The Global Configuration contains properties that affect the overall operation of the Identity Proxy.
↓Relations from This Component
↓Properties
↓dsconfig Usage
The following components have a direct aggregation relation from Global Configurations:
The properties supported by this managed object are as follows:
| Description | Specifies a name that may be used to uniquely identify this Identity Proxy instance among other instances in the environment. If no value is provided, then the instance name will be generated as a combination of the server host name followed by a colon and some other value to help ensure that the instance name is unique. The other value added will be one of the following (in order of priority):
|
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the location for this Identity Proxy. Operations performed which involve communication with other servers may prefer servers in the same location to help ensure low-latency responses. |
| Default Value | None |
| Allowed Values | The DN of any Location. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Identity Proxy must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted |
| Description | Specifies the maximum number of entries that the Identity Proxy should return to the client during a search operation. A value of 0 indicates that no size limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-size-limit operational attribute. |
| Default Value | 1000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the maximum length of time that the Identity Proxy should be allowed to spend processing a search operation. This primarily applies to operations processed locally, but may be used in computing the time limit included in search requests forwarded to backend servers. Other operation timeouts (e.g., as defined in the load-balancing algorithm configuration) may still apply to interrupt forwarded search operations before this time limit is reached. A value of 0 seconds indicates that no time limit is enforced. Note that this is the default server-wide time limit, but it may be overridden on a per-user basis using the ds-rlim-time-limit operational attribute. |
| Default Value | 60 seconds |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
proxied-authorization-identity-mapper
| Description | Specifies the name of the identity mapper to map authorization ID values (using the "u:" form) provided in the proxied authorization control to the corresponding user entry. |
| Default Value | cn=Exact Match,cn=Identity Mappers,cn=config |
| Allowed Values | The DN of any Identity Mapper. The referenced identity mapper must be enabled. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the Identity Proxy should reject any LDAP request (other than StartTLS) received from a client that is not using an encrypted connection. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allowed-insecure-request-criteria
| Description | A set of criteria that may be used to match LDAP requests that may be permitted over an insecure connection even if reject-insecure-requests is true. Note that some types of requests will always be permitted, including StartTLS and start administrative session requests. |
| Default Value | None |
| Allowed Values | The DN of any Request Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
reject-unauthenticated-requests
| Description | Indicates whether the Identity Proxy should reject any LDAP request (other than bind or StartTLS requests) received from a client that has not yet been authenticated, whose last authentication attempt was unsuccessful, or whose last authentication attempt used anonymous authentication. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allowed-unauthenticated-request-criteria
| Description | A set of criteria that may be used to match LDAP requests that may be permitted over an unauthenticated connection even if reject-unauthenticated-requests is true. Note that some types of requests will always be permitted, including bind, StartTLS, and start administrative session requests. |
| Default Value | None |
| Allowed Values | The DN of any Request Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
bind-with-dn-requires-password
| Description | Indicates whether the Identity Proxy should reject any simple bind request that contains a DN but no password. Although such bind requests are technically allowed by the LDAPv3 specification (and should be treated as anonymous simple authentication), they may introduce security problems in applications that do not verify that the client actually provided a password. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the set of servers that will be used to send email messages. |
| Default Value | If no values are defined, then the server cannot send email via SMTP. |
| Allowed Values | The DN of any SMTP External Server. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether responses for failed bind operations should include a message string providing the reason for the authentication failure. Note that these messages may include information that could potentially be used by an attacker. If this option is disabled, then these messages appears only in the server's access log. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the maximum length of time that a client connection may remain established since its last completed operation. A value of "0 seconds" indicates that no idle time limit is enforced. |
