38 Managing DIT Masking

DIT masking restricts the portion of the DIT that an Oracle Internet Directory server instance exposes. Masking applies to all users except the super user, cn=orcladmin. Typically, you use masking to prevent some users from seeing certain portions of the DIT, based on which instance of the Oracle Internet Directory server they connect to. Typical use cases for presenting different views of the DIT are test versus production and internal versus external users. Because masking is a property of the instance, it protects the hidden data only as long as the users concerned cannot reach an unmasked instance.

You could also restrict a user's view of the DIT with Oracle Virtual Directory, but DIT masking has far less performance and administrative overhead.

38.1 Configuring Masking

By default, no masking is configured. You configure masking with the following attributes of the instance-specific configuration entry.

Table 38-1 Masking Configuration Attributes

Attribute        Description
---------------  ------------------------------------------------------------
orclMaskRealm    The DIT subtrees that are exposed in the instance. Each
                 configured DN and its children are visible; all other
                 entries in the DIT are masked (hidden) for all LDAP
                 operations. The attribute can hold several DNs.
orclMaskFilter   Filters the entries exposed in the instance. Entries that
                 match the filter criteria are exposed; all other entries are
                 hidden for all LDAP operations. The attribute can hold
                 several filters.

You modify these attributes in the same way as other attributes of the instance-specific configuration entry. See Section 9.4.1, "Setting System Configuration Attributes by Using ldapmodify."

38.2 Masking Examples

Masking is useful when an administrator wants to expose only a subset of the entries in the directory. The following examples illustrate two ways of selecting that subset.

38.2.1 Restricting Access by Container Name

Consider a DIT setup with the following hierarchy:

cn=internal,o=oracle
cn=external,o=oracle
cn=public,o=oracle

The internal container holds entries that are internal to the organization and should have limited access. The external and public containers hold data about external users and public information that is accessible to all. An administrator wants to ensure that only the external and public data is available outside the organization's firewall. This can be achieved with masking. Create an Oracle Internet Directory instance, such as oid2, that listens on a port exposed through the firewall. To ensure that applications and users connecting to this port see only the publicly accessible content, create masking realms in the instance-specific configuration entry cn=oid2 with ldapmodify, using the following LDIF file:

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
add: orclmaskrealm
orclmaskrealm: cn=external,o=oracle
orclmaskrealm: cn=public,o=oracle

This ensures that only the entries in the configured containers, cn=external and cn=public, and their children are visible through this instance. Applications and users connecting to it cannot see the cn=internal container or its entries. Note that a realm is visible from the configured DN down, so the parent entry o=oracle is not part of either realm.

38.2.2 Restricting Access by Entry Data

Another use case is restricting entries based on the data stored in them. An organization might hold data about employees, contract workers and temp workers. A user lookup application, such as an email client, queries the directory server to find email addresses. An administrator wants to hide the temp workers' information and expose only employees and contract workers in the instance accessed by the email client, for example cn=oid2. This is done by configuring masking filters with ldapmodify, using the following LDIF file:

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
add: orclmaskfilter
orclmaskfilter: (usertype=employee)
orclmaskfilter: (usertype=contract)

This ensures that only entries with usertype=employee or usertype=contract are exposed; every other entry, including the temp workers' entries, is hidden. Each orclmaskfilter value is an LDAP search filter, and an entry is exposed if it matches any one of them.
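The following Python script is an added example, not Oracle code and not part of this chapter. It models the masking rules of Sections 38.2.1 and 38.2.2 (a realm exposes the configured DN and everything below it; a filter exposes only matching entries; several realms or several filters are alternatives) so that a proposed orclMaskRealm or orclMaskFilter configuration can be dry-run against sample DNs, and a malformed filter caught, before it is written to cn=oid2 with ldapmodify. The sample entries are constructed, the helper names are the author's own, and two points are assumptions rather than documented behaviour: that a realm and a filter configured on the same instance must both pass, and that the filter is applied literally to every entry, containers included. The filter parser covers only equality, presence, &, | and !.

```python
"""Offline dry-run of Oracle Internet Directory DIT masking (added example).

Assumptions: several orclMaskRealm or orclMaskFilter values are ORed; realm
and filter on one instance are ANDed; the filter is applied to every entry,
containers included.  The server's own evaluation is authoritative, so
confirm the result with ldapsearch against the masked instance.
"""


def normalize_dn(dn):
    """Lower-cased, trimmed (attr, value) RDN pairs; no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def in_realm(dn, realm):
    """True if dn is the realm DN itself or lies anywhere below it."""
    d, r = normalize_dn(dn), normalize_dn(realm)
    return len(d) >= len(r) and d[len(d) - len(r):] == r


def parse_filter(text):
    """Parse an RFC 4515 subset: (attr=value), (attr=*), (&..), (|..), (!..)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body and body[0] in "&|!":
        children, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], start=1):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:  # one complete operand collected
                    children.append(parse_filter(body[start:i + 1]))
        if depth != 0 or not children or (body[0] == "!" and len(children) != 1):
            raise ValueError("malformed compound filter: %r" % text)
        return (body[0], children)
    attr, sep, value = body.partition("=")
    attr, value = attr.strip(), value.strip()
    if not sep or not attr or not value or ("*" in value and value != "*"):
        raise ValueError("unsupported filter item: %r" % text)
    return ("=", attr.lower(), value)


def filter_is_valid(text):
    """Syntax check to run before writing an orclMaskFilter value."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def match_filter(node, entry):
    """Evaluate a parsed filter against an entry (attr -> list of values)."""
    if node[0] == "&":
        return all(match_filter(c, entry) for c in node[1])
    if node[0] == "|":
        return any(match_filter(c, entry) for c in node[1])
    if node[0] == "!":
        return not match_filter(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def visible(entry, mask_realms=(), mask_filters=()):
    """Apply an instance's mask to one entry; no mask configured => visible."""
    if mask_realms and not any(in_realm(entry["dn"], r) for r in mask_realms):
        return False
    if mask_filters and not any(match_filter(parse_filter(f), entry)
                                for f in mask_filters):
        return False
    return True


def exposed_dns(entries, mask_realms=(), mask_filters=()):
    """DNs a client of the masked instance would be able to see, in order."""
    return [e["dn"] for e in entries if visible(e, mask_realms, mask_filters)]


# Constructed sample DIT laid out like the chapter's o=oracle tree.
SAMPLE_ENTRIES = [
    {"dn": "o=oracle", "objectclass": ["organization"]},
    {"dn": "cn=internal,o=oracle", "objectclass": ["orclContainer"]},
    {"dn": "cn=external,o=oracle", "objectclass": ["orclContainer"]},
    {"dn": "cn=public,o=oracle", "objectclass": ["orclContainer"]},
    {"dn": "cn=alice,cn=internal,o=oracle", "usertype": ["employee"]},
    {"dn": "cn=bob,cn=external,o=oracle", "usertype": ["contract"]},
    {"dn": "cn=carol,cn=external,o=oracle", "usertype": ["temp"]},
    {"dn": "cn=news,cn=public,o=oracle", "objectclass": ["top"]},
]
REALMS_OID2 = ["cn=external,o=oracle", "cn=public,o=oracle"]   # Section 38.2.1
FILTERS_OID2 = ["(usertype=employee)", "(usertype=contract)"]  # Section 38.2.2

if __name__ == "__main__":
    print("realm mask :", exposed_dns(SAMPLE_ENTRIES, mask_realms=REALMS_OID2))
    print("filter mask:", exposed_dns(SAMPLE_ENTRIES, mask_filters=FILTERS_OID2))
    print("both       :", exposed_dns(SAMPLE_ENTRIES, REALMS_OID2, FILTERS_OID2))
    print("typo valid?:", filter_is_valid("(usertype=employee"))
```

Run it with the realm list from Section 38.2.1 and the two container entries plus their children are the only DNs returned; with the filter list from Section 38.2.2 only cn=alice and cn=bob survive, and the containers themselves disappear because they carry no usertype attribute, which is the kind of side effect worth spotting before the change goes live. The same dry run shows that the unclosed filter (usertype=employee is rejected. After applying the real LDIF, repeat the check on the server by running the same ldapsearch against the masked instance's port and against an unmasked instance and comparing the DNs returned.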