Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual


Administrator's Guide
Red Hat Directory Server
Version 7.1
May 2005
Updated February 2009


Summary of Contents for Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR

  • Page 1 Administrator’s Guide Red Hat Directory Server Version 7.1 May 2005 Updated February 2009...
  • Page 2 All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E...
  • Page 3: Table Of Contents

    Contents Introduction to This Reference Guide ............27 Directory Server Overview .
  • Page 4 Cloning the Directory Configuration ........... 43 Starting the Server in Referral Mode .
  • Page 5 Configuring the Supplier Server ........... . 74 Enabling/Disabling Referential Integrity .
  • Page 6 Creating a New Database Link Using the Console ........109 Creating a Database Link from the Command-Line .
  • Page 7 Exporting to LDIF from the Command-Line ..........159 Backing Up and Restoring Data .
  • Page 8 About the CoS Template Entry ........... . 183 How a Pointer CoS Works .
  • Page 9 Defining User Access - userdn Keyword ..........221 Anonymous Access (anyone Keyword) .
  • Page 10 ACI “HostedCompany1” ............255 Denying Access .
  • Page 11 Setting Resource Limits Based on the Bind DN ..........299 Setting Resource Limits Using the Console .
  • Page 12 Making a Replica Updatable ............343 Deleting the Changelog .
  • Page 13 Creating Attributes ..............377 Editing Attributes .
  • Page 14 Chapter 11 Managing SSL and SASL ........... 417 Introduction to SSL in the Directory Server .
  • Page 15 Viewing the Audit Log ............453 Configuring the Audit Log .
  • Page 16 Tuning Database Performance ............480 Optimizing Search Performance .
  • Page 17 Roles Plug-in ..............507 Space Insensitive String Syntax Plug-in .
  • Page 18 Multi-Master Replication Scenario ........... . 542 Chapter 18 Windows Sync .
  • Page 19 Using Special Characters ............588 ldapsearch Command-Line Format .
  • Page 20 Glossary ................619 Index .
  • Page 21 List of Figures Figure 1-1 Viewing the Bind DN ........... . . 37 Figure 3-1 A Sample Directory Tree with One Root Suffix .
  • Page 23 List of Tables Table 2-1 Entry Templates and Corresponding Object Classes ......47 Table 2-2 Description of ldapmodify Parameters Used for Adding Entries .
  • Page 24 Table 9-1 Attributes Tab Reference ..........376 Table 9-2 Object Classes Tab Reference .
  • Page 25 Table 15-21 Details of NS-MTA-MD5 Password Storage Plug-in ......502 Table 15-22 Details of SHA Password Storage Plug-in ........503 Table 15-23 Details of SSHA Password Storage Plug-in .
  • Page 27: Introduction To This Reference Guide

    Introduction to This Reference Guide Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 28: Prerequisite Reading

    Prerequisite Reading • Multiple databases — Provides a simple way of breaking down your directory data to simplify the implementation of replication and chaining in your directory service. • Password Policy and Account Lockout — Allows you to define a set of rules that govern how passwords and user accounts are managed in the Directory Server.
  • Page 29: Conventions Used In This Book

    For example, if you gave the server an identifier of phonebook, then the actual path would look like this: /opt/redhat-ds/servers/slapd-phonebook/. . . • In examples/sample code, paths assume that the Directory Server is installed in the default location.
  • Page 30: Related Information

    For a list of documentation installed with Directory Server, open this file: serverRoot/manual/en/slapd/index.htm For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, check this site: http://www.redhat.com/docs/manuals/dir-server/
  • Page 31: Part 1 Administering Red Hat Directory Server

    Part 1 Administering Red Hat Directory Server Chapter 1, “Introduction to Red Hat Directory Server” Chapter 2, “Creating Directory Entries” Chapter 3, “Configuring Directory Databases” Chapter 4, “Populating Directory Databases” Chapter 5, “Advanced Entry Management” Chapter 6, “Managing Access Control” Chapter 7, “User Account Management”...
  • Page 32 Chapter 11, “Managing SSL and SASL” Chapter 12, “Monitoring Server and Database Activity” Chapter 13, “Monitoring Directory Server Using SNMP” Chapter 14, “Tuning Directory Server Performance”...
  • Page 33: Chapter 1 Introduction To Red Hat Directory Server

    Chapter 1 Introduction to Red Hat Directory Server The Red Hat Directory Server (Directory Server) product includes a Directory Server, an Administration Server to manage multiple server instances, and Red Hat Console to manage server instances through a graphical interface. This chapter provides overview information about the Directory Server and the most basic tasks you need to start administering a directory service.
  • Page 34: Using The Directory Server Console

    Using the Directory Server Console You perform most Directory Server administrative tasks through the Red Hat Administration Server, a second server that helps manage Directory Server. For Directory Server, you use a part of the Red Hat Administration Server called Red Hat Console.
  • Page 35: Copying Entry DNs To The Clipboard

    Configuring the Directory Manager Navigate through the tree in the left-hand pane to find the machine hosting your Directory Server, and click on its name or icon to display its general properties. To edit the name and description of your Directory Server, click the Edit button.
  • Page 36: Binding To The Directory From Red Hat Console

    Binding to the Directory from Red Hat Console Select the Manager tab in the right pane. Enter the new distinguished name for the Directory Manager in the Root DN field. The default value is cn=Directory Manager. From the Manager Password Encryption pull-down menu, select the storage scheme you want the server to use to store the password for Directory Manager.
  • Page 37: Viewing The Current Bind DN From The Console

    Starting and Stopping the Directory Server For more information about the Directory Manager DN and password, refer to “Configuring the Directory Manager,” on page 35. Viewing the Current Bind DN from the Console You can view the bind DN you used to log in to the Directory Server Console by clicking the login icon in the lower-left corner of the display.
  • Page 38: Starting And Stopping The Server From The Command-Line

    Configuring LDAP Parameters Starting and Stopping the Server from the Command-Line Use one of the following scripts: serverRoot/slapd-serverID/start-slapd serverRoot/slapd-serverID/stop-slapd where serverID is the identifier you specified for the server when you installed it. Both of these scripts must run with the same UID and GID as the Directory Server.
  • Page 39 Configuring LDAP Parameters • You need to change the configuration or user directory port or secure port number configured for Red Hat Administration Server. See Managing Servers with Red Hat Console for information. • If you have other Directory Servers installed that point to the configuration or user directory, you need to update those servers to point to the new port number.
  • Page 40: Placing The Entire Directory Server In Read-Only Mode

    Configuring LDAP Parameters In the “LDAP Port” field, type in the new LDAP port number for your Directory Server port. Check the “Secure Connection” box if this is a secure port. NOTE If you try to save these changes at this step, you will get a warning box that reads, “Invalid LDAP Host/LDAP Port, can not connect.”...
  • Page 41: Tracking Modifications To Directory Entries

    Configuring LDAP Parameters Select the Settings tab in the right pane. Select the Make Entire Server Read-Only checkbox. Click Save, and then restart the server. NOTE This operation also makes the Directory Server configuration read-only; therefore, you cannot update the server configuration, enable or disable plug-ins, or even restart the Directory Server while it is in read-only mode.
  • Page 42: Cloning A Directory Server

    Cloning a Directory Server To enable the Directory Server to track this information: In the Directory Server Console, select the Configuration tab, and then select the top entry in the navigation tree in the left pane. Select the Settings tab in the right pane. Select the Track Entry Modification Times checkbox.
  • Page 43: Cloning The Directory Configuration

    Starting the Server in Referral Mode Enter a port number for LDAP communications in the Network port field. Enter the suffix managed by this new instance of the directory in the base suffix field. Enter a DN for the Directory Manager in the Root DN field. For information on the role and privileges of the Directory Manager entry, refer to “Configuring the Directory Manager,”...
  • Page 44: Using The Refer Command

    Starting the Server in Referral Mode If the server is already running, you can put it in referral mode by using the Directory Server Console. This procedure is explained in “Setting Default Referrals,” on page 143. Using the refer Command Follow these steps to start the Directory Server in referral mode: Go to the directory under your installation directory:...
  • Page 45: Chapter 2 Creating Directory Entries

    Chapter 2 Creating Directory Entries This chapter discusses how to use the Directory Server Console and the command-line utilities ldapmodify and ldapdelete to modify the contents of your directory. During the planning phase of your directory deployment, you should characterize the types of data that your directory will contain. You should read Red Hat Directory Server Deployment Guide before creating entries and modifying the default schema.
  • Page 46: Creating A Root Entry

    Managing Entries from the Directory Console • Creating Directory Entries • Modifying Directory Entries • Deleting Directory Entries This section assumes some basic knowledge of object classes and attributes. For an introduction to object classes and attributes, refer to Red Hat Directory Server Deployment Guide.
  • Page 47: Creating Directory Entries

    Managing Entries from the Directory Console In the New Object window, select the object class corresponding to the new entry. The object class you select must contain the attribute you used to name the suffix. For example, if you are creating the entry corresponding to the suffix ou=people,dc=example,dc=com, then you can choose the object class or another object class that allows the...
  • Page 48: Creating An Entry Using A Predefined Template

    Managing Entries from the Directory Console These templates contain fields representing all the mandatory attributes and some of the commonly used optional attributes. To create an entry using one of these templates, refer to “Creating an Entry Using a Predefined Template,” on page 48. To create any other type of entry, refer to “Creating Other Types of Entries,”...
  • Page 49: Modifying Directory Entries

    Managing Entries from the Directory Console Click OK. If you selected an object class related to a type of entry for which a predefined template is available, the corresponding Create window is displayed. (See “Creating an Entry Using a Predefined Template,” on page 48). In all other cases, the Property Editor is displayed.
  • Page 50: Displaying The Property Editor

    Managing Entries from the Directory Console Displaying the Property Editor You can start the Property Editor in several ways: • From the Directory tab, by right-clicking an entry in the left or right pane, and selecting Properties from the pop-up menu. •...
  • Page 51: Adding An Attribute To An Entry

    Managing Entries from the Directory Console In the Directory tab of the Directory Server Console, right-click the entry you want to modify, and select Advanced from the pop-up menu. You can also double-click the entry. The Property Editor is displayed; click on the Advanced button.
  • Page 52: Adding Very Large Attributes

    Managing Entries from the Directory Console Adding Very Large Attributes The nsslapd-maxbersize configuration attribute sets the maximum size limit for LDAP requests. The default configuration of Directory Server sets this attribute at 2Mbytes. LDAP add or modify operations will fail when attempting to add very large attributes that result in a request that is larger than 2Mbytes.
  • Page 53: Removing An Attribute Value

    Managing Entries from the Directory Console Click OK in the Advanced Property Editor when you have finished editing the entry. The Advanced Property Editor is dismissed. Click OK in the Property Editor. The Property Editor is dismissed. Removing an Attribute Value To remove an attribute value from an entry: In the Directory tab of the Directory Server Console, right-click the entry you want to modify, and select Advanced from the pop-up menu.
  • Page 54 Managing Entries from the Directory Console You can assign only one language subtype per attribute instance in an entry. To assign multiple language subtypes, add another attribute instance to the entry, and then assign the new language subtype. For example, the following is illegal: cn;lang-ja;lang-en-GB:Smith Instead, use: cn;lang-ja: ja_value...
  • Page 55: Deleting Directory Entries

    Managing Entries from the Command-Line From the Subtype drop-down list, you can also assign one of two other subtypes, binary or pronunciation. Click OK. The Add Attribute window is dismissed. When you have finished defining the information for the entry, click OK in the Advanced Property Editor.
  • Page 56: Providing Input From The Command-Line