| Default Value | 0 seconds |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | When this property is set, changes made to this server using the console or dsconfig can be automatically applied to all servers in the specified server group. This property references the name of a server group stored in the administrative data of this Identity Proxy (cn=admin data). The dsframework command line utility is used to create, modify, and delete server groups (run 'dsframework --help-server-group' for more information). The special built-in server group 'all-servers' can be used to refer to all registered servers. This Identity Proxy must be a member of the selected group. Furthermore, all servers in the specified group should have the same value for this property. |
| Default Value | Since no value is specified, configuration changes made at this server are not automatically applied to other servers. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-concurrent-connections
| Description | Specifies the maximum number of LDAP client connections which may be established to this Identity Proxy at the same time. If the maximum number of concurrent LDAP connections for this Identity Proxy has been reached, then any subsequent connection attempts will be rejected until an existing client connection has been closed. A value of zero indicates that no limit will be imposed on the number of concurrent connections that may be established to this Identity Proxy. |
| Default Value | 0 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-concurrent-connections-per-ip-address
| Description | Specifies the maximum number of LDAP client connections originating from the same IP address which may be established to this Identity Proxy at the same time. If the maximum number of concurrent LDAP connections from the same client address has been reached, then any subsequent connection attempts from that client will be rejected until an existing connection from that same address has been closed. A value of zero indicates that no limit will be imposed on the number of concurrent connections from the same client address. |
| Default Value | 0 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-concurrent-connections-per-bind-dn
| Description | Specifies the maximum number of LDAP client connections which may be established to this Identity Proxy at the same time and authenticated as the same user. If the maximum number of concurrent LDAP connections authenticated as the same user has been reached, then any subsequent attempts to authenticate as that user will cause the associated client connection to be terminated. connection attempts from that client will be rejected until an existing connection from that same address has been closed. A value of zero indicates that no limit will be imposed on the number of concurrent connections from the same client address. |
| Default Value | 0 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies criteria for identifying specific applications that access the server to enable tracking throughput and latency of LDAP operations issued by an application. This property allows individual applications to be identified in the server by connection criteria. The name of the connection criteria configuration object is used within the server as the name of the application. The list of criteria is ordered, so the first criteria that a connection matches will be used to identify the application. Unidentified Proxy Application will be used for connections that do not match any of the criteria. Defining per-application connection criteria here is used primarily to track throughput and latency of LDAP operations on a per-application basis, but other configuration changes are necessary to take advantage of this. The separate-monitor-entry-per-tracked-application setting on the Processing Time Histogram Plugin configuration object must be set to expose per-application monitoring information under cn=monitor. The per-application-ldap-stats and included-ldap-application settings on the Periodic Stats Logger Plugin can also be set to log per-application statistics to a csv file on a periodic basis. Consult the product documentation for more details on configuring the Identity Proxy to track LDAP statistics on a per application basis. |
| Default Value | None |
| Allowed Values | The DN of any Connection Criteria. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
check-schema (Advanced Property)
| Description | Indicates whether schema enforcement is active, which is strongly advised. When schema enforcement is activated, the Identity Proxy ensures that all operations result in entries that are valid according to the defined server schema. It is strongly recommended that this option be left enabled to prevent the inadvertent addition of invalid data into the server and to avoid performance problems. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | Schema checking should only be disabled as a last resort since disabling schema checking harms performance and can lead to unexpected behavior in the server as well as the applications that access it. There are less severe options for addressing schema issues:
1. Update the data to conform to the server schema.
2. Modify the server schema to conform to the data. Contact support before modifying the server's default schema.
3. Change the single-structural-objectclass-behavior property to allow entries to have no structural object class or multiple structural object classes.
4. Change the invalid-attribute-syntax-behavior property to allow attribute values to violate their attribute syntax.
5. Change the allow-zero-length-values property of the Directory String Attribute Syntax configuration to allow attributes with this syntax to have a zero length value.
