1.3 LDAP Proxy Components and Their Features

There are several components behind the functionality and design of the NetIQ LDAP Proxy and LDAP directory servers.

1.3.1 LDAP Proxy

Listener

A listener is the network interface where the LDAP Proxy listens for incoming requests. The proxy is capable of listening on multiple interfaces, and any number of listeners can be configured for LDAP Proxy.

Back-End Server

A back-end server is a directory server to which LDAP Proxy connects. The proxy intercepts requests destined for the back-end servers, processes them according to the configured policies, and then forwards them to the back-end servers.

Back-End Server Group

The back-end servers that are configured for LDAP Proxy must be grouped as server groups. A server group is made up of one or more back-end servers to which the proxy sends requests. All the servers in a server group must host the same tree view.

Policy

A policy is a rule that contains a set of conditions that are evaluated, together with the actions that are performed when the conditions evaluate to true or to false.

The policies that can be configured for LDAP Proxy enable the proxy to analyze and act on the incoming requests and outgoing responses, based on the rules defined when the proxy was configured. Every request or response is sequentially passed to and processed by all the policies defined.

Figure 1-2 illustrates how a request is processed by policies.

Figure 1-2 Applying Policies to Requests and Responses

Currently, NetIQ LDAP Proxy supports the following policies:

Client Network Policy

The Client Network policy is an optional policy that acts as a directory firewall. Before establishing a new connection from a client, the proxy executes this policy and, based on the network parameters, the connection is either accepted or rejected.

Operation Restriction Policy

The Operation Restriction policy is an optional policy that is used to restrict certain LDAP operations. LDAP operations that can be restricted are Bind, Search, Modify, Add, Delete, Moddn, Compare, and extended requests.

Map Schema Policy

The Map Schema policy is an optional policy that is used to map the back-end server schema to the application-specific schema.

Search Request Policy

The Search Request policy is an optional policy that is used to perform specific operations based on the directory tree specified in the policy. This policy is applied to an incoming search request; after the request is evaluated, the policy performs operations such as modifying the incoming search request or denying it.

Connection Route Policy

The Connection Route policy is a mandatory policy that is used to route an incoming request to the appropriate back-end server group. Based on the conditions specified, the proxy determines the client identity, applies associated policies, and routes the request to the server. At least one Connection Route policy must be configured.

Replace String Policy

The Replace String policy is an optional policy that is used to replace a string sequence in the attribute values of a directory.
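To make the sequential evaluation concrete, the following added example (not NetIQ code and not the nlpconf.xml format) models the Client Network, Operation Restriction and Connection Route policies described above as a chain in which the first rejection ends processing and a missing Connection Route policy is a configuration error. The condition and action shapes (allowed networks, restricted operation names, DN-suffix routing to a server group) and all sample values are assumptions constructed for illustration.

```python
"""Illustrative model of the LDAP Proxy policy chain (added example, not NetIQ code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    operation: str          # Bind, Search, Modify, Add, Delete, Moddn, Compare
    base_dn: str = ""       # target entry or search base


@dataclass
class Proxy:
    # Client Network policy: a directory firewall evaluated before a connection is accepted.
    allowed_networks: list = field(default_factory=list)
    # Operation Restriction policy: LDAP operations the proxy refuses to forward.
    restricted_ops: set = field(default_factory=set)
    # Connection Route policy (mandatory): DN suffix -> back-end server group name.
    routes: dict = field(default_factory=dict)

    def client_network(self, req):
        ip = ipaddress.ip_address(req.client_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.allowed_networks)

    def operation_restriction(self, req):
        return req.operation not in self.restricted_ops

    def connection_route(self, req):
        dn = req.base_dn.lower()
        for suffix, group in self.routes.items():
            if dn.endswith(suffix.lower()):
                return group
        return None

    def process(self, req):
        """Evaluate the policies in order; the first rejection ends processing."""
        if not self.routes:
            raise ValueError("at least one Connection Route policy must be configured")
        if not self.client_network(req):
            return ("rejected", "client network")
        if not self.operation_restriction(req):
            return ("rejected", "operation restriction")
        group = self.connection_route(req)
        if group is None:
            return ("rejected", "no matching route")
        return ("forwarded", group)


def example_proxy():
    """Constructed sample configuration (assumed values, not a real deployment)."""
    return Proxy(allowed_networks=["10.0.0.0/8"], restricted_ops={"Delete"},
                 routes={"ou=users,o=example": "users-group"})
```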

1.3.2 LDAP Proxy Manager

The LDAP Proxy Manager (NLPManager) is a graphical utility that enables you to monitor, analyze, and manage LDAP events.

Using NLPManager

You use NLPManager to manage files and events:

  • Manage the nlpconf.xml configuration file used by NetIQ LDAP Proxy and configure the proxy according to your requirements.

  • Create a new XML configuration file and configure LDAP Proxy. For more information, refer to Creating a New Configuration File.

  • Configure the events to be monitored. For more information, refer to Configuring Monitoring Activities.

  • Manage the LDAP events for trend analysis. For more information, refer to Managing Trend Analysis.

NOTE: NLPManager does not allow you to configure policies for LDAP Proxy.