Online Help
Sun Java System Directory Proxy Server 5 2004Q2

Network Group Search View Control Tab

A Directory Proxy Server network group describes how to identify an LDAP client and which restrictions to enforce for clients that match the group. Clients are initially assigned to a group based on the network address from which they connect. They may change their group after a successful bind.

Network groups are tested in descending order of priority, as determined by their placement in the Network Group window: groups at the bottom of the list have lower priority than those toward the top. If no group matches a client, the client's request is rejected. The configuration must contain at least one group entry.

Clients are identified as belonging to this network group based on their IP address and/or domain name.

Group name. Enter the name of the group. This value must be unique within the set of groups, and it must be present because it forms the RDN of entries of this class.

Enable. By default, this option is selected for you. Deselect it to disable a group in a configuration. For a group to be part of the Directory Proxy Server configuration, this option must be selected.

Permit inequality filters. This option is enabled by default. It specifies whether clients are permitted to request searches that contain the inequality filters (attr>=value) and (attr<=value). Disable this option if the network group should not permit inequality searches.

Permit time limit for searches. Enable this option and enter a value, in seconds, to set a maximum time limit for search operations in this network group. If the client specifies a time limit that is larger than this value, the value specified for the network group overrides the client's request. By default, this option is disabled and the network group allows the client to set any time limit, including no limit.

Search requests modification:

Specify minimum search filter substring. Enable this option and enter a value to specify the minimum permissible length of a substring in a search filter. The value is a number greater than one. The default, if this option is disabled, is to allow any size of substring in a search filter. Enable this option in a network group if you wish to restrict the kinds of searches that may be performed by web robots. For example, a value of 2 will block searches like (cn=A*).

Restrict to subtree with DN. Enable this option and specify the base of a subtree for all operations. This option has DN syntax. If this option is disabled, there is no restriction to a minimum base.

Operations whose target entry is at or below the minimum base entry are not affected by this option. If the target entry is superior to the minimum base entry, and the operation is a subtree search, then the query will be rewritten before being sent to the server, to change the target entry to be the minimum base. If the target entry is not below the minimum base or a superior of it, the request will be rejected with a no such object error.

For example, if "Restrict to subtree with DN" is set to:

o=sun, st=California, c=US

and a subtree search of st=California, c=US is received, the search will be rewritten such that the server performs a subtree search of

o=sun, st=California, c=US

Browse... Displays a dialog to aid in constructing a valid DN.
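
The decision rule for "Restrict to subtree with DN" described above, as an added example: a Python model written for this page, not Directory Proxy Server code. The function names, the action labels, and the ou=People and o=other DNs are constructed for illustration. DN comparison is simplified to case-insensitive, single-valued RDNs, and rejecting a non-subtree search on a superior entry is an assumption, because this page does not describe that case.

```python
import re

NO_SUCH_OBJECT = 32  # LDAP result code noSuchObject (RFC 4511)

def rdns(dn):
    """Split a DN into normalized (attr, value) RDNs, leaf first.
    Simplified: case-insensitive values, no multi-valued RDNs."""
    if not dn.strip():
        return []  # empty DN = root of the tree
    pairs = []
    for part in re.split(r"(?<!\\),", dn):  # keep escaped commas intact
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def at_or_below(dn, base):
    """True if dn equals base or lies underneath it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def apply_min_base(target, scope, min_base):
    """Model the proxy's decision: (action, base sent to server, result code)."""
    if at_or_below(target, min_base):
        return ("forward", target, None)        # not affected by the option
    if at_or_below(min_base, target):            # target is superior to min base
        if scope == "subtree":
            return ("rewrite", min_base, None)  # base is narrowed to min base
        # Assumption: the page does not cover this case; this model rejects it.
        return ("reject", None, NO_SUCH_OBJECT)
    return ("reject", None, NO_SUCH_OBJECT)      # unrelated branch of the tree

MIN_BASE = "o=sun, st=California, c=US"          # value from the page's example
if __name__ == "__main__":
    for target, scope in [
        ("st=California, c=US", "subtree"),           # page's example
        ("ou=People, o=Sun, st=california, c=us", "one"),  # constructed
        ("o=other, st=California, c=US", "subtree"),  # constructed sibling
        ("", "subtree"),                              # root search
    ]:
        print(repr(target), scope, "->", apply_min_base(target, scope, MIN_BASE))
```

Running the same four requests against a test network group and comparing the results is a quick way to confirm that the configured minimum base behaves as intended before relying on it as an access boundary.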



Copyright 2004 Sun Microsystems, Inc. All rights reserved.