Oracle® Fusion Middleware Upgrade and Migration Guide for Oracle Directory Server Enterprise Edition
11g Release 1 (11.1.1.7.0)

Part Number E28971-01

10 Migrating Directory Proxy Server

There is no automatic migration path from Directory Proxy Server 5.2 to Directory Proxy Server 11g Release 1 (11.1.1.7.0). Directory Proxy Server 11g Release 1 (11.1.1.7.0) provides much more functionality than the old version, so a one-to-one mapping of configuration information is not possible in most instances. It is, however, possible to configure Directory Proxy Server 11g Release 1 (11.1.1.7.0) to behave like a version 5.2 server for compatibility.

This chapter describes how the configuration properties in Directory Proxy Server 11g Release 1 (11.1.1.7.0) can be used to simulate a version 5.2 configuration.

The chapter covers the following topics:

10.1 Mapping the Global Configuration

10.2 Mapping the Connection Pool Configuration

10.3 Mapping the Groups Configuration

10.4 Mapping the Properties Configuration

10.1 Mapping the Global Configuration

Before you change the Directory Proxy Server 11g Release 1 (11.1.1.7.0) configuration, back up the configuration by using the dpadm backup command. For more information, see dpadm.

You can configure Directory Proxy Server 11g Release 1 (11.1.1.7.0) by using the Directory Service Control Center (DSCC) or the dpconf command-line utility. For more information, see dpconf.

Directory Proxy Server 11g Release 1 (11.1.1.7.0) configuration can be retrieved as a set of properties. For example, information about the port is returned in the listen-port property. This section describes how to map the version 5.2 global configuration attributes to the corresponding properties in Directory Proxy Server 11g Release 1 (11.1.1.7.0), where applicable. Not all functionality can be mapped directly.

The global Directory Proxy Server 5.2 configuration is specified by two object classes: ids-proxy-sch-LDAPProxy and ids-proxy-sch-GlobalConfiguration.

Because of the way in which Directory Proxy Server 11g Release 1 (11.1.1.7.0) is configured, Directory Proxy Server 11g Release 1 (11.1.1.7.0) has no equivalent for the ids-proxy-sch-LDAPProxy object class or its attributes.

In Directory Proxy Server 5.2, these configuration attributes are stored under ids-proxy-con-Config-Name=user-defined-name,ou=system,ou=dar-config,o=netscaperoot.

The functionality of the ids-proxy-sch-GlobalConfiguration is provided as properties of various elements in Directory Proxy Server 11g Release 1 (11.1.1.7.0). The following table maps the attributes of the ids-proxy-sch-GlobalConfiguration object class to the corresponding properties in Directory Proxy Server 11g Release 1 (11.1.1.7.0).

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-Config-Name -> No equivalent

Listener attributes: Directory Proxy Server 11g Release 1 (11.1.1.7.0) has two listeners, a non-secure LDAP listener and a secure LDAPS listener. The version 5.2 listen configuration attributes map to the following four listener properties. To configure listener properties, use the dpconf command as follows:

$ dpconf set-ldap-listener-prop PROPERTY:VALUE

$ dpconf set-ldaps-listener-prop PROPERTY:VALUE

For more information, see Configuring Listeners Between Clients and Directory Proxy Server in Administrator's Guide for Oracle Directory Server Enterprise Edition.

ids-proxy-con-listen-port -> listen-port (property of the ldap-listener)

ids-proxy-con-listen-host -> listen-address

ids-proxy-con-listen-backlog -> max-connection-queue-size

ids-proxy-con-ldaps-port -> listen-port (property of the ldaps-listener)

ids-proxy-con-max-conns -> max-client-connections property of a resource limits policy. To configure this property, use the dpconf command as follows:

$ dpconf set-resource-limit-policy-prop POLICY-NAME max-client-connections:VALUE

For more information, see Creating and Configuring a Resource Limits Policy in Administrator's Guide for Oracle Directory Server Enterprise Edition.

ids-proxy-con-userid -> The user and group names specified when an instance is created, by using the following command:

$ dpadm create [-u NAME -g NAME] INSTANCE-PATH

ids-proxy-con-working-dir -> The INSTANCE-PATH specified when an instance is created, by using the following command:

$ dpadm create INSTANCE-PATH

For more information on both dpadm create options, see Working With Directory Proxy Server Instances in Administrator's Guide for Oracle Directory Server Enterprise Edition.

ids-proxy-con-include-logproperty -> No equivalent. For information on configuring logging in Directory Proxy Server 11g Release 1 (11.1.1.7.0), see Chapter 27, Directory Proxy Server Logging, in Administrator's Guide for Oracle Directory Server Enterprise Edition.


10.1.1 Mapping the Global Security Configuration

In Directory Proxy Server 5.2, security is configured by using attributes of the global configuration object. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), you can configure security when you create the server instance by using the dpadm command. For more information, see Chapter 19, Directory Proxy Server Certificates, in Administrator's Guide for Oracle Directory Server Enterprise Edition.

In Directory Proxy Server 5.2, these configuration attributes are stored under ids-proxy-con-Config-Name=user-defined-name,ou=system,ou=dar-config,o=netscaperoot.

The following table maps the version 5.2 security attributes to the corresponding properties in Directory Proxy Server 11g Release 1 (11.1.1.7.0).

Table 10-1 Mapping of Security Configuration

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-ssl-key -> ssl-key-pin

ids-proxy-con-ssl-cert -> ssl-certificate-directory and ssl-server-cert-alias

ids-proxy-con-send-cert-as-client -> ssl-client-cert-alias

In version 5.2, this attribute enables the proxy server to send its certificate to the LDAP server, so that the LDAP server can authenticate the proxy server as an SSL client. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), the ssl-client-cert-alias property lets the proxy server present a different certificate to the LDAP server from the one it presents to clients, that is, one certificate when acting as an SSL server and another when acting as an SSL client.

ids-proxy-con-server-ssl-version, ids-proxy-con-client-ssl-version -> No equivalent

ids-proxy-con-ssl-cert-required -> allow-cert-based-auth server property. To require client certificates, set the property as follows:

$ dpconf set-server-prop allow-cert-based-auth:require

ids-proxy-con-ssl-cafile -> No equivalent


10.1.1.1 Managing Certificates

Directory Proxy Server 5.2 certificates were managed by using the certreq utility, or by using the console. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), certificates are managed by using the dpadm command, or by using the DSCC.

Certificates must be installed on each individual data source in Directory Proxy Server 11g Release 1 (11.1.1.7.0).

For information about managing certificates in Directory Proxy Server 11g Release 1 (11.1.1.7.0), see Chapter 19, Directory Proxy Server Certificates, in Administrator's Guide for Oracle Directory Server Enterprise Edition.

10.1.1.2 Access Control on the Proxy Configuration

In Directory Proxy Server 5.2, access control on the proxy configuration is managed by ACIs in the configuration directory server. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), access to the configuration file is restricted to the person who created the proxy instance, or to the proxy manager if the configuration is accessed through Directory Proxy Server. Editing the configuration file directly is not supported.

10.2 Mapping the Connection Pool Configuration

Directory Proxy Server 5.2 can be configured to reuse existing connections to the backend LDAP servers. This can provide a significant performance gain if the backend servers are on a wide area network (WAN). In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is provided by connection pools that are configured per LDAP data source, that is, per backend server. For more information, see Chapter 18, LDAP Data Views, in Administrator's Guide for Oracle Directory Server Enterprise Edition.

In Directory Proxy Server 5.2, these configuration attributes are stored under ids-proxy-con-Config-Name=user-defined-name,ou=system,ou=dar-config,o=netscaperoot.

The following table provides a mapping between Directory Proxy Server 5.2 connection configuration attributes and the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) properties.

Table 10-2 Mapping of Connection Pool Attributes

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-connection-pool -> No equivalent

ids-proxy-con-connection-pool-interval -> The connection pool grows automatically, up to a configured maximum. The initial size, increment and maximum are configured, per operation type, by setting the following properties of an LDAP data source:

num-bind-init, num-bind-incr, num-bind-limit

num-read-init, num-read-incr, num-read-limit

num-write-init, num-write-incr, num-write-limit

For information about setting LDAP data source properties, see To Configure an LDAP Data Source in Administrator's Guide for Oracle Directory Server Enterprise Edition.

ids-proxy-con-connection-pool-timeout -> backendMaxReadWaitTimeInMilliSec


10.3 Mapping the Groups Configuration

Directory Proxy Server 5.2 uses groups to define how client connections are identified and what restrictions are placed on the client connections. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is achieved using connection handlers, data views, and listeners.

Connection handlers, data views, and listeners can be configured by using the Directory Service Control Center or by using the dpconf command. For more information, see Chapter 25, Connections Between Clients and Directory Proxy Server, in Administrator's Guide for Oracle Directory Server Enterprise Edition and Chapter 21, Directory Proxy Server Distribution, in Administrator's Guide for Oracle Directory Server Enterprise Edition.

10.3.1 Mapping the Group Object

In Directory Proxy Server 5.2, a group is defined by setting the attributes of the ids-proxy-sch-Group object class. Certain attributes of this object class can be mapped to Directory Proxy Server 11g Release 1 (11.1.1.7.0) connection handler properties. For a list of all the connection-handler properties, run the following command:

$ dpconf help-properties | grep connection-handler

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps version 5.2 group attributes to the corresponding connection handler properties.

Table 10-3 Mapping Between Group Attributes and Connection Handler Properties

Directory Proxy Server 5.2 group attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) connection handler property

ids-proxy-con-Name -> cn

ids-proxy-con-Priority -> priority

ids-proxy-sch-Enable -> is-enabled

ids-proxy-sch-belongs-to -> No equivalent

ids-proxy-con-permit-auth-none:TRUE -> allowed-auth-methods:anonymous

ids-proxy-con-permit-auth-sasl:TRUE -> allowed-auth-methods:sasl

ids-proxy-con-permit-auth-simple:TRUE -> allowed-auth-methods:simple


10.3.2 Mapping the Network Group Object

Directory Proxy Server 5.2 groups are configured by setting the attributes of the ids-proxy-sch-NetworkGroup object class. These attributes can be mapped to properties of Directory Proxy Server 11g Release 1 (11.1.1.7.0) connection handlers, data sources and listeners. For a list of all the properties related to these objects, run the dpconf help-properties command, and search for the object. For example, to locate all the properties of a connection handler, run the following command:

$ dpconf help-properties | grep connection-handler

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps Directory Proxy Server 5.2 network group attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) properties and describes how to set these properties by using the command line.

Table 10-4 Mapping of Network Group Attributes

Directory Proxy Server 5.2 network group attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-Client -> domain-name-filters and ip-address-filters properties of a connection handler

ids-proxy-con-include-property -> No equivalent

ids-proxy-con-include-rule -> No equivalent

ids-proxy-con-ssl-policy:ssl_required -> is-ssl-mandatory:true, set as a connection handler property by using the following command:

$ dpconf set-connection-handler-prop CONNECTION-HANDLER-NAME is-ssl-mandatory:true

ids-proxy-con-ssl-policy:ssl_optional -> ssl-policy:client, set as an LDAP data source property by using the following command:

$ dpconf set-ldap-data-source-prop ds1 ssl-policy:client

ids-proxy-con-ssl-policy:ssl_unavailable -> is-ssl-mandatory:false, set as a connection handler property by using the following command:

$ dpconf set-connection-handler-prop CONNECTION-HANDLER-NAME is-ssl-mandatory:false

ids-proxy-con-tcp-no-delay -> use-tcp-no-delay, set as a property of a specific listener by using the following command:

$ dpconf set-ldap-listener-prop use-tcp-no-delay:true

ids-proxy-con-allow-multi-ldapv2-bind -> No equivalent

ids-proxy-con-reverse-dns-lookup -> No equivalent

ids-proxy-con-timeout -> connection-idle-timeout. This functionality exists, but with less granularity than in Directory Proxy Server 5.2: the limit is set per listener rather than per group. Set it by using the following command:

$ dpconf set-ldap-listener-prop connection-idle-timeout:VALUE


10.3.3 Mapping Bind Forwarding

Directory Proxy Server 5.2 bind forwarding is used to determine whether to pass a bind request on to an LDAP server or to reject the bind request and close the client's connection. Directory Proxy Server 11g Release 1 (11.1.1.7.0) forwards either all bind requests or no bind requests. However, by setting the allowed-auth-methods connection handler property, successful binds can be classified into connection handlers, according to the authentication criteria. Directory Proxy Server 11g Release 1 (11.1.1.7.0) can be configured to reject all requests from a specific connection handler, providing the same functionality as Directory Proxy Server 5.2 bind forwarding.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot

The following table maps the Directory Proxy Server 5.2 bind forwarding attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) connection handler property settings.

Table 10-5 Mapping of Bind Forwarding Attributes to Connection Handler Property Settings

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-bind-name -> No equivalent

ids-proxy-con-permit-auth-none -> allowed-auth-methods:anonymous

ids-proxy-con-permit-auth-simple -> allowed-auth-methods:simple

ids-proxy-con-permit-auth-sasl -> allowed-auth-methods:sasl


10.3.4 Mapping Operation Forwarding

Operation forwarding determines how Directory Proxy Server 5.2 handles requests after a successful bind. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is provided by setting the properties of a request filtering policy. For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Administrator's Guide for Oracle Directory Server Enterprise Edition. For a list of all the properties of a request filtering policy, run the following command:

$ dpconf help-properties | grep request-filtering-policy

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 operation forwarding attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) request filtering properties.

Table 10-6 Mapping of Operation Forwarding Attributes to Request Filtering Properties

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-permit-op-search -> allow-search-operations

ids-proxy-con-permit-op-compare -> allow-compare-operations

ids-proxy-con-permit-op-add -> allow-add-operations

ids-proxy-con-permit-op-delete -> allow-delete-operations

ids-proxy-con-permit-op-modify -> allow-modify-operations

ids-proxy-con-permit-op-modrdn -> allow-rename-operations

ids-proxy-con-permit-op-extended -> allow-extended-operations
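The four mappings above (Tables 10-3 to 10-6) are mechanical enough to script. The following Python program is an added example and is not code from the Oracle documentation or from Directory Proxy Server itself: it parses a constructed LDIF export of one version 5.2 group entry and prints the dpconf commands that Tables 10-3 to 10-6 imply, while listing every attribute that has no 11g equivalent so that nothing is dropped silently during the migration. The "ch-" and "rfp-" naming scheme, the data source name ds1, and the request-filtering-policy connection handler property used to attach the policy are assumptions of the example.

```python
"""Translate a Directory Proxy Server 5.2 group entry into dpconf commands.

Added example; not code from the Oracle documentation or from DSEE. It parses
a constructed LDIF export of one 5.2 ids-proxy-sch-Group/NetworkGroup entry and
emits the dpconf commands implied by Tables 10-3 to 10-6. Attributes with no
11g equivalent are reported rather than silently dropped. Assumed here: the
"ch-"/"rfp-" naming scheme, the data source name "ds1", and the
request-filtering-policy handler property used to attach the policy.
"""
from collections import defaultdict

# Constructed sample of what ldapsearch returns for one 5.2 group entry.
SAMPLE_LDIF = """\
dn: ids-proxy-con-Name=internal-apps,ou=groups,cn=dps52,ou=dar-config,o=NetscapeRoot
ids-proxy-con-Name: internal-apps
ids-proxy-con-Priority: 10
ids-proxy-sch-Enable: TRUE
ids-proxy-con-Client: 10.20.0.0/16
ids-proxy-con-Client: *.corp.example.com
ids-proxy-con-ssl-policy: ssl_required
ids-proxy-con-permit-auth-none: FALSE
ids-proxy-con-permit-auth-simple: TRUE
ids-proxy-con-permit-auth-sasl: TRUE
ids-proxy-con-permit-op-search: TRUE
ids-proxy-con-permit-op-compare: TRUE
ids-proxy-con-permit-op-add: FALSE
ids-proxy-con-permit-op-modify: TRUE
ids-proxy-con-permit-op-modrdn: FALSE
ids-proxy-con-timeout: 300
ids-proxy-con-reverse-dns-lookup: TRUE
ids-proxy-con-include-rule: cn=rule1
"""

AUTH = {"none": "anonymous", "simple": "simple", "sasl": "sasl"}        # Table 10-5
OPS = {"search": "search", "compare": "compare", "add": "add",           # Table 10-6
       "delete": "delete", "modify": "modify", "modrdn": "rename", "extended": "extended"}
SSL = {"ssl_required": "true", "ssl_unavailable": "false"}               # Table 10-4
NO_EQUIVALENT = {"ids-proxy-sch-belongs-to", "ids-proxy-con-include-property",
                 "ids-proxy-con-include-rule", "ids-proxy-con-allow-multi-ldapv2-bind",
                 "ids-proxy-con-reverse-dns-lookup", "ids-proxy-con-bind-name"}


def parse_ldif_entry(text):
    """Return {attribute (lower-cased): [values]} for the first LDIF entry."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if entry:
                break                      # a blank line ends the entry
            continue
        name, _, value = line.partition(":")
        entry[name.strip().lower()].append(value.strip())
    return entry


def flag(entry, attr):
    """5.2 boolean attributes hold the strings TRUE/FALSE; absent means FALSE."""
    return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"


def translate_group(entry, data_source="ds1"):
    """Return (dpconf command lines, 5.2 attributes that have no 11g equivalent)."""
    name = entry["ids-proxy-con-name"][0]
    ch, rfp = f"ch-{name}", f"rfp-{name}"
    cmds = [f"dpconf create-connection-handler {ch}",
            f"dpconf create-request-filtering-policy {rfp}",
            f"dpconf set-connection-handler-prop {ch} request-filtering-policy:{rfp}"]
    props = []                                                    # Table 10-3
    if "ids-proxy-con-priority" in entry:
        props.append(f"priority:{entry['ids-proxy-con-priority'][0]}")
    if "ids-proxy-sch-enable" in entry:
        props.append(f"is-enabled:{str(flag(entry, 'ids-proxy-sch-enable')).lower()}")
    for client in entry.get("ids-proxy-con-client", []):         # Table 10-4
        kind = "ip-address-filters" if client[0].isdigit() else "domain-name-filters"
        props.append(f"{kind}:{client}")
    policy = entry.get("ids-proxy-con-ssl-policy", [""])[0]
    if policy in SSL:
        props.append(f"is-ssl-mandatory:{SSL[policy]}")
    elif policy == "ssl_optional":         # Table 10-4 maps this onto the data source
        cmds.append(f"dpconf set-ldap-data-source-prop {data_source} ssl-policy:client")
    # Table 10-5: only methods the group explicitly permitted become allowed values
    props += [f"allowed-auth-methods:{v}" for k, v in AUTH.items()
              if flag(entry, f"ids-proxy-con-permit-auth-{k}")]
    cmds.append(f"dpconf set-connection-handler-prop {ch} " + " ".join(props))
    # Table 10-6: set every operation type explicitly so 11g defaults cannot widen access
    ops = [f"allow-{v}-operations:{str(flag(entry, f'ids-proxy-con-permit-op-{k}')).lower()}"
           for k, v in OPS.items()]
    cmds.append(f"dpconf set-request-filtering-policy-prop {rfp} " + " ".join(ops))
    if "ids-proxy-con-timeout" in entry:   # Table 10-4: per listener, not per group
        cmds.append("dpconf set-ldap-listener-prop "
                    f"connection-idle-timeout:{entry['ids-proxy-con-timeout'][0]}")
    unmapped = sorted(a for a in entry if a in NO_EQUIVALENT)
    return cmds, unmapped


if __name__ == "__main__":
    commands, skipped = translate_group(parse_ldif_entry(SAMPLE_LDIF))
    print("\n".join(commands))
    for attr in skipped:
        print(f"# WARNING: no 11g equivalent for {attr}; review manually")
```

Two design choices matter for security. Every allow-*-operations value is written out explicitly, including the ones the 5.2 group did not mention, so that an 11g default of "allowed" cannot silently widen what a migrated client population may do. And the idle timeout is emitted as a listener command because it can no longer be set per group; if different 5.2 groups used different timeouts, the strictest one has to be chosen by hand.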


10.3.5 Mapping Subtree Hiding

Directory Proxy Server 5.2 uses the ids-proxy-con-forbidden-subtree attribute to specify a subtree of entries to be excluded from any client request. Directory Proxy Server 11g Release 1 (11.1.1.7.0) provides this functionality with the allowed-subtrees and prohibited-subtrees properties of a request filtering policy. For information on hiding subtrees in this way, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Administrator's Guide for Oracle Directory Server Enterprise Edition.

If your subtrees are distributed across different backend servers, you can use the excluded-subtrees property of a data view to hide subtrees. For more information on hiding subtrees in this way, see Excluding a Subtree From a Data View in Reference for Oracle Directory Server Enterprise Edition and To Configure Data Views With Hierarchy and a Distribution Algorithm in Administrator's Guide for Oracle Directory Server Enterprise Edition.

10.3.6 Mapping Search Request Controls

In Directory Proxy Server 5.2, search request controls are used to prevent certain kinds of requests from reaching the LDAP server. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is provided by setting properties of a request filtering policy and a resource limits policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Administrator's Guide for Oracle Directory Server Enterprise Edition. For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Administrator's Guide for Oracle Directory Server Enterprise Edition. For a list of all the properties associated with a request filtering policy, or a resource limits policy, run the dpconf help-properties command and search for the object. For example, to locate all properties associated with a resource limits policy, run the following command:

$ dpconf help-properties | grep resource-limit-policy

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 search request control attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) properties.

Table 10-7 Mapping of Search Request Control Attributes

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-filter-inequality -> allow-inequality-search-operations property of the request filtering policy

ids-proxy-con-min-substring-size -> minimum-search-filter-substring-length property of the resource limits policy


10.3.7 Mapping Compare Request Controls

In Directory Proxy Server 5.2, compare request controls are used to prevent certain kinds of search and compare operations from reaching the LDAP server. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is provided by setting properties of a request filtering policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Administrator's Guide for Oracle Directory Server Enterprise Edition.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 compare request control attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) properties.

Table 10-8 Mapping of Compare Request Control Attributes

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-forbidden-compare -> prohibited-comparable-attrs

ids-proxy-con-permitted-compare -> allowed-comparable-attrs


10.3.8 Mapping Attributes Modifying Search Requests

In Directory Proxy Server 5.2, these attributes are used to modify the search request before it is forwarded to the server. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is provided by setting properties of a request filtering policy and a resource limits policy.

For information on configuring a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules in Administrator's Guide for Oracle Directory Server Enterprise Edition. For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Administrator's Guide for Oracle Directory Server Enterprise Edition.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 search request modifying attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) properties.

Table 10-9 Mapping of Search Request Modifying Attributes

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-minimum-base -> allowed-subtrees property of the request filtering policy

ids-proxy-con-max-scope -> allowed-search-scopes property of the request filtering policy

ids-proxy-con-max-timelimit -> search-time-limit property of the resource limits policy
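What the request-side properties in Tables 10-7 and 10-9 actually block is easier to see on concrete requests. The following Python program is an added example, not part of the Oracle documentation and not Directory Proxy Server's own implementation: it evaluates constructed search requests against a constructed request filtering policy (allowed-subtrees, allowed-search-scopes, allow-inequality-search-operations) and resource limits policy (minimum-search-filter-substring-length, search-time-limit), so you can check that a migrated policy still stops wildcard enumeration and range walking. The one-assertion-at-a-time filter parser and the scope names "base", "one-level" and "subtree" are assumptions of the example.

```python
"""Check search requests against the request-side limits in Tables 10-7 and 10-9.

Added example; not part of the Oracle documentation and not DSEE's own
implementation. The filter parser only recognises simple (attr op value)
assertions, and the scope names "base", "one-level" and "subtree" are
assumptions of this example.
"""
import re

# One parenthesised assertion: (attr=value), (attr>=value), (attr<=value), (attr~=value)
ASSERTION = re.compile(r"\(([\w;.-]+)(>=|<=|~=|=)([^()]*)\)")

# Constructed policy: what ids-proxy-con-minimum-base, -max-scope, -filter-inequality,
# -min-substring-size and -max-timelimit would migrate to.
POLICY = {
    "allowed-subtrees": ["ou=people,dc=example,dc=com"],
    "allowed-search-scopes": ["base", "one-level"],
    "allow-inequality-search-operations": False,
    "minimum-search-filter-substring-length": 3,
    "search-time-limit": 30,
}


def normalize_dn(dn):
    """Lower-case and strip spaces around RDNs so that DNs compare textually."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_within(base, subtree):
    """True if base equals subtree or lies below it."""
    base, subtree = normalize_dn(base), normalize_dn(subtree)
    return base == subtree or base.endswith("," + subtree)


def check_search(policy, base, scope, filter_str, time_limit):
    """Return (allowed, reason, effective time limit) for one search request.

    time_limit is the client's requested limit in seconds, 0 meaning none.
    """
    if not any(is_within(base, s) for s in policy["allowed-subtrees"]):
        return False, f"base {base} is outside allowed-subtrees", None
    if scope not in policy["allowed-search-scopes"]:
        return False, f"scope {scope} is not in allowed-search-scopes", None
    for attr, op, value in ASSERTION.findall(filter_str):
        if op in (">=", "<=") and not policy["allow-inequality-search-operations"]:
            return False, f"inequality assertion on {attr} is not allowed", None
        if "*" in value and value != "*":          # substring, not presence, assertion
            # the shortest literal fragment decides, e.g. (cn=*ab*) -> 2 characters
            shortest = min((len(p) for p in value.split("*") if p), default=0)
            if shortest < policy["minimum-search-filter-substring-length"]:
                return False, f"substring fragment on {attr} is too short", None
    # resource limit: the proxy caps what the client asked for
    cap = policy["search-time-limit"]
    effective = cap if time_limit == 0 or time_limit > cap else time_limit
    return True, "ok", effective


if __name__ == "__main__":
    people = "ou=people,dc=example,dc=com"
    for request in [(people, "one-level", "(uid=jdoe)", 0),
                    ("dc=example,dc=com", "one-level", "(uid=jdoe)", 10),
                    (people, "subtree", "(uid=jdoe)", 10),
                    (people, "base", "(&(uid=*a*)(objectClass=person))", 10),
                    (people, "base", "(uidNumber>=1000)", 10)]:
        print(request[2], "->", check_search(POLICY, *request))
```

Note that the substring check looks at the shortest literal fragment, so (uid=*abc*) passes a limit of 3 while (uid=*a*) does not, and a presence filter such as (cn=*) is not a substring filter at all; if your 5.2 groups relied on ids-proxy-con-min-substring-size to stop directory harvesting, verify the migrated value against the same probes.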


10.3.9 Mapping Attributes Restricting Search Responses

In Directory Proxy Server 5.2, these attributes describe restrictions that are applied to search results being returned by the server, before they are forwarded to the client. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is provided by setting the properties of a resource limits policy and by configuring search data hiding rules.

For information about configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Administrator's Guide for Oracle Directory Server Enterprise Edition. For information about creating search data hiding rules, see To Create Search Data Hiding Rules in Administrator's Guide for Oracle Directory Server Enterprise Edition. For a list of properties associated with a search data hiding rule, run the following command:

$ dpconf help-properties | grep search-data-hiding-rule

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 search response restriction attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) properties.

Table 10-10 Mapping of Search Response Restriction Attributes

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-max-result-size -> search-size-limit property of the resource limits policy

ids-proxy-con-forbidden-return -> Search data hiding rule properties. To hide a subset of attributes, set rule-action:hide-attributes and attrs:attribute-name. To hide an entire entry, set rule-action:hide-entry.

ids-proxy-con-permitted-return -> Search data hiding rule properties rule-action:show-attributes and attrs:attribute-name

ids-proxy-con-search-reference -> No direct equivalent. Search continuation references are governed by the referral-policy property of the resource limits policy.


10.3.10 Mapping the Referral Configuration Attributes

In Directory Proxy Server 5.2, these attributes determine what Directory Proxy Server should do with referrals. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is provided by setting properties of a resource limits policy.

For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Administrator's Guide for Oracle Directory Server Enterprise Edition.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 referral configuration attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) resource limits properties.

Table 10-11 Mapping of Referral Configuration Attributes to Resource Limits Properties

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-reference -> referral-policy

ids-proxy-con-referral-ssl-policy -> referral-policy

ids-proxy-con-referral-bind-policy -> referral-bind-policy

ids-proxy-con-max-refcount -> referral-hop-limit


10.3.11 Mapping the Server Load Configuration

In Directory Proxy Server 5.2, these attributes are used to control the number of simultaneous operations and total number of operations a client can request on one connection. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is provided by setting properties of a resource limits policy.

For information on configuring a resource limits policy, see Creating and Configuring a Resource Limits Policy in Administrator's Guide for Oracle Directory Server Enterprise Edition.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the Directory Proxy Server 5.2 server load configuration attributes to the corresponding Directory Proxy Server 11g Release 1 (11.1.1.7.0) resource limits properties.

Table 10-12 Mapping of Server Load Configuration Attributes to Resource Limits Properties

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-max-simultaneous-operations-per-connection -> max-simultaneous-operations-per-connection

ids-proxy-con-operations-per-connection -> max-total-operations-per-connection

ids-proxy-con-max-conns -> max-connections

ids-proxy-con-max-simultaneous-conns-from-ip -> max-client-connections


10.4 Mapping the Properties Configuration

The Directory Proxy Server 5.2 property objects enable you to specify specialized restrictions that LDAP clients must follow. Most of the functionality of property objects is available in Directory Proxy Server 11g Release 1 (11.1.1.7.0), although it is supplied by various elements of the new architecture. The following sections describe how to map the Directory Proxy Server 5.2 property objects to the corresponding 11g Release 1 (11.1.1.7.0) functionality.

10.4.1 Attribute Renaming Property

In Directory Proxy Server 5.2, attribute renaming is defined by the ids-proxy-sch-RenameAttribute object class. This object uses the ids-proxy-con-server-attr-name and ids-proxy-con-client-attr-name attributes to specify which attributes must be renamed by Directory Proxy Server.

This attribute renaming functionality is replaced by the attr-name-mappings property of an LDAP data source. This property is multi-valued, and takes values of the form client-attribute-name#server-attribute-name. In a client request, Directory Proxy Server renames the client-attribute-name to the server-attribute-name. In a response, Directory Proxy Server renames the server-attribute-name to the client-attribute-name.

To configure this property, use the following command:

$ dpconf set-ldap-data-source-prop data-source-name \
 attr-name-mappings:client-attribute-name#server-attribute-name
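The two-way renaming described above is easy to get backwards when several mappings are in play. The following Python program is an added example and is not code from the Oracle documentation or from Directory Proxy Server: it parses attr-name-mappings values in the client-attribute-name#server-attribute-name form and applies them to a constructed search request (the requested attribute list and the attribute names inside the filter) in the client-to-server direction, and to a constructed response entry in the server-to-client direction. That filter attribute names are rewritten too, and the simple regular expression used to find them, are assumptions of the example.

```python
"""Apply attr-name-mappings (client-attribute-name#server-attribute-name) both ways.

Added example; not the Oracle documentation's or DSEE's own code. Requests are
rewritten client -> server, responses server -> client. Rewriting attribute
names inside the filter, found with a simple regular expression, is an
assumption of this example.
"""
import re

# Constructed mappings, as they would be given to
# dpconf set-ldap-data-source-prop DATA-SOURCE attr-name-mappings:...
MAPPINGS = ["employeeId#employeeNumber", "emailAddress#mail"]

# Attribute name at the start of a parenthesised assertion, followed by =, >=, <= or ~=
FILTER_ATTR = re.compile(r"\(([\w;.-]+)(?=[<>~]?=)")


def parse_mappings(values):
    """Return ({client: server}, {server: client}); LDAP attribute names are case-insensitive."""
    to_server, to_client = {}, {}
    for v in values:
        client, _, server = v.partition("#")
        if not client or not server:
            raise ValueError(f"bad attr-name-mappings value: {v!r}")
        to_server[client.lower()] = server
        to_client[server.lower()] = client
    return to_server, to_client


def rename(name, table):
    """Look a name up case-insensitively; unmapped names pass through unchanged."""
    return table.get(name.lower(), name)


def rewrite_request(mappings, attributes, filter_str):
    """Client request -> what the back end sees (client names become server names)."""
    to_server, _ = parse_mappings(mappings)
    attrs = [rename(a, to_server) for a in attributes]
    flt = FILTER_ATTR.sub(lambda m: "(" + rename(m.group(1), to_server), filter_str)
    return attrs, flt


def rewrite_response(mappings, entry):
    """Back end entry -> what the client sees (server names become client names)."""
    _, to_client = parse_mappings(mappings)
    return {rename(k, to_client): v for k, v in entry.items()}


if __name__ == "__main__":
    print(rewrite_request(MAPPINGS, ["cn", "emailAddress", "employeeId"],
                          "(&(employeeId=1001)(cn=J*))"))
    print(rewrite_response(MAPPINGS, {"cn": ["Jane Doe"], "mail": ["jdoe@example.com"],
                                      "employeeNumber": ["1001"]}))
```

Because the mapping is applied to names only, a client that already knows the server-side name (employeeNumber in the sample) still reaches it unchanged; attr-name-mappings is a compatibility shim, not an access control, and attributes that must stay hidden belong in a search data hiding rule.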

10.4.2 Forbidden Entry Property

In Directory Proxy Server 5.2, the ids-proxy-sch-ForbiddenEntryProperty object is used to specify a list of entries or attributes that are hidden from client applications. In Directory Proxy Server 11g Release 1 (11.1.1.7.0) this functionality is achieved by creating a search-data-hiding-rule for a request filtering policy.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the attributes of the ids-proxy-sch-ForbiddenEntryProperty object to the corresponding properties of a search data hiding rule in Directory Proxy Server 11g Release 1 (11.1.1.7.0). For information about creating search data hiding rules, see To Create Search Data Hiding Rules in Administrator's Guide for Oracle Directory Server Enterprise Edition.

Table 10-13 Mapping of Forbidden Entry Property Attributes to Search Data Hiding Rule Properties

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-dn-exact -> target-dns

ids-proxy-con-dn-regexp -> target-dn-regular-expressions

ids-proxy-con-ava -> target-attr-value-assertions

ids-proxy-con-forbidden-return -> To hide a subset of attributes, set rule-action:hide-attributes and attrs:attribute-name. To hide an entire entry, set rule-action:hide-entry.

ids-proxy-con-permitted-return -> rule-action:show-attributes and attrs:attribute-name
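Tables 10-10 and 10-13 both end up as search data hiding rules, so one example covers both. The following Python program is an added example, not part of the Oracle documentation and not Directory Proxy Server's own code: it applies constructed hiding rules (target-dns, target-dn-regular-expressions, target-attr-value-assertions with rule-action hide-entry, hide-attributes or show-attributes) to constructed search results, together with search-size-limit from Table 10-10. Assumptions of the example: the attr#value syntax for target-attr-value-assertions, rules being applied in list order with hide-entry final, and a size limit of 0 meaning unlimited; the page does not describe how Directory Proxy Server orders several matching rules.

```python
"""Apply search data hiding rules to search results (Tables 10-10 and 10-13).

Added example; not from the Oracle documentation and not DSEE's own code.
Assumptions: attr#value syntax for target-attr-value-assertions, rules applied
in list order with hide-entry final, search-size-limit 0 meaning unlimited.
"""
import re

# Constructed search results as (dn, {attribute: [values]}), as the back end returned them.
RESULTS = [
    ("uid=jdoe,ou=people,dc=example,dc=com",
     {"uid": ["jdoe"], "cn": ["Jane Doe"], "mail": ["jdoe@example.com"],
      "userPassword": ["{SSHA}c2FsdA=="], "employeeNumber": ["1001"]}),
    ("uid=svc-backup,ou=services,dc=example,dc=com",
     {"uid": ["svc-backup"], "cn": ["Backup Service"], "description": ["internal"],
      "objectClass": ["account", "serviceAccount"], "userPassword": ["{SSHA}c2FsdA=="]}),
    ("cn=Directory Manager,ou=admins,dc=example,dc=com",
     {"cn": ["Directory Manager"], "userPassword": ["{SSHA}c2FsdA=="]}),
]

# Constructed rules, in the order they are applied.
RULES = [
    {"target-dn-regular-expressions": [r"ou=admins,dc=example,dc=com$"],
     "rule-action": "hide-entry"},                                   # dn-regexp + hide entry
    {"target-attr-value-assertions": ["objectClass#serviceAccount"],
     "rule-action": "show-attributes", "attrs": ["uid", "cn"]},      # ava + permitted-return
    {"target-dn-regular-expressions": [r"dc=example,dc=com$"],
     "rule-action": "hide-attributes", "attrs": ["userPassword"]},   # forbidden-return
]


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def rule_matches(rule, dn, entry):
    """entry has lower-cased attribute names; the rule's target kind is checked in fixed order."""
    if "target-dns" in rule:
        return any(normalize_dn(dn) == normalize_dn(t) for t in rule["target-dns"])
    if "target-dn-regular-expressions" in rule:
        return any(re.search(p, dn, re.IGNORECASE) for p in rule["target-dn-regular-expressions"])
    for ava in rule.get("target-attr-value-assertions", []):
        attr, _, value = ava.partition("#")
        if value.lower() in (v.lower() for v in entry.get(attr.lower(), [])):
            return True
    return False


def apply_hiding_rules(rules, results, size_limit=0):
    """Return the entries a client would see after hiding rules and search-size-limit."""
    visible_results = []
    for dn, attrs in results:
        visible = {k.lower(): list(v) for k, v in attrs.items()}
        hidden = False
        for rule in rules:
            if not rule_matches(rule, dn, visible):
                continue
            action = rule["rule-action"]
            if action == "hide-entry":
                hidden = True
                break
            names = {a.lower() for a in rule.get("attrs", [])}
            if action == "hide-attributes":
                visible = {k: v for k, v in visible.items() if k not in names}
            elif action == "show-attributes":
                visible = {k: v for k, v in visible.items() if k in names}
        if hidden:
            continue
        visible_results.append((dn, visible))
        if size_limit and len(visible_results) >= size_limit:
            break            # no further entries are returned once the limit is reached
    return visible_results


if __name__ == "__main__":
    for dn, entry in apply_hiding_rules(RULES, RESULTS):
        print(dn, sorted(entry))
```

Running it shows the three outcomes side by side: the admin entry disappears entirely, the service account is reduced to uid and cn by the show-attributes rule, and the person entry keeps everything except userPassword. Checking a migrated rule set against a small fixture like this is the quickest way to confirm that a 5.2 forbidden-return list did not become a show-attributes rule by mistake, which would invert its meaning.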


10.4.3 LDAP Server Property

In Directory Proxy Server 5.2, the ids-proxy-sch-LDAPServer property is used to define the backend LDAP servers to which Directory Proxy Server sends requests. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), this functionality is achieved by using LDAP data sources. You can set properties for LDAP data sources by using the Directory Service Control Center or by using the command line. For more information, see Creating and Configuring LDAP Data Sources in Administrator's Guide for Oracle Directory Server Enterprise Edition.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the attributes of the ids-proxy-sch-LDAPServer object class to the corresponding data source properties in Directory Proxy Server 11g Release 1 (11.1.1.7.0). Data sources provide additional functionality that was not provided in Directory Proxy Server 5.2. Not all data source properties are listed here. For a list of all the properties that can be configured for a data source, run the following command:

$ dpconf help-properties | grep ldap-data-source

Table 10-14 Mapping of ids-proxy-sch-LDAPServer Attributes to Data Source Properties

Directory Proxy Server 5.2 attribute -> Directory Proxy Server 11g Release 1 (11.1.1.7.0) property

ids-proxy-con-host -> ldap-address

ids-proxy-con-port -> ldap-port

ids-proxy-con-sport -> ldaps-port

ids-proxy-con-supported-version, ids-proxy-con-use-version -> No equivalent. Directory Proxy Server 11g Release 1 (11.1.1.7.0) supports LDAP v3 back ends for both LDAP v2 and LDAP v3 clients, and supports the proxy authorization control version 1 and version 2.

ids-proxy-con-tcp-no-delay -> use-tcp-no-delay

ids-proxy-con-link-security-policy -> ssl-policy

ids-proxy-con-x509cert-subject -> No equivalent. Directory Proxy Server 11g Release 1 (11.1.1.7.0) does not check the subject of the certificate presented by the backend server.

ids-proxy-con-keepalive-interval -> The following monitoring properties of the LDAP data source:

monitoring-bind-timeout

monitoring-entry-timeout

monitoring-inactivity-timeout

monitoring-interval

For information about setting LDAP data source properties, see To Configure an LDAP Data Source in Administrator's Guide for Oracle Directory Server Enterprise Edition.


10.4.4 Load Balancing Property

In Directory Proxy Server 5.2, the ids-proxy-sch-LoadBalanceProperty is used to configure load balancing across multiple LDAP servers. Directory Proxy Server 5.2 supports proportional load balancing only, that is, each LDAP server is allotted a certain percentage of the total load. The ids-proxy-sch-LoadBalanceProperty object class has one attribute, ids-proxy-con-Server, whose value has the following syntax:

server-name[#percentage]

In Directory Proxy Server 5.2, these configuration attributes are stored under ids-proxy-con-name=load-balancing-1,ou=properties,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

In Directory Proxy Server 11g Release 1 (11.1.1.7.0), load balancing is configured as a property of a data source pool. A data source pool is essentially a collection of LDAP servers to which Directory Proxy Server can route requests. For information about setting up a data source pool, see Creating and Configuring LDAP Data Source Pools in Administrator's Guide for Oracle Directory Server Enterprise Edition. For a list of properties associated with a data source pool, run the following command:

$ dpconf help-properties | grep ldap-data-source-pool

Directory Proxy Server 11g Release 1 (11.1.1.7.0) supports proportional load balancing but also supports additional load balancing algorithms. To configure proportional load balancing, set the property of the data source pool as follows:

$ dpconf set-ldap-data-source-pool-prop data-source-pool-name \
  load-balancing-algorithm:proportional

The percentage of load allotted to each server is configured by setting various properties of an attached data source. An attached data source is a data source that has been attached to a specific data source pool. To configure proportional load, set the weight properties of the attached data source for each operation type as follows:

$ dpconf set-attached-ldap-data-source-prop data-source-pool-name attached-data-source-name \
 add-weight:value \
 bind-weight:value \
 compare-weight:value \
 delete-weight:value \
 modify-dn-weight:value \
 modify-weight:value \
 search-weight:value

For more information, see Configuring Load Balancing in Administrator's Guide for Oracle Directory Server Enterprise Edition.
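The procedure above is the manual form. The following POSIX shell function, added here as an example and not taken from the Oracle guide, reads version 5.2 ids-proxy-con-Server values in the server-name[#percentage] syntax and prints the equivalent dpconf commands for a data source pool, so the commands can be reviewed before they are run. It assumes that each attached data source carries the same name as the 5.2 server-name, and it treats a missing percentage and a total other than 100 as errors (an assumption made here so that proportions are set explicitly rather than by default).

```shell
#!/bin/sh
# Added example (not from the Oracle guide): convert 5.2 load-balancing values
# "server-name[#percentage]" into the dpconf commands described in this section.
# Assumptions: the attached data source has the same name as the 5.2 server-name;
# a missing percentage or a total other than 100 is rejected so that the
# operator assigns weights explicitly instead of getting a silent default.

# Usage: dp52_to_dpconf <data-source-pool-name> "server1#70" "server2#30" ...
# Prints one dpconf command per line on stdout; returns 1 on invalid input.
dp52_to_dpconf() {
    pool="$1"; shift
    total=0
    # Pass 1: validate every entry before emitting any command.
    for entry in "$@"; do
        case "$entry" in
            *#*) pct="${entry#*#}" ;;
            *)   echo "error: no percentage given for '$entry'" >&2; return 1 ;;
        esac
        case "$pct" in
            ''|*[!0-9]*) echo "error: bad percentage in '$entry'" >&2; return 1 ;;
        esac
        total=$((total + pct))
    done
    if [ "$total" -ne 100 ]; then
        echo "error: percentages sum to $total, not 100" >&2
        return 1
    fi
    # Pass 2: select the proportional algorithm, then set one weight per
    # operation type on each attached data source, as the section describes.
    echo "dpconf set-ldap-data-source-pool-prop $pool load-balancing-algorithm:proportional"
    for entry in "$@"; do
        name="${entry%%#*}"
        pct="${entry#*#}"
        printf 'dpconf set-attached-ldap-data-source-prop %s %s' "$pool" "$name"
        for op in add bind compare delete modify-dn modify search; do
            printf ' %s-weight:%s' "$op" "$pct"
        done
        printf '\n'
    done
}
```

Pipe the output to sh on the proxy host once the printed commands have been checked against the pool and data source names that actually exist in the instance.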

10.4.4.1 Monitoring Backend Servers

To monitor the state of its backend LDAP servers, Directory Proxy Server 5.2 performs an anonymous search operation on the Root DSE of each server every ten seconds. Directory Proxy Server 11g Release 1 (11.1.1.7.0) has a number of properties that can be configured to monitor its backend servers. For more information, see Retrieving Monitored Data About Data Sources in Administrator's Guide for Oracle Directory Server Enterprise Edition.

10.4.5 Search Size Limit Property

Directory Proxy Server 5.2 uses the ids-proxy-sch-SizeLimitProperty to apply size limits based on the base and scope of search operations. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), the search size limit can be configured by setting a property of the resource limits policy. A resource limits policy defines the maximum resources that Directory Proxy Server can process for a given connection handler. Use the dpconf command to set the search size limit for a resource policy, as follows:

$ dpconf set-resource-limits-policy-prop policy-name search-size-limit:number-of-entries

Resource limits policies control much more than just search size limit. For information on configuring resource limits policies, see Creating and Configuring a Resource Limits Policy in Administrator's Guide for Oracle Directory Server Enterprise Edition.

In Directory Proxy Server 5.2, these configuration attributes are stored under ou=groups,cn=user-defined-name,ou=dar-config,o=NetscapeRoot.

The following table maps the attributes of a version 5.2 size limit property to the corresponding properties in Directory Proxy Server 11g Release 1 (11.1.1.7.0).

Table 10-15 Mapping of Search Size Limit Attributes

Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.7.0) Property
------------------------------------ | ----------------------------------------------------------
ids-proxy-con-Size-Limit | search-size-limit
ids-proxy-con-Dn-One | one-level-search-base-dn
ids-proxy-con-Dn-Sub | No equivalent


10.4.6 Log Property

The logging functionality available in Directory Proxy Server 5.2 differs substantially from the functionality available in Directory Proxy Server 11g Release 1 (11.1.1.7.0).

In Directory Proxy Server 5.2, the following logs were maintained:

  • System log. Includes log records of system events and errors.

  • Audit log. Includes audit trails for all events and errors.

Directory Proxy Server 11g Release 1 (11.1.1.7.0) maintains an errors log file, an access log file, and administrative alerts.

The errors log and administrative alerts are equivalent to the version 5.2 system log. Administrative alerts are events raised by Directory Proxy Server. These events can be sent to the syslog daemon or to an administrator through email.

The Directory Proxy Server 11g Release 1 (11.1.1.7.0) access log is equivalent to the version 5.2 audit log.

Logs in version 5.2 were configured by using the ids-proxy-sch-LogProperty object class. Logs in Directory Proxy Server 11g Release 1 (11.1.1.7.0) are configured by setting properties for the access and error log, using the dpconf command. For example, to set properties for the access log, use the following command:

$ dpconf set-access-log-prop PROPERTY:VALUE

Directory Proxy Server 11g Release 1 (11.1.1.7.0) provides new log features, such as log file rotation, and enables log configuration to be fine tuned. For example, one log level can be set per message category.

In Directory Proxy Server 5.2, log configuration attributes are stored under ids-proxy-con-Config-Name=user-defined-name,ou=system,ou=dar-config,o=netscaperoot.

It is not possible to map the log configuration directly between Directory Proxy Server 5.2 and Directory Proxy Server 11g Release 1 (11.1.1.7.0), because the logging models of the two versions are very different. The Directory Proxy Server 5.2 log model combines what is logged with where it is logged. In Directory Proxy Server 11g Release 1 (11.1.1.7.0), the model is cleaner: one set of properties describes what is logged, and a separate set of properties describes where log messages are sent.

The following table lists the attributes of the ids-proxy-sch-LogProperty object class and describes at a high level how the corresponding functionality is achieved in Directory Proxy Server 11g Release 1 (11.1.1.7.0).

Table 10-16 Version 5.2 and Version 11g Release 1 (11.1.1.7.0) Log Functionality

Directory Proxy Server 5.2 Attribute | Purpose | Directory Proxy Server 11g Release 1 (11.1.1.7.0) Equivalent
------------------------------------ | ------- | ------------------------------------------------------------
ids-proxy-con-log-level | Level of logging | Global log level
ids-proxy-con-stat-level | Kinds of statistics logged | Monitoring data
ids-proxy-con-log-syslog | Syslog facility code | syslog output for administrative alerts; no equivalent for error messages
ids-proxy-con-log-file | Path to log file | log-file-name of the error-log object
ids-proxy-con-audit-syslog | Syslog facility code for audit log | No equivalent
ids-proxy-con-audit-file | Path to audit log file | log-file-name of the access-log object


Because a one to one mapping of log configuration is not possible between the two versions, you need to understand the new logging model and then configure your new logs accordingly, rather than migrating your old log configuration. For more information, see Chapter 27, Directory Proxy Server Logging, in Administrator's Guide for Oracle Directory Server Enterprise Edition.

10.5 Mapping the Events Configuration

Directory Proxy Server 5.2 event objects are used to specify conditions that Directory Proxy Server should evaluate at predetermined states.

Two types of event objects are supported:

In Directory Proxy Server 11g Release 1 (11.1.1.7.0), events are implemented as properties of a connection handler. Use the dpconf command to set these properties. For example, run the following command to set the authentication methods for the connection handler:

$ dpconf set-connection-handler-prop connection-handler-name \
 allowed-auth-methods:anonymous allowed-auth-methods:sasl allowed-auth-methods:simple

In Directory Proxy Server 5.2, these configuration attributes are stored under ids-proxy-con-Config-Name=user-defined-name,ou=system,ou=dar-config,o=netscaperoot.

The following table maps the version 5.2 event configuration attributes to the corresponding properties in Directory Proxy Server 11g Release 1 (11.1.1.7.0).

Table 10-17 Mapping Between Event Attributes and Connection Handler Properties

Directory Proxy Server 5.2 Attribute | Directory Proxy Server 11g Release 1 (11.1.1.7.0) Property
------------------------------------ | ----------------------------------------------------------
ids-proxy-sch-OnBindSuccessRule | bind-dn-filters
ids-proxy-con-ssl-required | is-ssl-mandatory
ids-proxy-con-bind-anonymous | allowed-auth-methods:anonymous
ids-proxy-con-bind-simple | allowed-auth-methods:simple
ids-proxy-con-bind-sasl | allowed-auth-methods:sasl


10.6 Mapping the Actions Configuration

Directory Proxy Server 5.2 supports only one action, specified by the ids-proxy-sch-ChangeGroupAction object class. This action enables you to configure Directory Proxy Server to change a client from one access group to another based on the evaluation of a rule. The action uses the multi-valued ids-proxy-con-to-group attribute to specify the groups to which the client can change.

Directory Proxy Server 11g Release 1 (11.1.1.7.0) connection handlers provide this functionality. After being classified into a connection handler, a connection can be automatically reclassified into another connection handler. For example, if a client connects anonymously, the connection is allocated to the connection handler configured for anonymous connections. If the client later provides a bind DN on the same connection, the connection can be reallocated to another connection handler.

For information on how to configure this functionality in Directory Proxy Server 11g Release 1 (11.1.1.7.0), see Creating, Configuring, and Deleting Connection Handlers in Administrator's Guide for Oracle Directory Server Enterprise Edition.

10.7 Configuring Directory Proxy Server 11g Release 1 (11.1.1.7.0) as a Simple Connection-Based Router

It is possible to configure an instance of Directory Proxy Server 11g Release 1 (11.1.1.7.0) to behave as a simple connection-based router, with the same functionality as Directory Proxy Server 5.2. To do this, map the configuration attributes described previously and follow the procedure described in "Configuring Directory Proxy Server as a Connection-Based Router" in Administrator's Guide for Oracle Directory Server Enterprise Edition.