A Client Connection Policy is used to classify a client connection based on the client address, protocol, identity, and whether it is using a secure communication mechanism. It may be used to control which types of operations that client may perform and the types of data that it may access.
Note that if the set of client connection policies is customized to limit what some clients may access, it may be necessary to create an additional client connection policy for use in processing internal operations. If this is done, that policy should allow unrestricted access to any content that may need to be accessed through internal operations (e.g., as may be needed by plugins, identity mappers, and other extensions that perform internal reads or updates); in the Directory Proxy Server this may include subtree views that allow access to backend servers. That policy does not need to be accessible to any external clients (e.g., it may have a high evaluation order index, higher than that of a policy which matches all connections and has a terminate-connection value of true).
Support for different sensitive attributes per client requires the use of multiple Client Connection Policies on the Directory Server with different sensitive attribute configurations. Similar policies with the same name must be configured on the Directory Proxy Server. When a client request is processed by a Directory Proxy Server, the request forwarded to the Directory Server includes the name of the policy associated with the original client connection (provided the forward-to-backend-server property is set to true in the Directory Proxy Server configuration for the policy). The Directory Server looks for a policy in its own configuration with the same name as the one associated with the client connection in the Directory Proxy Server, and uses this policy rather than the one associated with the Directory Proxy Server's connection to the Directory Server.
The following components have a direct aggregation relation from Client Connection Policies:
The following components have a direct aggregation relation to Client Connection Policies:
The properties supported by this managed object are as follows:
Property Group | General Configuration |
Description | Specifies a name which uniquely identifies this Client Connection Policy in the server. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | General Configuration |
Description | A description for this Client Connection Policy |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | General Configuration |
Description | Indicates whether this Client Connection Policy is enabled for use in the server. If a Client Connection Policy is disabled, then no new client connections will be associated with it. |
Default Value | None |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | General Configuration |
Description | Specifies the order in which Client Connection Policy definitions will be evaluated. A Client Connection Policy with a lower index will be evaluated before one with a higher index, and the first Client Connection Policy evaluated which may apply to a client connection will be used for that connection. Each Client Connection Policy must be assigned a unique evaluation order index value. |
Default Value | None |
Allowed Values | An integer value. Lower limit is 0. Upper limit is 2147483647. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | General Configuration |
Description | Specifies a set of connection criteria that must match the associated client connection for it to be associated with this Client Connection Policy. Note that if a client connection policy is associated with connection criteria that includes restrictions that may not be satisfied when a connection is initially established, it may be necessary to create an additional client connection policy with fewer restrictions that can be assigned to a newly-established connection and will allow it to undergo the transformation required to match the more restrictive criteria. For example, consider the case of a client connection policy that has criteria that will only match secure connections. If you wish to allow connections secured by StartTLS to be associated with that policy, it will also be necessary to have a client connection policy that allows insecure connections and permits them to issue the StartTLS extended request. |
Default Value | None |
Allowed Values | The DN of any Connection Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
terminate-connection
Property Group | General Configuration |
Description | Indicates whether any client connection for which this Client Connection Policy is selected should be terminated. This makes it possible to define fine-grained criteria for clients that should not be allowed to connect to this Directory Proxy Server. |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
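As an added illustration (not product code), the following Python models how the evaluation-order-index, connection-criteria and terminate-connection properties interact, including the StartTLS bootstrap case described above and the internal-operations policy ordering described at the top of the page. The ConnectionCriteria class is a made-up stand-in for a real Connection Criteria object, and the addresses and policy names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ConnectionCriteria:
    """Hypothetical stand-in for a Connection Criteria object: the connection
    matches when every configured restriction holds (None = no restriction)."""
    require_secure: Optional[bool] = None
    address_prefix: Optional[str] = None

    def matches(self, conn: "ClientConnection") -> bool:
        if self.require_secure is not None and conn.secure != self.require_secure:
            return False
        if self.address_prefix is not None and not conn.address.startswith(self.address_prefix):
            return False
        return True


@dataclass(frozen=True)
class ClientConnectionPolicy:
    policy_id: str
    evaluation_order_index: int
    enabled: bool = True
    connection_criteria: Optional[ConnectionCriteria] = None  # None: matches any connection
    terminate_connection: bool = False
    allowed_extended_operation: frozenset = frozenset()       # empty: any extended operation


@dataclass
class ClientConnection:
    address: str
    secure: bool
    policy: Optional[ClientConnectionPolicy] = None
    terminated: bool = False


STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended request (RFC 4511)


def select_policy(policies: List[ClientConnectionPolicy], conn: ClientConnection):
    """Evaluate policies from the lowest evaluation-order-index upward and return
    the first enabled one whose criteria match. Indexes must be unique."""
    indexes = [p.evaluation_order_index for p in policies]
    if len(indexes) != len(set(indexes)):
        raise ValueError("each policy needs a unique evaluation-order-index")
    for p in sorted(policies, key=lambda p: p.evaluation_order_index):
        if p.enabled and (p.connection_criteria is None or p.connection_criteria.matches(conn)):
            return p
    return None


def associate(policies, conn):
    """Bind the connection to its policy; terminate-connection (or no matching
    policy at all) closes it."""
    policy = select_policy(policies, conn)
    conn.policy = policy
    conn.terminated = policy is None or policy.terminate_connection
    return policy


def start_tls(policies, conn):
    """The StartTLS case from the connection-criteria description: the cleartext
    connection must first land on a policy that permits the StartTLS extended
    request; once secured it is re-evaluated and can move to the secure-only
    policy. Returns True when the upgrade was permitted."""
    p = conn.policy
    if conn.terminated or p is None:
        return False
    if p.allowed_extended_operation and STARTTLS_OID not in p.allowed_extended_operation:
        return False
    conn.secure = True
    associate(policies, conn)
    return True


# Constructed policy set (addresses and names are made up for the example):
#   10  secure-clients          any TLS-protected connection
#   20  starttls-bootstrap      cleartext connections from 10.0.0.0/8, StartTLS only
#  100  reject-everything-else  catch-all with terminate-connection=true
# 1000  internal-operations     unrestricted; sits behind the catch-all so no
#                               external client can ever be matched to it
SECURE = ClientConnectionPolicy("secure-clients", 10,
                                connection_criteria=ConnectionCriteria(require_secure=True))
BOOTSTRAP = ClientConnectionPolicy("starttls-bootstrap", 20,
                                   connection_criteria=ConnectionCriteria(require_secure=False,
                                                                          address_prefix="10."),
                                   allowed_extended_operation=frozenset({STARTTLS_OID}))
CATCH_ALL = ClientConnectionPolicy("reject-everything-else", 100, terminate_connection=True)
INTERNAL = ClientConnectionPolicy("internal-operations", 1000)
POLICIES = [INTERNAL, CATCH_ALL, BOOTSTRAP, SECURE]  # list order does not matter, the index does


if __name__ == "__main__":
    c = ClientConnection("10.0.0.5", secure=False)
    print(associate(POLICIES, c).policy_id)   # starttls-bootstrap
    start_tls(POLICIES, c)
    print(c.policy.policy_id)                 # secure-clients
    d = ClientConnection("192.0.2.9", secure=False)
    associate(POLICIES, d)
    print(d.policy.policy_id, d.terminated)   # reject-everything-else True
```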
included-backend-base-dn
Property Group | Data Accessibility |
Description | Specifies the set of backend base DNs for which subtree views should be included in this Client Connection Policy. If the include-backend-subtree-views property is set to false, then this setting will be ignored. If no values are configured, then client connections associated with this Client Connection Policy will be allowed to access all backends configured in the Directory Proxy Server except those configured in the excluded-backend-base-dn property (subject to access control restrictions). If one or more base DN values are specified, then client connections associated with this Client Connection Policy will only be allowed to access content in the specified set of backends. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
excluded-backend-base-dn
Property Group | Data Accessibility |
Description | Specifies the set of backend base DNs for which subtree views should be excluded from this Client Connection Policy. If the include-backend-subtree-views property is set to false, then this setting will be ignored. If no values are configured for this property, and no included-backend-base-dn values are configured, then client connections associated with this Client Connection Policy will be allowed to access all backends configured in the Directory Proxy Server (subject to access control restrictions). If one or more base DN values are specified, then client connections associated with this Client Connection Policy will not be allowed to access content in the specified set of backends. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Data Accessibility |
Description | Specifies the set of manually-configured subtree views that will be accessible to clients associated with this Client Connection Policy. If the base DN for a manually-configured subtree view conflicts with the base DN for an automatically-included backend subtree view (if the include-backend-subtree-views property has a value of true), then the manually-configured subtree view will be used rather than the automatically-included backend subtree view. |
Default Value | None |
Allowed Values | The DN of any Subtree View. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
include-backend-subtree-views
Property Group | Data Accessibility |
Description | Indicates whether this Client Connection Policy should automatically include subtree views for backends defined in the Directory Proxy Server. The set of backend subtree views that will be included may be customized using the included-backend-base-dn property. If there is a conflict between the base DN of a manually-configured subtree view and a generated backend subtree view, then the manually-configured view will take precedence. If this property is set to false, then at least one subtree view must be manually configured. |
Default Value | true |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
include-backend-server-passthrough-subtree-views
Property Group | Data Accessibility |
Description | Indicates whether this Client Connection Policy should automatically include subtree views for all LDAP external servers defined in the Directory Proxy Server. The generated subtree views will have a base DN of "ds-backend-server={serverName}", where "{serverName}" is the name assigned to the LDAP external server. Requests to that base DN will be forwarded to the specified backend server, and in the process the base DN will be remapped to remove the "ds-backend-server={serverName}" component (e.g., "dc=example,dc=com,ds-backend-server=server.example.com:389" will be remapped to "dc=example,dc=com"). |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
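Added example (not the server's implementation): how the Data Accessibility properties above combine into the set of subtree views a client on the policy can reach, including the ds-backend-server passthrough remapping. DN handling is simplified to trimming and lower-casing, the rule for combining included-backend-base-dn with excluded-backend-base-dn when both are set is an assumption, and the backends and server names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation (trim, lower-case); enough for the example."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class SubtreeView:
    base_dn: str
    source: str   # "manual", "backend" or "passthrough"
    target: str   # backend base DN or LDAP external server name


@dataclass
class DataAccessibility:
    """The Data Accessibility properties of one Client Connection Policy."""
    include_backend_subtree_views: bool = True
    included_backend_base_dn: FrozenSet[str] = frozenset()
    excluded_backend_base_dn: FrozenSet[str] = frozenset()
    subtree_view: List[SubtreeView] = field(default_factory=list)
    include_backend_server_passthrough_subtree_views: bool = False


PASSTHROUGH_RDN = "ds-backend-server="


def effective_subtree_views(policy: DataAccessibility, proxy_backend_base_dns,
                            ldap_external_servers) -> Dict[str, SubtreeView]:
    """Views visible to clients on this policy, keyed by normalised base DN."""
    views: Dict[str, SubtreeView] = {}
    for v in policy.subtree_view:              # manual views always win a base-DN conflict
        views[norm_dn(v.base_dn)] = v
    if policy.include_backend_subtree_views:
        included = {norm_dn(d) for d in policy.included_backend_base_dn}
        excluded = {norm_dn(d) for d in policy.excluded_backend_base_dn}
        for dn in proxy_backend_base_dns:
            n = norm_dn(dn)
            # Assumption when both lists are set: a backend must be in the included
            # list (if any) and must not be in the excluded list.
            if (included and n not in included) or n in excluded:
                continue
            views.setdefault(n, SubtreeView(dn, "backend", dn))
    elif not policy.subtree_view:
        raise ValueError("include-backend-subtree-views is false, so at least one "
                         "subtree view must be configured manually")
    if policy.include_backend_server_passthrough_subtree_views:
        for name in ldap_external_servers:
            base = PASSTHROUGH_RDN + name
            views.setdefault(norm_dn(base), SubtreeView(base, "passthrough", name))
    return views


def remap_passthrough_dn(dn: str) -> Optional[Tuple[str, str]]:
    """"dc=example,dc=com,ds-backend-server=server.example.com:389" becomes
    ("server.example.com:389", "dc=example,dc=com"); None if not a passthrough DN."""
    parts = [p.strip() for p in dn.split(",")]
    if not parts[-1].lower().startswith(PASSTHROUGH_RDN):
        return None
    return parts[-1][len(PASSTHROUGH_RDN):], ",".join(parts[:-1])


def resolve(views: Dict[str, SubtreeView], dn: str):
    """Pick the most specific view containing dn and the DN to forward to its
    target; None when the policy exposes no view for that entry."""
    n = norm_dn(dn)
    best = None
    for base, view in views.items():
        if (n == base or n.endswith("," + base)) and (best is None or len(base) > len(best[0])):
            best = (base, view)
    if best is None:
        return None
    view = best[1]
    if view.source == "passthrough":
        return view, remap_passthrough_dn(dn)[1]
    return view, dn


# Constructed proxy configuration for the example.
PROXY_BACKENDS = ["dc=example,dc=com", "ou=legacy,dc=example,dc=com", "o=partners"]
EXTERNAL_SERVERS = ["server.example.com:389"]
ADMIN_POLICY = DataAccessibility(
    excluded_backend_base_dn=frozenset({"o=partners"}),
    subtree_view=[SubtreeView("dc=example,dc=com", "manual", "entry-balanced-pool")],
    include_backend_server_passthrough_subtree_views=True)
PARTNER_POLICY = DataAccessibility(included_backend_base_dn=frozenset({"o=partners"}))

if __name__ == "__main__":
    views = effective_subtree_views(ADMIN_POLICY, PROXY_BACKENDS, EXTERNAL_SERVERS)
    for base, view in views.items():
        print(f"{base:45s} {view.source:12s} -> {view.target}")
    print(resolve(views, "dc=example,dc=com,ds-backend-server=server.example.com:389"))
```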
forward-to-backend-server
Property Group | Data Accessibility |
Description | Indicates whether the Directory Proxy Server should provide the name of this Client Connection Policy to the backend Directory Server when processing a request received on a connection associated with this policy. If the Directory Server doesn't have a client connection policy with the same name as the one from the Directory Proxy Server, then the Proxy User's client connection policy is used. The following properties are taken from the policy that was passed through from the Directory Proxy Server: |
Default Value | false |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | When this property is enabled, the Proxy User must have the permit-forwarding-client-connection-policy privilege in the Directory Server. Run the prepare-external-server tool to add the required privilege if necessary. |
Property Group | Allowed Request Types |
Description | Specifies the types of operations that clients associated with this Client Connection Policy will be allowed to request. |
Default Value | abandon add bind compare delete extended modify modify-dn search |
Allowed Values | abandon - Client connections associated with this Client Connection Policy may request abandon operations. add - Client connections associated with this Client Connection Policy may request add operations. bind - Client connections associated with this Client Connection Policy may request bind operations. compare - Client connections associated with this Client Connection Policy may request compare operations. delete - Client connections associated with this Client Connection Policy may request delete operations. extended - Client connections associated with this Client Connection Policy may request extended operations. modify - Client connections associated with this Client Connection Policy may request modify operations. modify-dn - Client connections associated with this Client Connection Policy may request modify DN operations. search - Client connections associated with this Client Connection Policy may request search operations. |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
required-operation-request-criteria
Property Group | Allowed Request Types |
Description | Specifies a request criteria object that will be required to match all requests submitted by clients associated with this Client Connection Policy. If a client submits a request that does not satisfy this request criteria object, then that request will be rejected. |
Default Value | None |
Allowed Values | The DN of any Request Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
prohibited-operation-request-criteria
Property Group | Allowed Request Types |
Description | Specifies a request criteria object that must not match any requests submitted by clients associated with this Client Connection Policy. If a client submits a request that satisfies this request criteria object, then that request will be rejected. |
Default Value | None |
Allowed Values | The DN of any Request Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Allowed Request Types |
Description | Specifies the OIDs of the controls that clients associated with this Client Connection Policy will be allowed to include in requests. If one or more request control OIDs are specified, then only those types of controls may be included in requests. If no allowed request control OIDs are specified, then any request control whose OID is not included in the set of denied request controls may be requested. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Allowed Request Types |
Description | Specifies the OIDs of the controls that clients associated with this Client Connection Policy will not be allowed to include in requests. If one or more denied request control OIDs are specified, then clients will not be allowed to use request controls with any of those OIDs. If no denied request control OIDs are specified and no allowed request control OIDs are specified, then clients will be allowed to include any request controls. If no denied request control OIDs are specified but one or more allowed request control OIDs are specified, then clients will only be allowed to include those controls in requests. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Allowed Request Types |
Description | Specifies the OIDs of the extended operations that clients associated with this Client Connection Policy will be allowed to request. This setting will only be used if "extended" is included in the set of allowed operation types. If one or more extended operation OIDs are specified, then only those types of extended operations will be allowed for client connections associated with this Client Connection Policy. If no extended operation OIDs are specified, then any extended operation type not included in the set of denied extended operations may be requested. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Allowed Request Types |
Description | Specifies the OIDs of the extended operations that clients associated with this Client Connection Policy will not be allowed to request. This setting will only be used if "extended" is included in the set of allowed operation types. If one or more denied extended operation OIDs are specified, then clients will not be allowed to request extended operations with those OIDs. If no denied extended operation OIDs are specified and no allowed extended operation OIDs are specified, then client connections associated with this Client Connection Policy will be allowed to request any type of extended operation. If no denied extended operation OIDs are specified but one or more allowed extended operation OIDs are specified, then only those types of extended operations in the set of allowed OIDs may be requested. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Allowed Request Types |
Description | Specifies the types of authentication that clients associated with this Client Connection Policy will be allowed to request. |
Default Value | simple sasl |
Allowed Values | simple - Client connections associated with this Client Connection Policy may request bind operations using simple authentication. sasl - Client connections associated with this Client Connection Policy may request bind operations using SASL authentication. |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Property Group | Allowed Request Types |
Description | Specifies the names of the SASL mechanisms that clients associated with this Client Connection Policy will be allowed to request. This setting will only be used if "bind" is included in the set of allowed operation types and "sasl" is included in the set of allowed authentication types. If one or more allowed SASL mechanism names are provided, then client connections associated with this Client Connection Policy will only be allowed to request SASL binds with one of the specified mechanisms. If no allowed SASL mechanism names are provided, then all SASL mechanisms which are not present in the set of denied SASL mechanisms may be requested. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Allowed Request Types |
Description | Specifies the names of the SASL mechanisms that clients associated with this Client Connection Policy will not be allowed to request. This setting will only be used if "bind" is included in the set of allowed operation types and "sasl" is included in the set of allowed authentication types. If one or more denied SASL mechanism names are provided, then clients associated with this Client Connection Policy will not be allowed to use any of those types of SASL authentication. If no denied SASL mechanisms are defined and no allowed SASL mechanisms are defined, then clients associated with this Client Connection Policy will be allowed to request any form of SASL authentication. If there are no denied SASL mechanisms but one or more allowed SASL mechanisms are defined, then client connections associated with this Client Connection Policy will only be allowed to request SASL binds with one of the allowed mechanisms. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
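Added example, not product code: the allowed/denied evaluation that the request-control, extended-operation, authentication-type and SASL-mechanism properties above describe, together with the allowed-operation and allowed-auth-type gating they depend on. The sample policy, the standard LDAP OIDs it names and the case-insensitive SASL mechanism comparison are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

ALL_OPERATIONS = frozenset({"abandon", "add", "bind", "compare", "delete",
                            "extended", "modify", "modify-dn", "search"})


@dataclass(frozen=True)
class RequestTypePolicy:
    """The Allowed Request Types properties of one Client Connection Policy,
    with the page's defaults (everything allowed, empty allow/deny lists)."""
    allowed_operation: FrozenSet[str] = ALL_OPERATIONS
    allowed_request_control: FrozenSet[str] = frozenset()
    denied_request_control: FrozenSet[str] = frozenset()
    allowed_extended_operation: FrozenSet[str] = frozenset()
    denied_extended_operation: FrozenSet[str] = frozenset()
    allowed_auth_type: FrozenSet[str] = frozenset({"simple", "sasl"})
    allowed_sasl_mechanism: FrozenSet[str] = frozenset()
    denied_sasl_mechanism: FrozenSet[str] = frozenset()


def allow_deny(value: str, allowed: Iterable[str], denied: Iterable[str]) -> bool:
    """The rule every allowed-*/denied-* pair on this page shares: a value in the
    denied set is rejected; with a non-empty allowed set only its members pass;
    with both sets empty everything passes."""
    if value in denied:
        return False
    if allowed:
        return value in allowed
    return True


def check_request(policy: RequestTypePolicy, op_type: str, controls: Iterable[str] = (),
                  extended_oid: Optional[str] = None, auth_type: Optional[str] = None,
                  sasl_mechanism: Optional[str] = None) -> Optional[str]:
    """Return None when the request is acceptable under the policy, otherwise a
    short reason string describing which property rejected it."""
    if op_type not in policy.allowed_operation:
        return f"operation type {op_type} not in allowed-operation"
    for oid in controls:
        if not allow_deny(oid, policy.allowed_request_control, policy.denied_request_control):
            return f"request control {oid} not permitted"
    if op_type == "extended":
        if extended_oid is None:
            return "extended request without an OID"
        if not allow_deny(extended_oid, policy.allowed_extended_operation,
                          policy.denied_extended_operation):
            return f"extended operation {extended_oid} not permitted"
    if op_type == "bind":
        if auth_type not in policy.allowed_auth_type:
            return f"authentication type {auth_type} not in allowed-auth-type"
        if auth_type == "sasl":
            # Assumption: SASL mechanism names compare case-insensitively.
            mech = (sasl_mechanism or "").upper()
            if not allow_deny(mech, {m.upper() for m in policy.allowed_sasl_mechanism},
                              {m.upper() for m in policy.denied_sasl_mechanism}):
                return f"SASL mechanism {sasl_mechanism} not permitted"
    return None


# Constructed policy for a read-only monitoring client: search and bind only,
# SASL with a strong mechanism, StartTLS and "Who am I?" as the only extended
# operations, and the proxied authorization control explicitly denied.
MONITOR_POLICY = RequestTypePolicy(
    allowed_operation=frozenset({"bind", "search", "abandon", "extended"}),
    denied_request_control=frozenset({"2.16.840.1.113730.3.4.18"}),   # proxied authorization v2
    allowed_extended_operation=frozenset({"1.3.6.1.4.1.1466.20037",     # StartTLS
                                          "1.3.6.1.4.1.4203.1.11.3"}),  # "Who am I?"
    allowed_auth_type=frozenset({"sasl"}),
    allowed_sasl_mechanism=frozenset({"EXTERNAL", "GSSAPI"}))

if __name__ == "__main__":
    for args in [dict(op_type="search", controls=["1.2.840.113556.1.4.319"]),
                 dict(op_type="search", controls=["2.16.840.1.113730.3.4.18"]),
                 dict(op_type="modify"),
                 dict(op_type="bind", auth_type="simple"),
                 dict(op_type="bind", auth_type="sasl", sasl_mechanism="PLAIN")]:
        print(args, "->", check_request(MONITOR_POLICY, **args) or "accepted")
```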
Property Group | Allowed Request Types |
Description | Specifies the types of filter components that may be included in search requests from clients associated with this Client Connection Policy which have a non-baseObject scope. This setting will only be used if "search" is included in the set of allowed operation types. The restriction defined in this property will only be applied to searches with a scope other than baseObject (i.e., searches with a scope of singleLevel, wholeSubtree, or subordinateSubtree). Searches with a baseObject scope will be allowed to use filter components with any type of element. |
Default Value | and or not equality sub-initial sub-any sub-final greater-or-equal less-or-equal present approximate-match extensible-match |
Allowed Values | and - Client connections associated with this Client Connection Policy may request search operations with filters containing AND components. or - Client connections associated with this Client Connection Policy may request search operations with filters containing OR components. not - Client connections associated with this Client Connection Policy may request search operations with filters containing NOT components. equality - Client connections associated with this Client Connection Policy may request search operations with filters containing equality components. sub-initial - Client connections associated with this Client Connection Policy may request search operations with filters containing substring components with subInitial elements. sub-any - Client connections associated with this Client Connection Policy may request search operations with filters containing substring components with subAny elements. sub-final - Client connections associated with this Client Connection Policy may request search operations with filters containing substring components with subFinal elements. greater-or-equal - Client connections associated with this Client Connection Policy may request search operations with filters containing greater-or-equal components. less-or-equal - Client connections associated with this Client Connection Policy may request search operations with filters containing less-or-equal components. present - Client connections associated with this Client Connection Policy may request search operations with filters containing present components. approximate-match - Client connections associated with this Client Connection Policy may request search operations with filters containing approximate match components. extensible-match - Client connections associated with this Client Connection Policy may request search operations with filters containing extensible match components. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
allow-unindexed-searches
Property Group | Allowed Request Types |
Description | Indicates whether clients will be allowed to request search operations that cannot be efficiently processed using the set of indexes defined in the corresponding backend. Note that even if this is false, some clients may be able to request unindexed searches if the allow-unindexed-searches-with-control property has a value of true and the necessary conditions are satisfied. This setting will only be used if "search" is included in the set of allowed operation types, and if the search request does not include a reject unindexed search request control. If this property has a value of "true", then any client associated with this Client Connection Policy will be allowed to request an unindexed search under any of the following conditions:
If this property has a value of "false", then all unindexed search requests submitted through this Client Connection Policy will be rejected unless the request also includes the permit unindexed search request control, the requester has the unindexed-search-with-control privilege (or that privilege is disabled in the global configuration), and the allow-unindexed-searches-with-control global configuration property has a value of true. |
Default Value | true |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
allow-unindexed-searches-with-control
Property Group | Allowed Request Types |
Description | Indicates whether clients will be allowed to request search operations that cannot be efficiently processed using the set of indexes defined in the corresponding backend, as long as the search request also includes the permit unindexed search request control and the requester has the unindexed-search-with-control privilege (or that privilege is disabled in the global configuration). This setting will only be used if "search" is included in the set of allowed operation types. This property may be used to permit unindexed searches matching these conditions even if the allow-unindexed-searches property has a value of false. This behavior makes it possible to configure this Client Connection Policy to permit unindexed searches only if the client explicitly indicates that it wants to allow an unindexed search and meets the necessary conditions for doing so. |
Default Value | If this property is not assigned a value, it will default to having the same value as the allow-unindexed-searches property. |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Allowed Request Types |
Description | Specifies the minimum number of consecutive bytes that must be present in any subInitial, subAny, or subFinal element of a substring filter component (i.e., the minimum number of consecutive bytes between wildcard characters in a substring filter). Any attempt to use a substring search with an element containing fewer than this number of bytes will be rejected. This setting will only be used if "search" is included in the set of allowed operation types and at least one of "sub-initial", "sub-any", or "sub-final" is included in the set of allowed filter types. |
Default Value | 1 |
Allowed Values | An integer value. Lower limit is 1. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-concurrent-connections
Property Group | Connection Concurrency Limits |
Description | Specifies the maximum number of client connections which may be associated with this Client Connection Policy at any given time. If the maximum number of client connections for this Client Connection Policy has been reached, then any further attempts to associate a connection with this Client Connection Policy (until an existing connection is closed or associated with a different Client Connection Policy) will result in the termination of that connection. A value of zero indicates that no limit will be imposed on the number of concurrent connections that may be associated with this Client Connection Policy. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Connection Concurrency Limits |
Description | Specifies the maximum length of time that a connection associated with this Client Connection Policy may be established. Any connection which is associated with this Client Connection Policy and has been established for longer than this period of time may be terminated. A value of zero seconds indicates that no maximum duration will be imposed for connections associated with this Client Connection Policy. |
Default Value | 0 seconds |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-idle-connection-duration
Property Group | Connection Concurrency Limits |
Description | Specifies the maximum length of time that a connection associated with this Client Connection Policy may remain established after the completion of the last operation processed on that connection. Any new operation requested on the connection will reset this timer. Any connection associated with this Client Connection Policy which has been idle for longer than this length of time may be terminated. A value of zero seconds indicates that no maximum duration will be imposed for connections associated with this Client Connection Policy. |
Default Value | 0 seconds |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-operation-count-per-connection
Property Group | Connection Concurrency Limits |
Description | Specifies the maximum number of operations that may be requested by any client connection associated with this Client Connection Policy. If an attempt is made to process more than this number of operations on a client connection, then that connection will be terminated. A value of zero indicates that no limit will be imposed on the number of requests that may be processed on a client connection. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-concurrent-operations-per-connection
Property Group | Connection Concurrency Limits |
Description | Specifies the maximum number of concurrent operations that can be in progress for any connection. This can help prevent a single client connection from monopolizing server processing resources by sending a large number of concurrent asynchronous requests. A value of zero indicates that no limit will be placed on the number of concurrent requests for a single client. If a nonzero value is provided for this option and more than this number of concurrent operations are requested on a single connection, then the server will use the value of the maximum-concurrent-operation-wait-time-before-rejecting property to determine how long (if at all) to wait for an outstanding operation on that connection to complete so the operation can be processed, at which point the server will take the action indicated by the maximum-concurrent-operations-per-connection-exceeded-behavior property. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-concurrent-operation-wait-time-before-rejecting
Property Group | Connection Concurrency Limits |
Description | Specifies the maximum length of time that the server should wait for an outstanding operation to complete before rejecting a new request received when the maximum number of outstanding operations are already in progress on that connection. If an existing outstanding operation on the connection completes before this time, then the operation will be processed. Otherwise, the operation will be rejected with a "busy" result. A value of 0 seconds indicates that there should be no delay and any requests received on a connection that already has the maximum number of outstanding operations should be immediately rejected. |
Default Value | 0 seconds |
Allowed Values | A duration. Lower limit is 0 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-concurrent-operations-per-connection-exceeded-behavior
Property Group | Connection Concurrency Limits |
Description | Specifies the behavior that the Directory Proxy Server should exhibit if a client attempts to invoke more concurrent operations on a single connection than allowed by the maximum-concurrent-operations-per-connection property. |
Default Value | reject-busy |
Allowed Values | disconnect - Indicates that the Directory Proxy Server should terminate the connection to any client which attempts to exceed the maximum concurrent operations per connection. reject-admin-limit-exceeded - Indicates that any operations requested by the client in excess of the maximum concurrent operations per connection will be rejected with a result of "admin limit exceeded". reject-constraint-violation - Indicates that any operations requested by the client in excess of the maximum concurrent operations per connection will be rejected with a result of "constraint violation". reject-busy - Indicates that any operations requested by the client in excess of the maximum concurrent operations per connection will be rejected with a result of "busy". reject-unavailable - Indicates that any operations requested by the client in excess of the maximum concurrent operations per connection will be rejected with a result of "unavailable". reject-unwilling-to-perform - Indicates that any operations requested by the client in excess of the maximum concurrent operations per connection will be rejected with a result of "unwilling to perform". reject-other - Indicates that any operations requested by the client in excess of the maximum concurrent operations per connection will be rejected with a result of "other". |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
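The wait-then-reject semantics of the two concurrency properties above, as an added illustration that is not the server's own code: a per-connection limiter built on a bounded semaphore. A request takes a slot if one is free, otherwise waits up to the configured time for an outstanding operation to complete, and is then answered with the configured exceeded behaviour. The class name, the "accepted" return value and the scenario helper are constructed for this example.

```python
import threading


class ConnectionConcurrencyLimiter:
    """Enforces maximum-concurrent-operations-per-connection for one client
    connection, including the optional wait period before rejection and the
    configured exceeded behaviour (constructed example, not product code)."""

    def __init__(self, max_outstanding: int, wait_seconds: float = 0.0,
                 behavior: str = "reject-busy"):
        if max_outstanding < 1:
            raise ValueError("max_outstanding must be >= 1")
        # One slot per permitted outstanding operation on this connection.
        self._slots = threading.BoundedSemaphore(max_outstanding)
        self.wait_seconds = wait_seconds
        self.behavior = behavior
        self.disconnected = False

    def submit(self) -> str:
        """Called when a new request arrives on the connection. Returns
        'accepted' if the request may start (possibly after waiting up to
        wait_seconds for a slot), otherwise the exceeded behaviour string."""
        if self.disconnected:
            return "disconnect"
        if self.wait_seconds > 0:
            # 0 seconds means "no delay"; anything larger waits for a slot.
            got = self._slots.acquire(timeout=self.wait_seconds)
        else:
            got = self._slots.acquire(blocking=False)
        if got:
            return "accepted"
        if self.behavior == "disconnect":
            # 'disconnect' terminates the connection; later requests are moot.
            self.disconnected = True
        return self.behavior

    def complete(self) -> None:
        """Called when an outstanding operation finishes, freeing its slot."""
        self._slots.release()


def simulate(max_outstanding: int, wait_seconds: float, behavior: str,
             release_after: float) -> list:
    """Constructed scenario: fill the connection, schedule one completion
    after `release_after` seconds, then submit one request too many.
    Returns the outcome of every submit() call in order."""
    lim = ConnectionConcurrencyLimiter(max_outstanding, wait_seconds, behavior)
    outcomes = [lim.submit() for _ in range(max_outstanding)]
    threading.Timer(release_after, lim.complete).start()
    outcomes.append(lim.submit())
    return outcomes


if __name__ == "__main__":
    # With a 2-second wait the extra request is accepted once a slot frees;
    # with no wait it is rejected immediately.
    print(simulate(1, 2.0, "reject-busy", 0.2))
    print(simulate(1, 0.0, "reject-busy", 0.2))
```

The timeout on `acquire` is the whole mechanism: a wait of 0 seconds degenerates to a non-blocking check, which is exactly the default behaviour the property describes.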
maximum-connection-operation-rate
Property Group | Connection Concurrency Limits |
Description | Specifies the maximum rate at which a client associated with this Client Connection Policy may issue requests to the Directory Proxy Server. If any client attempts to request operations at a rate higher than this limit, then the server will exhibit the behavior described in the connection-operation-rate-exceeded-behavior property. Multiple operation rate limit values may be provided to define different rates over different intervals. For example, you may wish to define a lower limit over a longer period of time (1M/day), but a higher limit over a short period of time (1000/second) to allow for bursts of activity. Each operation rate limit value should consist of a count and a duration, separated by a slash character (/). The count must include an integer and may include an optional multiplier value of 'k' (to indicate that the integer portion is in thousands), 'm' (to indicate that the integer portion is in millions), or 'g' (to indicate that the integer portion is in billions). The duration should specify at least a time unit of ms (for milliseconds), s (for seconds), m (for minutes), h (for hours), d (for days), or w (for weeks). The unit may optionally be preceded by an integer multiplier. The following are examples of valid rate limit values: |
Default Value | None |
Allowed Values | A rate |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
connection-operation-rate-exceeded-behavior
Property Group | Connection Concurrency Limits |
Description | Specifies the behavior that the Directory Proxy Server should exhibit if a client connection attempts to exceed a rate defined in the maximum-connection-operation-rate property. If the configured behavior is one that will reject requested operations, then that behavior will persist until the end of the corresponding interval. The server will resume allowing that client to perform operations when that interval expires, as long as no other operation rate limits have been exceeded. |
Default Value | reject-busy |
Allowed Values | disconnect - Indicates that the Directory Proxy Server should terminate the connection to any client which attempts to exceed the maximum connection operation rate. reject-admin-limit-exceeded - Indicates that any operations requested by the client in excess of the maximum rate will be rejected with a result of "admin limit exceeded". reject-constraint-violation - Indicates that any operations requested by the client in excess of the maximum rate will be rejected with a result of "constraint violation". reject-busy - Indicates that any operations requested by the client in excess of the maximum rate will be rejected with a result of "busy". reject-unavailable - Indicates that any operations requested by the client in excess of the maximum rate will be rejected with a result of "unavailable". reject-unwilling-to-perform - Indicates that any operations requested by the client in excess of the maximum rate will be rejected with a result of "unwilling to perform". reject-other - Indicates that any operations requested by the client in excess of the maximum rate will be rejected with a result of "other". |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-policy-operation-rate
Property Group | Connection Concurrency Limits |
Description | Specifies the maximum rate at which all clients associated with this Client Connection Policy, as a collective set, may issue requests to the Directory Proxy Server. If this limit is exceeded, then the server will exhibit the behavior described in the policy-operation-rate-exceeded-behavior property. Multiple operation rate limit values may be provided to define different rates over different intervals. For example, you may wish to define a lower limit over a longer period of time (1M/day), but a higher limit over a short period of time (1000/second) to allow for bursts of activity. Each operation rate limit value should consist of a count and a duration, separated by a slash character (/). The count must include an integer and may include an optional multiplier value of 'k' (to indicate that the integer portion is in thousands), 'm' (to indicate that the integer portion is in millions), or 'g' (to indicate that the integer portion is in billions). The duration should specify at least a time unit of ms (for milliseconds), s (for seconds), m (for minutes), h (for hours), d (for days), or w (for weeks). The unit may optionally be preceded by an integer multiplier. The following are examples of valid rate limit values: |
Default Value | None |
Allowed Values | A rate |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
policy-operation-rate-exceeded-behavior
Property Group | Connection Concurrency Limits |
Description | Specifies the behavior that the Directory Proxy Server should exhibit if a client connection attempts to exceed a rate defined in the maximum-policy-operation-rate property. If the configured behavior is one that will reject requested operations, then that behavior will persist until the end of the corresponding interval. The server will resume allowing clients associated with this Client Connection Policy to perform operations when that interval expires, as long as no other operation rate limits have been exceeded. |
Default Value | reject-busy |
Allowed Values | disconnect - Indicates that the Directory Proxy Server should terminate the connection to any client which attempts to exceed the maximum policy operation rate. reject-admin-limit-exceeded - Indicates that any operations requested by clients in excess of the maximum rate will be rejected with a result of "admin limit exceeded". reject-constraint-violation - Indicates that any operations requested by clients in excess of the maximum rate will be rejected with a result of "constraint violation". reject-busy - Indicates that any operations requested by clients in excess of the maximum rate will be rejected with a result of "busy". reject-unavailable - Indicates that any operations requested by clients in excess of the maximum rate will be rejected with a result of "unavailable". reject-unwilling-to-perform - Indicates that any operations requested by clients in excess of the maximum rate will be rejected with a result of "unwilling to perform". reject-other - Indicates that any operations requested by clients in excess of the maximum rate will be rejected with a result of "other". |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
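Added example, not taken from the product documentation or the server's implementation: a parser for the "count/duration" rate-limit grammar given in the maximum-connection-operation-rate and maximum-policy-operation-rate descriptions, and a fixed-interval limiter that applies the configured exceeded behaviour until the interval ends, as the two *-rate-exceeded-behavior properties describe. The enforcement details (one window per configured rate, the first request opening a window, rejected requests not being counted) are assumptions made for this example; the numeric result codes beside each reject-* behaviour are the standard LDAP codes from RFC 4511.

```python
import re
from dataclasses import dataclass

# Standard LDAP result codes (RFC 4511) for the reject-* behaviours listed
# under the *-rate-exceeded-behavior properties. 'disconnect' has no result.
BEHAVIOR_RESULT_CODES = {
    "reject-admin-limit-exceeded": 11,  # adminLimitExceeded
    "reject-constraint-violation": 19,  # constraintViolation
    "reject-busy": 51,                  # busy
    "reject-unavailable": 52,           # unavailable
    "reject-unwilling-to-perform": 53,  # unwillingToPerform
    "reject-other": 80,                 # other
    "disconnect": None,
}

# Grammar from the property descriptions: integer count with optional
# k/m/g multiplier, a slash, an optional integer multiplier and a unit.
_COUNT_MULT = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}
_UNIT_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0,
                 "d": 86400.0, "w": 604800.0}
# Case-insensitive matching is an assumption of this example.
_RATE_RE = re.compile(r"^\s*(\d+)([kmg]?)\s*/\s*(\d*)(ms|s|m|h|d|w)\s*$",
                      re.IGNORECASE)


def parse_rate(value: str) -> tuple[int, float]:
    """Return (max_count, interval_seconds) for a value such as '1000/s',
    '10k/5m' or '1m/d'. Raises ValueError for anything outside the grammar."""
    m = _RATE_RE.match(value)
    if m is None:
        raise ValueError(f"invalid rate limit value: {value!r}")
    count_digits, count_mult, dur_mult, unit = m.groups()
    count = int(count_digits) * _COUNT_MULT[count_mult.lower()]
    interval = (int(dur_mult) if dur_mult else 1) * _UNIT_SECONDS[unit.lower()]
    if count == 0 or interval == 0:
        raise ValueError(f"count and interval must be positive: {value!r}")
    return count, interval


@dataclass
class _Window:
    spec: str        # original value string, reported back on rejection
    limit: int
    interval: float
    start: float = 0.0
    used: int = 0


class OperationRateLimiter:
    """Fixed-interval limiter with one window per configured rate value.
    Once a window is full, every further request is answered with the
    exceeded behaviour until that window's interval expires."""

    def __init__(self, rates, behavior: str = "reject-busy"):
        if behavior not in BEHAVIOR_RESULT_CODES:
            raise ValueError(f"unknown exceeded behaviour: {behavior!r}")
        self.behavior = behavior
        self.windows = [_Window(r, *parse_rate(r)) for r in rates]

    def check(self, now: float):
        """Account for one request at time `now` (seconds). Returns None when
        the request may proceed, otherwise a tuple
        (behavior, ldap_result_code, limiting_rate, seconds_until_reset)."""
        for w in self.windows:
            if now - w.start >= w.interval:   # interval over: open a new window
                w.start, w.used = now, 0
        for w in self.windows:
            if w.used >= w.limit:             # still inside an exhausted window
                retry_in = w.start + w.interval - now
                return (self.behavior, BEHAVIOR_RESULT_CODES[self.behavior],
                        w.spec, retry_in)
        for w in self.windows:                # allowed: charge every window
            w.used += 1
        return None


if __name__ == "__main__":
    # Constructed traffic: a burst limit per second and a lower limit per minute.
    lim = OperationRateLimiter(["3/s", "5/m"], behavior="reject-unavailable")
    for t in (0.0, 0.1, 0.2, 0.3, 1.0, 1.1, 1.2):
        print(t, lim.check(t))
```

Note that only an allowed request is charged to every window, so a client rejected by its long-interval limit does not burn through its short-interval allowance as well; the per-second window in the sample traffic recovers at t=1.0 while the per-minute window then becomes the binding limit.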
Property Group | Connection Resource Limits |
Description | Specifies the maximum number of entries that may be returned for a search performed by a client associated with this Client Connection Policy. This setting will only be used if "search" is included in the set of allowed operation types. Note that this is only an upper limit. It may be used to reduce the size limit for any clients which may have a higher limit through other means, but it will never increase the limit that would otherwise be imposed for a client. A value of zero indicates that no additional maximum size limit will be imposed by this Client Connection Policy. Note that search requests will not be rejected if they include a size limit which exceeds the effective size limit for the user. Instead, the server will merely interpret the request as if it had a size limit of the maximum allowed value for that client. If a search request includes a size limit which is smaller than the maximum allowed for the client, then the size limit included in that search request will be used. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Connection Resource Limits |
Description | Specifies the maximum length of time that the server should spend processing search operations requested by clients associated with this Client Connection Policy. This setting will only be used if "search" is included in the set of allowed operation types. Note that this is only an upper limit. It may be used to reduce the time limit for any clients which may have a higher limit through other means, but it will never increase the limit that would otherwise be imposed for a client. A value of zero seconds indicates that no maximum time limit will be imposed for this Client Connection Policy. Note that search requests will not be rejected if they include a time limit which exceeds the effective time limit for the user. Instead, the server will merely interpret the request as if it had a time limit of the maximum allowed value for that client. If a search request includes a time limit which is smaller than the maximum allowed for the client, then the time limit included in that search request will be used. |
Default Value | 0 seconds |
Allowed Values | A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-search-lookthrough-limit
Property Group | Connection Resource Limits |
Description | Specifies the maximum number of entries that may be examined by a backend in the course of processing a search requested by clients associated with this Client Connection Policy. This setting will only be used if "search" is included in the set of allowed operation types. Note that this is only an upper limit. It may be used to reduce the lookthrough limit for any clients which may have a higher limit through other means, but it will never increase the limit that would otherwise be imposed for a client. A value of zero indicates that no maximum lookthrough limit will be imposed for this Client Connection Policy. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Property Group | Connection Resource Limits |
Description | Specifies the maximum number of entries that may be joined with any single search result entry for a search request performed by a client associated with this Client Connection Policy. This setting will only be used if "search" is included in the set of allowed operation types. Note that this is only an upper limit. It may be used to reduce the LDAP join size limit for any clients which may have a higher limit through other means, but it will never increase the limit that would otherwise be imposed for a client. A value of zero indicates that no additional maximum LDAP join size limit will be imposed by this Client Connection Policy. Note that search requests will not be rejected if they include a join request control with a size limit that exceeds the effective LDAP join size limit for the user. Instead, the server will merely interpret the request as if it had an LDAP join size limit of the maximum allowed value for that client. If an LDAP join request control includes a size limit that is smaller than the maximum allowed for the client, then the size limit included in that search request will be used. |
Default Value | 0 |
Allowed Values | An integer value. Lower limit is 0. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
result-code-map (Advanced Property)
Property Group | General Configuration |
Description | Specifies the result code map that should be used for clients associated with this Client Connection Policy. If a value is defined for this property, then it will override any result code map referenced in the global configuration. |
Default Value | None |
Allowed Values | The DN of any Result Code Map. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Client Connection Policies:
dsconfig list-client-connection-policies [--property {propertyName}] ...
To view the configuration for an existing Client Connection Policy:
dsconfig get-client-connection-policy-prop --policy-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Client Connection Policy:
dsconfig set-client-connection-policy-prop --policy-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Client Connection Policy:
dsconfig create-client-connection-policy --policy-name {name} --set enabled:{propertyValue} --set evaluation-order-index:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Client Connection Policy:
dsconfig delete-client-connection-policy --policy-name {name}
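As an added example that is not part of the product documentation, a small POSIX sh helper that assembles the dsconfig invocations above into one policy carrying both the concurrency and the per-connection rate limits. The policy name, evaluation-order-index and limit values are constructed for illustration; the helper prints the commands rather than running them, and assumes the connection arguments your dsconfig installation needs are appended before the output is piped to sh.

```sh
#!/bin/sh
# Added example: build dsconfig commands for a rate-limited Client
# Connection Policy from the properties documented above. Nothing is
# executed here; review the printed commands, append your dsconfig
# connection arguments (assumed to be handled outside this script), and
# pipe them to sh.

# emit_create_policy NAME INDEX MAX_OPS RATE [RATE...]
# NAME, INDEX and the limits are operator-chosen (constructed values below).
emit_create_policy() {
    name=$1; index=$2; max_ops=$3; shift 3
    cmd="dsconfig create-client-connection-policy --policy-name $name"
    cmd="$cmd --set enabled:true --set evaluation-order-index:$index"
    cmd="$cmd --set maximum-concurrent-operations-per-connection:$max_ops"
    cmd="$cmd --set maximum-concurrent-operations-per-connection-exceeded-behavior:reject-busy"
    # maximum-connection-operation-rate is multi-valued: one --set per
    # interval, e.g. a burst limit per second plus a lower sustained limit.
    for rate in "$@"; do
        cmd="$cmd --set maximum-connection-operation-rate:$rate"
    done
    cmd="$cmd --set connection-operation-rate-exceeded-behavior:reject-busy"
    printf '%s\n' "$cmd"
}

# emit_add_rate NAME RATE: add one more interval to an existing policy
# without replacing the values already configured (--add rather than --set).
emit_add_rate() {
    printf 'dsconfig set-client-connection-policy-prop --policy-name %s --add maximum-connection-operation-rate:%s\n' "$1" "$2"
}

# Constructed values: at most 4 outstanding operations per connection,
# 100 requests/second for bursts and 50k requests/hour sustained, then a
# daily cap of one million added afterwards.
emit_create_policy limited-clients 10 4 100/s 50k/h
emit_add_rate limited-clients 1m/d
```

Because `--set` on set-client-connection-policy-prop replaces all values of a multi-valued property, a later tightening of an existing policy should use `--add` for a new interval or `--remove` for one that is no longer wanted, as the second helper does.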