Overview of the object classes
Policies defined on an LDAP server are comprised of one or more
objects, each with a defined object class, and a unique name. Object
names are in the form of LDAP Distinguished Names (DNs), which are
text strings composed of individual parts known as Relative Distinguished
Names (RDNs). The structure of the naming defines a hierarchical
tree, in a manner similar to directories in a hierarchical file system.
For example, consider the following set of objects:
Object 1, DN: o=IBM, c=US
Object 2, DN: cn=group_1, o=IBM, c=US
Object 3, DN: cn=group_5, o=IBM, c=US
Object 4, DN: cn=group_1_sub_A, cn=group_1, o=IBM, c=USThis set of objects can be viewed as a tree, with Object 1 as the root. Objects 2 and 3 are branches under the root, with Object 4 a branch under Object 2. The names used are attributes of the objects they define. For example, Object 2, whose name starts with "cn=group_1" contains a cn attribute with the value group_1. See z/OS IBM Tivoli Directory Server Administration and Use for z/OS for more information on LDAP naming.
Object class names define the type of each LDAP object. The top object class is predefined and is the root of all other object classes.
There are three types of object classes.
- Abstract object classes
- Used to define broad concepts, such as policy and to define basic attributes that apply to all subclasses.
- Structural object classes
- Basic building blocks, and are the only type of object class that can be instantiated as real objects on an LDAP server.
- Auxiliary object classes
- Used to define attributes that are shared among different structural object classes, or are used to extend the basic set of objects.
The following object classes are recognized by the Policy Agent. The indentation defines subclasses. For example, ibm-policyGroup is a subclass of ibm-policy, and therefore inherits all of the attributes defined for ibm-policy.
Figure 1. LDAP schema object class
hierarchy
Note: The classes identified in bold italics in Figure 1 are for schema version 2 and are mutually
exclusive with the schema version 3 classes with similar names.
| Object class name | Purpose of object |
|---|---|
| Top | Used to anchor the LDAP hierarchical tree root. |
| ibm-policy | Used as the root for all policy objects. |
| ibm-policyGroup | Defines a policy group object. |
| ibm-policyRule | Defines a policy rule object. |
| ibm-policyRuleConditionAssociation | Defines an association between a policy rule object and a policy condition. |
| ibm-policyRuleActionAssociation | Defines an association between a policy rule object and a policy action. |
| ibm-PolicyInstance | Defines an instance of a reusable policy object. |
| ibm-PolicyConditionInstance | Defines an instance of a reusable policy condition object. |
| ibm-PolicyActionInstance | Defines an instance of a reusable policy action object. |
| ibm-PolicyElementAuxClass | Defines an auxiliary class that can be used to tag non-policy objects as though they were policy objects. |
| ibm-policyCondition | Defines a policy condition object. (schema version 2 — supported for migration) |
| ibm-policyTimePeriodCondition | Defines an auxiliary class to represent time periods during which a policy rule is considered to be active. (schema version 2 — supported for migration) |
| ibm-networkingpolicyCondition | Defines a subclass of ibm-PolicyCondition used to define networking policy conditions. (schema version 2 — supported for migration) |
| ibm-policyAction | Defines a policy action object. (schema version 2 — supported for migration) |
| ibm-serviceCategories | Defines an auxiliary class to represent a set of QoS attributes for a policy action. (schema version 2 — supported for migration) |
| ibm-policyConditionAuxClass | Defines an auxiliary class for generic policy conditions. |
| ibm-policyTimePeriodConditionAuxClass | Defines an auxiliary class to represent time periods during which a policy rule is considered to be active. |
| ibm-networkingPolicyConditionAuxClass | Defines an auxiliary class used to define networking policy conditions. |
| ibm-routeConditionAuxClass | Defines an auxiliary class to represent QoS routing conditions for a policy rule. |
| ibm-hostConditionAuxClass | Defines an auxiliary class to represent QoS host (end-point) conditions for a policy rule. |
| ibm-applicationConditionAuxClass | Defines an auxiliary class to represent QoS application and transport conditions for a policy rule. |
| ibm-idsConditionAuxClass | Defines an auxiliary class to represent generic IDS conditions. |
| ibm-idsAttackConditionAuxClass | Defines an auxiliary class to represent IDS attack conditions. |
| ibm-idsIPAttackConditionAuxClass | Defines an auxiliary class to represent IDS IP attack conditions. |
| ibm-idsTrafficRegulationConditionAuxClass | Defines an auxiliary class to represent IDS Traffic Regulation conditions. |
| ibm-idsScanConditionAuxClass | Defines an auxiliary class to represent IDS global scan conditions. |
| ibm-idsScanEventConditionAuxClass | Defines an auxiliary class to represent IDS scan event conditions. |
| ibm-idsTransportConditionAuxClass | Defines an auxiliary class to represent IDS transport conditions. |
| ibm-idsHostConditionAuxClass | Defines an auxiliary class to represent IDS host conditions. |
| ibm-policyActionAuxClass | Defines an auxiliary class for generic policy actions. |
| ibm-serviceCategoriesAuxClass | Defines an auxiliary class to represent a set of QoS attributes for a policy action. |
