Proxy Backend
A Proxy Backend forwards LDAP requests to other servers.
A Proxy Backend uses the proxied authorization control to forward LDAP requests on behalf of the proxy users. As a consequence, the remote servers must support the proxied authorization control and the proxy user must have appropriate privileges and permissions allowing them to use the control.
Parent
The Proxy Backend object inherits from Backend.
Proxy Backend properties
You can use configuration expressions to set property values at startup time. For details, see Property value substitution.
availability-check-interval
Synopsis |
Specifies the interval which the Proxy Backend will use to send the availability check request to decide if a server is available. |
Description |
The Proxy Backend sends an availability check request to the servers every specified interval to be informed on the availability of the server. |
Default value |
5s |
Allowed values |
Uses duration syntax. Lower limit: 10 milliseconds. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
availability-check-search-request-base-dn
Synopsis |
Specifies the name of an entry of the application data that will be targeted by availability check requests to detect whether a remote server is available and handling requests against application data. |
Description |
By default availability check requests will attempt to read the remote server’s root DSE, but the search request can target any other entry of the application data accessible by anonymous bind. |
Default value |
|
Allowed values |
A valid DN. |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
availability-check-search-request-filter
Synopsis |
Specifies the search filter of the availability check requests. |
Description |
By default availability check requests use the LDAP absolute true search filter which evaluates to always true. Specifying a filter requiring evaluation, will make the availability check fail if the evaluation returns zero entries and have the Proxy Backend mark the server as not available. |
Default value |
(&) |
Allowed values |
A string. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
availability-check-timeout
Synopsis |
Specifies the availability check request timeout that the Proxy Backend will use to decide if a server is available. |
Description |
If an availability check response is not received within the timeout, the Proxy Backend considers the server as not available to process user requests. |
Default value |
3s |
Allowed values |
Uses duration syntax. Lower limit: 10 milliseconds. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
backend-id
Synopsis |
Specifies a name to identify the associated backend. |
Description |
The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server. |
Default value |
None |
Allowed values |
A string. |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
Yes |
base-dn
Synopsis |
Specifies the base DN(s) for the data that the backend handles. |
Description |
A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN. When the "route-all" property is set to "true" then the "base-dn" property is ignored. |
Default value |
Unless route-all is enabled, a proxy with empty base DNs does not handle any requests. This helps incrementally building a proxy’s configuration. |
Allowed values |
A valid DN. |
Multi-valued |
Yes |
Required |
No |
Admin action required |
None No administrative action is required. |
Advanced |
No |
Read-only |
No |
connection-pool-idle-timeout
Synopsis |
The time out period after which unused non-core connections will be closed and removed from the connection pool. |
Default value |
60s |
Allowed values |
Uses duration syntax. Lower limit: 1 milliseconds. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
connection-pool-max-size
Synopsis |
Maximum size of the connection pool for each remote server |
Default value |
1024 |
Allowed values |
An integer. Use "-1" or "unlimited" to indicate no limit. Lower limit: 0. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
connection-pool-min-size
Synopsis |
Minimum size of the connection pool for each remote server |
Default value |
4 |
Allowed values |
An integer. Use "-1" or "unlimited" to indicate no limit. Lower limit: 0. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
connection-timeout
Synopsis |
Specifies the timeout used when connecting to servers, performing SSL negotiation, and for individual search and bind requests. |
Description |
If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available. |
Default value |
10s |
Allowed values |
Uses duration syntax. Lower limit: 10 milliseconds. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
discovery-interval
Synopsis |
Interval between two server configuration discovery executions. |
Description |
Specifies how frequently to read the configuration of the servers in order to discover any configuration change. |
Default value |
60s |
Allowed values |
Uses duration syntax. Lower limit: 1 seconds. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
enabled
Synopsis |
Indicates whether the backend is enabled in the server. |
Description |
If a backend is not enabled, then its contents are not accessible when processing operations. |
Default value |
None |
Allowed values |
true false |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
keep-alive-interval
Synopsis |
Specifies the keep-alive interval that the Proxy Backend will use for connections with the remote servers. |
Description |
The Proxy Backend sends a keep-alive request to the servers every specified interval to prevent the connection from appearing idle and being forcefully closed. |
Default value |
300s |
Allowed values |
Uses duration syntax. Lower limit: 1000 milliseconds. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
keep-alive-search-request-base-dn
Synopsis |
Specifies the name of the entry that will be targeted by keep-alive requests. |
Description |
By default keep-alive requests will attempt to read the remote server’s root DSE, but the search request can target any other entry accessible by anonymous bind. |
Default value |
|
Allowed values |
A valid DN. |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
keep-alive-search-request-filter
Synopsis |
Specifies the search filter of the keep-alive requests. |
Description |
By default keep-alive requests use the LDAP absolute true search filter, which evaluates to always true. Specifying a filter requiring evaluation, will make the keep-alive fail if the evaluation returns zero entries. |
Default value |
(&) |
Allowed values |
A string. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
keep-alive-timeout
Synopsis |
Specifies the keep-alive request timeout that the Proxy Backend will use for connections with the remote servers. |
Description |
