The ReadFromDirectory statement in the Policy Agent configuration file initializes the Policy Agent as an LDAP client. Policies are then downloaded from the LDAP server in addition to the policies specified in the Policy Agent configuration files.
When configuring the ReadFromDirectory statement, first specify the name (or IPv4 address) and port of the primary server and the same for the backup server (if one is used).
Next, configure the other connection attributes. The Policy Agent (as an LDAP client) must log in to the LDAP server, and the user ID and password it uses are configured on the ReadFromDirectory statement. The user ID is the distinguished name for the user ID and is specified in the form of an LDAP DN. If the user ID and password are not specified, the Policy Agent uses an anonymous login to connect to the server. Because the password is stored in clear text in the configuration file, restrict read access to that file to the Policy Agent and its administrators.
Only LDAP protocol version 3 is supported. Set LDAP_ProtocolVersion to 3 on the ReadFromDirectory statement; this is the default value. The statement also configures, with LDAP_SchemaVersion, the version of the schema to be retrieved from the server.
Finally, configure attributes that indicate how to search the LDAP server for policies. Policy roles allow one or more roles, or role-combinations, to be assigned to policy rules using the ibm-policyRoles attribute. These roles represent the intended usage of the policy rules. For example, a role of "East Coast WAN" might represent the policies for an enterprise's wide area network on the US East coast. Policy role values are not standardized; they are simply values used to assign roles to policies. When an entity that requires policies (such as the Policy Agent) requests policies from an LDAP server, it can filter out the policy rules that do not match the roles it plays. Policy roles are similar to policy keywords, which also allow search scoping, but are more expressive: role-combinations are allowed, written as "roleA && roleB", meaning both roleA AND roleB. Because the ibm-policyRoles attribute is multi-valued, a form of CNF/DNF logic applies: the roles within a role-combination are ANDed, and the roles or role-combinations specified on different values of the attribute are ORed.
Optionally, specify parameters for a secure SSL connection. For details, see Add SSL to Policy Agent connections.
The following example puts these steps together. It connects to a single LDAP server, logs in with a distinguished name and password, uses protocol version 3 and schema version 3, and searches the base DN ou=policy, o=IBM, c=US for policies with the keywords POLICY and EASTERN:
ReadFromDirectory
{
LDAP_Server 9.100.1.1
LDAP_DistinguishedName cn=root, o=IBM, c=US
LDAP_Password 4qr56jb
LDAP_ProtocolVersion 3
LDAP_SchemaVersion 3
SearchPolicyBaseDN ou=policy, o=IBM, c=US
SearchPolicyKeyword POLICY
SearchPolicyKeyword EASTERN
}
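The role-matching logic described above (roles within one ibm-policyRoles value are ANDed, separate values are ORed) can be made concrete in a few lines. The following is an added example and is not code from the original page or from the Policy Agent itself; the rule names, role names other than "East Coast WAN", and the entity role sets are constructed for illustration. It filters a set of policy rules the way an LDAP client playing a given set of roles would, and rejects malformed role-combinations such as an empty operand in "roleA &&".

```python
"""Filter policy rules by ibm-policyRoles (added example, not Policy Agent code)."""


def parse_role_combination(value):
    """Split one ibm-policyRoles value such as "roleA && roleB" into its roles.

    A single role ("East Coast WAN") is a combination of one role.
    An empty operand (e.g. "roleA &&") is treated as a malformed value.
    """
    roles = [role.strip() for role in value.split("&&")]
    if any(role == "" for role in roles):
        raise ValueError("malformed role-combination: %r" % value)
    return roles


def rule_matches_roles(ibm_policy_roles, entity_roles):
    """Return True if the rule applies to an entity playing entity_roles.

    Within one attribute value every role must be played (AND);
    across the multi-valued attribute any matching value suffices (OR).
    """
    played = set(entity_roles)
    for value in ibm_policy_roles:
        if all(role in played for role in parse_role_combination(value)):
            return True
    return False


def filter_policy_rules(rules, entity_roles):
    """Return the names of the rules, in order, that match entity_roles.

    rules is a list of (rule_name, list_of_ibm_policyRoles_values).
    """
    return [name for name, role_values in rules
            if rule_matches_roles(role_values, entity_roles)]


# Constructed sample data standing in for entries read from the LDAP server.
SAMPLE_RULES = [
    ("cn=wanRule", ["East Coast WAN"]),                 # single role
    ("cn=pairRule", ["roleA && roleB"]),                 # both required
    ("cn=tierRule", ["East Coast WAN && Gold", "Platinum"]),  # (A AND B) OR C
]

if __name__ == "__main__":
    # An entity playing "East Coast WAN" and "roleA" only gets the first rule:
    # it lacks roleB, and it is neither Gold nor Platinum.
    print(filter_policy_rules(SAMPLE_RULES, {"East Coast WAN", "roleA"}))
    # A Platinum entity matches the third rule through its second value alone.
    print(filter_policy_rules(SAMPLE_RULES, {"Platinum"}))
```

The matching is deliberately exact on role strings, mirroring the statement in the text that role values are not standardized: "East Coast WAN" and "east coast wan" are different roles unless the deployment agrees otherwise.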