    Managing Entries from the Command-Line • Adding Entries Using LDIF • Adding and Modifying Entries Using ldapmodify • Deleting Entries Using ldapdelete • Using Special Characters NOTE You cannot modify your directory unless the appropriate access control rules have been set. For information on creating access control rules for your directory, see chapter 6, “Managing Access Control.”...
  • Page 57: Creating A Root Entry From The Command-Line

    Managing Entries from the Command-Line For example: dn: dc=example,dc=com dn: ou=People, dc=example,dc=com People subtree entries. dn: ou=Group, dc=example,dc=com Group subtree entries. Creating a Root Entry from the Command-Line You can use the ldapmodify command-line utility to create a new root entry in a database.
  • Page 58: Adding And Modifying Entries Using ldapmodify

    Managing Entries from the Command-Line Define the entries in an LDIF file. LDIF is described in Appendix A, “LDAP Data Interchange Format.” Import the LDIF file from the Directory Server Console. See “Importing a Database from the Console,” on page 150, for information. When you import the LDIF file, select “Append to database”...
  • Page 59: Adding Entries Using ldapmodify

    Managing Entries from the Command-Line Adding Entries Using ldapmodify Here is a typical example of how to use the ldapmodify utility to add entries to the directory. Suppose that: • You want to create the entries specified in the file new.ldif •...
  • Page 60: Modifying Entries Using ldapmodify

    Managing Entries from the Command-Line For full information on ldapmodify parameters, refer to the Red Hat Directory Server Configuration, Command, and File Reference. Modifying Entries Using ldapmodify Here is a typical example of how to use the ldapmodify utility to modify entries that are present in the directory.
  • Page 61: Deleting Entries Using ldapdelete

    Managing Entries from the Command-Line For full information on ldapmodify parameters, refer to the Red Hat Directory Server Configuration, Command, and File Reference. Deleting Entries Using ldapdelete Use the ldapdelete command-line utility to delete entries from the directory. This utility opens a connection to the specified server using the distinguished name and password you provide and deletes the entry or entries.
  • Page 62: Using Special Characters

    Managing Entries from the Command-Line Table 2-4 Description of ldapdelete Parameters Used for Deleting Entries Parameter Name Description Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries.
  • Page 63: LDIF Update Statements

    LDIF Update Statements LDIF Update Statements Use LDIF update statements to define how ldapmodify should change your directory. In general, LDIF update statements are a series of statements that: • Specify the distinguished name of the entry to be modified. •...
  • Page 64: Adding An Entry Using LDIF

    LDIF Update Statements In addition, the line continuation operator is a single space. Therefore, the following two statements are identical: dn: cn=Lisa Jangles,ou=People,dc=example,dc=com dn: cn=Lisa Jangles, ou=People, dc=example,dc=com The following sections describe the change types in detail. Adding an Entry Using LDIF Use changetype:add to add an entry to your directory.
  • Page 65 LDIF Update Statements dn: cn=Sue Jacobs,ou=People,dc=example,dc=com changetype: add objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: Sue Jacobs givenName: Sue sn: Jacobs ou: People ou: Marketing uid: sjacobs dn: ou=Groups,dc=example,dc=com changetype: add objectclass: top objectclass: organizationalUnit ou: Groups dn: cn=Administrators,ou=Groups,dc=example,dc=com changetype: add objectclass: top objectclass: groupOfNames...
  • Page 66: Renaming An Entry Using LDIF

    LDIF Update Statements Renaming an Entry Using LDIF Use changetype:modrdn to change an entry’s relative distinguished name (RDN). An entry’s RDN is the left-most element in the distinguished name. Therefore, the RDN for cn=Barry Nixon,ou=People,dc=example,dc=com is cn=Barry Nixon, and the RDN for ou=People,dc=example,dc=com is ou=People. Therefore, this rename operation allows you to change the left-most value in an...
  • Page 67: A Note On Renaming Entries

    LDIF Update Statements the server would delete cn=Sue Jacobs, and only cn=Susan Jacobs would remain within the entry. A Note on Renaming Entries You cannot rename an entry with the modrdn change type such that the entry moves to a completely different subtree. To move an entry to a completely different branch, you must create a new entry in the alternative subtree using the old entry’s attributes, and then delete the old entry.
  • Page 68: Adding Attributes To Existing Entries Using LDIF

    LDIF Update Statements The specified attribute is deleted. If more than one value of an attribute exists for the entry, then all values of the attribute are deleted in the entry. To delete just one of many attribute values, specify the attribute and associated value on the line following the delete change operation.
  • Page 69: Changing An Attribute Value Using LDIF

    LDIF Update Statements The following example adds a jpeg photograph to the directory. The jpeg photo can be displayed by Directory Server Gateway. In order to add this attribute to the directory, you must use the ldapmodify -b parameter, which indicates that ldapmodify should read the referenced file for binary values if the attribute value...
  • Page 70: Deleting All Values Of An Attribute Using LDIF

    LDIF Update Statements If the entry has multiple instances of the attribute, then, to change one of the attribute values, you must delete the attribute value that you want to change and then add the replacement value. For example, consider the following entry: cn=Barney Fife,ou=People,dc=example,dc=com objectClass: inetOrgPerson cn: Barney Fife...
  • Page 71: Deleting A Specific Attribute Value Using LDIF

    LDIF Update Statements Deleting a Specific Attribute Value Using LDIF Use changetype:modify with the delete operation to delete an attribute value from an entry. For example, consider the following entry: cn=Barney Fife,ou=People,dc=example,dc=com objectClass: inetOrgPerson cn: Barney Fife sn: Fife telephonenumber: 555-1212 telephonenumber: 555-6789 To delete the telephone number from this entry, use the following LDIF...
  • Page 72: Modifying An Entry In An Internationalized Directory

    Maintaining Referential Integrity dn: cn=Pete Minsky,ou=People,dc=example,dc=com changetype: delete dn: cn=Sue Jacobs,ou=People,dc=example,dc=com changetype: delete CAUTION Do not delete the o=NetscapeRoot suffix. The Red Hat Administration Server uses this suffix to store information about installed Directory Servers. Deleting this suffix could force you to reinstall the Directory Server.
  • Page 73: How Referential Integrity Works

    Maintaining Referential Integrity How Referential Integrity Works When the Referential Integrity Plug-in (see “Referential Integrity Postoperation Plug-in,” on page 505) is enabled, it performs integrity updates on specified attributes immediately after a delete or rename operation. By default, the Referential Integrity Plug-in is disabled. NOTE The Referential Integrity Plug-in should only be enabled on one supplier replica in a multi-master replication environment to avoid...
  • Page 74: Configuring The Supplier Server

    Maintaining Referential Integrity • You should never enable it on a dedicated consumer server (a server that contains only read-only replicas). • You should never enable it on a server that contains a combination of read-write and read-only replicas. • You can enable it on a supplier server that contains only read-write replicas.
  • Page 75: Recording Updates In The Changelog

    Maintaining Referential Integrity Expand the Plugins folder in the navigation tree, and select the Referential Integrity Postoperation Plug-in. The settings for the plug-in are displayed in the right pane. Check the “Enable plugin” checkbox to enable the plug-in; clear it to disable it. Click Save to save your changes.
  • Page 76: Modifying The Update Interval

    Maintaining Referential Integrity Modifying the Update Interval By default, the server makes referential integrity updates immediately after a delete or a modrdn operation. If you want to reduce the impact this operation has on your system, you may want to increase the amount of time between updates. Although there is no maximum update interval, the following intervals are commonly used: •...
  • Page 77: Modifying The Attribute List

    Maintaining Referential Integrity Modifying the Attribute List By default, the Referential Integrity Plug-in is set up to check for and update the member, uniquemember, owner, and seeAlso attributes. You can add or delete attributes to be updated from the Directory Server Console. For example, you may add the attribute if roles are being used.
  • Page 79: Chapter 3 Configuring Directory Databases

    Chapter 3 Configuring Directory Databases Your directory is made up of databases over which you can distribute your directory tree. This chapter describes how to create suffixes, the branch points for your directory tree, and how to create the databases associated with each suffix. This chapter also describes how to create database links to reference databases on remote servers and how to use referrals to point clients to external sources of directory data.
  • Page 80: Creating Suffixes

    Your directory might contain more than one root suffix. For example, an ISP might host several websites, one for example.com and one for redhat.com. The ISP would create two root suffixes, one corresponding to the dc=example,dc=com naming context and one corresponding to the dc=redhat,dc=com naming context.
  • Page 81: Figure 3-2 A Sample Directory Tree With Two Root Suffixes

    Creating and Maintaining Suffixes Figure 3-2 A Sample Directory Tree with Two Root Suffixes You can also create root suffixes to exclude portions of your directory tree from search operations. For example, example.com Corporation might want to exclude their European office from a search on the general example.com Corporation directory.
  • Page 82: Creating A New Root Suffix Using The Console

    Creating and Maintaining Suffixes Figure 3-4 A Sample Directory Tree with a Sub Suffix This section describes creating root and subsuffixes for your directory using either the Directory Server Console or the command-line. This section contains the following procedures: • Creating a New Root Suffix Using the Console •...
  • Page 83: Creating A New Sub Suffix Using The Console

    Creating and Maintaining Suffixes If you selected the “Create associated database automatically” checkbox in step 4, enter a unique name for the new database in the “Database name” field. For the name, you can use a combination of alphanumeric, dash, and underscore characters;...
  • Page 84: Creating Root And Sub Suffixes From The Command-Line

    Creating and Maintaining Suffixes Click OK to create the new sub suffix. The suffix appears automatically under its root suffix in the Data tree in the left navigation pane. Creating Root and Sub Suffixes from the Command-Line Use the ldapmodify command-line utility to add new suffixes to your directory configuration file.
  • Page 85: Table 3-1 Suffix Attributes

    Creating and Maintaining Suffixes dn: cn="ou=groups,dc=example,dc=com",cn=mapping tree,cn=config objectclass: top objectclass: extensibleObject objectclass: nsMappingTree nsslapd-state: backend nsslapd-backend: GroupData nsslapd-parent-suffix: "dc=example,dc=com" cn: ou=groups,dc=example,dc=com NOTE If you want to maintain your suffixes using the Directory Server Console, you will need to respect the same spacing you use to name the root and subsuffixes via the command-line.
  • Page 86 Creating and Maintaining Suffixes Table 3-1 Suffix Attributes (Continued) Attribute Name Value nsslapd-state Determines how the suffix handles operations. This attribute takes the following values: • backend: the backend (database) is used to process all operations. • disabled: the database is not available for processing operations.
  • Page 87: Maintaining Suffixes

    Creating and Maintaining Suffixes Table 3-1 Suffix Attributes (Continued) Attribute Name Value nsslapd-parent-suffix Provides the DN of the parent entry for a sub suffix. By default, this attribute is not present, which means that the suffix is regarded as a root suffix.
  • Page 88: Enabling Referrals Only During Update Operations

    Creating and Maintaining Suffixes Click the Referrals tab. Enter an LDAP URL in the “Enter a new referral” field, or click Construct to be guided through the creation of an LDAP URL. For more information about the structure of LDAP URLs, see Appendix C, “LDAP URLs.”...
  • Page 89: Disabling A Suffix

    Creating and Maintaining Suffixes Disabling a Suffix Sometimes, you may need to take down a database for maintenance, but the data the database contains is not replicated. Rather than returning a referral, you can disable the suffix responsible for the database. Once you disable a suffix, the contents of the database related to the suffix are invisible to client applications when they perform LDAP operations such as search, add, and modify.
  • Page 90: Creating And Maintaining Databases

