The Version 6 CLI: First Steps With Directory Proxy

Once you start using multiple Directory Server replicas, you realize it can become painful for LDAP client applications to keep track of all the host names and port numbers needed to contact each Directory Server instance. You may want to protect your Directory Server instances from direct access. You also probably want to balance LDAP client requests across your Directory Server instances. You may want to scale update capacity by using data distribution, or add a virtual directory front end to relational database content. Directory Proxy Server 6 makes all these jobs possible.

This entry shows you the most basic steps to getting a Directory Proxy Server instance running on your system, and answering requests for LDAP information in a directory behind the proxy. If you have not yet installed Directory Server Enterprise Edition 6.0 software, see Installing Directory Server Enterprise Edition 6.0.

To use Directory Proxy Server 6.0, there are three key concepts you need to know. First, Directory Proxy Server lets you configure data views onto the underlying data. Depending on the type of data view, you can see LDAP data behind the proxy exactly as it appears in Directory Server, you can see a modified view with renamed DNs and attributes, or you can even see an LDAP representation of SQL data. Second, Directory Proxy Server attaches data views to data source pools. Data source pools consist of equivalent data sources, each of which can service an equivalent request. Third, the data sources are the configuration objects that hold information about the connections to actual sources of data, such as servers, databases, or LDIF files.

For this entry, I start with the Directory Server instance set up in The Version 6 CLI: Getting Started. The directory listens for LDAP requests on port 1389, and already contains sample data. (To keep things simple, I set up the proxy on the same host system, and so use a different port.) We can see entries in the directory with ldapsearch.

$ ldapsearch -p 1389 -b dc=example,dc=com uid=bjensen
version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
description: This is a new description.
givenName: Barbara
sn: Jensen
telephoneNumber: +1 408 555 1862
ou: Product Development
ou: People
l: Cupertino
roomNumber: 0209
mail: bjensen@example.com
uid: bjensen
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
facsimileTelephoneNumber: +1 408 555 1992
cn: Barbara Jensen
cn: Babs Jensen

Creating a Directory Proxy Server Instance

With Directory Server Enterprise Edition 6.0 software installed, you can use the dpadm and dpconf commands to create and configure Directory Proxy Server 6.0. Creating a Directory Proxy Server instance is a two-step process.

First, you use dpadm create to create the proxy instance on the local file system. Here, I use port 2389 for LDAP and port 2636 for LDAP/SSL. If the proxy is the LDAP access point for client applications, you may want to use the defaults, 389 for LDAP and 636 for LDAP/SSL.

$ dpadm create -p 2389 -P 2636 /local/dps
Choose the Proxy Manager password:
Confirm the Proxy Manager password:
Use 'dpadm start /local/dps' to start the instance

Second, you use dpadm start to start Directory Proxy Server so you can configure the proxy.

$ dpadm start /local/dps
...
Directory Proxy Server instance '/local/dps' started: pid=26315

After you start the newly created proxy, it can respond to LDAP requests. But the newly created instance cannot send requests to any data sources, yet.

Proxying for Directory Server

In order for the server instance to work as a proxy, you must configure a data source, a data source pool, and a data view. This may seem like overkill to proxy for one Directory Server instance. Keep in mind that most of the time a proxy accesses multiple data sources, in multiple data source pools, through multiple data views.

The following excerpt shows how I create a data source pointing to the Directory Server instance listening on port 1389, a data source pool containing only that server, and a data view into the data source pool. I have environment variables set as described in the Installation Guide so I do not have to repeatedly type port numbers and passwords.

$ dpconf create-ldap-data-source "My DS" localhost:1389
Certificate "CN=hostname:2389" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
$ dpconf create-ldap-data-source-pool "My Pool"
$ dpconf attach-ldap-data-source "My Pool" "My DS"
$ dpconf create-ldap-data-view "My View" "My Pool" dc=example,dc=com

Now I must enable the data source and restart the server for the connection from the proxy to the directory to work.

$ dpconf set-ldap-data-source-prop "My DS" is-enabled:true
$ dpadm restart /local/dps
Directory Proxy Server instance '/local/dps' stopped
...
Directory Proxy Server instance '/local/dps' started: pid=26373

I must also assign a (load balancing) weight to each LDAP operation that I want the proxy to forward. By default, no operations are routed from the proxy to the directory. The values used for LDAP operation weights only matter relative to each other. Here, I arbitrarily assign the value 100 to search operations. As long as I assign no other values, this only means that searches get routed from the proxy to the directory.

$ dpconf set-attached-ldap-data-source-prop "My Pool" "My DS" search-weight:100

At this point, the proxy is connected to the directory for LDAP searches. You can see that it works when I run the same search I ran against the directory earlier, this time on port 2389 where the proxy is listening.

$ ldapsearch -p 2389 -b dc=example,dc=com uid=bjensen
version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
description: This is a new description.
givenName: Barbara
sn: Jensen
telephoneNumber: +1 408 555 1862
ou: Product Development
ou: People
l: Cupertino
roomNumber: 0209
mail: bjensen@example.com
uid: bjensen
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
facsimileTelephoneNumber: +1 408 555 1992
cn: Barbara Jensen
cn: Babs Jensen

For more instructions on configuring Directory Proxy Server, see the Administration Guide. For background information on Directory Proxy Server, see the Reference.

Comments:

i want to know the proxy codes for dps

Posted by nichole green on May 29, 2007 at 11:45 AM CEST #

Basically, to set up the proxy functionality, you point Directory Proxy to the directories serving up the data, and set the operational weights to have LDAP operations (bind, search, modify, add, delete, etc.) sent to the directories.

Posted by Mark on July 30, 2007 at 03:27 AM CEST #

So with the above configuration in mind, I can refer a client to DPS, which in turn will forward it to DS? I have Access Manager that I want to point to DPS; where should I make the change so that AM will query through DPS?

Thanks

Posted by vicky on August 07, 2007 at 08:36 PM CEST #

When you refer a client to DPS set up as shown above, your operation gets sent back to the data source, such as DS, in proportion to the weights.

Regarding Access Manager, the theory is that you should be able to point Access Manager to DPS in the same way that you point it to DS. Two caveats, however, because I'm not expert enough on Access Manager to give you the whole story without asking for help: 1) Access Manager may be doing more than just anonymous lookups, so you may need to work out how Access Manager binds through DPS to DS. DPS typically uses proxy authorization with DS, but you can also use the bind DN from the application such as Access Manager; 2) It's possible that Access Manager depends on something that is not there when you use DPS. In http://docs.sun.com/app/docs/doc/819-0991/6n3cm98f4?a=view, the release notes, you'll find mention of an issue with Access Manager, CR 6490763, for example. There could be other things I've not heard about, yet.

Posted by Mark on August 08, 2007 at 03:15 AM CEST #

This example would be more helpful if it included debug info for when the proxy can't reach the directory server.

Posted by Jay Biddle on April 10, 2008 at 02:08 PM CEST #

Jay, thanks for your comment. I've written a short rainy-day entry at http://blogs.sun.com/marginNotes/entry/cannot_get_through_directory_proxy

Posted by Mark on April 14, 2008 at 03:58 AM CEST #

One problem. When you use this setup, the proxy server instance created, its data sources, pools and views do not show up in the DSCC. Bummer.

Posted by Darryl Price on October 25, 2009 at 06:11 PM CET #

Right. I probably should've added this before, but as shown in the Install Guide, http://docs.sun.com/app/docs/doc/820-2761/create-dps-instance-cli, you'll need to run the dsccreg add-server command to register the DPS instance with DSCC.

Something like the following command:
dsccreg add-server -h dscchost --description "My Proxy" /local/dps

Posted by Mark Craig on October 26, 2009 at 02:52 AM CET #

Yes, ldapsearch works. But if you bind a Solaris 10 client to DPS, password policy is ignored. If you bind the same Solaris 10 client to DS, password policy works.

Posted by Cristian Burcus on November 12, 2009 at 04:08 AM CET #

Cristian, could you describe the issue in a bit more detail?
Which element of the password policy is ignored? Expiration? Expiration warnings? Account Usable control?
How is DPS configured with regard to processing binds and then authorized requests (use Bind vs use AuthZID)?

Posted by Mark Craig on November 18, 2009 at 08:54 AM CET #

The ignored element is pwdReset. I didn't test other elements.
DPS data sources are configured to bind and forward requests using the identity provided by the client. When I log in, this appears in the DPS access logs:
SEARCH base="ou=people,dc=exampl,dc=ro" scope=1 controls="" filter="(&(objectClass=posixAccount)(uid=cristian.burcus))" attrs="cn uid uidnumber gidnumber gecos description homedirectory loginshell "
SEARCH base="ou=people,dc=example,dc=ro" scope=1 filter="(&(objectClass=posixAccount)(uid=cristian.burcus))" attrs="cn uid uidnumber gidnumber gecos description homedirectory loginshell " s_msgid=152 s_conn=nd1_ldap:10
If you need more info, please tell me.

Thank you,
Cristian

Posted by Cristian Burcus on November 19, 2009 at 08:09 AM CET #
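As an added example (not from the original entry or from the DSEE tooling), the script below parses DPS access-log lines in the layout quoted in the comment above and counts, per backend data source, how many searches were actually forwarded, so the observed split can be compared with the shares implied by the search-weight values set with dpconf earlier in the entry. The log lines are constructed, and the field layout (quoted key="value" pairs, with s_conn=<source>:<n> present only on the line written after forwarding) is an assumption inferred from the two lines above.

```python
import re
from collections import Counter

# Constructed sample in the layout of the two access-log lines quoted above.
# Assumption: forwarded operations carry s_conn=<data source>:<n>; the line
# logged before forwarding (last one here) carries no s_conn at all.
SAMPLE_LOG = """\
SEARCH base="ou=people,dc=example,dc=ro" scope=1 filter="(uid=a)" attrs="cn" s_msgid=1 s_conn=ds1:10
SEARCH base="ou=people,dc=example,dc=ro" scope=1 filter="(uid=b)" attrs="cn" s_msgid=2 s_conn=ds2:3
SEARCH base="ou=people,dc=example,dc=ro" scope=1 filter="(uid=c)" attrs="cn" s_msgid=3 s_conn=ds1:11
SEARCH base="ou=people,dc=example,dc=ro" scope=1 filter="(uid=d)" attrs="cn" s_msgid=4 s_conn=ds1:12
MODIFY dn="uid=a,ou=people,dc=example,dc=ro" s_msgid=5 s_conn=ds1:13
SEARCH base="ou=people,dc=example,dc=ro" scope=1 filter="(uid=e)" attrs="cn"
"""

LINE_RE = re.compile(r'^(?P<op>[A-Z]+)\s+(?P<rest>.*)$')
# A value is either a double-quoted string (may contain spaces and '=') or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return (operation, {field: value}) or None when the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return m.group('op'), fields


def count_forwarded(log_text, op='SEARCH'):
    """Count operations of one type per backend data source (prefix of s_conn).
    Lines without s_conn were logged before forwarding and are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] != op:
            continue
        conn = parsed[1].get('s_conn')
        if conn:
            counts[conn.split(':', 1)[0]] += 1
    return counts


def expected_shares(weights):
    """Relative share per data source from dpconf *-weight values. A source with
    no positive weight gets nothing, matching the unset default in the entry."""
    total = sum(w for w in weights.values() if w > 0)
    return {src: (w / total if w > 0 and total else 0.0) for src, w in weights.items()}


def observed_shares(counts):
    """Fraction of forwarded operations that each data source received."""
    total = sum(counts.values())
    return {src: n / total for src, n in counts.items()} if total else {}
```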

Thanks, Cristian. We've been able to reproduce the problem with pwdReset here in engineering, and have logged CR 6902986 to track the issue until we have a fix.

Posted by Mark Craig on November 20, 2009 at 01:45 AM CET #

About

Mark Craig writes about Directory Services products and technologies. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.
