Package org.forgerock.opendj.server.config.client

Interface ProxyBackendCfgClient

  • All Superinterfaces:
    BackendCfgClient, ConfigurationClient
    public interface ProxyBackendCfgClient
extends BackendCfgClient
    A client-side interface for reading and modifying Proxy Backend settings.

    A Proxy Backend forwards LDAP requests to other servers.

    • Method Detail

      • getBaseDn

        SortedSet<ValueOrExpression<Dn>> getBaseDn()
        Gets the "base-dn" property.

        Specifies the base DN(s) for the data that the backend handles.

        A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN. When the "route-all" property is set to "true" then the "base-dn" property is ignored.

        Returns:
        Returns the values of the "base-dn" property.

      • setBaseDn

        void setBaseDn​(Collection<ValueOrExpression<Dn>> values)
        throws PropertyException
        Sets the "base-dn" property.

        Specifies the base DN(s) for the data that the backend handles.

        A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN. When the "route-all" property is set to "true" then the "base-dn" property is ignored.

        Parameters:
        values - The values of the "base-dn" property.
        Throws:
        PropertyException - If one or more of the new values are invalid.

      • getBindConnectionPoolIdleTimeout

        ValueOrExpression<Long> getBindConnectionPoolIdleTimeout()
        Gets the "bind-connection-pool-idle-timeout" property.

        The time out period after which unused non-core bind connections will be closed and removed from the bind connection pool.

        Default value: 10s

        Returns:
        Returns the value of the "bind-connection-pool-idle-timeout" property.

      • setBindConnectionPoolIdleTimeout

        void setBindConnectionPoolIdleTimeout​(ValueOrExpression<Long> value)
                               throws PropertyException
        Sets the "bind-connection-pool-idle-timeout" property.

        The time out period after which unused non-core bind connections will be closed and removed from the bind connection pool.

        Parameters:
        value - The value of the "bind-connection-pool-idle-timeout" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getBindConnectionPoolMaxSize

        ValueOrExpression<Integer> getBindConnectionPoolMaxSize()
        Gets the "bind-connection-pool-max-size" property.

        Maximum size of the connection pool that will be used for sending bind requests

        Only one bind request at a time can be pending on a connection and bind requests may take a significant amount of time to process depending on the remote server's password policies. Therefore, the maximum pool size should be reasonably high in order to be able to process bind requests concurrently.

        Default value: 1024

        Returns:
        Returns the value of the "bind-connection-pool-max-size" property.

      • setBindConnectionPoolMaxSize

        void setBindConnectionPoolMaxSize​(ValueOrExpression<Integer> value)
                           throws PropertyException
        Sets the "bind-connection-pool-max-size" property.

        Maximum size of the connection pool that will be used for sending bind requests

        Only one bind request at a time can be pending on a connection and bind requests may take a significant amount of time to process depending on the remote server's password policies. Therefore, the maximum pool size should be reasonably high in order to be able to process bind requests concurrently.

        Parameters:
        value - The value of the "bind-connection-pool-max-size" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getBindConnectionPoolMinSize

        ValueOrExpression<Integer> getBindConnectionPoolMinSize()
        Gets the "bind-connection-pool-min-size" property.

        Minimum size of the connection pool that will be used for sending bind requests

        Default value: 4

        Returns:
        Returns the value of the "bind-connection-pool-min-size" property.

      • setBindConnectionPoolMinSize

        void setBindConnectionPoolMinSize​(ValueOrExpression<Integer> value)
                           throws PropertyException
        Sets the "bind-connection-pool-min-size" property.

        Minimum size of the connection pool that will be used for sending bind requests

        Parameters:
        value - The value of the "bind-connection-pool-min-size" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getConnectionTimeout

        ValueOrExpression<Long> getConnectionTimeout()
        Gets the "connection-timeout" property.

        Specifies the timeout used when connecting to servers, performing SSL negotiation, and for individual search and bind requests.

        If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.

        Default value: 3s

        Returns:
        Returns the value of the "connection-timeout" property.

