PingDirectory

How the policy is evaluated

Whenever a connection is established, the server associates the connection with exactly one client connection policy.

The server does this by iterating over all of the defined client connection policies in ascending order of the evaluation order index. Policies with a lower evaluation order index value are examined before those with a higher evaluation order index value. The first policy that the server finds whose criteria match the client connection is associated with that connection. If no client connection policy is found with criteria matching the connection, then the connection is terminated.

So, in this example, when a new connection is established, the server first checks the connection criteria associated with the Client 1 Connection Policy because it has the lowest evaluation order index value. If it finds that the criteria do not match the new connection, the server then checks the connection criteria associated with the Client 2 Connection Policy because it has the second lowest evaluation order index. If these criteria do not match, the server finally checks the connection criteria associated with the Unauthenticated Connection Policy because it has the third lowest evaluation order index. It finds a match, so the client connection is associated with the Unauthenticated Connection Policy.

After the client performs a bind operation to authenticate to the server, the client connection policies are re-evaluated. If Client 2 performs the bind, then the Client 1 Connection Policy does not match, but the Client 2 Connection Policy does, so the connection is re-associated with that client connection policy. Whenever a connection is associated with a client connection policy, the server checks whether the maximum number of client connections has already been associated with that policy. If so, the newly associated connection is terminated.

For example, Client 1 opens a new connection. Because it is a new connection not yet associated with connection criteria, it is assigned to the Unauthenticated Connection Policy. Client 1 then sends a bind request. The determination of whether the bind operation is allowed is made based on the constraints defined in the Unauthenticated Connection Policy because it is the client connection policy already assigned to the client connection. When the bind has completed, the server re-evaluates the client connection, starting with the connection criteria associated with the Client 1 Connection Policy because it has the lowest evaluation order index. The associated connection criteria match, so processing stops, and the client connection is assigned to the Client 1 Connection Policy.

Next, Client 2 opens a new connection. Because it is a new connection not yet associated with connection criteria, it is assigned to the Unauthenticated Connection Policy. When Client 2 sends a bind request, the operation is allowed based on the constraints defined in the Unauthenticated Connection Policy. When the bind is complete, the client connection is evaluated against the connection criteria associated with Client 1 Connection Policy because it has the lowest evaluation order index. The associated connection criteria do not match, so the Client 2 connection is evaluated against the connection criteria associated with Client 2 Connection Policy because it has the next lowest evaluation order index. The associated connection criteria match, so processing stops, and the client connection is assigned to Client 2 Connection Policy.

Client 1 sends a search request. The Client 1 Connection Policy is used to determine whether the search operation should be allowed because this is the client connection policy assigned to the client connection for Client 1. The connection is not re-evaluated before or after processing the search operation.
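The evaluation flow described above, modelled in Python as an added example (this is not PingDirectory code). The bind DNs, the index values 1 to 3, the connection limit of 1 on the Client 2 policy, and the choice to match criteria on the bind DN alone are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Policy:
    name: str
    order_index: int                           # evaluation order index
    criteria: Callable[[Optional[str]], bool]  # connection criteria, modelled on the bind DN
    max_connections: Optional[int] = None      # None = no limit (assumption of this model)
    connections: int = 0

@dataclass
class Connection:
    bind_dn: Optional[str] = None
    policy: Optional[Policy] = None
    open: bool = True

def associate(policies, conn):
    """First match in ascending index order wins; no match or a full policy terminates."""
    if conn.policy is not None:
        conn.policy.connections -= 1           # assumption: the old policy's slot is released
    ordered = sorted(policies, key=lambda p: p.order_index)
    match = next((p for p in ordered if p.criteria(conn.bind_dn)), None)
    full = match is not None and match.max_connections is not None \
        and match.connections >= match.max_connections
    if match is None or full:
        conn.policy, conn.open = None, False   # connection is terminated
        return None
    match.connections += 1
    conn.policy = match
    return match.name

def bind(policies, conn, dn):
    """The bind runs under the current policy; afterwards the policies are re-evaluated."""
    conn.bind_dn = dn
    return associate(policies, conn)

def build_policies():
    # Constructed DNs, index values and limit; the page gives only the policy names.
    base = "dc=example,dc=com"
    return [
        Policy("Unauthenticated Connection Policy", 3, lambda dn: dn is None),
        Policy("Client 2 Connection Policy", 2, lambda dn: dn == f"uid=client2,{base}", 1),
        Policy("Client 1 Connection Policy", 1, lambda dn: dn == f"uid=client1,{base}"),
    ]

if __name__ == "__main__":
    policies = build_policies()
    c = Connection()
    print(associate(policies, c))                              # new connection
    print(bind(policies, c, "uid=client2,dc=example,dc=com"))  # re-evaluated after bind
```

Because the first match wins, criteria that are too broad on a policy with a low evaluation order index would capture connections intended for later policies; the model makes that ordering easy to check before changing a real configuration.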