    Creating and Maintaining Databases Click OK to delete the suffix. A progress dialog box is displayed that tells you the steps being completed by the Console. Creating and Maintaining Databases After you create suffixes for organizing your directory data, you create databases to contain your directory data.
  • Page 91 Creating and Maintaining Databases This division of the tree corresponds to three databases, as follows: Database one contains the data for dc=example,dc=com plus the data for ou=people, so that clients can conduct searches based at dc=example,dc=com. Database two contains the data for ou=groups, and...
  • Page 92: Creating A New Database For An Existing Suffix Using The Console

    Creating and Maintaining Databases Database one contains people with names from A-K, and database two contains people with names from L-Z. Database three contains the ou=groups data, and database four contains the ou=contractors data. You need to use the custom distribution plug-in to distribute data from a single suffix across multiple databases.
  • Page 93: Creating A New Database For A Single Suffix From The Command-Line

    Creating and Maintaining Databases In the “Create database in” field, enter the path to the directory where you want to store the new database. You can also click Browse to locate a directory on your local machine. By default, the directory stores the new database in this directory: serverRoot/slapd-serverID/db Click OK.
  • Page 94: Adding Multiple Databases For A Single Suffix

    Creating and Maintaining Databases Adding Multiple Databases for a Single Suffix You can distribute a single suffix across multiple databases. However, to distribute the suffix, you need to create a custom distribution function to extend the directory. For more information on creating a custom distribution function, contact Red Hat Professional Services.
  • Page 95: Maintaining Directory Databases

    Creating and Maintaining Databases Select the Databases tab in the right window. Click Add to associate additional databases with the suffix. The “Database List” dialog box is displayed. Select a database from the list, and click OK. Enter the path to your distribution library in the “Distribution library” field, or click Browse to locate a distribution library on your local machine.
  • Page 96: Placing A Database In Read-Only Mode

    Creating and Maintaining Databases Placing a Database in Read-Only Mode When a database is in read-only mode, you cannot create, modify, or delete any entries. For example, you must put a database in read-only mode if you are manually initializing a consumer. If your Directory Server manages multiple databases, you can place all of them into read-only mode at the same time by placing your entire server in read-only mode.
  • Page 97: Deleting A Database

    Creating and Maintaining Databases Deleting a Database The following procedure describes deleting a directory database using the Directory Server Console. Deleting a database deletes the configuration information and entries for that database only, not the physical database itself. In the Directory Server Console, select the Configuration tab. In the left navigation pane, locate the database you want to delete, and select it.
  • Page 98: Database Encryption

    Creating and Maintaining Databases Edit the dse.ldif file, and change the nsslapd-db-logdirectory attribute for the new log file path: nsslapd-db-logdirectory: /home/exampledb-txnlogs This attribute goes on the same entry that has the nsslapd-dbcachesize attribute. Open the database directory under serverRoot/slapd-serverID/. Remove all of the files.
  • Page 99: Encryption Keys

    Creating and Maintaining Databases Since the server pre-encrypts all index keys before looking up an index for an encrypted attribute, there is some hit to server performance for searches that make use of an encrypted index, but the effect is not serious enough to offset the benefits of indexing entries.
  • Page 100: Encrypting Pre-Existing Data

    Creating and Maintaining Databases The encryption cipher is configurable on a per-attribute basis and must be selected by the administrator at the time encryption is enabled for an attribute. Configuration can be done through the Console or through the command-line. Once the encryption cipher is set, it should not be changed without exporting and re-importing the data.
  • Page 101: Configuring Database Encryption From The Console

    Creating and Maintaining Databases Configuring Database Encryption from the Console NOTE To enable database encryption on an attribute with existing stored data, you have to export the database to LDIF first, then make the configuration change, then re-import the data to the database. See “Exporting and Importing an Encrypted Database,”...
  • Page 102: Exporting And Importing An Encrypted Database

    Make any configuration changes. Re-import the data using the ldif2db script, as follows: ldif2db -n Database1 -E -i /opt/redhat-ds/servers/slapd-dirserver/ldif/output.ldif See “Importing from the Command-Line,” on page 153, for more information. Red Hat Directory Server Administrator’s Guide • May 2005...
  • Page 103: Creating And Maintaining Database Links

    Creating and Maintaining Database Links Creating and Maintaining Database Links Chaining is a method by which a server contacts other servers on behalf of a client application and then returns the combined results. This method is implemented through the database link. A database link points to data stored remotely. When a client application requests data from a database link, the database link retrieves the data from the remote database and returns it to the client.
  • Page 104: Table 3-2 Components Allowed To Chain

    Creating and Maintaining Database Links Some components send internal LDAP requests to the server, expecting to access local data only. For such components, you need to control the chaining policy so that the components can complete their operations successfully. One example is the certificate verification function.
  • Page 105 Creating and Maintaining Database Links Components Allowed to Chain (Continued) Table 3-2: Component Name: Certificate-based authentication checking. Description: This component is used when the SASL-external bind method is used. It retrieves the user certificate from the database on the remote server. Permissions: Read, search, and compare.
  • Page 106 Creating and Maintaining Database Links NOTE You cannot chain the following components: • Roles plug-in • Password policy component • Replication plug-ins When enabling the Referential Integrity Plug-in on servers issuing chaining requests, be sure to analyze your performance resource and time needs as well as your integrity needs.
  • Page 107: Chaining Ldap Controls

    Creating and Maintaining Database Links aci: (targetattr "*")(target="ldap:///ou=customers,l=us,dc=example,dc=com") (version 3.0; acl "RefInt Access for chaining"; allow (read,write,search,compare) userdn = "ldap:///cn=referential integrity postoperation,cn=plugins,cn=config";) Chaining Component Operations from the Command-Line You can specify components you want to include in chaining using the nsActiveChainingComponents attribute in the cn=config,cn=chaining...
  • Page 108 Creating and Maintaining Database Links • Loop detection — This control keeps track of the number of times the server chains with another server. When the count reaches a number you configure, a loop is detected, and the client application is notified. For more information about using this control, refer to “Detecting Loops,”...
  • Page 109: Creating A New Database Link

    Creating and Maintaining Database Links Table 3-3 LDAP Controls and Their OIDs
    Control Name              OID
    Virtual list view (VLV)   2.16.840.1.113730.3.4.9
    Server side sorting       1.2.840.113556.1.4.473
    Managed DSA               2.16.840.1.113730.3.4.2
    Loop detection            1.3.6.1.4.1.1466.29539.12
    For more information about LDAP controls, refer to the LDAP C-SDK documentation at http://www.mozilla.org/directory Creating a New Database Link...
  • Page 110 Creating and Maintaining Database Links Right-click Data in the left navigation pane, and select New Root Suffix or New Sub Suffix from the pop-up menu. A “Create New Suffix” dialog box is displayed. Enter the name of the suffix on the remote server to which you want to chain in the “New suffix”...
  • Page 111: Creating A Database Link From The Command-Line

    Creating and Maintaining Database Links Enter the name of a failover server in the “Failover Server(s)” field, and specify a port number in the “Port” field. The default port number is . Click Add to add the failover server to the list. You can specify multiple failover servers.
  • Page 112 Creating and Maintaining Database Links • Providing an LDAP URL • Providing a List of Failover Servers • Summary of Cascading Chaining Configuration Attributes • Database Link Configuration Example Providing Suffix Information Use the nsslapd-suffix attribute to define the suffix managed by your database link.
  • Page 113 Creating and Maintaining Database Links Use ldapmodify to provide a user DN for the database link in the nsMultiplexorBindDN attribute of the cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry. CAUTION The nsMultiplexorBindDN cannot be that of the Directory Manager. Use ldapmodify to provide a user password for the database link in the nsMultiplexorCredentials attribute...
  • Page 114 Creating and Maintaining Database Links Server B must contain a user entry corresponding to the nsMultiplexorBindDN and you must set the proxy authentication rights for this user. To set the proxy authorization correctly, you need to set the “proxy” ACI as you would any other ACI.
  • Page 115 Creating and Maintaining Database Links Providing an LDAP URL On the server containing your database link, you have to identify the remote server that the database link connects with using an LDAP URL. Unlike the standard LDAP URL format, the URL of the remote server does not specify a suffix. It takes the following form: ldap://hostname:portnumber You specify the URL of the remote server using the...
  • Page 116: Table 3-4 Database Link Configuration Attributes

    Creating and Maintaining Database Links The two global configuration attributes are located in the cn=config,cn=chaining database,cn=plugins,cn=config entry. The global attributes are dynamic, meaning any changes you make to them will automatically take effect on all instances of the database link within your directory.
  • Page 117 Creating and Maintaining Database Links Database Link Configuration Attributes (Continued) Table 3-4: nsProxiedAuthorization: Reserved for advanced use only. Allows you to disable proxied authorization. A value of off means proxied authorization is disabled. The default value is on. Lists the components using chaining.
  • Page 118 Creating and Maintaining Database Links First, use the ldapmodify command-line utility to add a database link to Server A. Type the following to change to the directory containing the utility: cd serverRoot/shared/bin Run the utility, as follows: ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com Then specify the configuration information for the database link: dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config...
  • Page 119 Creating and Maintaining Database Links nsslapd-state: backend nsslapd-backend: DBLink1 nsslapd-parent-suffix: "ou=people,dc=example,dc=com" cn: l=Zanzibar,ou=people,dc=example,dc=com In the first section, the nsslapd-suffix attribute contains the suffix on Server B to which you want to chain from Server A. The nsFarmServerURL attribute contains the LDAP URL of Server B. The second section creates a new suffix, allowing the server to route requests made to the new database link.
  • Page 120: Chaining Using Ssl

    Creating and Maintaining Database Links NOTE When a user binds to a database link, the user’s identity is sent to the remote server. Access controls are always evaluated on the remote server. For the user to modify or write data successfully to the remote server, you need to set up the correct access controls on the remote server.
  • Page 121: Maintaining Database Links

    Creating and Maintaining Database Links Maintaining Database Links This section describes how to update and delete existing database links. It contains the following procedures: • Updating Remote Server Authentication Information • Deleting Database Links Updating Remote Server Authentication Information To update the bind DN and password used by the database link to connect to the remote server: In the Directory Server Console, select the Configuration tab.
  • Page 122: Database Links And Access Control Evaluation

    Creating and Maintaining Database Links From the Object menu, select Delete. You can also right-click the database link and select Delete from the pop-up menu. The Deleting Database Link confirmation dialog box is displayed. Click Yes to confirm that you want to delete the database link. A progress dialog box appears telling you the steps the Directory Server completes during the deletion.
  • Page 123: Advanced Feature: Tuning Database Link Performance

    Creating and Maintaining Database Links • ACIs that refer to values of a user’s entry (for example, userattr subject rules) will work if the user is remote. Though access controls are always evaluated on the remote server, you can also choose to have them evaluated on both the server containing the database link and the remote server.
  • Page 124: Managing Connections To The Remote Server

    Creating and Maintaining Database Links Managing Connections to the Remote Server Each database link maintains a pool of connections to a remote server. You can configure the connections to optimize resources for your directory. You can change the connection attributes using the Directory Server Console or through the command-line.
  • Page 125: Table 3-5 Database Link Connection Management Attributes

    Creating and Maintaining Database Links Connection lifetime (sec). How long a connection made between the database link and remote server remains open. You can keep connections between the database link and the remote server open for an unspecified time, or you can close them after a specific period of time. It is faster to keep the connections open, but it uses more resources.
  • Page 126: Detecting Errors During Normal Processing