      • setConnectionTimeout

        void setConnectionTimeout​(ValueOrExpression<Long> value)
                   throws PropertyException
        Sets the "connection-timeout" property.

        Specifies the timeout used when connecting to servers, performing SSL negotiation, and for individual search and bind requests.

        If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.

        Parameters:
        value - The value of the "connection-timeout" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getDiscoveryInterval

        ValueOrExpression<Long> getDiscoveryInterval()
        Gets the "discovery-interval" property.

        Interval between two server configuration discovery executions.

        Specifies how frequently to read the configuration of the servers in order to discover any configuration change.

        Default value: 60s

        Returns:
        Returns the value of the "discovery-interval" property.

      • setDiscoveryInterval

        void setDiscoveryInterval​(ValueOrExpression<Long> value)
                   throws PropertyException
        Sets the "discovery-interval" property.

        Interval between two server configuration discovery executions.

        Specifies how frequently to read the configuration of the servers in order to discover any configuration change.

        Parameters:
        value - The value of the "discovery-interval" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getHashFunction

        ValueOrExpression<ProxyBackendCfgDefn.HashFunction> getHashFunction()
        Gets the "hash-function" property.

        Specifies the hash function which will be used for data distribution.

        This setting only applies to data distribution. Once this server is deployed, this setting must not be modified. Doing so could result in data loss. The hash function is used by the router to map incoming requests to a target server based on the request's target DN. The role of the hash function is to ensure that the flow of incoming requests is evenly distributed on the set of servers.

        Default value: murmur3

        Returns:
        Returns the value of the "hash-function" property.

      • setHashFunction

        void setHashFunction​(ValueOrExpression<ProxyBackendCfgDefn.HashFunction> value)
              throws PropertyException
        Sets the "hash-function" property.

        Specifies the hash function which will be used for data distribution.

        This setting only applies to data distribution. Once this server is deployed, this setting must not be modified. Doing so could result in data loss. The hash function is used by the router to map incoming requests to a target server based on the request's target DN. The role of the hash function is to ensure that the flow of incoming requests is evenly distributed on the set of servers.

        Parameters:
        value - The value of the "hash-function" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getHeartbeatInterval

        ValueOrExpression<Long> getHeartbeatInterval()
        Gets the "heartbeat-interval" property.

        Specifies the heartbeat interval that the Proxy Backend will use when communicating with the remote servers.

        The Proxy Backend sends a heartbeat request to the servers every heartbeat interval. The heartbeat serves 3 purposes: keepalive, heartbeat and recovery. The hearbeat requests are small requests sent to prevent the connection from appearing idle and being forcefully closed (keepalive). The heartbeat responses inform the Proxy Backend the server is available (heartbeat). If a heartbeat answer is not received within the interval, the Proxy Backend closes the unresponsive connection and connects to another server. After an unresponsive connection is closed, the server is contacted each heartbeat interval to determine whether it is available again (recovery).

        Default value: 10s

        Returns:
        Returns the value of the "heartbeat-interval" property.

      • setHeartbeatInterval

        void setHeartbeatInterval​(ValueOrExpression<Long> value)
                   throws PropertyException
        Sets the "heartbeat-interval" property.

        Specifies the heartbeat interval that the Proxy Backend will use when communicating with the remote servers.

        The Proxy Backend sends a heartbeat request to the servers every heartbeat interval. The heartbeat serves 3 purposes: keepalive, heartbeat and recovery. The hearbeat requests are small requests sent to prevent the connection from appearing idle and being forcefully closed (keepalive). The heartbeat responses inform the Proxy Backend the server is available (heartbeat). If a heartbeat answer is not received within the interval, the Proxy Backend closes the unresponsive connection and connects to another server. After an unresponsive connection is closed, the server is contacted each heartbeat interval to determine whether it is available again (recovery).

        Parameters:
        value - The value of the "heartbeat-interval" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getHeartbeatSearchRequestBaseDn

        @MandatoryProperty
ValueOrExpression<Dn> getHeartbeatSearchRequestBaseDn()
        Gets the "heartbeat-search-request-base-dn" property.

