogProperty object class can be used to define the logging characteristics of iDAR. This property can only be referenced by the ids-proxy-sch-GlobalConfiguration object entry, using the ids-proxy-con-include-logproperty attribute.

Please refer to the section ids-proxy-sch-LogProperty Object Class for more details of this property.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated July 26, 2001