    Creating and Maintaining Database Links Database Link Connection Management Attributes (Continued) Table 3-5: nsBindRetryLimit: Number of times a database link attempts to bind to the remote server. A value of zero (0) indicates that the database link will try to bind only once. The default value is 3 attempts. Connection lifetime, in seconds.
  • Page 127: Managing Threaded Operations

    Creating and Maintaining Database Links If the remote server does not respond before the nsMaxTestResponseDelay period has passed, then an error is returned, and the connection is flagged as down. All connections between the database link and remote server will be blocked for 30 seconds, protecting your server from a performance degradation.
  • Page 128: Advanced Feature: Configuring Cascading Chaining

    Creating and Maintaining Database Links While the database link waits for results from the remote server, it can process additional operations. By default, the number of threads used by the server is However, when using database links, you can improve performance by increasing the number of threads available for processing operations.
  • Page 129 Creating and Maintaining Database Links The client application sends a modify request to Server 1. Server 1 contains a database link that forwards the operation to Server 2, which contains another database link. The database link on Server 2 forwards the operation to Server 3, which contains the data the client wants to modify in a database.
  • Page 130 Creating and Maintaining Database Links The dc=example,dc=com root suffix and the ou=people and ou=groups subsuffixes are stored on Server A. The l=europe,dc=example,dc=com and ou=groups suffixes are stored on Server B, and the l=europe,dc=example,dc=com branch of the ou=people suffix is stored on Server C. With cascading configured on servers A, B, and C, a client request targeted at the entry would be routed by the...
  • Page 131: Configuring Cascading Chaining Defaults Using The Console

    Creating and Maintaining Database Links First, the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the branch.
  • Page 132: Configuring Cascading Chaining Using The Console

    Creating and Maintaining Database Links Select the “Check local ACI” checkbox if you want to enable the evaluation of local ACIs on the intermediate database links involved in cascading chaining. If you select this checkbox, you will need to add the appropriate local ACIs to a database on the servers that contain intermediate database links.
  • Page 133: Configuring Cascading Chaining From The Command-Line

    Creating and Maintaining Database Links Configuring Cascading Chaining from the Command-Line Configuring a cascade of database links through the command-line involves the following steps: • Pointing one database link to the URL of the server containing the intermediate database link. •...
  • Page 134 Creating and Maintaining Database Links Creating the Proxy Administrative User ACI You need to create an ACI on the server that contains the intermediate database link that checks the rights of the first database link before translating the request to another server. For example, if Server 2 does not check the credentials of Server 1, then anyone could bind as anonymous and pass a proxy authorization control...
  • Page 135 Creating and Maintaining Database Links Setting this attribute in the cn=default instance config,cn=chaining database,cn=plugins,cn=config entry means that all new database link instances will have the nsCheckLocalACI attribute set to the same value in their cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry. Creating Client ACIs Because you have enabled local ACI evaluation, you need to create the appropriate client application ACIs on all intermediate database links, as well as the final destination database.
  • Page 136: Summary Of Cascading Chaining Configuration Attributes

    Creating and Maintaining Database Links Summary of Cascading Chaining Configuration Attributes The following table describes the attributes used to configure intermediate database links in a cascading chain: Table 3-7 Cascading Chaining Configuration Attributes: nsFarmServerURL: URL of the server containing the next database link in the cascading chain. nsTransmittedControls: Enter the following OIDs to the database links involved in the cascading...
  • Page 137: Configuring Server One

    Creating and Maintaining Database Links Configuring Server One First, use the ldapmodify command-line utility to add a database link to Server 1. To use the utility, type the following to change to the directory containing the utility: cd serverRoot/shared/bin Run the utility, as follows: ldapmodify -a -D "cn=directory manager"...
  • Page 138 Creating and Maintaining Database Links Then specify the configuration information for the database link, DBLink1, on Server 1, as follows: dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance nsslapd-suffix: c=africa,ou=people,dc=example,dc=com nsfarmserverurl: ldap://africa.example.com:389/ nsmultiplexorbinddn: cn=server1 proxy admin,cn=config nsmultiplexorcredentials: secret cn: DBLink1 nsCheckLocalACI:off cn="c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config...
  • Page 139: Configuring Server Two

    Creating and Maintaining Database Links Configuring Server Two Next, you create a proxy administrative user on Server 2. This administrative user will be used to allow Server 1 to bind and authenticate to Server 2. It is useful to choose a proxy administrative user name which is specific to Server 1, as it is the proxy administrative user which will allow Server 1 to bind to Server 2.
  • Page 140 Creating and Maintaining Database Links Since database link DBLink2 is the intermediate database link in your cascading chaining configuration, you need to set the nsCheckLocalACI attribute to allow the server to check whether it should allow the client and proxy administrative user access to the database link.
  • Page 141: Configuring Server Three

    Creating and Maintaining Database Links NOTE To create these ACIs, it is assumed that the database corresponding to the c=africa,ou=people,dc=example,dc=com suffix already exists to hold the entry. This database needs to be associated with a suffix above the suffix specified in the nsslapd-suffix attribute of each database link.
  • Page 142 Creating and Maintaining Database Links dn: cn=server2 proxy admin,cn=config objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: server2 proxy admin sn: server2 proxy admin userPassword: secret description: Entry for use by database links Then you need to add the same local proxy authorization ACI to Server 3 as you did on Server 2.
  • Page 143: Using Referrals

    Using Referrals Using Referrals You can use referrals to tell client applications which server to contact for a specific piece of information. This redirection occurs when a client application requests a directory entry that does not exist on the local server or when a database has been taken off-line for maintenance.
  • Page 144: Setting A Default Referral From The Command-Line

    Using Referrals Setting a Default Referral from the Command-Line Use the ldapmodify command-line utility to add a default referral to the cn=config entry in your directory’s configuration file. For example, to add a new default referral from your Directory Server, dir1.example.com, to a server named , add a new line to the...
  • Page 145: Creating Smart Referrals Using The Directory Server Console

    Using Referrals The following procedures describe creating smart referrals using both the Console and the command-line utilities. Creating Smart Referrals Using the Directory Server Console To configure smart referrals: In the Directory Server Console, select the Directory tab. Browse through the tree in the left navigation pane, and select the entry for which you want to add the referral.
  • Page 146: Creating Smart Referrals From The Command-Line

    Using Referrals The Smart Referral List lists the referrals currently in place for the selected entry. The entire list of referrals is returned to client applications in response to a request when you select “Return Referrals for All Operations” or “Return Referrals for Update Operations”...
  • Page 147: Creating Suffix Referrals

    Using Referrals uid: jdoe ref: ldap://directory.europe.example.com/cn=john%20doe,ou=people,l=europe,dc=example,dc=com Use the option with ldapmodify when there is already a referral in the DN path. For information about the ldapmodify utility, see Red Hat Directory Server Configuration, Command, and File Reference. For more information on smart referrals, see Red Hat Directory Server Deployment Guide.
  • Page 148: Creating Suffix Referrals From The Command-Line

    Using Referrals Click Add to add the referral to the list. You can enter multiple referrals. The directory will return the entire list of referrals in response to requests from client applications. Click Save. Creating Suffix Referrals from the Command-Line Use the ldapmodify command-line utility to add a suffix referral to an entry in...
  • Page 149: Chapter 4 Populating Directory Databases

    Chapter 4 Populating Directory Databases Databases contain the directory data managed by your Red Hat Directory Server (Directory Server). This chapter describes the following procedures for populating your directory databases: • Importing Data (page 149) • Exporting Data (page 156) •...
  • Page 150: Importing A Database From The Console

    Importing Data Table 4-1 Import Method Comparison
    Action                      Import                                                          Initialize Database
    Overwrites database         No                                                              Yes
    LDAP operations             Add, modify, delete                                             Add only
    Performance                 More time-consuming                                             Fast
    Partition speciality        Works on all partitions                                         Local partitions only
    Response to server failure  Best effort (all changes made up to the point of the failure)   Atomic (all changes are lost after a failure)
  • Page 151 Importing Data In the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen, and select Import Database. You can also import by going to the Configuration tab and selecting “Import” from the Console menu. The Import Database dialog box is displayed. In the “LDIF file”...
  • Page 152: Initializing A Database From The Console

    Importing Data Initializing a Database from the Console You can overwrite the existing data in a database. The following section describes using the Console to initialize databases. You must be logged in as the Directory Manager in order to initialize a database. This is because you cannot import an LDIF file that contains a root entry unless you bind to the directory as the Directory Manager (Root DN).
  • Page 153: Importing From The Command-Line

    Importing Data Importing from the Command-Line You can use three methods for importing data through the command-line: • Using ldif2db — This import method overwrites the contents of your database and requires the server to be stopped. • Using ldif2db.pl — This import method overwrites the contents of your database while the server is still running.
  • Page 154: Importing Using The Ldif2Db.pl Perl Script

    Make sure that you do not misspell the database name. An example of performing an import using the ldif2db UNIX shell script follows: ldif2db -n Database1 -i /opt/redhat-ds/servers/slapd-dirserver/ldif/demo.ldif -i /opt/redhat-ds/servers/slapd-dirserver/ldif/demo2.ldif The following table describes the options used in the ldif2db examples (Option, Description): Specifies the full path name of the LDIF file(s) to be imported.
  • Page 155: Importing Using The Ldif2Ldap Command-Line Script

    Directory Manager. UNIX shell script: ldif2db.pl -D "cn=Directory Manager" -w secretpwd -i /opt/redhat-ds/servers/slapd-dirserver/ldif/demo.ldif -n Database1 The following table describes the options used in the ldif2db.pl examples (Option, Description): Specifies the DN of the administrative user.
  • Page 156: Exporting Data

    UNIX shell script ldif2ldap follows: ldif2ldap "cn=Directory Manager" secret /opt/redhat-ds/servers/slapd-dirserver/ldif/demo.ldif The ldif2ldap script requires you to specify the DN of the administrative user, the password of the administrative user, and the absolute path and filename of the LDIF file(s) to be imported.
  • Page 157: Exporting Directory Data To Ldif Using The Console

    Exporting Data To populate the new databases requires exporting the contents of database one and importing it into the new databases one and two. You can use the Directory Server Console or command-line utilities to export data. The following sections describe these methods in detail: •...
  • Page 158: Exporting A Single Database To Ldif Using The Console

    Exporting Data Select “To server machine” to indicate that you are exporting to an LDIF file located on the server’s machine. If you want to export the whole directory, select the “Entire database” radio button. If you want to export only a single subtree of the suffix contained by the database, select the “Subtree”...
  • Page 159: Exporting To Ldif From The Command-Line

    Backing Up and Restoring Data Exporting to LDIF from the Command-Line You can export your database to LDIF using the db2ldif command-line script. This script exports all of your database contents or a part of their contents to LDIF when the server is running or stopped. NOTE To export a database that has been encrypted, you must use the option with the db2ldif script.
  • Page 160: Backing Up All Databases

    Backing Up and Restoring Data The following sections describe the procedures for backing up and restoring data: • Backing Up All Databases • Backing Up the dse.ldif Configuration File • Restoring All Databases • Restoring a Single Database • Restoring Databases That Include Replicated Entries •...
  • Page 161: Backing Up All Databases From The Command-Line

    This example performs a backup using the db2bak UNIX shell script: db2bak /opt/redhat-ds/servers/slapd-dirserver/bak/bak_20010701103056 You can specify the backup directory and output file where the server saves the exported LDIF file. If you do not specify a directory and output file, the directory will store the file by default in the directory where the command-line script resides.
  • Page 162: Backing Up The Dse.ldif Configuration File