        Specifies the name of the entry that will be targeted by heartbeat requests.

        By default heartbeat requests will attempt to read the remote server's root DSE, which is sufficient to determine whether the remote server is available, but it will not detect whether a particular backend is available. Set the heartbeat request base DN to the base entry of the backend containing application data in order to detect whether a remote server is available and handling requests against the backend.

        Default value:

        Returns:
        Returns the value of the "heartbeat-search-request-base-dn" property.

      • setHeartbeatSearchRequestBaseDn

        @MandatoryProperty
void setHeartbeatSearchRequestBaseDn​(ValueOrExpression<Dn> value)
                              throws PropertyException
        Sets the "heartbeat-search-request-base-dn" property.

        Specifies the name of the entry that will be targeted by heartbeat requests.

        By default heartbeat requests will attempt to read the remote server's root DSE, which is sufficient to determine whether the remote server is available, but it will not detect whether a particular backend is available. Set the heartbeat request base DN to the base entry of the backend containing application data in order to detect whether a remote server is available and handling requests against the backend.

        Parameters:
        value - The value of the "heartbeat-search-request-base-dn" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getJavaClass

        @MandatoryProperty
ValueOrExpression<String> getJavaClass()
        Gets the "java-class" property.

        Specifies the fully-qualified name of the Java class that provides the backend implementation.

        Default value: org.opends.server.backends.ProxyBackend

        Specified by:
        getJavaClass in interface BackendCfgClient
        Returns:
        Returns the value of the "java-class" property.

      • getKeyManagerProvider

        ValueOrExpression<String> getKeyManagerProvider()
        Gets the "key-manager-provider" property.

        Specifies the name of the key manager that should be used with this Proxy Backend.

        Default value is undefined

        Returns:
        Returns the value of the "key-manager-provider" property.

      • setKeyManagerProvider

        void setKeyManagerProvider​(ValueOrExpression<String> value)
                    throws PropertyException
        Sets the "key-manager-provider" property.

        Specifies the name of the key manager that should be used with this Proxy Backend.

        Parameters:
        value - The value of the "key-manager-provider" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getLoadBalancingAlgorithm

        ValueOrExpression<ProxyBackendCfgDefn.LoadBalancingAlgorithm> getLoadBalancingAlgorithm()
        Gets the "load-balancing-algorithm" property.

        How to load balance between servers within a shard

        Default value: affinity

        Returns:
        Returns the value of the "load-balancing-algorithm" property.

      • getPartitionBaseDn

        SortedSet<ValueOrExpression<Dn>> getPartitionBaseDn()
        Gets the "partition-base-dn" property.

        Specifies the base DN(s) which will be used for "affinity" load-balancing algorithm and data distribution

        This settings only applies for "affinity" load-balancing and data distribution. When applied to "affinity" load-balancing within a single shard, this setting provides consistency for add/delete operations targeting entries within the same sub-tree. Entries immediately subordinate to the partition base DNs will be considered to be the root of a sub-tree whose entries belong to the same shard. For example, a partition base DN of "ou=people,dc=example,dc=com" would mean that "uid=bjensen,ou=people,dc=example,dc=com" and "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" both belong to the same shard, and all operations targeting them would be routed to the same remote server. When applied to data distribution across multiple shards, this setting consistently routes operations targeting an entry below the partition DN to the same shard. Requests targeting the partition DN or above are routed to any shard. Search requests are routed to all shards unless their scope is under the partition DN. For example, if the partition base DN is set to "ou=people,dc=example,dc=com", a search with base DN "uid=bjensen,ou=people,dc=example,dc=com" or "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" is always routed to the same shard. A search with base DN "ou=people,dc=example,dc=com" is routed to all shards.

        Returns:
        Returns the values of the "partition-base-dn" property.

      • setPartitionBaseDn

        void setPartitionBaseDn​(Collection<ValueOrExpression<Dn>> values)
                 throws PropertyException
        Sets the "partition-base-dn" property.