If a keep-alive answer is not received within the timeout, the Proxy Backend closes the unresponsive connection and connects to another server. |
Default value |
3s |
Allowed values |
Uses duration syntax. Lower limit: 10 milliseconds. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
key-manager-provider
Synopsis |
Specifies the name of the key manager that should be used with this Proxy Backend. |
Default value |
None |
Allowed values |
The name of an existing key-manager-provider. The referenced key manager provider must be enabled when the Proxy Backend is enabled and configured to use SASL/External certificate authentication. |
Multi-valued |
No |
Required |
No |
Admin action required |
None Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections. |
Advanced |
No |
Read-only |
No |
partition-base-dn
Synopsis |
Specifies the base DN(s) which is used for affinity load-balancing and data distribution |
Description |
Within a single shard, "affinity" load-balancing uses this setting to provide consistency for add/delete operations targeting entries within the same sub-tree. Entries immediately subordinate to the partition base DNs will be considered to be the root of a sub-tree whose entries belong to the same shard. For example, a partition base DN of "ou=people,dc=example,dc=com" would mean that "uid=bjensen,ou=people,dc=example,dc=com" and "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" both belong to the same shard, and all operations targeting them would be routed to the same remote server. When applied to data distribution across multiple shards, this setting consistently routes operations targeting an entry below the partition DN to the same shard. Requests targeting the partition DN or above are routed to any shard. Search requests are routed to all shards unless their scope is under the partition DN. For example, if the partition base DN is set to "ou=people,dc=example,dc=com", a search with base DN "uid=bjensen,ou=people,dc=example,dc=com" or "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" is always routed to the same shard. A search with base DN "ou=people,dc=example,dc=com" is routed to all shards. |
Default value |
No consistency for add/delete operations. |
Allowed values |
A valid DN. |
Multi-valued |
Yes |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
proxy-user-dn
Synopsis |
The bind DN that is used to forward LDAP requests to remote servers. |
Description |
The proxy connects to the remote server using this bind DN and uses the proxied authorization control to forward requests on behalf of the proxy users. This bind DN must exist on all the remote servers. |
Default value |
None |
Allowed values |
A valid DN. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
proxy-user-password
Synopsis |
Clear-text password associated with the proxy bind DN. |
Description |
The proxy password must be the same on all the remote servers. |
Default value |
None |
Allowed values |
A string. |
Multi-valued |
No |
Required |
No |
Admin action required |
None Changes to this property will take effect the next time that the Proxy Backend is accessed. |
Advanced |
No |
Read-only |
No |
route-all
Synopsis |
Route requests to all discovered public naming contexts. |
Description |
When the "route-all" property is set to "true" then the "base-dn" property is ignored. |
Default value |
None |
Allowed values |
true false |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
shard
Synopsis |
Specifies one or more shards which will be used for distributing data and requests. |
Description |
When multiple shards are configured, this setting consistently routes write requests for the same target entry below the partition DN to the same shard. Requests targeting an entry under the partition DN are always routed to a single shard. Requests targeting the partition DN or above are routed to any shard. Search requests are routed to all shards unless their scope is under the partition DN. For example, a search with base DN "uid=bjensen,ou=people,dc=example,dc=com" or "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" is always routed to the same shard. A search with base DN "ou=people,dc=example,dc=com" is routed to all shards. |
Default value |
None |
Allowed values |
The name of an existing service-discovery-mechanism. |
Multi-valued |
Yes |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
ssl-cert-nickname
Synopsis |
Specifies the nicknames (also called the aliases) of the keys or key pairs that the Proxy Backend should use when performing SSL communication. |
Description |
The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the Proxy Backend is configured to use SSL. |
Default value |
Let the server decide. |
Allowed values |
A string. |
Multi-valued |
Yes |
Required |
No |
Admin action required |
The object must be disabled and re-enabled for changes to take effect. |
Advanced |
No |
Read-only |
No |
use-sasl-external
Synopsis |
Indicates whether the Proxy Backend should use certificate based authentication when communicating with backend servers. |
Description |
If enabled, the Proxy Backend will use mutual TLS when connecting to backend servers. Once the TLS handshake has completed, a SASL/External LDAP bind request will be sent in order to associate the TLS client certificate with an LDAP account on the remote backend server. A key manager provider containing the client certificate must be configured in order to use this feature. |
Default value |
false |
Allowed values |
true false |
Multi-valued |
No |
Required |
No |
Admin action required |
The object must be disabled and re-enabled for changes to take effect. |
Advanced |
No |
Read-only |
No |
Advanced properties
Use the --advanced
option to access advanced properties.
hash-function
Synopsis |
Specifies the hash function which will be used for data distribution. |
Description |
This setting only applies to data distribution. Once this server is deployed, this setting must not be modified. Doing so could result in data loss. The hash function is used by the router to map incoming requests to a target server based on the request’s target DN. The role of the hash function is to ensure that the flow of incoming requests is evenly distributed on the set of servers. |
Default value |
murmur3 |
Allowed values |
|
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
Yes |
Read-only |
No |
java-class
Synopsis |
Specifies the fully-qualified name of the Java class that provides the backend implementation. |
Default value |
org.opends.server.backends.ProxyBackend |
Allowed values |
A Java class that extends or implements:
|
Multi-valued |
No |
Required |
Yes |
Admin action required |
The object must be disabled and re-enabled for changes to take effect. |
Advanced |
Yes |
Read-only |
No |