cn=Directory Manager access through the proxy
Many DPS users reported the following problem: bind requests as cn=Directory Manager fail when the proxy is deployed.
DPS analyses the bind DN to route the request to the data view holding the target DN. In many configurations, no data view is configured to hold the cn=directory manager suffix.
There are two ways to address the problem: either create an additional data view with its view base set to "cn=directory manager", or use "implicit" routing with a data view that has an empty ("") view base. The latter solution is simple and also user-friendly in the sense that the proxy does not need to know the list of suffixes exposed by the directory. Note that a "root data view" with an empty DN is created by default when a DPS instance is created, but the data source pool associated with it is left empty, so if you plan to use it, don't forget to add at least one data source to that pool.
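The routing behaviour described above, as an added example that is not part of the original post and is not DPS code: a simplified Python model in which each request goes to the data view with the most specific matching view base (an assumption of this sketch), and a view whose data source pool is empty cannot serve it. The view names `pi view` and `dm view` and the data source `ds1` are hypothetical; `o=PiServerDB` is the suffix from the comment below.

```python
# Simplified model of DN-based routing in an LDAP proxy (illustration only).
from dataclasses import dataclass, field


def normalize(dn):
    """Split a DN into lower-cased, trimmed RDNs (escaped commas not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


@dataclass
class DataView:
    name: str
    base: str                                  # view base DN; "" holds every DN
    pool: list = field(default_factory=list)   # data sources attached to the pool

    def holds(self, dn):
        base, target = normalize(self.base), normalize(dn)
        return not base or target[-len(base):] == base


def route(views, dn):
    """Return the name of the view serving dn, or None if it cannot be routed."""
    candidates = [v for v in views if v.holds(dn)]
    if not candidates:
        return None                            # no view holds this DN
    # Assumption of this model: the most specific view base wins.
    best = max(candidates, key=lambda v: len(normalize(v.base)))
    return best.name if best.pool else None    # empty pool: nowhere to forward


def broken_config():
    # Constructed sample: default root data view left with an empty pool.
    return [DataView("pi view", "o=PiServerDB", ["ds1"]),
            DataView("root data view", "", [])]


def fix_dedicated_view():
    # First fix: an additional view whose base is cn=directory manager.
    return broken_config() + [DataView("dm view", "cn=directory manager", ["ds1"])]


def fix_root_pool():
    # Second fix: implicit routing, root data view pool given a data source.
    return [DataView("pi view", "o=PiServerDB", ["ds1"]),
            DataView("root data view", "", ["ds1"])]
```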
Sylvain, your blog is the only info that comes close to explaining what I'm experiencing, but I still don't follow enough to implement. I have address book data: piPStoreOwner=user1,o=example.us,o=PiServerDB that I want to access through DPS as "cn=Directory Manager". Of the several views/pools that I have, how will DPS know to route my request to the pool that has o=PiServerDB, if I use "cn=Directory Manager" as the suffix? Can you point me to some docs or page numbers within docs? I just did not see any explicit examples in the Install, Admin, or Ref. Guides. I would also prefer CLI, but can use dscc. Any help would be greatly appreciated.
Thanks, Cliff
Posted by Cliff Conklin on September 11, 2009 at 08:04 AM CEST
Hi Cliff,
When your application binds as "cn=Directory Manager", DPS first routes the bind request to the data view holding "cn=Directory Manager". Then, the search to o=PiServerDB is routed to the data view holding the "o=PiServerDB" suffix. Under the hood, DPS would silently (re)-bind as "cn=directory manager" before forwarding the search request.
The routing decision is done for each request, based on the targeted entries.
Hope this helps.
PS: There might be some threads of interest as well on the forum about Sun Directory Server http://forums.sun.com/forum.jspa?forumID=761&start=0
-Sylvain
Posted by Sylvain Duloutre on September 14, 2009 at 09:53 AM CEST