| ibm-idsActionAuxClass | Defines an auxiliary class to represent generic IDS actions. |
| ibm-idsNotificationAuxClass | Defines an auxiliary class to represent notification options for IDS actions. |
| ibm-idsAttackActionsAuxClass | Defines an auxiliary class to represent attack attributes for IDS actions. |
| ibm-idsFloodAttackActionsAuxClass | Defines an auxiliary class to represent flood-specific attack attributes for IDS actions. |
| ibm-idsTrafficRegulationActionAuxClass | Defines an auxiliary class to represent generic Traffic Regulation attributes for IDS actions. |
| ibm-idsTRtcpActionAuxClass | Defines an auxiliary class to represent Traffic Regulation TCP attributes for IDS actions. |
| ibm-idsTRudpActionAuxClass | Defines an auxiliary class to represent Traffic Regulation UDP attributes for IDS actions. |
| ibm-idsScanActionAuxClass | Defines an auxiliary class to represent global scan attributes for IDS actions. |
| ibm-idsScanSensitivityActionAuxClass | Defines an auxiliary class to represent scan sensitivity attributes for IDS actions. |
| ibm-idsScanExclusionActionAuxClass | Defines an auxiliary class to define scan exclusion lists for IDS actions. |
| ibm-policyRepository | Defines a repository for generic reusable policy objects. |
| ibm-policySubtreesPtrAuxClass | Defines an auxiliary class to represent pointers to subtrees in the LDAP directory tree to be retrieved by the Policy Agent. This allows entire subtrees to be retrieved at once, improving retrieval performance in some situations. |
| ibm-policyGroupContainmentAuxClass | Defines an auxiliary class for binding a policy group object to another policy group. |
| ibm-policyRuleContainmentAuxClass | Defines an auxiliary class for binding a policy rule object to another policy group. |
| ibm-policyGroupLoadDistributionAuxClass | Defines an auxiliary class to represent load distribution attributes for policy groups. The load distribution attributes are applied to all policy rules that are pointed to by groups to which this auxiliary class has been attached. |
| SetSubnetPrioTosMask | Defines a mapping of outbound IPv4 packet Type of Service (ToS) byte or IPv6 packet Traffic Class values to QDIO device priorities and Virtual LAN (VLAN) user priorities. |
Policy objects are used to accomplish the following objectives:
- Group related objects together. Policy groups can contain related policy rules, and can also contain other policy groups. This allows objects to be grouped in various administrative ways. If the resulting objects will be retrieved by any Policy Agent prior to z/OS® Communications Server V1R2, then the object should not include the values ibm-policyGroupContainmentAuxClass, ibm-policyRuleContainmentAuxClass or ibm-policyGroupLoadDistributionAuxClass for the objectClass attribute.
- Specify conditions for a policy rule. The conditions are used
to filter traffic packets, and can specify attributes such as source
and destination port, application name, protocol, and so on. Policy
rules can be either simple or complex, depending on the nature of
the specified conditions. When a single condition is specified, the
rule is a simple rule. This single condition can be composed of any
of the condition attributes, but only one instance of each. For example,
only a single destination port range can be specified in a simple
rule. Complex rules specify more than one condition. The specified
conditions are organized into one or more levels, and each level is
composed of one or more conditions. Each condition can be composed
of one instance of any of the condition attributes. The conditions
can thus be thought of as a two-dimensional array. Any individual
condition can be negated. Two types of processing are applied to the
conditions, depending on the specified condition list type:
- Disjunctive Normal Form (DNF). DNF conditions are logically ANDed at each level, and ORed between levels.
- Conjunctive Normal Form (CNF). CNF conditions are logically ORed at each level, and ANDed between levels.
For example, suppose five conditions are specified, two at one level and three at another:Level 1: C1, NOT C2 Level 2: C3, C4, C5If DNF is specified, the conditions are evaluated as:(C1 AND NOT C2) OR (C3 AND C4 AND C5)CNF evaluation of the same conditions is:(C1 OR NOT C2) AND (C3 OR C4 OR C5)This allows a wide variety of conditional logic to be defined for policy rules.
- Specify time periods during which policy rules are active. Active policy rules are those that are installed in a TCP/IP stack by the Policy Agent. A wide variety of attributes are available to specify time periods, and up to 25 time periods can be specified for any policy rule. The policy rule is active if any of the specified time intervals include the current time.
- Specify actions to take on behalf of traffic that maps to active policy rules, based on the evaluation of its conditions. QoS Actions contain a scope attribute that indicates the type of policy being defined, namely Differentiated Services, RSVP, or both Differentiated Services and RSVP. Up to four actions can be specified for each rule, but only one action per scope can be active at a time. IDS actions contain an action type that indicates the type of policy being defined, namely Attack, TR, Scan Global, or Scan Event. Only one IDS action can be specified for each rule. QoS and IDS actions (or conditions) can't be mixed within a single policy rule.