|
default-password-policy (Advanced Property)
| Description | Specifies the name of the password policy that is in effect for users whose entries do not specify an alternate password policy (either via a real or virtual attribute). |
| Default Value | cn=Default Password Policy,cn=Password Policies,cn=config |
| Allowed Values | The DN of any Password Policy. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
disable-password-policy-evaluation (Advanced Property)
| Description | Indicates whether the Identity Proxy should skip evaluation of non-essential password policy constraints |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
add-missing-rdn-attributes (Advanced Property)
| Description | Indicates whether the Identity Proxy should automatically add any attribute values contained in the entry's RDN into that entry when processing an add request. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allow-attribute-name-exceptions (Advanced Property)
| Description | Indicates whether the Identity Proxy should allow underscores in attribute names and allow attribute names to begin with numeric digits (both of which are violations of the LDAP standards). |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
invalid-attribute-syntax-behavior (Advanced Property)
| Description | Specifies how the Identity Proxy should handle operations whenever an attribute value violates the associated attribute syntax. |
| Default Value | reject |
| Allowed Values | accept - The Identity Proxy silently accepts attribute values that are invalid according to their associated syntax. Matching operations targeting those values may not behave as expected. reject - The Identity Proxy rejects attribute values that are invalid according to their associated syntax. warn - The Identity Proxy accepts attribute values that are invalid according to their associated syntax, but also logs a warning message to the error log. Matching operations targeting those values may not behave as expected. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
server-error-result-code (Advanced Property)
| Description | Specifies the numeric value of the result code when request processing fails due to an internal server error. |
| Default Value | 80 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
single-structural-objectclass-behavior (Advanced Property)
| Description | Specifies how the Identity Proxy should handle operations an entry does not contain a structural object class or contains multiple structural classes. |
| Default Value | reject |
| Allowed Values | accept - The Identity Proxy silently accepts entries that do not contain exactly one structural object class. Certain schema features that depend on the entry's structural class may not behave as expected. reject - The Identity Proxy rejects entries that do not contain exactly one structural object class. warn - The Identity Proxy accepts entries that do not contain exactly one structural object class, but also logs a warning message to the error log. Certain schema features that depend on the entry's structural class may not behave as expected. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
notify-abandoned-operations (Advanced Property)
| Description | Indicates whether the Identity Proxy should send a response to any operation that is interrupted via an abandon request. The LDAP specification states that abandoned operations should not receive any response, but this may cause problems with client applications that always expect to receive a response to each request. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
lookthrough-limit (Advanced Property)
| Description | Specifies the maximum number of entries that the Identity Proxy should "look through" in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria. A value of 0 indicates that no lookthrough limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-lookthrough-limit operational attribute. |
| Default Value | 5000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allowed-task (Advanced Property)
| Description | Specifies the fully-qualified name of a Java class that may be invoked in the server. Any attempt to invoke a task not included in the list of allowed tasks is rejected. |
| Default Value | If no values are defined, then the server does not allow any tasks to be invoked. |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
disabled-privilege (Advanced Property)
| Description | Specifies the name of a privilege that should not be evaluated by the server. If a privilege is disabled, then it is assumed that all clients (including unauthenticated clients) have that privilege. |
| Default Value | If no values are defined, then the server enforces all privileges. |
| Allowed Values | audit-data-security - Allows the associated user to execute data security auditing tasks. bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation. bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations. modify-acl - Allows the associated user to modify the server's access control configuration. config-read - Allows the associated user to read the server configuration. config-write - Allows the associated user to update the server configuration. The config-read privilege is also required. jmx-read - Allows the associated user to perform JMX read operations. jmx-write - Allows the associated user to perform JMX write operations. jmx-notify - Allows the associated user to subscribe to receive JMX notifications. ldif-import - Allows the user to request that the server process LDIF import tasks. ldif-export - Allows the user to request that the server process LDIF export tasks. backend-backup - Allows the user to request that the server process backup tasks. backend-restore - Allows the user to request that the server process restore tasks. server-shutdown - Allows the user to request that the server shut down. server-restart - Allows the user to request that the server perform an in-core restart. proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity. disconnect-client - Allows the user to terminate other client connections. password-reset - Allows the user to reset user passwords. update-schema - Allows the user to make changes to the server schema. privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users. unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes. bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server. lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode. stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT. third-party-task - Allows the associated user to invoke tasks created by third-party developers. use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads. soft-delete-read - Allows the associated user access to soft-deleted entries. metrics-read - Allows the associated user access to data in the metrics backend. remote-log-read - Allows the associated user access to log files on remote servers over HTTP using the LogAccessService endpoint. This endpoint allows REST clients to list the contents of specific log directories and read the contents of individual log files. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
