Configuration

The object key is mandatory and must be the string LdapProxy.

The name key is mandatory and must be the LDAP configuration subentry name of the LDAP server to be configured as a DLP server. By default, this name is ldapConfiguration.

The LBservers key is mandatory and defines the target servers (1-n) to which the DLP server can forward requests from users that do not match any of the user-routing or operation-routing rules defined in the DLP server configuration file. Its value is an array of symbolic LDAP server names that must match the names of LdapServer objects defined in the same configuration file. Note that the value must be specified as an array even if only one LDAP server is listed or an error occurs and the LDAP server will not start. If a user is controlled by a user- or operation-routing rule, DLP server ignores the LBservers value(s). The method the DLP server uses to select from a list of LB-servers for forwarding depends on the settings of loadbalance and failover keys in the Defaults object definition. See the description of the Defaults object definition in this guide for details.

The object key is mandatory and must be the string LdapServer.

The name key is mandatory and can have any string value as long as the value is unique. The name is used in other objects in the configuration file (for example, in LdapProxy objects) to refer to a specific target server.

The protocol key is mandatory and defines how the request is forwarded to the target server. The value ldap results in unencrypted plain socket mode. The value ldaps results in an SSL connection to the target server. When ldaps is used, the DLP server must run in ProxyMode=2 and suitable TLS key material must be provided.

The host key is mandatory and defines the IP or DNS name of the target LDAP server.

The port key is mandatory and defines the port of the target LDAP server.

ssl_protocol – defines which SSL/TLS protocol to use. Possible values are TLSv10, TLSv11, TLSv12 or TLSv13. The value is case sensitive. Make sure that the target server supports and allows the selected protocol.

ssl_cipher – a string that defines the cipher list. The DLP server uses OpenSSL to contact target servers via SSL/TLS. The recommended value for TLS versions ⇐ TLSv12 is HIGH, which typically excludes unsafe ciphers from being selected. If TLSv13 is chosen special ciphers must be selected. See the OpenSSL documentation for information on possible cipher values.

trusted_ca_files – defines the full qualified PEM file name that contains the chains of trusted public CA certificates used to verify the received server certificates from the target servers during the SSL handshake.

The object key is mandatory and must be the string AttributeList.

The name key is mandatory and must be a unique string within multiple AttributeList definitions.

The attributes key is a list of LDAP attribute names separated by a comma (,) and enclosed in square brackets [ ]. If an attribute has multiple LDAP names, for example, telephoneNumber and tn, all LDAP names must be specified to ensure the visibility in the result. OIDs cannot be specified instead of the LDAP name.

LdapProxy.lb_failover, which determines whether or not the DLP server contacts the next server from the LBServer list defined in the LdapProxy object using a round-robin scheme. By default (LdapProxy.lb_failover is set to 1), if more than one LB-server is configured and an I/O error occurs to a selected target server, the DLP server fails over to the next server. If this one also fails, it fails over to the next, and so on until all servers have been tried. To change this behavior, set the property LdapProxy.lb_failover to 0. Now the operation returns an error if the selected target server raises an I/O error.

The LdapProxy.lb_balance, which determines whether or not the DLP server applies a round-robin scheme to select the primary server from the LBserver list specified in the LdapProxy object definition. By default (LdapProxy.lb_balance set to of 1), if more than one LB-server is configured, each user that has no other governing rule is forwarded to one of the LB-servers using round-robin selection. For example, suppose C1, C2, C3, C4 are LDAP client users that are not controlled by other rules (the numbers indicate the time sequence in which the users perform their binds) and LBservers lists LDAP1, LDAP2, and LDAP 3 servers. DLP server forwarding will be C1 to LDAP1, C2 to LDAP2, C3 to LDAP3, C4 to LDAP1. To change this default behavior, set the LdapProxy.lb_balance property to 0. Now the DLP server forwards every user request that has no governing rule to the same primary server (the first server in the LBserver list, which is LDAP1 in this case).

