39 Managing DIT Masking

DIT masking is the restriction of the DIT content that is exposed in an Oracle Internet Directory server instance. Masking restricts access by all users except the super user, cn=orcladmin. Typically, you use masking to prevent some users from seeing certain portions of the DIT, based on which instance of the Oracle Internet Directory server they connect to. Typical use cases for presenting different views of the DIT include test vs. production and internal vs. external users.

Beginning with Oracle Internet Directory 11g Release 1 (, you can also disallow access to one or more containers from the entire directory, as opposed to hiding the containers from a specific Oracle Internet Directory server instance.

You could also restrict a user's view of the DIT by using Oracle Virtual Directory, but DIT masking has far less performance and administrative overhead.

This chapter contains these topics:

39.1 Configuring Masking

By default, no masking is configured. You use the following configuration attributes of the instance-specific configuration entry to configure masking.

Table 39-1 Masking Configuration Attributes

Attribute Description


Contains the DIT subtrees that are exposed in an instance. The DN configured and its children are visible in the instance. Other entries in the DIT are masked (hidden) for all LDAP operations.


Contains DIT subtrees that are hidden in a container for an entire directory.


Filters the entries exposed in the instance. Entries matching the filter criteria are exposed. Other entries are hidden for all LDAP operations.

You modify these attributes in the same way as other attributes of the instance-specific configuration entry. See Section 9.4.1, "Setting System Configuration Attributes by Using ldapmodify."

39.2 Masking Examples

Masking is useful in scenarios where the administrator wants to selectively expose or hide the entries present in the directory. The following examples illustrate this use case.

39.2.1 Restricting Access by Container Name

Consider a DIT setup with the following hierarchy:


The internal container contains entries internal to the organization and should have limited access. The external and public container contains data about external users and some public information that is accessible to all. An administrator wants to ensure that only the external and public data is available outside of the organization firewall. This can be achieved through masking. Create an Oracle Internet Directory instance, such as oid2, that runs on a port exposed through the firewall. To ensure applications and users connecting to this port see only publicly accessible content, create masking realms in cn=oid2 with ldapmodify, using the following LDIF file:

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
add: orclmaskrealm
orclmaskrealm: cn=external,o=oracle
orclmaskrealm: cn=public,o=oracle

This example ensures that only the entries in the configured containers public and external are seen through this instance. Applications and users connecting to this instance cannot see the Internal container and its entries.

39.2.2 Restricting Access by Entry Data

Another use case is restricting entries based on the data stored in them. An organization might have data about employees, contract workers and temp workers. A user lookup application such as an email client looks up data on the directory server to find out email addresses. An administrator wants to hide temp workers' information and only expose employees and contractor workers in the instance, say cn=oid2, that is accessed by the email client. This can be done by configuring masking filters with ldapmodify, using the following LDIF file:

dn: cn=oid2,cn=osdldapd,cn=subconfigsubentry
changetype: modify
add: orclmaskfilter
orclmaskfilter: (usertype=employee)
orclmaskfilter: (usertype=contract)

This example ensures that entries with usertype=employee or usertype=contract are exposed and others are not exposed.

39.2.3 Disallowing Access to Containers from the Entire Directory

Consider a DIT setup with the following container:


You can disallow access to this container from the entire directory (as opposed to hiding the container from a specific instance) with ldapmodify, using the following LDIF file:

dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclmaskrealm;disallowed
orclmaskrealm;disallowed: cn=internal,o=oracle

This example ensures that entries in the internal container are not accessible to users other than super user, cn=orcladmin, for all LDAP operations.