    Backing Up and Restoring Data Backing Up the dse.ldif Configuration File Directory Server automatically backs up the dse.ldif configuration file. When you start your Directory Server, the directory creates a backup of the dse.ldif file automatically in a file named dse.ldif.startOK in this directory: serverRoot/slapd-serverID/config...
  • Page 163: Restoring Your Database From The Command-Line

    This example performs a restore using the bak2db UNIX shell script: bak2db /opt/redhat-ds/servers/slapd-dirserver/bak/bak_20010701103056 The bak2db script requires that you define the full path and name of the input file. Using bak2db.pl Perl Script To restore your directory from the command-line while the server is running:...
  • Page 164: Restoring A Single Database

    /bak bak2db parameter to specify the backend instance name. For example: ./bak2db /opt/redhat-ds/slapd-serverID/bak/backup_file -n userRoot Restart the Directory Server by typing the following: ./start-slapd Restoring Databases That Include Replicated Entries If you are restoring a database that is supplying entries to other servers, then you...
  • Page 165: Restoring The Dse.ldif Configuration File

    Backing Up and Restoring Data • Changelog entries have not yet expired on the supplier server. If the supplier server changelog has not expired since the database backup was taken, then you can restore the local consumer and continue with normal operations.
  • Page 166: Enabling And Disabling Read-Only Mode

    Enabling and Disabling Read-Only Mode Enabling and Disabling Read-Only Mode Before performing certain export or backup operations on your Directory Server, you can enable read-only mode on any of the databases to ensure you have a faithful image of the state of these databases at a given time. The Directory Server Console and the command-line utilities do not automatically put the directory in read-only mode before export or backup operations because this would make your directory unavailable for updates.
  • Page 167: Chapter 5 Advanced Entry Management

    Chapter 5 Advanced Entry Management You can group the entries contained within your directory to simplify the management of user accounts. Red Hat Directory Server (Directory Server) supports a variety of methods for grouping entries and sharing attributes between entries. This chapter describes the following grouping mechanisms and their procedures: •...
  • Page 168: Managing Static Groups

    Using Groups Managing Static Groups Static groups allow you to group entries by specifying the same group value in the DN attribute of any number of users. This section includes the following procedures for creating and modifying static groups: • Adding a New Static Group •...
  • Page 169: Modifying A Static Group

    Using Groups Modifying a Static Group In the Directory Server Console, select the Directory tab. The directory contents appear in the left pane. Double-click the entry you want to modify, or select Open from the Object menu. The Edit Group dialog box appears. Make your changes to the group information.
  • Page 170: Modifying A Dynamic Group

    Using Roles Click Languages in the left pane to add language-specific information for your group. Click OK to create your new group. Your new group appears in the right pane. Modifying a Dynamic Group In the Directory Server Console, select the Directory tab. The directory contents appear in the left pane.
  • Page 171: About Roles

    Using Roles • Using Roles Securely About Roles Roles unify the static and dynamic group concept supported by previous versions of Directory Server. You can use roles to: • Enumerate the members of a role. Having an enumerated list of role members can be useful for resolving queries for role members quickly.
  • Page 172: Managing Roles Using The Console

    Using Roles • Managed roles — A managed role allows you to create an explicit enumerated list of members. • Filtered roles — A filtered role allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter.
  • Page 173: Creating A Managed Role

    Using Roles • Deleting a Role When you create a role, you need to decide whether a user can add themselves or remove themselves from the role. Refer to “Using Roles Securely,” on page 180, for more information about roles and access control. Creating a Managed Role Managed roles allow you to create an explicit enumerated list of members.
  • Page 174: Creating A Filtered Role

    Using Roles Creating a Filtered Role You assign entries to a filtered role depending upon a particular attribute contained by each entry. You do this by specifying an LDAP filter. Entries that match the filter are said to possess the role. To create and add members to a filtered role: Follow steps 1-5 of “Creating a Managed Role,”...
  • Page 175: Viewing And Editing An Entry's Roles

    Using Roles To create and add members to a nested role: Follow steps 1-5 of “Creating a Managed Role,” on page 173. Click Members in the left pane. A search dialog box appears briefly. In the right pane, select Nested Role. Click Add to add roles to the list. The members of the nested role are members of other existing roles.
  • Page 176: Modifying A Role Entry

    Using Roles Click OK to save your changes once you have finished modifying the roles. Modifying a Role Entry To edit an existing role: In the Directory Server Console, select the Directory tab. Browse the navigation tree in the left pane to locate the base DN for your role. Roles appear in the right pane with other entries.
  • Page 177: Deleting A Role

    Using Roles Browse the navigation tree in the left pane to locate the base DN for your role. Roles appear in the right pane with other entries. Select the role. Select Activate from the Object menu. You can also right-click the role and select Activate from the menu. The role is reactivated.
  • Page 178: Examples: Managed Role Definition

    Using Roles • Members of a filtered role are entries that match the filter specified in the nsRoleFilter attribute. • Members of a nested role are members of the roles specified in the nsRoleDN attributes of the nested role definition entry. Table 5-1 lists the new object classes and attributes associated with each type of role.
  • Page 179: Example: Filtered Role Definition

    Using Roles Notice that the nsManagedRoleDefinition object class inherits from the LDAPsubentry, nsRoleDefinition, and nsSimpleRoleDefinition object classes. Assign the role to a marketing staff member named Bob by doing an ldapmodify as follows: ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389 dn: cn=Bob,ou=people,dc=example,dc=com changetype: modify add: nsRoleDN...
  • Page 180: Example: Nested Role Definition

    Using Roles Example: Nested Role Definition You want to create a role that contains both the marketing staff and sales managers contained by the roles you created in the previous examples. The nested role you created using ldapmodify appears as follows: dn: cn=MarketingSales,ou=people,dc=example,dc=com objectclass: top...
  • Page 181 Using Roles For example, user A possesses the managed role, MR. The MR role has been locked using account inactivation through the command-line. This means that user A cannot bind to the server because the nsAccountLock attribute is computed as true for that user.
  • Page 182: Assigning Class Of Service

    Assigning Class of Service Assigning Class of Service A class of service (CoS) allows you to share attributes between entries in a way that is transparent to applications. CoS simplifies entry management and reduces storage requirements. There are two methods for creating and managing CoS: with Directory Server Console or through the command-line.
  • Page 183: About The Cos Definition Entry

    Assigning Class of Service The following sections describe the entries that make up a CoS in more detail and provide examples of each type of CoS. About the CoS Definition Entry The CoS definition entry is an instance of the object class.
  • Page 184: How A Pointer Cos Works

    Assigning Class of Service • The value of one of the target entry’s attributes. The attribute used to provide the relative DN to the template entry is specified in the CoS definition entry using the cosIndirectSpecifier attribute. This type of template is associated with an indirect CoS. •...
  • Page 185: How A Classic Cos Works

    Assigning Class of Service The three CoS entries appear as illustrated in Figure 5-2. Figure 5-2 Sample Indirect CoS In this example, the target entry for William Holiday contains the indirect specifier, the manager attribute. William’s manager is Carla Fuentes, so the manager attribute contains a pointer to the DN of the template entry,...
  • Page 186: Managing Cos Using The Console

    Assigning Class of Service Figure 5-3 Sample Classic CoS In this example, the CoS definition entry’s cosSpecifier attribute specifies the employeeType attribute. This attribute, in combination with the template DN, identifies the template entry as cn=sales,cn=exampleUS,cn=data. The template entry then provides the value of the attribute to the target entry.
  • Page 187 Assigning Class of Service Go to the Object menu, and select New > Class of Service. You can also right-click the entry and select New > Class of Service. The Create New Class of Service dialog displays. Select General in the left pane. In the right pane, enter the name of your new class of service in the “Class Name”...
  • Page 188: Creating The Cos Template Entry

    Assigning Class of Service By its DN. If you choose to have the template entry identified by only its DN (a pointer CoS), enter the DN of the template in the “Template DN” field. Click Browse to locate the DN on your local server. This will be an exact DN;...
  • Page 189 Assigning Class of Service NOTE You can also add the LDAPsubentry object class to a new template entry. Making the CoS template entry an instance of the LDAPsubentry object class allows ordinary searches to be performed unhindered by the configuration entries. However, if the template entry already exists and is used for something else (for example, if it is a user entry), you do not need to make it an instance of the...
  • Page 190: Editing An Existing Cos

    Assigning Class of Service Editing an Existing CoS The following procedure describes changing the description and attributes generated on the target entry of an existing class of service. To edit an existing CoS: In the Directory Server Console, select the Directory tab. Browse the tree in the left navigation pane, and select the parent entry that contains your class of service.
  • Page 191: Creating The Cos Definition Entry From The Command-Line

    Assigning Class of Service • Creating the CoS Definition Entry from the Command-Line • Creating the CoS Template Entry from the Command-Line • Example of a Pointer CoS • Example of an Indirect CoS • Example of a Classic CoS Creating the CoS Definition Entry from the Command-Line Each type of CoS requires a particular object class to be specified in the definition entry.
  • Page 192 Assigning Class of Service Table 5-3 CoS Definition Entry Attributes (Continued) Attribute Definition cosIndirectSpecifier Specifies the attribute value used by an indirect CoS to identify the template entry. cosSpecifier Specifies the attribute value used by a classic CoS, which, along with the template entry’s DN, identifies the template entry.
  • Page 193: Table 5-4 Cos Definitions

    Assigning Class of Service For example, you might create a pointer CoS definition entry that contains an override qualifier as follows: dn: cn=pointerCoS,dc=example,dc=com objectclass: top objectclass: cosSuperDefinition objectclass: cosPointerDefinition cosTemplateDn: cn=exampleUS,ou=data,dc=example,dc=com cosAttribute: postalCode override This pointer CoS definition entry indicates that it is associated with a template entry, cn=exampleUS,ou=data,dc=example,dc=com, that generates the value of...
  • Page 194: Creating The Cos Template Entry From The Command-Line

    Assigning Class of Service Table 5-4 CoS Definitions (Continued) CoS Type CoS definition Classic CoS objectclass: top objectclass: cosSuperDefinition objectclass: cosClassicDefinition cosTemplateDn: DN_string cosSpecifier: attribute_name cosAttribute: list_of_attributes qualifier Creating the CoS Template Entry from the Command-Line Each template entry is an instance of the object class.
  • Page 195: Example Of A Pointer Cos

    Assigning Class of Service Templates that contain no cosPriority attribute are considered the lowest priority. In the case where two or more templates are considered to supply an attribute value and they have the same (or no) priority, a value is chosen arbitrarily.
  • Page 196: Example Of An Indirect Cos

    Assigning Class of Service dn: cn=exampleUS,ou=data,dc=example,dc=com objectclass: top objectclass: extensibleobject objectclass: cosTemplate postalCode: 44438 The CoS template entry (cn=exampleUS,ou=data,dc=example,dc=com) supplies the value stored in its postalCode attribute to any entries located under the dc=example,dc=com suffix. These entries are the target entries. Example of an Indirect CoS This indirect CoS uses the...
  • Page 197: Example Of A Classic Cos

    Assigning Class of Service Example of a Classic CoS You want to create a classic CoS that automatically generates postal codes using a combination of the template DN and the attribute specified in the cosSpecifier attribute. First, you add a new classic CoS definition entry to the dc=example,dc=com suffix, using...
  • Page 198: Creating Role-Based Attributes

    Assigning Class of Service Creating Role-Based Attributes You can create classic CoS schemes that generate attribute values for an entry based on the role possessed by the entry. For example, you could use role-based attributes to set the server look through limit on an entry-by-entry basis. To create a role-based attribute, use the nsRole attribute as the...
  • Page 199: Access Control And Cos