save-config-on-successful-startup (Advanced Property)
| Description | Indicates whether the Identity Proxy should save a copy of its configuration whenever the startup process completes successfully. This ensures that the server provides a "last known good" configuration, which can be used as a reference (or copied into the active config) if the server fails to start with the current "active" configuration. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
verify-entry-digests (Advanced Property)
| Description | Indicates whether the digest should always be verified whenever an entry containing a digest is decoded. If this is "true", then if a digest exists, it will always be verified. Otherwise, the digest will be written when encoding entries but ignored when decoding entries but may still be available for other verification processing. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
duplicate-error-log-limit (Advanced Property)
| Description | Specifies the maximum number of duplicate error log messages that should be logged in the time window specified by the duplicate-error-log-time-limit property. This property works in conjunction with duplicate-error-log-time-limit to prevent duplicate log messages from filling up the error log. For instance, a misbehaving client might cause the server to generate many duplicate error log messages because each operation it sends is malformed. With the default value of 5 duplicates every 10 seconds, a specific log message will appear at most 6 times in any 10 second window -- once for the original message plus five more duplicates. After this limit is reached, the server will keep track of the number of additional duplicate messages logged during this interval. If when the time limit expires, this count is greater than zero, it will log an additional message including the original message and the number of additional times it was suppressed. A value of "unlimited" implies that the server should not suppress any duplicate messages. The number of duplicate messages is reset each time the server restarts. See also the duplicate-alert-limit property which serves the same purpose for administrative alerts. |
| Default Value | 200 |
| Allowed Values | An integer value. Lower limit is 0. A value of "-1" or "unlimited" for no limit. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
duplicate-error-log-time-limit (Advanced Property)
| Description | Specifies the length of time that must expire before duplicate log messages above the duplicate-error-log-limit threshold are logged again to the error log. This property works in conjunction with duplicate-error-log-limit to prevent duplicate log messages from filling up the error log. See the description of that property for more details. See also the duplicate-alert-time-limit property which serves the same purpose for administrative alerts. |
| Default Value | 5 minutes |
| Allowed Values | A duration. Maximum unit is "hours". Lower limit is 1 seconds. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
duplicate-alert-limit (Advanced Property)
| Description | Specifies the maximum number of duplicate alert messages that should be sent via the administrative alert framework in the time window specified by the duplicate-alert-time-limit property. This property works in conjunction with duplicate-alert-time-limit to prevent duplicate alert messages from overloading an email server or filling up an administrator's inbox. For instance, a series of duplicate alerts might be sent by the logging framework if the file system fills up -- each audit log message will fail to be written and an alert will be generated. With this duplicate suppression enabled, only the first few alert messages will be sent. With the default value of 20 duplicates every 1 hour, a specific alert message will be sent at most 21 times in any 1 hour period -- once for the original message plus twenty more duplicates. After this limit is reached, the server will keep track of the number of additional duplicate alert messages during this interval. If when the time limit expires, this count is greater than zero, it will send an additional alert message including the original message and the number of additional times it was suppressed. A value of "unlimited" implies that the server should not suppress any duplicate messages. The number of duplicate messages is reset each time the server restarts. See also the duplicate-error-log-limit property which serves the same purpose for messages written to the error log. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 0. A value of "-1" or "unlimited" for no limit. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
duplicate-alert-time-limit (Advanced Property)
| Description | Specifies the length of time that must expire before duplicate messages are sent via the administrative alert framework. This property works in conjunction with duplicate-alert-limit to prevent duplicate alert messages from being sent too frequently. See the description of that property for more details. See also the duplicate-error-log-time-limit property which serves the same purpose for messages written to the error log. |
| Default Value | 10 minutes |
| Allowed Values | A duration. Maximum unit is "hours". Lower limit is 1 seconds. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
forced-gc-prime-duration (Advanced Property)
| Description | Specifies the minimum length of time required for backend or request processor initialization that will trigger the server to force an explicit garbage collection. A value of "0 seconds" indicates that the server should never invoke an explicit garbage collection regardless of the length of time required to initialize the server backends. Invoking an explicit garbage collection after backend or request processor priming has completed may allow the server to exhibit better and more consistent behavior after startup because information stored in the tenured generation will be organized in a more compact manner. |
| Default Value | 10 seconds |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-shutdown-time (Advanced Property)
| Description | Specifies the maximum amount of time the shutdown of Identity Proxy may take. Identity Proxy can usually shutdown in a short amount of time. If the shutdown was received while long running database operations are active, then instances that are busy or that have large database backends may require more time to stop. Stopping these operations prematurely may result in a significantly longer startup time. To avoid a potentially long time required for a subsequent startup, increase the maximum time allowed for shutdown to complete. |
| Default Value | 5 minutes |
| Allowed Values | A duration. Lower limit is 60 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
network-address-cache-ttl (Advanced Property)