TLSLogging, which controls whether (1) or not (0) the DLP server generates a readable log file install_path*/ldap/log/proxyssl*pid*.txt* where pid is the PID of the DLP server process. (The default value is 0.) Note that enabling TLSLogging will slow down performance significantly and is only intended for error analysis.

Tracing, which controls whether (1, 2 or 3) or not (0) tracing information is sent to stderr and the verbosity of tracing information sent (1, 2 or 3). The higher the value, the more verbose the tracing information generated. (The default value is 0.) Enabling Tracing will slow down performance noticeably.

ConnectTimeout, which defines the number of seconds the DLP server waits for a TCP connect to succeed before it tries another server (if available and failover is allowed) or the operation fails. The default value is 5 seconds. Be careful not to supply a value that’s too low, as it may lead to frequent timeouts when network performance is poor or the contacted target server is under high load. For a description of how this setting affects DLP server operation, see the section "Connect Timeout".

OfflineRetryTimeout, which defines the number of seconds for which the DLP server disables a failed target server for further selection. The default value is 60 seconds. For a description of how this setting affects DLP server operation, see the section "Offline Handling and Server Retry".

JSONCodeSet, which specifies the code set in which the DLP server configuration file is encoded (the configuration file is a JSON file, as described in the “Configuration” chapter). A value of 0 indicates to the DLP server that the configuration file is encoded in Latin-1 and needs to be converted to UTF-8 format for LDAP, which only supports the UTF-8 code set. A value of 1 indicates that the configuration file is encoded in UTF-8 and needs no conversion. The default value is 1 (UTF-8). For a description of how this setting affects DLP server operation, see the “Operations” chapter.

NotifyRewrite, which controls whether (1) or not (0) notification of request/result rewriting is included in the LDAP response error message. When set to 1, the client receives a string like Proxy-Modified=yes, which indicates that the DLP server has modified the request or the result. Set this key to 0 to hide information from clients about DLP server changes to requests and results.

NullParamStr, which defines a placeholder string for an empty rewrite action parameter in a DLP server rewriting rule. The default placeholder string is NULL. For a description of how this setting applies to DLP server rewriting rules, see the section “Protocol-Specific Actions” in the chapter “Proxy Rules”.

DiscloseTarget, which controls whether (1) or not (0) the DLP server identifies the target server that processed the LDAP request in the LDAP response message. For example, when set to 1, the following output is returned for the following dirxcp command:

Rules for operation forwarding based on the user’s DN or on the operation type

Rules for rewriting an LDAP client request or the result returned by the target LDAP server.

The object key is mandatory and must be the string ProxyRule.

The ruleType key is mandatory and must be one of the following strings:

UserRouting - defines a rule for operation forwarding based on the user’s DN

OprRouting - defines a rule for operation forwarding based on the operation type

ReqRewrite – defines a rule for modifying the data in an incoming client request

ResRewrite – defines a rule for modifying the data in an outgoing result of a client request

The name key is mandatory and can have any string value as long as the value is unique.

The condition key is mandatory and specifies the selection criteria that an LDAP operation must satisfy in order for the actions specified in the actions key to be executed on the operation. Condition values are specified in LDAP filter string format; the value depends on the value of the ruleType key:

UserRouting, OprRouting - the condition value selects for forwarding the LDAP operation to a target server

ReqRewrite, ResRewrite - the condition value selects for modifying a component of the LDAP operation

The actions key is mandatory and defines the operations to be performed on the LDAP operation if it matches the rule condition selection criteria. An action is defined as a JSON array; the value depends on the ruleType value:

UserRouting, OprRouting – the action is a forwarding operation to a selected set of LDAP servers or a general action, such as denying the request. See the descriptions of the user- and operation-routing rules in the chapter “Proxy Rules” for details on how to specify a forwarding action.

ReqRewrite, ResRewrite – the action is a rewriting operation for a specific component of an LDAP operation – for example, to change the base object of an incoming search request - or a general action, such as denying the request. Multiple actions can be defined for an individual rule and are executed in the order in which they are defined. See the description of the rewriting rules in the chapter “Proxy Rules” for details on how to specify rewriting actions.