UnboundID Identity Proxy - Proxying Request Processor

Identity Proxy Documentation Index
Configuration Reference Home

Proxying Request Processor

The Proxying Request Processor may be used to forward requests for processing to a remote directory server over LDAP. Multiple servers may be configured to provide high availability and load balancing, and various transformations may be applied to requests and responses that are processed.

↓Parent Component
↓Relations from This Component
↓Properties
↓dsconfig Usage

Parent Component

The Proxying Request Processor component inherits from the Request Processor

Relations from This Component

The following components have a direct aggregation relation from Proxying Request Processors:

Criteria Based Load Balancing Algorithm

Load Balancing Algorithm

Proxy Transformation

Properties

The properties supported by this managed object are as follows:

Basic Properties:	Advanced Properties:
↓ description	↓ assign-client-connection-policy-from-backend-server
↓ enabled
↓ allowed-operation
↓ load-balancing-algorithm
↓ criteria-based-load-balancing-algorithm
↓ transformation
↓ referral-behavior
↓ supported-control
↓ supported-control-oid

Basic Properties

description

Description	A description for this Request Processor
Default Value	None
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

enabled

Description	Indicates whether this Request Processor is enabled for use in the Identity Proxy.
Default Value	true
Allowed Values	true false
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

allowed-operation

Description	Specifies the types of operations that this Request Processor may be requested to process.
Default Value	abandon add bind compare delete extended modify modify-dn search
Allowed Values	abandon - This Request Processor may be used to process abandon operations. add - This Request Processor may be used to process add operations. bind - This Request Processor may be used to process bind operations. compare - This Request Processor may be used to process compare operations. delete - This Request Processor may be used to process delete operations. extended - This Request Processor may be used to process extended operations. modify - This Request Processor may be used to process modify operations. modify-dn - This Request Processor may be used to process modify DN operations. search - This Request Processor may be used to process search operations.
Multi-Valued	Yes
Required	Yes
Admin Action Required	None. Modification requires no further action

load-balancing-algorithm

Description	Specifies the default load-balancing algorithm that will be used to select the backend server for each operation processed through this Proxying Request Processor. This load-balancing algorithm is used when there are no criteria-based load-balancing algorithms matching the operation.
Default Value	None
Allowed Values	The DN of any Load Balancing Algorithm. Load-balancing algorithms associated with Proxying Request Processors must be enabled.
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

criteria-based-load-balancing-algorithm

Description	Specifies the criteria-based load-balancing algorithms that will be used to select a load-balancing algorithm for each operation processed through this Proxying Request Processor. The selected load-balancing algorithm is that of the first criteria-based load-balancing algorithm whose criteria match the request. If there are no criteria-based load-balancing algorithms, or none of them have criteria which match the request, then the default load-balancing algorithm (the one specified in the load-balancing-algorithm property) will be used.
Default Value	None
Allowed Values	The DN of any Criteria Based Load Balancing Algorithm.
Multi-Valued	Yes
Required	No
Admin Action Required	None. Modification requires no further action

transformation

Description	Specifies the types of transformations that should be applied to requests and responses processed by this Proxying Request Processor. If multiple transformations are provided, then they will be invoked in the specified order for request transformations, and in the reverse order for response transformations.
Default Value	None
Allowed Values	The DN of any Proxy Transformation. Proxy transformations associated with the Proxying Request Processor must be enabled.
Multi-Valued	Yes
Required	No
Admin Action Required	None. Modification requires no further action

referral-behavior

Description	Specifies how any referrals and search result references encountered during processing should be treated by the Identity Proxy.
Default Value	pass-through
Allowed Values	pass-through - Any referrals received by the Identity Proxy will be passed through to the client, which may decide how to handle them. follow - The Identity Proxy should attempt to follow any referrals itself on behalf of the client. discard - The Identity Proxy should silently discard any search result references returned during search processing, and any operation responses with a 'referral' result will be converted to a 'no-such-object' result.
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