    Assigning Class of Service dn: cn="cn=ManagerRole,ou=people,dc=example,dc=com",cn=managerCOS,dc=example,dc=com objectclass: top objectclass: extensibleobject objectclass: cosTemplate mailboxquota: 1000000 The template provides the value 1000000 for the mailboxquota attribute. NOTE The role entry and the CoS definition and template entries should be located at the same level in the directory tree. Access Control and CoS The server controls access to attributes generated by a CoS in exactly the same way as regular stored attributes.
  • Page 200 Assigning Class of Service Red Hat Directory Server Administrator’s Guide • May 2005...
  • Page 201: Chapter 6 Managing Access Control

    Chapter 6 Managing Access Control Red Hat Directory Server (Directory Server) provides you with the ability to control access to your directory. This chapter describes the access control mechanism. This section includes the following topics: • Access Control Principles (page 202) •...
  • Page 202: Access Control Principles

    Access Control Principles Access Control Principles The mechanism by which you define access is called access control. When the server receives a request, it uses the authentication information provided by the user in the bind operation and the access control instructions (ACIs) defined in the server to allow or deny access to directory information.
  • Page 203: Aci Placement

    Access Control Principles ACI Placement If an entry containing an ACI does not have any child entries, the ACI applies to that entry only. If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a direct consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs for every entry between the one requested and the directory suffix, as well as the ACIs on the entry itself.
  • Page 204: Aci Limitations

    Access Control Principles For example, if you deny write permission at the directory’s root level, then none of the users can write to the directory, regardless of the specific permissions you grant them. To grant a specific user write permissions to the directory, you have to restrict the scope of the original denial for write permission so that it does not include the user.
  • Page 205: Default Acis

    Default ACIs If you create target filters or bind rules that depend on the value of attributes generated by CoS, the access control rule will not work. For more information on CoS, see chapter 5, “Advanced Entry Management.” • Access control rules are always evaluated on the local server. Therefore, it is not necessary to specify the hostname or port number of the server in LDAP URLs used in ACI keywords.
  • Page 206: Creating Acis Manually

    Creating ACIs Manually • All authenticated users have search, compare, and read rights to configuration attributes that identify the Administration Server. The following sections explain how to modify these default settings to suit the needs of your organization. Creating ACIs Manually You can create access control instructions manually using LDIF statements and add them to your directory tree using the utility.
  • Page 207: Example Aci

    Creating ACIs Manually • specifically outlines what rights you are either allowing or denying permission (for example, read or search rights). • bind_rules specify the credentials and bind parameters that a user has to provide to be granted access. Bind rules can also specifically deny access to certain users or groups of users.
  • Page 208: Table 6-1 Ldif Target Keywords

    Creating ACIs Manually • An attribute value, or a combination of values, that match a specified LDAP filter, as described in “Targeting Attribute Values Using LDAP Filters,” on page 213. The general syntax for a target is: (keyword = "expression") (keyword != "expression") where: keyword indicates the type of target.
  • Page 209: Targeting A Directory Entry

    Creating ACIs Manually Be wary of using when specifying an attribute you want to deny. ACLs are logically ORed, which means that if you created two ACLs acl1: ( target=...)( targetattr!=a )(version 3.0; acl "name";allow (...).. acl2: ( target=...)( targetattr!=b )(version 3.0; acl "name";allow (...)..
  • Page 210 Creating ACIs Manually You can also use a wildcard when targeting a distinguished name using the target keyword. The wildcard indicates that any character or string or substring is a match for the wildcard. Pattern matching is based on any other strings that have been specified with the wildcard.
  • Page 211: Targeting Attributes

    Creating ACIs Manually uid=bjensen,dc=example,dc=com ou=Engineering,dc=example,dc=com NOTE You cannot use wildcards in the suffix part of a distinguished name. That is, if your directory uses the suffixes c=US and c=GB, then you cannot use the following target to reference both suffixes: (target="ldap:///dc=example,c=*"). Neither can you use a target such as uid=bjensen,dc=*.com Targeting Attributes...
  • Page 212: Targeting Both An Entry And Attributes

    Creating ACIs Manually The attributes specified in the targetattr keyword apply to the entry that the ACI is targeting and to all the entries below it. If you target the password attribute on the entry uid=bjensen,ou=Marketing,dc=example,dc=com, only the password attribute on the bjensen entry is affected by the ACI because it is a leaf entry.
  • Page 213: Targeting Attribute Values Using Ldap Filters

    Creating ACIs Manually This type of filter targets whole entries. You can associate the targetfilter and targetattr keywords to create ACIs that apply to a subset of attributes in the targeted entries. The following LDIF example allows members of the Engineering Admins group to modify the departmentNumber attributes of all entries in the...
  • Page 214: Targeting A Single Directory Entry

    Creating ACIs Manually • represents the operation of creating an attribute. • represents the operation of deleting an attribute. • attrx represents the target attributes. • represents filters that apply only to the associated attribute. When creating an entry, if a filter applies to an attribute in the new entry, then each instance of that attribute must satisfy the filter.
  • Page 215: Defining Permissions

    Creating ACIs Manually A safer method is to use the targetfilter keyword and to specify explicitly an attribute value that appears in the entry alone. For example, during the installation of the Directory Server, the following ACI is created: aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0;...
  • Page 216 Creating ACIs Manually • Add — Indicates whether users can create an entry. This permission applies only to the add operation. • Delete — Indicates whether users can delete an entry. This permission applies only to the delete operation. • Search —...
  • Page 217: Rights Required For Ldap Operations

    Creating ACIs Manually NOTE The proxy mechanism is very powerful and must be used sparingly. Proxy rights are granted within the scope of the ACL, and there is no way to restrict who an entry that has the proxy right can impersonate—that is, when you grant a user proxy rights, that user has the ability to proxy for any user under the target;...
  • Page 218: Permissions Syntax

    Creating ACIs Manually Grant write permission on the attribute type used in the new RDN. Grant write permission on the attribute type used in the old RDN, if you want to grant the right to delete the old RDN. Grant write permission on the value of attribute type used in the new RDN.
  • Page 219: Access Control And The Modrdn Operation

    Bind Rules aci: (target="ldap:///dc=example,dc=com") (version 3.0;acl "example"; allow (read, search, compare) bind_rule;) Access Control and the modrdn Operation To explicitly deny modrdn rights using ACIs, you must target the relevant entries but omit the targetattr keyword. For example, to prevent the cn=helpDeskGroup,ou=groups,o=example.com group from renaming any entries...
  • Page 220: Bind Rule Syntax

    Bind Rules Additionally, bind rules can be complex constructions that combine these criteria by using Boolean operators. See “Using Boolean Bind Rules,” on page 236, for more information. Bind Rule Syntax Whether access is allowed or denied depends on whether an ACI’s bind rule is evaluated to be true.
  • Page 221: Defining User Access - Userdn Keyword

    Bind Rules Table 6-2 LDIF Bind Rule Keywords (Continued) Keyword Valid Expressions Wildcard Allowed? userattr attribute#bindType or attribute#value IP_address DNS_host_name dayofweek timeofday 0 - 2359 authmethod none simple sasl authentication_method The sections that follow contain further detail on bind rule syntax for each keyword.
  • Page 222: Anonymous Access (Anyone Keyword)

    Bind Rules ldap:///suffix??sub?(filter) NOTE If a DN contains a comma, the comma must be preceded by a backslash (\) escape character. Anonymous Access (anyone Keyword) Granting anonymous access to the directory means that anyone can access it without providing a bind DN or password and regardless of the circumstances of the bind.
  • Page 223: Wildcards

    Bind Rules For example, all users in the accounting and engineering branches of the example.com tree would be granted or denied access to the targeted resource dynamically based on the following URL: userdn = "ldap:///dc=example,dc=com??sub?(|(ou=engineering) (ou=accounting))" NOTE Do not specify a hostname or port number within the LDAP URL. LDAP URLs always apply to the local server.
  • Page 224 Bind Rules • Userdn keyword excluding a specific LDAP URL: userdn != "ldap:///uid=*,ou=Accounting,dc=example,dc=com"; The bind rule is evaluated to be true if the client is not binding as a UID-based distinguished name in the accounting subtree. This bind rule only makes sense if the targeted entry is not under the accounting branch of the directory tree.
  • Page 225: Defining Group Access - Groupdn Keyword

    Bind Rules aci: (version 3.0; acl "anonymous-read-search"; allow (read, search) userdn = "ldap:///anyone";) • Userdn keyword containing the parent keyword: userdn = "ldap:///parent"; The bind rule is evaluated to be true if the bind DN is the parent of the targeted entry.
  • Page 226: Defining Role Access - Roledn Keyword

    Bind Rules • Groupdn keyword containing an LDAP URL: groupdn = "ldap:///cn=Administrators,dc=example,dc=com"; The bind rule is evaluated to be true if the bind DN belongs to the Administrators group. If you wanted to grant the Administrators group permission to write to the entire directory tree, you would create the following ACI on the dc=example,dc=com node:...
  • Page 227: Using The Userattr Keyword

    Bind Rules For example, you can specify that the bind DN must match the DN in the manager attribute of a user entry in order for the ACI to apply. In this case, only the user’s manager would have access to the entry. This example is based on DN matching.
  • Page 228 Bind Rules The bind rule is evaluated to be true if the bind DN matches the value of the manager attribute in the targeted entry. You can use this to allow a user’s manager to modify employees’ attributes. This mechanism only works if the manager attribute in the targeted entry is expressed as a full DN.
  • Page 229 Bind Rules The bind rule is evaluated to be true if the bind DN belongs to the role specified in the exampleEmployeeReportsTo attribute of the targeted entry. For example, if you create a nested role for all managers in your company, you can use this mechanism to grant managers at all levels access to information about employees that are at a lower grade than themselves.
  • Page 230: Using The Userattr Keyword With Inheritance

    Bind Rules Using the userattr Keyword with Inheritance When you use the userattr keyword to associate the entry used to bind with the target entry, the ACI applies only to the target specified and not to the entries below it. In some circumstances, you might want to extend the application of the ACI several levels below the targeted entry.
  • Page 231: Granting Add Permission Using The Userattr Keyword

    Bind Rules Figure 6-1 Using Inheritance With the userattr Keyword In this example, if you did not use inheritance, you would have to do one of the following to achieve the same result: • Explicitly set read and search access for user bjensen on the cn=Profiles...
  • Page 232: Defining Access From A Specific Ip Address

    Bind Rules This ACI grants managers all rights on the entries of employees that report to them. However, because access rights are evaluated on the entry being created, this type of ACI would also allow any employee to create an entry in which the manager attribute is set to their own DN.
  • Page 233: Defining Access From A Specific Domain

    Bind Rules The bind rule is evaluated to be true if the client accessing the directory is located at the named IP address. This can be useful for allowing certain kinds of directory access only from a specific subnet or machine. For example, you could use a wildcard IP address such as 12.3.45.* to specify a...
  • Page 234: Defining Access At A Specific Time Of Day Or Day Of Week

    Bind Rules Defining Access at a Specific Time of Day or Day of Week You can use bind rules to specify that binding can only occur at a certain time of day or on a certain day of the week. For example, you can set a rule that will allow access only if it is between the hours of 8 a.m.
  • Page 235: Defining Access Based On Authentication Method

    Bind Rules The bind rule is evaluated to be true if the client is accessing the directory at any time after 8 a.m. timeofday < "1800"; The bind rule is evaluated to be true if the client is accessing the directory at any time before 6 p.m.
  • Page 236: Examples