| Description | Specifies the length of time that the Identity Proxy should cache the IP addresses associated with the names of systems with which it interacts. It may be desirable to alter this value if you expect to change the IP address(es) associated with the names of systems referenced by the Identity Proxy and you want the server to be able to recognize those changes quickly. Restarting the Identity Proxy would also allow it to recognize address changes. A value of "0 seconds" should be used to indicate that no caching should be performed. |
| Default Value | 3600 seconds |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
network-address-outage-cache-enabled (Advanced Property)
| Description | Specifies whether the Identity Proxy should cache the last valid IP addresses associated with the names of systems with which it interacts when the domain name service returns an unknown host exception. It may be desirable to alter this value if you want to protect the Identity Proxy from unexpected interruptions in domain name services. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
enable-sub-operation-timer (Advanced Property)
| Description | Indicates whether the Identity Proxy should attempt to record information about the length of time required to process various phases of an operation. Enabling this feature may impact performance, but could make it easier to identify potential bottlenecks in operation processing. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
external-server-schema-refresh-interval (Advanced Property)
| Description | The maximum length of time between attempts to refresh the schema from external servers. |
| Default Value | 5 minutes |
| Allowed Values | A duration. Lower limit is 1 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
exit-on-jvm-error (Advanced Property)
| Description | Indicates whether the Identity Proxy should be shut down if a severe error is raised (e.g., an out of memory error) which may prevent the JVM from continuing to run properly. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
result-code-map (Advanced Property)
| Description | Specifies a result code map that should be used for clients that do not have a map associated with their client connection policy. If the associated client connection policy has a result code map, then that map will be used instead. If no map is associated either with the client connection policy or the global configuration, then an internal default will be used. |
| Default Value | None |
| Allowed Values | The DN of any Result Code Map. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
unique-to-single-subtree-view-search-attribute (Advanced Property)
| Description | Provides the ability for the Identity Proxy to optimize equality searches for attributes with unique values when a search operation spans multiple subtree views. This requires that each value for an attribute listed here must appear in only one subtree view. This can help to reduce proxying searches to servers that do not contain data that matches the search. The global index provides this capability when a search is based at the entry balancing point, but in environments that include multiple subtree views that are subordinate to a single search base, all subtree views will be searched. If an attribute has values that are known to be unique to all subtree views, then listing it here has two benefits: 1) if a global index on an entry balancing request processor contains values for this attribute, then that subtree view is searched first, and 2) once one or more entries are returned from any subtree view, no more subtree views are searched. |
| Default Value | None |
| Allowed Values | The name or OID of an attribute type defined in the server schema. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
default-internal-operation-client-connection-policy (Advanced Property)
| Description | Specifies the client connection policy that will be used by default for internal operations. If no value is specified, a private internal client connection policy will be used which includes access to all local backends but will not have knowledge of subtree views not associated with local backends (e.g., those which may be used to access backend servers in the Identity Proxy). |
| Default Value | None |
| Allowed Values | The DN of any Client Connection Policy. The referenced client connection policy must be enabled. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
jmx-value-behavior (Advanced Property)
| Description | Specifies how a Java type is chosen for monitor attributes exposed as JMX attribute values. With the default setting, the Identity Proxy infers an appropriate Java type from the LDAP attribute type and value. The type is determined dynamically and in theory could change from one invocation to the next. For example, an attribute could be a Long in one call and then a Float in the next. Integer syntax values are returned as Long, Boolean syntax as Boolean, and GeneralizedTime syntax as Date. String syntax values that can be parsed as floating point numbers are returned as Float, and values that can be parsed as integers are returned as Long. In all other cases, values are returned as String. |
| Default Value | inferred |
| Allowed Values | inferred - The Identity Proxy infers an appropriate Java type (e.g. Boolean, Long, Float, Date, or String) from the LDAP attribute type and value. string - The Identity Proxy returns all values as String. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allowed-insecure-tls-protocol (Advanced Property)
| Description | Specifies a set of TLS protocols that will be permitted for use in the server even though there may be known vulnerabilities that could cause their use to be unsafe in some conditions. Enabling support for insecure TLS protocols is discouraged, and is generally recommended only as a short-term measure to permit legacy clients to interact with the server util they can be updated to support more secure communication protocols. |
| Default Value | No known-insecure TLS protocols will be allowed by default. |
| Allowed Values | sslv3 - Allow TLS communication secured with SSLv3. There are known vulnerabilities that can allow a network attacker to compute the plaintext of an SSLv3-encrypted session, as described athttp://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allow-insecure-local-jmx-connections (Advanced Property)
| Description | Indicates that processes attaching to this server's local JVM are allowed to access internal data through JMX without the authentication requirements that remote JMX connections are subject to. Please review and understand the data that this option will expose (such as cn=monitor) to client applications to ensure there are no security concerns. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Identity Proxy must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted |
To view the Global Configuration configuration:
dsconfig get-global-configuration-prop
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the Global Configuration configuration:
dsconfig set-global-configuration-prop
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...