supported-control

Description	Specifies the names of any request controls that the Identity Proxy should allow to be forwarded to backend servers. Any request that contains a critical control not in this list, and whose OID is not included in the set of supported-control-oid values will be rejected. Any non-critical request control which is not supported by the Identity Proxy will be removed from the request before that request is forwarded to backend servers.
Default Value	account-usable assertion authorization-identity get-authorization-entry get-effective-rights get-server-id hard-delete ignore-no-user-modification intermediate-client join manage-dsa-it matched-values matching-entry-count no-op operation-purpose password-policy permissive-modify post-read pre-read proxied-authorization-v1 proxied-authorization-v2 purge-password real-attributes-only retain-identity retire-password simple-paged-results soft-delete soft-deleted-entry-access subentries subtree-delete transaction-settings undelete virtual-attributes-only
Allowed Values	account-usable - The account usable request control (OID 1.3.6.1.4.1.42.2.27.9.5.8) as used in the UnboundID Identity Data Store. assertion - The LDAP assertion request control (OID 1.3.6.1.1.12) as defined in RFC 4528. authorization-identity - The authorization identity request control (OID 2.16.840.1.113730.3.4.16) as defined in RFC 3829. get-authorization-entry - The get authorization entry request control (OID 1.3.6.1.4.1.30221.2.5.6) as used in the UnboundID Identity Data Store. get-effective-rights - The get effective rights request control (OID 1.3.6.1.4.1.42.2.27.9.5.2) as used in the UnboundID Identity Data Store. get-server-id - The get server ID request control (OID 1.3.6.1.4.1.30221.2.5.14). hard-delete - The hard delete request control (OID 1.3.6.1.4.1.30221.2.5.22). ignore-no-user-modification - The ignore NO-USER-MODIFICATION request control (OID 1.3.6.1.4.1.30221.2.5.5) as used in the UnboundID Identity Data Store. intermediate-client - The intermediate client request control (OID 1.3.6.1.4.1.30221.2.5.2) as used in the UnboundID Identity Data Store. join - The join request control (OID 1.3.6.1.4.1.30221.2.5.9). manage-dsa-it - The ManageDsaIT request control (OID 2.16.840.1.113730.3.4.2) as defined in RFC 3296. matched-values - The matched values request control (OID 1.2.826.0.1.3344810.2.3) as defined in RFC 3876. matching-entry-count - The matching entry count request control (OID 1.3.6.1.4.1.30221.2.5.36). no-op - The LDAP no-op request control (OID 1.3.6.1.4.1.4203.1.10.2) as used in the UnboundID Identity Data Store. operation-purpose - The operation purpose request control (OID 1.3.6.1.4.1.30221.2.5.19). password-policy - The password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1) as defined in draft-behera-ldap-password-policy. permissive-modify - The permissive modify request control (OID 1.2.840.113556.1.4.1413), which can be used to allow a modify operation to attempt to add attribute values which already exist or remove values which do not exist. post-read - The post-read request control (OID 1.3.6.1.1.13.2) as defined in RFC 4527. pre-read - The pre-read request control (OID 1.3.6.1.1.13.1) as defined in RFC 4527. proxied-authorization-v1 - The proxied authorization v1 request control (OID 2.16.840.1.113730.3.4.12) as defined in draft-weltman-ldapv3-proxy. proxied-authorization-v2 - The proxied authorization v2 request control (OID 2.16.840.1.113730.3.4.18) as defined in RFC 4370. purge-password - The purge password request control (OID 1.3.6.1.4.1.30221.2.5.32), which may be used to indicate that the user's current password should be purged rather than retired. real-attributes-only - The real attributes only request control (OID 2.16.840.1.113730.3.4.17) as used in the UnboundID Identity Data Store. retain-identity - The retain identity request control (OID 1.3.6.1.4.1.30221.2.5.3) as used in the UnboundID Identity Data Store. retire-password - The retire password request control (OID 1.3.6.1.4.1.30221.2.5.31), which may be used to indicate that the user's current password should be retired. simple-paged-results - The simple paged results request control (OID 1.2.840.113556.1.4.319) as defined in RFC 2696. soft-delete - The soft delete request control (OID 1.3.6.1.4.1.30221.2.5.20). soft-deleted-entry-access - The soft-deleted entry access request control (OID 1.3.6.1.4.1.30221.2.5.23). subentries - The LDAP subentries request control (OID 1.3.6.1.4.1.7628.5.101.1) as defined in draft-ietf-ldup-subentry. subtree-delete - The subtree delete request control (OID 1.2.840.113556.1.4.805) as defined in draft-armijo-ldap-treedelete. transaction-settings - The transaction settings request control (OID 1.3.6.1.4.1.30221.2.5.38). undelete - The undelete request control (OID 1.3.6.1.4.1.30221.2.5.23). virtual-attributes-only - The virtual attributes only request control (OID 2.16.840.1.113730.3.4.19) as used in the UnboundID Identity Data Store.
Multi-Valued	Yes
Required	No
Admin Action Required	None. Modification requires no further action

supported-control-oid

Description	Specifies the OIDs of any request controls that the Identity Proxy should allow to be forwarded to backend servers. Any request that contains a critical control whose OID is not in this list and is also not allowed by the predefined set of controls contained in the list of supported-control values will be rejected. Any non-critical request control which is not supported by the Identity Proxy will be removed from the request before that request is forwarded to backend servers. Note that the Identity Proxy may be configured to explicitly prohibit the use of some controls which may require special intermediate processing not currently supported by the Identity Proxy. Further, any controls which are not explicitly forbidden by the Identity Proxy but do require special intermediate processing may not work as expected. Contact an Identity Proxy support representative if you are uncertain about whether a particular request control may be used with the Identity Proxy.
Default Value	None
Allowed Values	A string
Multi-Valued	Yes
Required	No
Admin Action Required	None. Modification requires no further action

Advanced Properties

assign-client-connection-policy-from-backend-server (Advanced Property)

Description	Indicates whether a client connection to the Identity Proxy should use the matching Client Connection Policy from the backend server. This functionality assumes the Identity Proxy is configured with the same Client Connection Policies as the backend servers are. On a bind operation, the Identity Proxy will assign a client connection policy to the connection based on the policy selected by the backend server. If this property is set to true and a Client Connection Policy cannot be found in the Identity Proxy which matches the one returned by the backend server, or if the backend server does not support the use of the get user resource limits control, then the bind will fail.
Default Value	false
Allowed Values	true false
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

dsconfig Usage

To list the configured Request Processors:

dsconfig list-request-processors
     [--property {propertyName}] ...

To view the configuration for an existing Request Processor:

dsconfig get-request-processor-prop
     --processor-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Request Processor:

dsconfig set-request-processor-prop
     --processor-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Proxying Request Processor:

dsconfig create-request-processor
     --processor-name {name}
     --type proxying
     --set load-balancing-algorithm:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Request Processor:

dsconfig delete-request-processor
     --processor-name {name}