    Bind Rules You cannot set up authentication-based bind rules through the Access Control Editor. The LDIF syntax for setting a bind rule based on an authentication method is as follows: authmethod = "authentication_method" where authentication_method is none, simple, or "sasl sasl_mechanism" Examples The following are examples of the...
  • Page 237: Creating Acis From The Console

    Creating ACIs from the Console (groupdn = "ldap:///cn=administrators,dc=example,dc=com" or groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and dns = "*.example.com";) The trailing semicolon (;) is a required delimiter that must appear after the final bind rule. Boolean expressions are evaluated in the following order: •...
  • Page 238: Displaying The Access Control Editor

    Creating ACIs from the Console See “Access Control Usage Examples,” on page 242, for a collection of access control rules commonly used in Directory Server security policies, along with step-by-step instructions for using the Directory Server Console to create them. The Access Control Editor does not enable you to construct some of the more complex ACIs when you are in Visual editing mode.
  • Page 239: Figure 6-2 Selecting An Object In The Navigation Tree To Set Access Control

    Creating ACIs from the Console Figure 6-2 Selecting an Object in the Navigation Tree to Set Access Control Click New. The Access Control Editor is displayed as shown in Figure 6-3. Figure 6-3 Access Control Editor Window Chapter 6 Managing Access Control...
  • Page 240: Viewing Current Acis

    Creating ACIs from the Console For information on navigating through the Access Control dialog boxes, refer to the online help. Viewing Current ACIs If you want to see what ACIs apply to a particular subtree in your directory, follow these steps: In the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu.
  • Page 241: Editing An Aci

    Creating ACIs from the Console Click OK to dismiss the Add Users and Groups window. The entries you selected are now listed on the Users/Groups tab in the ACI editor. In the Access Control Editor, click the Rights tab, and use the checkboxes to select the rights to grant.
  • Page 242: Deleting An Aci

    Access Control Usage Examples In the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu. The Access Control Manager window is displayed. It contains the list of ACIs belonging to the entry. In the Access Control Manager window, highlight the ACI that you want to edit, and click Edit.
  • Page 243 Access Control Usage Examples example.com’s business is to offer a web hosting service and Internet access. Part of example.com’s web hosting service is to host the directories of client companies. example.com actually hosts and partially manages the directories of two medium-sized companies, .
  • Page 244: Granting Anonymous Access

    Access Control Usage Examples Granting Anonymous Access Most directories are run such that you can anonymously access at least one suffix for read, search, or compare. For example, you might want to set these permissions if you are running a corporate personnel directory that you want employees to be able to search, such as a phonebook.
  • Page 245: Aci "Anonymous World

    Access Control Usage Examples In the Hosts tab, click Add, and in the DNS host filter field, type *.example.com. Click OK to dismiss the dialog box. Click OK in the Access Control Editor window. The new ACI is added to the ones listed in the Access Control Manager window.
  • Page 246: Granting Write Access To Personal Entries

    Access Control Usage Examples In the attribute table, tick the checkboxes for the homePhone, homePostalAddress, and mail attributes. All other checkboxes should be clear. This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones.
  • Page 247: Aci "Write Subscribers

    Access Control Usage Examples In the Directory tab, right-click the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type .
  • Page 248 Access Control Usage Examples In LDIF, to grant example.com subscribers the right to update their password and home telephone number, you would write the following statement: aci: (targetattr="userPassword || homePhone") (version 3.0; acl "Write Subscribers"; allow (write) userdn= "ldap:///self" and authmethod="ssl";) This example assumes that the is added to the...
  • Page 249: Restricting Access To Key Roles

    Access Control Usage Examples In the attribute table, tick the checkboxes for the homePhone, homePostalAddress, and mail attributes. All other checkboxes should be clear. This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones.
  • Page 250 Access Control Usage Examples aci: (targetattr = "nsRoleDn") (targattrfilters="add=nsRoleDN:(nsRoleDN != "cn=superAdmin,dc=example,dc=com")") (version 3.0; acl "Roles"; allow (write) userdn= "ldap:///self" and dns="*.example.com";) This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com entry. From the Console, you can set this permission by doing the following: In the Directory tab, right-click the example.com node in the left navigation...
  • Page 251: Granting A Group Full Access To A Suffix

    Access Control Usage Examples To create the value-based filter for roles, switch to manual editing by clicking the Edit Manually button. Add the following to the beginning of the LDIF statement: (targattrfilters="add=nsRoleDN:(nsRoleDN != "cn=superAdmin, dc=example,dc=com")") The LDIF statement should read as follows: (targattrfilters="add=nsRoleDN:(nsRoleDN != "cn=superAdmin, dc=example,dc=com")") (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;...
  • Page 252: Granting Rights To Add And Delete Group Entries

    Access Control Usage Examples In the Directory tab, right-click the example.com-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type .
  • Page 253: Aci "Create Group

    Access Control Usage Examples ACI “Create Group” In LDIF, to grant example.com employees the right to create a group entry under the ou=Social Committee branch, you would write the following statement: aci: (target="ldap:///ou=social committee,dc=example,dc=com") (targattrfilters="add=objectClass:(objectClass=groupOfNames)") (version 3.0; acl "Create Group"; allow (add) (userdn= "ldap:///uid=*,ou=example-people,dc=example,dc=com") and dns="*.example.com";) NOTE...
  • Page 254: Aci "Delete Group

    Access Control Usage Examples In the Hosts tab, click Add to display the Add Host Filter dialog box. In the DNS host filter field, type *.example.com. Click OK to dismiss the dialog box. To create the value-based filter that will allow employees to add only group entries to this subtree, switch to manual editing by clicking the Edit Manually button.
  • Page 255: Granting Conditional Access To A Group Or Role

    Access Control Usage Examples Granting Conditional Access to a Group or Role In many cases, when you grant a group or role privileged access to the directory, you want to ensure that those privileges are protected from intruders trying to impersonate your privileged users.
  • Page 256 Access Control Usage Examples In the Directory tab, right-click the HostedCompany1 entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type .
  • Page 257: Denying Access

    Access Control Usage Examples To enforce SSL authentication from HostedCompany1 administrators, switch to manual editing by clicking the Edit Manually button. Add the following to the end of the LDIF statement: and (authmethod="ssl") The LDIF statement should be similar to: aci: (targetattr = "*") (target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com") (version 3.0;...
  • Page 258: Aci "Billing Info Deny

    Access Control Usage Examples In the Directory tab, right-click the subscribers entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type .
  • Page 259 Access Control Usage Examples This example assumes that the relevant attributes have been created in the schema and that the ACI is added to the ou=subscribers,dc=example,dc=com entry. From the Console, you can set this permission by doing the following: In the Directory tab, right-click the subscribers entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
  • Page 260: Setting A Target Using Filtering

    Access Control Usage Examples Setting a Target Using Filtering If you want to set access controls that allow access to a number of entries that are spread across the directory, you may want to use a filter to set the target. Keep in mind that because search filters do not directly name the object for which you are managing access, it is easy to allow or deny access to the wrong objects unintentionally, especially as your directory becomes more complex.
  • Page 261: Defining Permissions For Dns That Contain A Comma

    Access Control Usage Examples In the Directory tab, right-click the example-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor. In the Users/Groups tab, in the ACI name field, type .
  • Page 262: Proxied Authorization Aci Example

    Access Control Usage Examples dn: dc=example.com Bolivia\, S.A.,dc=com objectClass: top objectClass: organization aci: (target="ldap:///dc=example.com Bolivia\, S.A.,dc=com")(targetattr=*) (version 3.0; acl "aci 2"; allow (all) groupdn = "ldap:///cn=Directory Administrators,dc=example.com Bolivia\, S.A.,dc=com";) Proxied Authorization ACI Example For this example, suppose: • The client application’s bind DN is "uid=MoneyWizAcctSoftware, ou=Applications,dc=example,dc=com"...
  • Page 263: Viewing The Acis For An Entry

    Viewing the ACIs for an Entry In the above example, if the client wanted to perform an ldapsearch command, the command would include the following controls:
        #ldapmodify -D "uid=MoneyWizAcctSoftware, ou=Applications,dc=example,dc=com" -w secretpwd -y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com"
    The client or application (MoneyWizAcctSoftware) binds as itself but is granted the privileges of the proxy entry (AcctAdministrator).
  • Page 264 Viewing the ACIs for an Entry “Get effective rights” is an extended ldapsearch which returns the access control permissions set on each attribute within an entry. The effective rights can be retrieved by sending an LDAP control along with a search operation. The results show the effective rights on each returned entry and each attribute of each returned entry.
  • Page 265: Using Get Effective Rights From The Command-Line

    Viewing the ACIs for an Entry Information is not given for attributes in an entry that do not have a value; for example, if the userPassword value is removed, then a future effective rights search on the entry above would not return any effective rights for userPassword even though self-write and self-delete rights could be allowed.
  • Page 266 Viewing the ACIs for an Entry
    • user specifies the account being checked, while AuthId checks the rights of the AuthId entry over the user entry.
    • control OID is the OID for the get effective rights control, 1.3.6.1.4.1.42.2.27.9.5.2
    • boolean criticality specifies whether the search operation should return an error if the server does not support this control (...
  • Page 267 Viewing the ACIs for an Entry An administrative user, such as Directory Manager, can use the get effective rights operation to determine what rights are granted between users. The following is a sample ldapsearch to retrieve effective rights that a manager, Dave Miller (shown in the part of the...
  • Page 268: Using Get Effective Rights From The Console

    Viewing the ACIs for an Entry
        ./ldapsearch -p 389 -h localhost -D "uid=dmiller,ou=people,dc=example,dc=com" -w password -b "uid=tmorris,ou=people,dc=example,dc=com" -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn: uid=tmorris,ou=people,dc=example,dc=com" "(objectClass=*)"
        ldap_search: Insufficient access
        ldap_search: additional info: get-effective-rights: requestor has no g permission on the entry
    However, Ted Morris could run a get effective rights search on his personal entry to determine the rights another user, such as Sam Carter, has to it.
  • Page 269: Get Effective Rights Return Codes

    Advanced Access Control: Using Macro ACIs Get Effective Rights Return Codes If the criticality is set to false for a get effective rights search and an error occurs, the regular entry information is returned, but, in place of rights for , an error code is returned.
  • Page 270: Macro Aci Example

    Advanced Access Control: Using Macro ACIs Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. You can use a macro to represent a DN in the target portion of the ACI or in the bind rule portion, or both.
  • Page 271: Figure 6-4 Example Directory Tree For Macro Acis

    Advanced Access Control: Using Macro ACIs Figure 6-4 Example Directory Tree for Macro ACIs The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node:
        aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
         (version 3.0; acl "Domain access"; allow (read,search)
         groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)
  • Page 272: Macro Aci Syntax

    Advanced Access Control: Using Macro ACIs The following ACI is located on the dc=subdomain1,dc=hostedCompany1,dc=example,dc=com node:
        aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
         (version 3.0; acl "Domain access"; allow (read,search)
         groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)
    The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node:
        aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))
         (version 3.0; acl "Domain access"; allow (read,search)
         groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";)
    The following ACI is located on the...
  • Page 273: Macro Matching For ($Dn)

    Advanced Access Control: Using Macro ACIs
    • ($dn)
    • [$dn]
    • ($attr.attrName), where attrName represents an attribute contained in the target entry
    To simplify the discussion in this section, the ACI keywords used to provide bind credentials, such as userdn, roledn, and , are collectively called...
  • Page 274: Macro Matching For [$Dn]