        Specifies the base DN(s) which will be used for "affinity" load-balancing algorithm and data distribution

        This settings only applies for "affinity" load-balancing and data distribution. When applied to "affinity" load-balancing within a single shard, this setting provides consistency for add/delete operations targeting entries within the same sub-tree. Entries immediately subordinate to the partition base DNs will be considered to be the root of a sub-tree whose entries belong to the same shard. For example, a partition base DN of "ou=people,dc=example,dc=com" would mean that "uid=bjensen,ou=people,dc=example,dc=com" and "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" both belong to the same shard, and all operations targeting them would be routed to the same remote server. When applied to data distribution across multiple shards, this setting consistently routes operations targeting an entry below the partition DN to the same shard. Requests targeting the partition DN or above are routed to any shard. Search requests are routed to all shards unless their scope is under the partition DN. For example, if the partition base DN is set to "ou=people,dc=example,dc=com", a search with base DN "uid=bjensen,ou=people,dc=example,dc=com" or "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" is always routed to the same shard. A search with base DN "ou=people,dc=example,dc=com" is routed to all shards.

        Parameters:
        values - The values of the "partition-base-dn" property.
        Throws:
        PropertyException - If one or more of the new values are invalid.

      • getProxyUserDn

        ValueOrExpression<Dn> getProxyUserDn()
        Gets the "proxy-user-dn" property.

        The bind DN that is used to forward LDAP requests to remote servers.

        The proxy connects to the remote server using this bind DN and uses the proxied authorization control to forward requests on behalf of the proxy users. This bind DN must exist on all the remote servers.

        Default value is undefined

        Returns:
        Returns the value of the "proxy-user-dn" property.

      • setProxyUserDn

        void setProxyUserDn​(ValueOrExpression<Dn> value)
             throws PropertyException
        Sets the "proxy-user-dn" property.

        The bind DN that is used to forward LDAP requests to remote servers.

        The proxy connects to the remote server using this bind DN and uses the proxied authorization control to forward requests on behalf of the proxy users. This bind DN must exist on all the remote servers.

        Parameters:
        value - The value of the "proxy-user-dn" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getProxyUserPassword

        ValueOrExpression<String> getProxyUserPassword()
        Gets the "proxy-user-password" property.

        Clear-text password associated with the proxy bind DN.

        The proxy password must be the same on all the remote servers.

        Default value is undefined

        Returns:
        Returns the value of the "proxy-user-password" property.

      • setProxyUserPassword

        void setProxyUserPassword​(ValueOrExpression<String> value)
                   throws PropertyException
        Sets the "proxy-user-password" property.

        Clear-text password associated with the proxy bind DN.

        The proxy password must be the same on all the remote servers.

        Parameters:
        value - The value of the "proxy-user-password" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getRequestConnectionPoolSize

        ValueOrExpression<Integer> getRequestConnectionPoolSize()
        Gets the "request-connection-pool-size" property.

        The size of the connection pool which will be used for sending all requests other than bind requests.

        Unlike bind requests, other types of request may be processed concurrently on the same connection, so this connection pool should be configured with a smaller number of connections, such as 10.

        Default value: 10

        Returns:
        Returns the value of the "request-connection-pool-size" property.

      • setRequestConnectionPoolSize

        void setRequestConnectionPoolSize​(ValueOrExpression<Integer> value)
                           throws PropertyException
        Sets the "request-connection-pool-size" property.

        The size of the connection pool which will be used for sending all requests other than bind requests.

        Unlike bind requests, other types of request may be processed concurrently on the same connection, so this connection pool should be configured with a smaller number of connections, such as 10.

        Parameters:
        value - The value of the "request-connection-pool-size" property.
        Throws:
        PropertyException - If the new value is invalid.

      • isRouteAll

        @MandatoryProperty
ValueOrExpression<Boolean> isRouteAll()
        Gets the "route-all" property.

        Route requests to all discovered public naming contexts.

        When the "route-all" property is set to "true" then the "base-dn" property is ignored.

        Returns:
        Returns the value of the "route-all" property.

      • setRouteAll

        @MandatoryProperty
void setRouteAll​(ValueOrExpression<Boolean> value)
          throws PropertyException
        Sets the "route-all" property.

