Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) Part Number E28972-01
For an overview of the connections between clients and Directory Proxy Server, connection handlers, and a description of the criteria and policies used in connection handlers, see Chapter 20, Connections Between Clients and Directory Proxy Server, in the Reference for Oracle Directory Server Enterprise Edition.
This chapter covers the following topics:
Creating and Configuring Request Filtering Policies and Search Data Hiding Rules
Configuring Directory Proxy Server as a Connection Based Router
For information about how to create, configure, and delete connection handlers, and to configure affinity for data views, see the following procedures.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Create a connection handler.
$ dpconf create-connection-handler -h host -p port connection-handler-name
View the list of connection handlers.
$ dpconf list-connection-handlers -h host -p port
Before You Begin
The properties of a connection handler must be defined in relation to the properties of the other connection handlers that are defined for the Directory Proxy Server instance. Consider the properties of all of your connection handlers to ensure that they specify different sets of criteria and are prioritized correctly.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
View a verbose list of connection handlers to see their key properties and relative priorities.
$ dpconf list-connection-handlers -h host -p port -v
Name                                is-enabled  priority  description
---------------------------------   ----------  --------  ---------------------------
anonymous                           false       99        unauthenticated connections
default connection handler          true        100       default connection handler
directory services administrators   true        1         Administrators connection handler
The connection handlers anonymous and default connection handler are created when you create an instance of Directory Proxy Server.
View all of the properties of one connection handler.
$ dpconf get-connection-handler-prop -h host -p port connection-handler-name
The default properties of a new connection handler are as follows:
aci-source : none
allowed-auth-methods : anonymous
allowed-auth-methods : sasl
allowed-auth-methods : simple
allowed-ldap-ports : ldap
allowed-ldap-ports : ldaps
bind-dn-filters : any
close-client-connection : false
data-view-routing-custom-list : none
data-view-routing-policy : all-routable
data-view-use-internal-client-identity : false
description : -
domain-name-filters : any
enable-data-view-affinity : false
group-dn-filters : any
group-search-bind-dn : any
group-search-bind-pwd : none
ip-address-filters : any
is-enabled : false
is-ssl-mandatory : false
priority : 99
request-filtering-policy : no-filtering
require-data-view-availability : true
resource-limits-policy : no-limits
schema-check-enabled : false
user-filter : any
Configure the priority of the connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  priority:value
The priority can be any number from 1 to 100, where 1 is the highest priority. For an instance of Directory Proxy Server, the connection handlers are evaluated in order of priority.
Note: You cannot set the priority of a connection handler to 100 because 100 is already set as the priority of the default connection handler.
Specify the DN filtering property of the connection handler.
This property enables you to control access based on part or all of the bind DN. The value of the property is a regular expression.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  bind-dn-filters:regular-expression
The bind DN filter takes the form of a Java regular expression. For information about creating Java regular expressions, see http://download.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html.
For example, to send all binds from users under ou=people,dc=example,dc=com to a connection handler named secure-handler, set the bind-dn-filters property as follows:
$ dpconf set-connection-handler-prop -h host1 -p 1389 secure-handler \
  bind-dn-filters:"uid=.*,ou=people,dc=example,dc=com"
Specify the name of a request filtering policy to use with this connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  request-filtering-policy:policy-name
where policy-name is the name of an existing request filtering policy. For information about how to create and configure a request filtering policy, see Creating and Configuring Request Filtering Policies and Search Data Hiding Rules.
Specify the name of a resource limits policy to use with this connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  resource-limits-policy:policy-name
where policy-name is the name of an existing resource limits policy. For information about how to create and configure a resource limits policy, see Creating and Configuring a Resource Limits Policy.
Configure any other properties that are listed in View all of the properties of one connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  property:value [property:value ...]
For example, to configure the connection handler to accept SSL connections only:
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  is-ssl-mandatory:true
For a description of a property and a list of its valid values, run this command:
$ dpconf help-properties connection-handler
Configure group-dn-filters, group-search-bind-dn, group-search-bind-pwd, and group-search-bind-pwd-file to specify the criteria used to select connection handlers. For more information, see the respective man pages.
Enable the connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  is-enabled:true
If necessary, restart the instance of Directory Proxy Server for the changes to take effect.
For information about restarting Directory Proxy Server, see To Restart Directory Proxy Server.
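The following Python script is an added example; it is not part of this guide and not code from Directory Proxy Server. It models the selection behaviour described in the steps above: handlers are evaluated in priority order (1 first, 100 last), a disabled handler is skipped, an SSL-only handler does not accept a non-SSL connection, and a bind-dn-filters regular expression has to match the bind DN. The handler names and priorities, the bind DN values, and the assumption that the Java regular expression must match the whole bind DN (Pattern.matches semantics, approximated with re.fullmatch) are constructed or assumed for the example; the secure-handler filter is the one shown in the text.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Name of the handler that is created with the instance and holds the reserved priority 100.
DEFAULT_HANDLER_NAME = "default connection handler"


@dataclass
class ConnectionHandler:
    """The subset of connection handler properties that this model evaluates."""
    name: str
    priority: int = 99                      # default priority of a new handler; 1 is the highest
    is_enabled: bool = False                # new handlers are created disabled
    bind_dn_filters: List[str] = field(default_factory=lambda: ["any"])
    allowed_auth_methods: List[str] = field(default_factory=lambda: ["anonymous", "sasl", "simple"])
    is_ssl_mandatory: bool = False


def priority_is_valid(handler: ConnectionHandler) -> bool:
    """Priority rules from the procedure: 1 to 100, and 100 is reserved for the default handler."""
    if not 1 <= handler.priority <= 100:
        return False
    return handler.priority != 100 or handler.name == DEFAULT_HANDLER_NAME


def bind_dn_matches(filters: List[str], bind_dn: str) -> bool:
    """True when bind-dn-filters accepts the DN; the value "any" accepts every DN."""
    if "any" in filters:
        return True
    # Assumption: the filter is a Java regular expression that has to match the whole bind DN
    # (java.util.regex.Pattern.matches semantics). re.fullmatch is the closest Python equivalent
    # for the simple patterns used here; Java-only regex syntax is not supported by this model.
    return any(re.fullmatch(pattern, bind_dn) is not None for pattern in filters)


def handler_accepts(handler: ConnectionHandler, bind_dn: str, auth_method: str, ssl: bool) -> bool:
    """Apply one handler's criteria to an incoming bind."""
    if not handler.is_enabled:
        return False
    if handler.is_ssl_mandatory and not ssl:
        return False
    if auth_method not in handler.allowed_auth_methods:
        return False
    return bind_dn_matches(handler.bind_dn_filters, bind_dn)


def select_handler(handlers: List[ConnectionHandler], bind_dn: str,
                   auth_method: str = "simple", ssl: bool = False) -> Optional[str]:
    """Evaluate handlers in priority order (1 first) and return the first one whose criteria match."""
    for handler in sorted(handlers, key=lambda h: h.priority):
        if not priority_is_valid(handler):
            raise ValueError(f"{handler.name}: invalid priority {handler.priority}")
        if handler_accepts(handler, bind_dn, auth_method, ssl):
            return handler.name
    return None  # does not happen while the default connection handler is enabled


def sample_handlers() -> List[ConnectionHandler]:
    """Constructed configuration: the two instance-created handlers plus the secure-handler from the text."""
    return [
        ConnectionHandler(DEFAULT_HANDLER_NAME, priority=100, is_enabled=True),
        # Constructed: an anonymous-only handler, left disabled as in the default listing above.
        ConnectionHandler("anonymous", priority=99, is_enabled=False,
                          bind_dn_filters=[""], allowed_auth_methods=["anonymous"]),
        ConnectionHandler("secure-handler", priority=10, is_enabled=True,
                          bind_dn_filters=["uid=.*,ou=people,dc=example,dc=com"],
                          is_ssl_mandatory=True),
    ]


if __name__ == "__main__":
    handlers = sample_handlers()
    for dn, ssl in [("uid=jdoe,ou=people,dc=example,dc=com", True),
                    ("uid=jdoe,ou=people,dc=example,dc=com", False),
                    ("cn=Directory Manager", True)]:
        print(f"{dn!r:42} ssl={ssl!s:5} -> {select_handler(handlers, dn, ssl=ssl)}")
```

Running the script shows the ordering problem that the Before You Begin note warns about: a user under ou=people who binds without SSL does not fail, but silently falls through the SSL-only handler to the default connection handler with its no-filtering and no-limits policies.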
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
(Optional) View the list of connection handlers.
$ dpconf list-connection-handlers -h host -p port
Delete one or more connection handlers.
$ dpconf delete-connection-handler -h host -p port connection-handler-name \
  [connection-handler-name ...]
When a connection is allocated to a connection handler, the requests on that connection are exposed either to the list of data views configured for that connection handler or to all of the configured data views. When data view affinity is enabled, successive requests on that connection are exposed exclusively to the data view that was used for the first request.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Enable affinity for data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  enable-data-view-affinity:true
Configure the connection handler to route requests to a custom list of data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  data-view-routing-policy:custom
Configure the list of data views.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  data-view-routing-custom-list:view-name [data-view-routing-custom-list:view-name ...]
To add a data view to an existing list of data views, use this command:
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  data-view-routing-custom-list+:view-name
To remove a data view from an existing list of data views, use this command:
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  data-view-routing-custom-list-:view-name
For an overview of request filtering policies, see Request Filtering Policies for Connection Handlers in the Reference for Oracle Directory Server Enterprise Edition. For an overview of search data hiding rules, see Search Data Hiding Rules in the Request Filtering Policy in the Reference for Oracle Directory Server Enterprise Edition.
For information about how to create and configure request filtering policies and search data hiding rules, see the following procedures.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Create a request filtering policy.
$ dpconf create-request-filtering-policy policy-name
Associate the request filtering policy with a connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  request-filtering-policy:policy-name
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
View the properties of a request filtering policy.
$ dpconf get-request-filtering-policy-prop -h host -p port policy-name
The default properties of a request filtering policy are as follows:
allow-add-operations : true
allow-bind-operations : true
allow-compare-operations : true
allow-delete-operations : true
allow-extended-operations : true
allow-inequality-search-operations : true
allow-modify-operations : true
allow-rename-operations : true
allow-search-operations : true
allowed-comparable-attrs : all
allowed-search-scopes : base
allowed-search-scopes : one-level
allowed-search-scopes : subtree
allowed-subtrees : ""
description : -
prohibited-comparable-attrs : none
prohibited-subtrees : none
Configure the request filtering policy by setting one or more of the properties listed in View the properties of a request filtering policy.
$ dpconf set-request-filtering-policy-prop -h host -p port policy-name \
  property:value [property:value ...]
By setting the properties listed in View the properties of a request filtering policy, you configure the following features of the request filtering policy:
The types of operations that clients are allowed to perform
The subtrees that are exposed to a client or hidden from a client
The scope for search operations
The types of search filters
The attribute types that can or cannot be compared in search and compare operations
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Create one or more search data hiding rules for a request filtering policy.
$ dpconf create-search-data-hiding-rule -h host -p port policy-name rule-name \
  [rule-name ...]
View the properties of a search data hiding rule.
$ dpconf get-search-data-hiding-rule-prop policy-name rule-name
The default properties of a search data hiding rule are as follows:
attrs : none
rule-action : hide-entry
target-attr-value-assertions : none
target-dn-regular-expressions : none
target-dns : none
Configure a search data hiding rule by setting one or more of the properties listed in View the properties of a search data hiding rule.
$ dpconf set-search-data-hiding-rule-prop -h host -p port policy-name rule-name \
  property:value [property:value ...]
One of the following rule actions can be used:
hide-entry
The target entry is not returned.
hide-attributes
The target entry is returned but the specified attributes are filtered out.
show-attributes
The target entry is returned but the unspecified attributes are filtered out.
The rule can be applied to the following entries:
target-dns
Entries with the specified DN
target-dn-regular-expressions
Entries with the specified DN pattern
target-attr-value-assertions
Entries with a specified attribute name and attribute value pair (attrName#attrValue)
The following configuration defines a search data hiding rule that hides entries of type inetorgperson.
$ dpconf set-search-data-hiding-rule-prop -h host1 -p port my-policy my-rule \
  target-attr-value-assertions:objectclass#inetorgperson
The following examples contain a request filtering policy and a search data hiding rule. When the request filtering policy is combined with the search data hiding rule, access to data is limited as follows:
The following types of operations are disallowed: add, delete, extended, modify, and rename.
Only the ou=people,dc=sun,dc=com subtree can be accessed.
Only entries that are not of type inetorgperson are returned by search operations.
Example 25-1 Sample Request Filtering Policy
allow-add-operations : false
allow-bind-operations : true
allow-compare-operations : true
allow-delete-operations : false
allow-extended-operations : false
allow-inequality-search-operations : true
allow-modify-operations : false
allow-rename-operations : false
allow-search-operations : true
allowed-comparable-attrs : all
allowed-search-scopes : base
allowed-search-scopes : one-level
allowed-search-scopes : subtree
allowed-subtrees : ou=people,dc=sun,dc=com
description : myRequestFilteringPolicy
prohibited-comparable-attrs : none
prohibited-subtrees : none
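As an added example (not code from this guide or from the product), the following Python model applies the request filtering policy of Example 25-1 and the inetorgperson hiding rule shown above to a few constructed entries, and also exercises the hide-attributes and show-attributes actions and the target-dns and target-dn-regular-expressions criteria. The entries, the DNs not taken from this page, and the assumption that a target-dn-regular-expressions pattern must match the whole DN (Java Pattern.matches semantics) are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# An entry is modelled as attribute name (lower case) -> values; the "dn" key holds the entry DN.
Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    """Case-fold a DN and drop spaces around RDN separators so DNs can be compared as strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    """True when dn is base itself or lies below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


@dataclass
class RequestFilteringPolicy:
    """The policy properties from Example 25-1 that this model evaluates."""
    allowed_operations: Set[str] = field(default_factory=lambda: {"add", "bind", "compare", "delete",
                                                                  "extended", "modify", "rename", "search"})
    allowed_subtrees: List[str] = field(default_factory=list)    # "" (the default) exposes the whole tree
    prohibited_subtrees: List[str] = field(default_factory=list)

    def subtree_accessible(self, dn: str) -> bool:
        if any(in_subtree(dn, p) for p in self.prohibited_subtrees):
            return False
        if not self.allowed_subtrees or "" in self.allowed_subtrees:
            return True
        return any(in_subtree(dn, a) for a in self.allowed_subtrees)


@dataclass
class SearchDataHidingRule:
    rule_action: str = "hide-entry"                  # hide-entry | hide-attributes | show-attributes
    attrs: List[str] = field(default_factory=list)   # attributes named by hide-/show-attributes
    target_dns: List[str] = field(default_factory=list)
    target_dn_regular_expressions: List[str] = field(default_factory=list)
    target_attr_value_assertions: List[str] = field(default_factory=list)  # "attrName#attrValue"

    def targets(self, entry: Entry) -> bool:
        dn = entry["dn"][0]
        if any(normalize_dn(dn) == normalize_dn(t) for t in self.target_dns):
            return True
        # Assumption: the Java regular expression must match the whole DN (Pattern.matches semantics).
        if any(re.fullmatch(p, dn) for p in self.target_dn_regular_expressions):
            return True
        for assertion in self.target_attr_value_assertions:
            attr, _, value = assertion.partition("#")
            if value.lower() in (v.lower() for v in entry.get(attr.lower(), [])):
                return True
        return False

    def apply(self, entry: Entry) -> Optional[Entry]:
        """Return the entry as the client sees it, or None when the whole entry is hidden."""
        if not self.targets(entry):
            return entry
        if self.rule_action == "hide-entry":
            return None
        named = {a.lower() for a in self.attrs}
        if self.rule_action == "hide-attributes":
            return {k: v for k, v in entry.items() if k == "dn" or k not in named}
        if self.rule_action == "show-attributes":
            return {k: v for k, v in entry.items() if k == "dn" or k in named}
        raise ValueError(f"unknown rule-action {self.rule_action!r}")


def search(policy: RequestFilteringPolicy, rules: List[SearchDataHidingRule],
           base_dn: str, entries: List[Entry]) -> List[Entry]:
    """Apply the policy, then every hiding rule in turn, to a subtree search rooted at base_dn."""
    if "search" not in policy.allowed_operations or not policy.subtree_accessible(base_dn):
        return []
    results: List[Entry] = []
    for entry in entries:
        dn = entry["dn"][0]
        if not in_subtree(dn, base_dn) or not policy.subtree_accessible(dn):
            continue
        visible: Optional[Entry] = entry
        for rule in rules:
            visible = rule.apply(visible)
            if visible is None:
                break
        if visible is not None:
            results.append(visible)
    return results


# Constructed sample data: the policy and rule of Example 25-1 plus three test entries.
EXAMPLE_POLICY = RequestFilteringPolicy(allowed_operations={"bind", "compare", "search"},
                                        allowed_subtrees=["ou=people,dc=sun,dc=com"])
EXAMPLE_RULE = SearchDataHidingRule(rule_action="hide-entry",
                                    target_attr_value_assertions=["objectclass#inetorgperson"])
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": ["uid=alice,ou=people,dc=sun,dc=com"], "objectclass": ["top", "person", "inetOrgPerson"],
     "uid": ["alice"], "userpassword": ["{SSHA}constructed-value"]},
    {"dn": ["cn=helpdesk,ou=people,dc=sun,dc=com"], "objectclass": ["top", "groupOfUniqueNames"],
     "cn": ["helpdesk"]},
    {"dn": ["cn=admins,ou=groups,dc=sun,dc=com"], "objectclass": ["top", "groupOfUniqueNames"],
     "cn": ["admins"]},
]


def visible_dns(policy: RequestFilteringPolicy, rules: List[SearchDataHidingRule], base_dn: str) -> List[str]:
    """DNs returned for a subtree search over SAMPLE_ENTRIES."""
    return [e["dn"][0] for e in search(policy, rules, base_dn, SAMPLE_ENTRIES)]
```

With the Example 25-1 policy and the hide-entry rule, a subtree search under ou=people,dc=sun,dc=com returns only the group entry; a search based at dc=sun,dc=com returns nothing because the base lies outside allowed-subtrees.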
For an overview of resource limits policies, see Resource Limits Policies for Connection Handlers in the Reference for Oracle Directory Server Enterprise Edition. For information about how to create and configure resource limits policies and to customize search limits, see the following procedures.
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
Create a resource limits policy.
$ dpconf create-resource-limits-policy -h host -p port policy-name
For information about how to modify the properties of a resource limits policy, see To Configure a Resource Limits Policy.
Associate the resource limits policy to a connection handler.
$ dpconf set-connection-handler-prop -h host -p port connection-handler-name \
  resource-limits-policy:policy-name
You can use the web interface Directory Service Control Center (DSCC) to perform this task.
View the properties of a resource limits policy.
$ dpconf get-resource-limits-policy-prop -h host -p port policy-name
The default properties of a resource limits policy are as follows:
connection-idle-timeout : 1h
denied-presence-filter-attr : all
denied-presence-filter-enabled : false
description : -
max-client-connections : unlimited
max-connections : unlimited
max-op-count-per-interval : unlimited
max-simultaneous-operations-per-connection : unlimited
max-total-operations-per-connection : unlimited
minimum-search-filter-substring-length : unlimited
op-count-per-interval-timeout : 1s
referral-bind-policy : default
referral-hop-limit : default
referral-policy : default
search-size-limit : unlimited
search-time-limit : unlimited
warning-op-count-per-interval : unlimited
Configure the resource limits policy by setting one or more of the properties that are listed in View the properties of a resource limits policy:
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
  property:value [property:value ...]
To specify the threshold number of operations per time interval at which a warning is raised, run the following command:
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
  warning-op-count-per-interval:1500
When the number of operations in the specified time interval exceeds this threshold, the warning-resource-limit-exceeded alert is raised. For more information on warning-resource-limit-exceeded, see Configuring Administrative Alerts for Directory Proxy Server.
Configure denied-presence-filter-attr to deny access when a search filter contains at least one of the attributes in the list of denied filter attributes.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
  denied-presence-filter-attr:attribute-name
Turn on denied-presence-filter-enabled to enforce that list, so that a search whose filter contains one of the specified attributes is denied.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
  denied-presence-filter-enabled:true
Customized limits can be defined for search operations according to the search base and search scope. If the target DN and scope of a search operation matches the specified criteria, the maximum size of the search result is limited.
You can use the web interface Directory Service Control Center (DSCC) to perform this task. To see the DSCC procedure for this task, open the DSCC online help. For more information about DSCC, see Directory Service Control Center Interface.
Create one or more custom search limits.
$ dpconf create-custom-search-size-limit -h host -p port policy-name \
  custom-search-limit-name [custom-search-limit-name ...]
Set the criteria for the custom search limit.
$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \
  custom-search-limit-name one-level-search-base-dn:value subtree-search-base-dn:value
Set the limit for the number of results that are returned when a search meets one of the criteria in Set the criteria for the custom search limit.
$ dpconf set-custom-search-size-limit-prop -h host -p port policy-name \
  custom-search-limit-name search-size-limit:value
View the properties of a custom search limit.
$ dpconf get-custom-search-size-limit-prop -h host -p port policy-name \
  custom-search-limit-name
The default properties of a custom search limit are as follows:
one-level-search-base-dn : none
search-size-limit : unlimited
subtree-search-base-dn : none
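The following Python model is an added example and not part of this guide or of the product. It shows what the denied presence filter (denied-presence-filter-attr, denied-presence-filter-enabled) and the custom search size limits described above decide for a few constructed searches. It assumes that a presence assertion is a filter item of the form (attr=*), that a substring assertion such as (attr=a*) is not a presence assertion, and that a custom limit applies when the search base equals the configured base DN for the matching scope; the attribute names, DNs and limit values are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Matches a presence assertion such as (mail=*). The value has to be exactly "*", so a substring
# assertion such as (mail=a*) is deliberately not matched.
PRESENCE_ASSERTION = re.compile(r"\(\s*([A-Za-z][\w.;-]*)\s*=\*\s*\)")

UNLIMITED = None  # dpconf displays the absence of a limit as "unlimited"


def presence_attrs(ldap_filter: str) -> Set[str]:
    """Attribute names (lower case) that the filter tests for presence."""
    return {m.group(1).lower() for m in PRESENCE_ASSERTION.finditer(ldap_filter)}


def normalize_dn(dn: str) -> str:
    """Case-fold a DN and drop spaces around RDN separators so DNs can be compared as strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class CustomSearchSizeLimit:
    name: str
    search_size_limit: Optional[int] = UNLIMITED
    one_level_search_base_dn: Optional[str] = None   # "none" in dpconf output
    subtree_search_base_dn: Optional[str] = None


@dataclass
class ResourceLimitsPolicy:
    search_size_limit: Optional[int] = UNLIMITED
    denied_presence_filter_enabled: bool = False
    denied_presence_filter_attr: List[str] = field(default_factory=lambda: ["all"])
    custom_search_size_limits: List[CustomSearchSizeLimit] = field(default_factory=list)


def filter_allowed(policy: ResourceLimitsPolicy, ldap_filter: str) -> bool:
    """False when the denied presence filter refuses the search."""
    if not policy.denied_presence_filter_enabled:
        return True
    present = presence_attrs(ldap_filter)
    if not present:
        return True
    if "all" in policy.denied_presence_filter_attr:    # the default value denies every presence test
        return False
    denied = {a.lower() for a in policy.denied_presence_filter_attr}
    return not (present & denied)


def effective_size_limit(policy: ResourceLimitsPolicy, base_dn: str, scope: str) -> Optional[int]:
    """Pick the custom limit whose base DN and scope match the search, else the policy-wide limit.

    Assumption: a custom limit applies when the search base equals the configured base DN exactly."""
    base = normalize_dn(base_dn)
    for limit in policy.custom_search_size_limits:
        if scope == "one-level" and limit.one_level_search_base_dn \
                and normalize_dn(limit.one_level_search_base_dn) == base:
            return limit.search_size_limit
        if scope == "subtree" and limit.subtree_search_base_dn \
                and normalize_dn(limit.subtree_search_base_dn) == base:
            return limit.search_size_limit
    return policy.search_size_limit


def truncate(results: list, limit: Optional[int]) -> list:
    """Cut a result set down to the effective search size limit."""
    return results if limit is UNLIMITED else results[:limit]


# Constructed policy: deny presence tests on two attributes and cap listings of the people container.
SAMPLE_POLICY = ResourceLimitsPolicy(
    search_size_limit=500,
    denied_presence_filter_enabled=True,
    denied_presence_filter_attr=["userPassword", "mail"],
    custom_search_size_limits=[
        CustomSearchSizeLimit("people-listing", search_size_limit=50,
                              one_level_search_base_dn="ou=people,dc=sun,dc=com",
                              subtree_search_base_dn="ou=people,dc=sun,dc=com"),
    ])
```

A filter such as (&(objectclass=person)(mail=*)) is refused under SAMPLE_POLICY because it tests mail for presence, while (mail=a*) is a substring assertion and passes; a one-level or subtree search based exactly at ou=people,dc=sun,dc=com is capped at 50 entries and every other search at the policy-wide 500.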
Directory Proxy Server lets you set a threshold for the maximum number of LDAP operations allowed in a given time period. You set the operation rate limit per connection handler using a resource limits policy. These settings effectively allow you to limit the LDAP operation rate for an LDAP client application. For example, you can use this capability to ensure that one LDAP client application can perform a maximum of 2500 LDAP operations per second, whereas another LDAP client application is limited to a maximum of 1200 operations per second.
First, set up a connection handler to describe connections from the client application whose LDAP operation rate you want to limit. Then create a resource limits policy for the connection handler. Finally, follow the steps here to limit the operation rate using the resource limits policy on the connection handler.
Enable the operations rate limit counters.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
  max-op-count-per-interval:2500
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
  op-count-per-interval-timeout:1s
When an LDAP client exceeds the operation rate limit you set, Directory Proxy Server can raise an alert provided you set up Directory Proxy Server as described in the Configuring Administrative Alerts for Directory Proxy Server section.
To add an alert about operation rate limits being reached, run this command:
$ dpconf set-server-prop -h host -p port \
  enabled-admin-alerts+:error-resource-limit-exceeded
Directory Proxy Server raises an alert when the operations rate limit is exceeded. Directory Proxy Server also writes a message in the access log each time an operation is refused because the application exceeds its limit.
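As an added example (not the product's implementation), the following Python class models the operation rate limit built from max-op-count-per-interval, op-count-per-interval-timeout and warning-op-count-per-interval, raising the two alert names given on this page and recording a refusal for each operation over the limit. The fixed-interval counter that resets when the timeout elapses, the choice not to count refused operations towards the interval, the one-alert-per-interval behaviour, and the access log line format are assumptions made for the example; the sample traffic is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class OperationRateLimit:
    """Model of the three resource limits policy properties used for operation rate limiting."""
    max_op_count_per_interval: int                         # refuse operations above this count per interval
    op_count_per_interval_timeout: float                   # interval length in seconds ("1s" on this page)
    warning_op_count_per_interval: Optional[int] = None    # raise a warning alert when this count is reached
    alerts: List[str] = field(default_factory=list)        # administrative alerts raised, in order
    access_log: List[str] = field(default_factory=list)    # constructed log lines, not the real log format
    _window_start: float = 0.0
    _count: int = 0
    _error_raised: bool = False

    def submit(self, op: str, now: float) -> bool:
        """Record one operation arriving at time `now`; return True if accepted, False if refused.

        Assumption: the counter uses fixed intervals that reset once the timeout has elapsed,
        refused operations are not counted, and each alert is raised once per interval."""
        if now - self._window_start >= self.op_count_per_interval_timeout:
            self._window_start, self._count, self._error_raised = now, 0, False
        if self._count >= self.max_op_count_per_interval:
            if not self._error_raised:
                self.alerts.append("error-resource-limit-exceeded")
                self._error_raised = True
            self.access_log.append(f"t={now:.1f} {op} REFUSED: operation rate limit exceeded")
            return False
        self._count += 1
        if self.warning_op_count_per_interval and self._count == self.warning_op_count_per_interval:
            self.alerts.append("warning-resource-limit-exceeded")
        self.access_log.append(f"t={now:.1f} {op} accepted ({self._count}/{self.max_op_count_per_interval})")
        return True


def run_sample() -> dict:
    """Constructed traffic: five operations inside one second, then one after the interval has elapsed."""
    limiter = OperationRateLimit(max_op_count_per_interval=3, op_count_per_interval_timeout=1.0,
                                 warning_op_count_per_interval=2)
    timeline = [(0.0, "SEARCH"), (0.1, "SEARCH"), (0.2, "MODIFY"),
                (0.3, "SEARCH"), (0.4, "SEARCH"), (1.0, "SEARCH")]
    decisions = [limiter.submit(op, t) for t, op in timeline]
    return {"decisions": decisions, "alerts": limiter.alerts, "log": limiter.access_log}


if __name__ == "__main__":
    for line in run_sample()["log"]:
        print(line)
```

With a limit of 3 operations per 1 s interval and a warning threshold of 2, the second operation raises the warning alert, the fourth and fifth are refused (the error alert is raised once), and the operation that arrives after the interval has elapsed is accepted again.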
Configure connection-idle-timeout to change the default timeout for idle connections.
After the specified time without activity, the client connection is closed. This property has the same meaning as the corresponding property of the LDAP and LDAPS listeners, but if it is set to a value other than the inherited default, it takes precedence over them. See Directory Proxy Server Client Listeners in the Reference for Oracle Directory Server Enterprise Edition.
$ dpconf set-resource-limits-policy-prop -h host -p port policy-name \
  connection-idle-timeout:new-timeout
Directory Proxy Server 5.2 is a connection based router. In Directory Proxy Server 5.2, a client connection is routed to a specific directory server. All requests on that client connection are sent to the same directory server until the connection is broken or until the client unbinds.
Directory Proxy Server 11g Release 1 (11.1.1.6) is an operation based router. However, for compatibility, this version of Directory Proxy Server can be configured as a connection based router, as described in the following procedure.
Create and configure one or more connection handlers as described in Creating, Configuring, and Deleting Connection Handlers.
You can also use the default connection handler.
Configure all connection handlers to route requests to the root data view only.
For example:
$ dpconf set-connection-handler-prop -h host1 -p 1389 myConnectionHandler \
  data-view-routing-policy:custom data-view-routing-custom-list:"root data view"
Create and configure a data source for each back-end LDAP server as described in Creating and Configuring LDAP Data Sources.
For example:
$ dpconf create-ldap-data-source -h host1 -p 1389 myDataSource host2:2389
Create and configure a data source pool as described in Creating and Configuring LDAP Data Source Pools.
For example:
$ dpconf create-ldap-data-source-pool -h host1 -p 1389 myDataSourcePool
Attach all of the data sources to the data source pool as described in Attaching LDAP Data Sources to a Data Source Pool.
For example:
$ dpconf attach-ldap-data-source -h host1 -p 1389 myDataSourcePool myDataSource
Configure each data source to authenticate clients by using BIND replay as described in Forwarding Requests With Bind Replay.
For example:
$ dpconf set-ldap-data-source-prop -h host1 -p 1389 myDataSource \
  client-cred-mode:use-client-identity
Configure affinity between the client connection and the data source pool as described in Configuring Client Affinity.
For example:
$ dpconf set-ldap-data-source-pool-prop -h host1 -p 1389 myDataSourcePool \
  enable-client-affinity:true client-affinity-policy:read-write-affinity-after-write