Configuring proxy transformations
The PingDirectoryProxy server provides proxy transformations to alter the contents of client requests as they are sent from the client to the LDAP external server. Proxy transformations can also be used to alter the responses sent back from the server to the client, including altering or omitting search result entries. The PingDirectoryProxy server provides the following types of data transformations:
- Attribute mapping. The attribute mapping transformation rewrites client requests so that references to one attribute type can be replaced with an alternate attribute type. The PingDirectoryProxy server can perform extensive replacements, including attribute names used in DNs and attribute names encoded in the values of several different controls and extended operations. For example, a client requests a userid attribute, which is replaced with uid before being forwarded on to the backend server. This mapping applies in reverse for the response returned to the client.

  Before adding attribute mapping transformations, you must define both the source and target attribute types in the local schema. This requirement ensures that the server handles the attribute values correctly.

  If any existing attribute mapping transformations reference attributes that don’t meet this requirement, the server logs a warning on startup. You should review the logs and properly define any such attributes in the local schema.
- Default value. The default value transformation instructs the PingDirectoryProxy server to include a static attribute value in search results being sent back to the client, in ADD requests being forwarded to an external server, or both. For example, a value of "marketing" for businessCategory could be returned for all search results under the base DN ou=marketing,dc=example,dc=com.
- DN mapping. The DN mapping transformation rewrites client requests so that references to entries below a specified DN will be mapped to appear below another DN. For example, references to entries below o=example.com could be rewritten so that they are below dc=example,dc=com instead. The mapping applies in reverse for the response returned to the client.
- Groovy scripted. The Groovy scripted custom transformation is written in Groovy and does not need to be compiled, though it uses the Server SDK. These scripts make it possible to alter requests and responses in ways not available using the transformations provided with the PingDirectoryProxy server.
- Suppress attribute. The suppress attribute proxy transformation allows you to exclude a specified attribute from search result entries. It also provides the ability to reject add, compare, modify, modify DN, or search requests if they attempt to reference the target attribute.
- Suppress entry. The suppress entry proxy transformation allows you to exclude any entries that match a specified filter from a set of search results. Search requests are transformed so that the original filter will be ANDed with a NOT filter containing the exclude filter. For example, if the suppression filter is "(objectClass=secretEntry)", then a search request with a filter of "(uid=john.doe)" will be transformed so that it has a filter of "(&(uid=john.doe)(!(objectClass=secretEntry)))".
- Simple-to-external bind. The simple-to-external bind proxy transformation can be used to intercept a simple bind request and instead process the bind as a SASL EXTERNAL bind. If the SASL EXTERNAL bind fails, then the original simple bind request might or might not be processed, depending on how you configure the server.
- Third-party scripted. The third-party scripted custom transformation is created using the Server SDK, making it possible to alter requests and responses in ways not available using the transformations provided with the PingDirectoryProxy server.
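
The filter rewrite described under Suppress entry, modeled as an added Python example (not PingDirectoryProxy code and not Server SDK usage). It shows that a client filter naming the suppressed class directly still returns nothing after the rewrite. The parser covers only AND, OR, NOT, equality and presence filters; the function names and sample entries are constructed for illustration.

```python
import re
ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def parse(f, i=0):
    """Parse a filter subset (&, |, !, equality, presence) at f[i]; return (node, next index)."""
    if f[i:i + 1] != "(" or i + 1 >= len(f):
        raise ValueError(f"expected '(' at offset {i} in {f!r}")
    op = f[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed {op!r} component in {f!r}")
        return (op, kids), i + 1
    end = f.find(")", i)
    attr, sep, value = f[i + 1:end].partition("=")
    if end < 0 or not sep or not ATTR.fullmatch(attr):
        raise ValueError(f"malformed filter item in {f!r}")
    return ("=", attr.lower(), value.lower()), end + 1

def parse_filter(f):
    node, end = parse(f)
    if end != len(f):
        raise ValueError(f"trailing data in {f!r}")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names already lower-cased)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2] in values

def suppress(client_filter, exclude_filter):
    """Rewrite the client filter as the page describes: AND it with NOT(exclude filter)."""
    parse_filter(client_filter), parse_filter(exclude_filter)  # reject malformed input
    return f"(&{client_filter}(!{exclude_filter}))"

def search(entries, filter_text):
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries
            if matches(node, {k.lower(): v for k, v in e.items() if k != "dn"})]

ENTRIES = [  # constructed sample entries, not taken from any real directory
    {"dn": "uid=john.doe,ou=people,dc=example,dc=com", "uid": ["john.doe"], "objectClass": ["person"]},
    {"dn": "uid=john.doe,ou=vault,dc=example,dc=com", "uid": ["john.doe"], "objectClass": ["person", "secretEntry"]}]
```

A useful acceptance check for a real deployment is the same pair of searches run through the proxy: one with an ordinary filter and one that names the suppressed object class directly.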