        Route requests to all discovered public naming contexts.

        When the "route-all" property is set to "true" then the "base-dn" property is ignored.

        Parameters:
        value - The value of the "route-all" property.
        Throws:
        PropertyException - If the new value is invalid.

      • getShard

        @MandatoryProperty
SortedSet<ValueOrExpression<String>> getShard()
        Gets the "shard" property.

        Specifies one or more shards which will be used for distributing data and requests.

        When multiple shards are configured, this setting consistently routes write requests for the same target entry below the partition DN to the same shard. Requests targeting an entry under the partition DN are always routed to a single shard. Requests targeting the partition DN or above are routed to any shard. Search requests are routed to all shards unless their scope is under the partition DN. For example, a search with base DN "uid=bjensen,ou=people,dc=example,dc=com" or "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" is always routed to the same shard. A search with base DN "ou=people,dc=example,dc=com" is routed to all shards.

        Default value is undefined

        Returns:
        Returns the values of the "shard" property.

      • setShard

        @MandatoryProperty
void setShard​(Collection<ValueOrExpression<String>> values)
       throws PropertyException
        Sets the "shard" property.

        Specifies one or more shards which will be used for distributing data and requests.

        When multiple shards are configured, this setting consistently routes write requests for the same target entry below the partition DN to the same shard. Requests targeting an entry under the partition DN are always routed to a single shard. Requests targeting the partition DN or above are routed to any shard. Search requests are routed to all shards unless their scope is under the partition DN. For example, a search with base DN "uid=bjensen,ou=people,dc=example,dc=com" or "deviceid=12345,uid=bjensen,ou=people,dc=example,dc=com" is always routed to the same shard. A search with base DN "ou=people,dc=example,dc=com" is routed to all shards.

        Parameters:
        values - The values of the "shard" property.
        Throws:
        PropertyException - If one or more of the new values are invalid.

      • getSslCertNickname

        SortedSet<ValueOrExpression<String>> getSslCertNickname()
        Gets the "ssl-cert-nickname" property.

        Specifies the nicknames (also called the aliases) of the keys or key pairs that the Proxy Backend should use when performing SSL communication.

        The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the Proxy Backend is configured to use SSL.

        Returns:
        Returns the values of the "ssl-cert-nickname" property.

      • setSslCertNickname

        void setSslCertNickname​(Collection<ValueOrExpression<String>> values)
                 throws PropertyException
        Sets the "ssl-cert-nickname" property.

        Specifies the nicknames (also called the aliases) of the keys or key pairs that the Proxy Backend should use when performing SSL communication.

        The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the Proxy Backend is configured to use SSL.

        Parameters:
        values - The values of the "ssl-cert-nickname" property.
        Throws:
        PropertyException - If one or more of the new values are invalid.

      • isUseSaslExternal

        ValueOrExpression<Boolean> isUseSaslExternal()
        Gets the "use-sasl-external" property.

        Indicates whether the Proxy Backend should use certificate based authentication when communicating with backend servers.

        If enabled, the Proxy Backend will use mutual TLS when connecting to backend servers. Once the TLS handshake has completed, a SASL/External LDAP bind request will be sent in order to associate the TLS client certificate with an LDAP account on the remote backend server. A key manager provider containing the client certificate must be configured in order to use this feature.

        Default value: false

        Returns:
        Returns the value of the "use-sasl-external" property.

      • setUseSaslExternal

        void setUseSaslExternal​(ValueOrExpression<Boolean> value)
                 throws PropertyException
        Sets the "use-sasl-external" property.

        Indicates whether the Proxy Backend should use certificate based authentication when communicating with backend servers.

        If enabled, the Proxy Backend will use mutual TLS when connecting to backend servers. Once the TLS handshake has completed, a SASL/External LDAP bind request will be sent in order to associate the TLS client certificate with an LDAP account on the remote backend server. A key manager provider containing the client certificate must be configured in order to use this feature.

        Parameters:
        value - The value of the "use-sasl-external" property.
        Throws:
        PropertyException - If the new value is invalid.