
Proxying Request Processor

The Proxying Request Processor may be used to forward requests for processing to a remote directory server over LDAP. Multiple servers may be configured to provide high availability and load balancing, and various transformations may be applied to requests and responses that are processed.

Parent Component

The Proxying Request Processor component inherits from the Request Processor.

Relations from This Component

The following components have a direct aggregation relation from Proxying Request Processors:

Properties

The properties supported by this managed object are as follows:


Basic Properties: description, enabled, allowed-operation, load-balancing-algorithm, criteria-based-load-balancing-algorithm, transformation, referral-behavior, supported-control, supported-control-oid
Advanced Properties: assign-client-connection-policy-from-backend-server

Basic Properties

description

Description
A description for this Request Processor
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether this Request Processor is enabled for use in the Directory Proxy Server.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

allowed-operation

Description
Specifies the types of operations that this Request Processor may be requested to process.
Default Value
abandon
add
bind
compare
delete
extended
modify
modify-dn
search
Allowed Values
abandon - This Request Processor may be used to process abandon operations.

add - This Request Processor may be used to process add operations.

bind - This Request Processor may be used to process bind operations.

compare - This Request Processor may be used to process compare operations.

delete - This Request Processor may be used to process delete operations.

extended - This Request Processor may be used to process extended operations.

modify - This Request Processor may be used to process modify operations.

modify-dn - This Request Processor may be used to process modify DN operations.

search - This Request Processor may be used to process search operations.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

load-balancing-algorithm

Description
Specifies the default load-balancing algorithm that will be used to select the backend server for each operation processed through this Proxying Request Processor. This load-balancing algorithm is used when there are no criteria-based load-balancing algorithms matching the operation.
Default Value
None
Allowed Values
The DN of any Load Balancing Algorithm. Load-balancing algorithms associated with Proxying Request Processors must be enabled.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

criteria-based-load-balancing-algorithm

Description
Specifies the criteria-based load-balancing algorithms that will be used to select a load-balancing algorithm for each operation processed through this Proxying Request Processor. The selected load-balancing algorithm is that of the first criteria-based load-balancing algorithm whose criteria match the request. If there are no criteria-based load-balancing algorithms, or none of them have criteria which match the request, then the default load-balancing algorithm (the one specified in the load-balancing-algorithm property) will be used.
Default Value
None
Allowed Values
The DN of any Criteria Based Load Balancing Algorithm.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

transformation

Description
Specifies the types of transformations that should be applied to requests and responses processed by this Proxying Request Processor. If multiple transformations are provided, then they will be invoked in the specified order for request transformations, and in the reverse order for response transformations.
Default Value
None
Allowed Values
The DN of any Proxy Transformation. Proxy transformations associated with the Proxying Request Processor must be enabled.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

referral-behavior

Description
Specifies how any referrals and search result references encountered during processing should be treated by the Directory Proxy Server.
Default Value
pass-through
Allowed Values
pass-through - Any referrals received by the Directory Proxy Server will be passed through to the client, which may decide how to handle them.

follow - The Directory Proxy Server should attempt to follow any referrals itself on behalf of the client.

discard - The Directory Proxy Server should silently discard any search result references returned during search processing, and any operation responses with a 'referral' result will be converted to a 'no-such-object' result.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

supported-control

Description
Specifies the names of any request controls that the Directory Proxy Server should allow to be forwarded to backend servers. Any request that contains a critical control that is not in this list and whose OID is not included in the set of supported-control-oid values will be rejected. Any non-critical request control which is not supported by the Directory Proxy Server will be removed from the request before that request is forwarded to backend servers.
Default Value
account-usable
assertion
authorization-identity
get-authorization-entry
get-effective-rights
get-password-policy-state-issues
get-server-id
get-user-resource-limits
hard-delete
ignore-no-user-modification
intermediate-client
join
manage-dsa-it
matched-values
matching-entry-count
name-with-entryuuid
no-op
operation-purpose
override-search-limits
password-policy
password-update-behavior
password-validation-details
permissive-modify
permit-unindexed-search
post-read
pre-read
proxied-authorization-v1
proxied-authorization-v2
proxied-mschapv2-details
purge-password
real-attributes-only
reject-unindexed-search
retain-identity
retire-password
simple-paged-results
soft-delete
soft-deleted-entry-access
subentries
subtree-delete
transaction-settings
undelete
virtual-attributes-only
Allowed Values
account-usable - The account usable request control (OID 1.3.6.1.4.1.42.2.27.9.5.8) as used in the Ping Identity Directory Server.

assertion - The LDAP assertion request control (OID 1.3.6.1.1.12) as defined in RFC 4528.

authorization-identity - The authorization identity request control (OID 2.16.840.1.113730.3.4.16) as defined in RFC 3829.

get-authorization-entry - The get authorization entry request control (OID 1.3.6.1.4.1.30221.2.5.6) as used in the Ping Identity Directory Server.

get-effective-rights - The get effective rights request control (OID 1.3.6.1.4.1.42.2.27.9.5.2) as used in the Ping Identity Directory Server.

get-password-policy-state-issues - The get password policy state issues request control (OID 1.3.6.1.4.1.30221.2.5.46) as used in the Ping Identity Directory Server.

get-server-id - The get server ID request control (OID 1.3.6.1.4.1.30221.2.5.14).

get-user-resource-limits - The get user resource limits request control (OID 1.3.6.1.4.1.30221.2.5.25).

hard-delete - The hard delete request control (OID 1.3.6.1.4.1.30221.2.5.22).

ignore-no-user-modification - The ignore NO-USER-MODIFICATION request control (OID 1.3.6.1.4.1.30221.2.5.5) as used in the Ping Identity Directory Server.

intermediate-client - The intermediate client request control (OID 1.3.6.1.4.1.30221.2.5.2) as used in the Ping Identity Directory Server.

join - The join request control (OID 1.3.6.1.4.1.30221.2.5.9).

manage-dsa-it - The ManageDsaIT request control (OID 2.16.840.1.113730.3.4.2) as defined in RFC 3296.

matched-values - The matched values request control (OID 1.2.826.0.1.3344810.2.3) as defined in RFC 3876.

matching-entry-count - The matching entry count request control (OID 1.3.6.1.4.1.30221.2.5.36).

name-with-entryuuid - The name with entryUUID request control (OID 1.3.6.1.4.1.30221.2.5.44).

no-op - The LDAP no-op request control (OID 1.3.6.1.4.1.4203.1.10.2) as used in the Ping Identity Directory Server.

operation-purpose - The operation purpose request control (OID 1.3.6.1.4.1.30221.2.5.19).

override-search-limits - The override search limits request control (OID 1.3.6.1.4.1.30221.2.5.56).

password-policy - The password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1) as defined in draft-behera-ldap-password-policy.

password-update-behavior - The password update behavior request control (OID 1.3.6.1.4.1.30221.2.5.51), which may be used to control some of the server's behavior for a password update.

password-validation-details - The password validation details request control (OID 1.3.6.1.4.1.30221.2.5.40), which may be used to obtain information about why a proposed password was rejected.

permissive-modify - The permissive modify request control (OID 1.2.840.113556.1.4.1413), which can be used to allow a modify operation to attempt to add attribute values which already exist or remove values which do not exist.

permit-unindexed-search - The permit unindexed search request control (OID 1.3.6.1.4.1.30221.2.5.55), which can be used to indicate that the associated search operation should be processed even if it is unindexed, as long as the requester also has the unindexed-search-with-control privilege.

post-read - The post-read request control (OID 1.3.6.1.1.13.2) as defined in RFC 4527.

pre-read - The pre-read request control (OID 1.3.6.1.1.13.1) as defined in RFC 4527.

proxied-authorization-v1 - The proxied authorization v1 request control (OID 2.16.840.1.113730.3.4.12) as defined in draft-weltman-ldapv3-proxy.

proxied-authorization-v2 - The proxied authorization v2 request control (OID 2.16.840.1.113730.3.4.18) as defined in RFC 4370.

proxied-mschapv2-details - The proxied MS-CHAPv2 details request control (OID 1.3.6.1.4.1.30221.2.5.4), which is needed to support the UNBOUNDID-MS-CHAP-V2 SASL mechanism through the Directory Proxy Server.

purge-password - The purge password request control (OID 1.3.6.1.4.1.30221.2.5.32), which may be used to indicate that the user's current password should be purged rather than retired.

real-attributes-only - The real attributes only request control (OID 2.16.840.1.113730.3.4.17) as used in the Ping Identity Directory Server.

reject-unindexed-search - The reject unindexed search request control (OID 1.3.6.1.4.1.30221.2.5.54), which can be used to indicate that the server should reject the search operation if it is unindexed, even if the requester has the unindexed-search privilege.

retain-identity - The retain identity request control (OID 1.3.6.1.4.1.30221.2.5.3) as used in the Ping Identity Directory Server.

retire-password - The retire password request control (OID 1.3.6.1.4.1.30221.2.5.31), which may be used to indicate that the user's current password should be retired.

simple-paged-results - The simple paged results request control (OID 1.2.840.113556.1.4.319) as defined in RFC 2696.

soft-delete - The soft delete request control (OID 1.3.6.1.4.1.30221.2.5.20).

soft-deleted-entry-access - The soft-deleted entry access request control (OID 1.3.6.1.4.1.30221.2.5.23).

subentries - The LDAP subentries request control (OID 1.3.6.1.4.1.7628.5.101.1) as defined in draft-ietf-ldup-subentry.

subtree-delete - The subtree delete request control (OID 1.2.840.113556.1.4.805) as defined in draft-armijo-ldap-treedelete.

transaction-settings - The transaction settings request control (OID 1.3.6.1.4.1.30221.2.5.38).

undelete - The undelete request control (OID 1.3.6.1.4.1.30221.2.5.23).

virtual-attributes-only - The virtual attributes only request control (OID 2.16.840.1.113730.3.4.19) as used in the Ping Identity Directory Server.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

supported-control-oid

Description
Specifies the OIDs of any request controls that the Directory Proxy Server should allow to be forwarded to backend servers. Any request that contains a critical control whose OID is not in this list and is also not allowed by the predefined set of controls contained in the list of supported-control values will be rejected. Any non-critical request control which is not supported by the Directory Proxy Server will be removed from the request before that request is forwarded to backend servers. Note that the Directory Proxy Server may be configured to explicitly prohibit the use of some controls which may require special intermediate processing not currently supported by the Directory Proxy Server. Further, any controls which are not explicitly forbidden by the Directory Proxy Server but do require special intermediate processing may not work as expected. Contact a Directory Proxy Server support representative if you are uncertain about whether a particular request control may be used with the Directory Proxy Server.
Default Value
None
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action
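
The forwarding rule that supported-control and supported-control-oid describe, modelled in Python as an added example (not Directory Proxy Server code). filter_controls, Control and the OID 1.3.6.1.4.1.99999.1 are constructed for illustration; the name-to-OID table is a subset of the list above, and "not supported" is assumed to mean "in neither list".

```python
from dataclasses import dataclass

# Subset of the supported-control name -> OID list on this page.
NAMED_CONTROL_OIDS = {
    "assertion": "1.3.6.1.1.12",
    "manage-dsa-it": "2.16.840.1.113730.3.4.2",
    "proxied-authorization-v2": "2.16.840.1.113730.3.4.18",
    "simple-paged-results": "1.2.840.113556.1.4.319",
}


@dataclass(frozen=True)
class Control:
    oid: str
    critical: bool = False


def filter_controls(controls, supported_control, supported_control_oid=()):
    """Return (forwarded, rejected_by): hypothetical model, not a product API."""
    unknown = set(supported_control) - set(NAMED_CONTROL_OIDS)
    if unknown:
        raise ValueError(f"name not in this example's table: {sorted(unknown)}")
    allowed = {NAMED_CONTROL_OIDS[name] for name in supported_control}
    allowed |= set(supported_control_oid)
    forwarded = []
    for control in controls:
        if control.oid in allowed:
            forwarded.append(control)
        elif control.critical:
            return [], control  # critical and not allowed: reject the request
        # Non-critical and not allowed: removed before forwarding (assumption:
        # "not supported" means "in neither list").
    return forwarded, None


# Constructed sample: a tightened list that omits proxied authorization.
TIGHTENED = ["assertion", "manage-dsa-it", "simple-paged-results"]
PAGED = Control("1.2.840.113556.1.4.319", critical=True)
PROXY_AUTHZ = Control("2.16.840.1.113730.3.4.18", critical=True)
CUSTOM = Control("1.3.6.1.4.1.99999.1")  # constructed placeholder OID

if __name__ == "__main__":
    print(filter_controls([PAGED, CUSTOM], TIGHTENED))
    print(filter_controls([PAGED, PROXY_AUTHZ], TIGHTENED))
    print(filter_controls([PAGED, CUSTOM], TIGHTENED, [CUSTOM.oid]))
```

RFC 4370 requires clients to mark the proxied authorization v2 control critical, so under this rule removing proxied-authorization-v2 from supported-control causes such requests to be rejected rather than forwarded with the control stripped.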


Advanced Properties

assign-client-connection-policy-from-backend-server (Advanced Property)

Description
Indicates whether a client connection to the Directory Proxy Server should use the matching Client Connection Policy from the backend server. This functionality assumes the Directory Proxy Server is configured with the same Client Connection Policies as the backend servers are. On a bind operation, the Directory Proxy Server will assign a client connection policy to the connection based on the policy selected by the backend server. If this property is set to true and a Client Connection Policy cannot be found in the Directory Proxy Server which matches the one returned by the backend server, or if the backend server does not support the use of the get user resource limits control, then the bind will fail.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Request Processors:

dsconfig list-request-processors
     [--property {propertyName}] ...

To view the configuration for an existing Request Processor:

dsconfig get-request-processor-prop
     --processor-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Request Processor:

dsconfig set-request-processor-prop
     --processor-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Proxying Request Processor:

dsconfig create-request-processor
     --processor-name {name}
     --type proxying
     --set load-balancing-algorithm:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Request Processor:

dsconfig delete-request-processor
     --processor-name {name}