    Advanced Access Control: Using Macro ACIs When the subject of the ACI also uses ($dn), the substring that matches the target is used to expand the subject. For example:
        aci: (target="ldap:///ou=*,($dn),dc=example,dc=com")
         (targetattr = "*")
         (version 3.0; acl "Domain access"; allow (read,search)
         groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";)
  • Page 275: Macro Matching For ($Attr.attrname)

    Advanced Access Control: Using Macro ACIs Replace [$dn] in subject with dc=hostedCompany1. The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com". In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a member, the ACI is evaluated.
  • Page 276: Access Control And Replication

    Access Control and Replication
        roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,dc=example,dc=com"
    The Directory Server then evaluates the ACI according to the normal ACI evaluation algorithm. When an attribute is multi-valued, each value is used to expand the macro, and the first one that provides a successful match is used. Consider this example:
        dn: cn=Jane Doe,ou=People,dc=HostedCompany1,dc=example,dc=com
        cn: Jane Doe...
  • Page 277: Compatibility With Earlier Releases

    Compatibility with Earlier Releases In the Console, click the Configuration tab, select Logs from the navigation menu on the right, and open the Error Log. Scroll down to error log level, and select Access Control from the menu. Hit save. For complete information on error log levels, refer to Red Hat Directory Server Configuration, Command, and File Reference.
  • Page 278 Compatibility with Earlier Releases
  • Page 279: Chapter 7 User Account Management

    Chapter 7 User Account Management When a user connects to your Red Hat Directory Server (Directory Server), first the user is authenticated. Then, the directory can grant access rights and resource limits to the user depending upon the identity established during authentication. This chapter describes tasks for user account management, including configuring the password and account lockout policy for your directory, denying groups of users access to the directory, and limiting system resources available to users...
  • Page 280: Configuring The Password Policy

    Managing the Password Policy Once you have established a password policy, which can be for the entire directory or for specific subtrees or users, you can protect your user passwords from potential threats by configuring an account lockout policy. Account lockout protects against hackers who try to break into the directory by repeatedly guessing a user’s password.
  • Page 281: Configuring A Global Password Policy Using The Console

    Managing the Password Policy • Configuring a Subtree/User Password Policy Using the Console • Configuring a Global Password Policy Using the Command-Line • Configuring Subtree/User Password Policy Using the Command-Line NOTE After configuring your password policy, we recommend that you configure an account lockout policy.
  • Page 282: Configuring A Subtree/User Password Policy Using The Console

    Managing the Password Policy If you want users to change their passwords periodically, select the “Password expires after X days” radio button, and then enter the number of days that a user password is valid. The maximum value for the password age is derived by subtracting January 18, 2038, from today’s date.
  • Page 283: Configuring A Global Password Policy Using The Command-Line

    Managing the Password Policy In the right pane, select the Passwords tab. Check the “Enable fine-grained password policy” checkbox. Click Save to save your changes. Create the local password policy for the subtree or user. In the Directory Server Console, select the Directory tab. In the navigation pane, select the subtree or user entry for which you want to set up the password policy.
  • Page 284 Managing the Password Policy Table 7-1 Password Policy Attributes (Continued) Attribute Name Definition passwordMustChange When on, this attribute requires users to change their passwords when they first log in to the directory or after the password is reset by the Directory Manager. When on, the user is required to change their password even if user-defined passwords are disabled.
  • Page 285 Managing the Password Policy Table 7-1 Password Policy Attributes (Continued) Attribute Name Definition passwordWarning This attribute indicates the number of seconds before a warning message is sent to users whose password is about to expire. Depending on the LDAP client application, users may be prompted to change their password when the warning is sent.
  • Page 286: Configuring Subtree/User Password Policy Using The Command-Line

    Managing the Password Policy Table 7-1 Password Policy Attributes (Continued) Attribute Name Definition passwordHistory This attribute indicates whether the directory stores a password history. When set to on, the directory stores the number of passwords you specify in the passwordInHistory attribute in a history. If a user attempts to reuse one of the passwords, the password will be rejected.
  • Page 287 Managing the Password Policy Add the required attributes to the subtree or user entries by running the ns-newpwpolicy.pl script. The command syntax for the script is as follows:
        ns-newpwpolicy.pl [-D rootDN] { -w password | -w - | -j filename } [-p port] [-h host] -U userDN -S suffixDN
    For updating a subtree entry, use the -S option.
  • Page 288 Managing the Password Policy
        objectclass: costemplate
        objectclass: ldapsubentry
        cosPriority: 1
        pwdpolicysubentry: cn="cn=nsPwPolicyEntry, ou=people, dc=example, dc=com", cn=nsPwPolicyContainer, ou=people, dc=example, dc=com
    The CoS specification entry at the subtree level. For example:
        dn: cn=nsPwPolicy_cos, ou=people, dc=example, dc=com
        objectclass: top
        objectclass: LDAPsubentry
        objectclass: cosSuperDefinition
        objectclass: cosPointerDefinition
        cosTemplateDn: cn="cn=nsPwTemplateEntry, ou=people, dc=example, dc=com", cn=nsPwPolicyContainer, ou=people,...
  • Page 289 Managing the Password Policy Assign the value of the above entry DN to the pwdpolicysubentry attribute of the target entry. For example:
        dn: uid=jdoe, ou=people, dc=example, dc=com
        changetype: modify
        replace: pwdpolicysubentry
        pwdpolicysubentry: "cn=nsPwPolicyEntry, uid=jdoe, ou=people, dc=example, dc=com", cn=nsPwPolicyContainer, ou=people, dc=example, dc=com
    Set the password policy attributes of the subtree or user entry with the appropriate values.
  • Page 290: Setting User Passwords

    Managing the Password Policy Open the dse.ldif file in a text editor. Set the value of nsslapd-pwpolicy-local, and save your changes. Start the server. Setting User Passwords An entry can be used to bind to the directory only if it has a userpassword attribute and if it has not been inactivated.
  • Page 291 Managing the Password Policy For more information on how to use the ldappasswd utility, see the OpenLDAP documentation at http://www.openldap.org, or type man ldappasswd in the command-line for the manpage. NOTE This operation supports Start TLS encryption (-ZZ[Z]), and you must use a secure connection for the password change operation.
  • Page 292: Configuring The Account Lockout Policy

    Managing the Password Policy Configuring the Account Lockout Policy The lockout policy works in conjunction with the password policy to provide further security. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user’s password. You can set up your password policy so that a specific user is locked out of the directory after a given number of failed attempts to bind.
  • Page 293: Table 7-2 Account Lockout Policy Attributes

    Managing the Password Policy Table 7-2 describes the attributes you can use to configure your account lockout policy. Table 7-2 Account Lockout Policy Attributes Attribute Name Definition passwordLockout This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts. You set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute.
  • Page 294: Managing The Password Policy In A Replicated Environment

    Managing the Password Policy Managing the Password Policy in a Replicated Environment Password and account lockout policies are enforced in a replicated environment as follows: • Password policies are enforced on the data master. • Account lockout is enforced on all servers participating in replication. Some of the password policy information in your directory is replicated.
  • Page 295: Synchronizing Passwords

    Managing the Password Policy Synchronizing Passwords Password changes in a Directory Server entry can be synchronized to password attributes in Windows NT4 server or Active Directory entries by using the Password Sync utility. When passwords are synchronized, password policies are enforced on each sync peer locally;...
  • Page 296: Inactivating Users And Roles

    Inactivating Users and Roles Inactivating Users and Roles You can temporarily inactivate a single user account or a set of accounts. Once inactivated, a user cannot bind to the directory. The authentication operation will fail. Users and roles are inactivated using the nsAccountLock operational attribute. When an entry contains the attribute with a value of...
  • Page 297: Inactivating User And Roles Using The Command-Line

    Inactivating Users and Roles Click Account in the left pane. The right pane states that the role or user is inactivated. Click Activate to activate the user or role. Click OK to close the dialog box and save your changes. Once inactivated, you can view the state of the object by selecting Inactivation State from the View menu.
  • Page 298: Activating User And Roles Using The Command-Line

    Inactivating Users and Roles Browse the navigation tree in the left navigation pane, and double-click the user or role you want to activate. The Edit Entry dialog box appears. You can also select Activate from the Object menu as a short cut. Click Account in the left pane.
  • Page 299: Setting Resource Limits Based On The Bind Dn

    Setting Resource Limits Based on the Bind DN Setting Resource Limits Based on the Bind DN You can control server limits for search operations using special operational attribute values on the client application binding to the directory. You can set the following search operation limits: •...
  • Page 300: Setting Resource Limits Using The Command-Line

    Setting Resource Limits Based on the Bind DN Click OK when you are finished. Setting Resource Limits Using the Command-Line The following operational attributes can be set for each entry using the command-line. Use ldapmodify to add the following attributes to the entry: Attribute Description...
  • Page 301: Chapter 8 Managing Replication

    Chapter 8 Managing Replication Replication is the mechanism by which directory data is automatically copied from one Red Hat Directory Server (Directory Server) to another; it is an important mechanism for extending your directory service beyond a single server configuration. This chapter describes the tasks to be performed on the supplier servers and the consumer servers to set up single-master replication, multi-master replication, and cascading replication.
  • Page 302: Replication Overview

    Replication Overview For conceptual information on how you can use replication in your directory deployment, see the Red Hat Directory Server Deployment Guide. Replication Overview Replication is the mechanism by which directory data is automatically copied from one Directory Server to another. Updates of any kind — entry additions, modifications, or even deletions —...
  • Page 303: Supplier/Consumer

    Replication Overview Supplier/Consumer A server that holds a replica that is copied to a replica on a different server is called a supplier for that replica. A server that holds a replica that is copied from a different server is called a consumer for that replica. Generally, the replica on the supplier server is a read-write replica and the one on the consumer server is a read-only replica.
  • Page 304: Unit Of Replication

    Replication Overview Unit of Replication The smallest unit of replication is a database. This means that you can replicate an entire database but not a subtree within a database. Therefore, when you create your directory tree, you must take your replication plans into consideration. For more information on how to set up your directory tree, refer to the Red Hat Directory Server Deployment Guide.
  • Page 305: Replication Agreement

    Replication Overview For more information on creating the Replication Manager entry, refer to “Creating the Supplier Bind DN Entry,” on page 313. Replication Agreement Directory Servers use replication agreements to define their replication configuration. A replication agreement describes replication between one supplier and one consumer only.
  • Page 306: Replication Scenarios

    Replication Scenarios Replication Scenarios This section describes the most commonly used replication scenarios: • Single-Master Replication • Multi-Master Replication • Cascading Replication You can combine these basic scenarios to build the replication environment that best suits your needs. NOTE Whatever replication scenario you choose to implement, remember to consider schema replication.
  • Page 307: Multi-Master Replication

    Replication Scenarios Single-Master Replication Figure 8-1 In this particular configuration, the suffix ou=people,dc=example,dc=com receives a large number of search requests. Therefore, to distribute the load, this tree, which is mastered on Server A, is replicated to two read-only replicas located on Server B and Server C.
  • Page 308: Figure 8-2 Multi-Master Replication (Two Suppliers)

    Replication Scenarios This type of configuration can work with any number of consumer servers. Each consumer server holds a read-only replica. The consumers can receive updates from all the suppliers. The consumers also have referrals defined for all the suppliers to forward any update requests that the consumers receive. Such scenarios are called multi-master configurations.
  • Page 309 Replication Scenarios Multi-master configurations have the following advantages: • Automatic write failover when one supplier is inaccessible. • Updates are made on a local supplier in a geographically distributed environment.
  • Page 310: Cascading Replication

    Replication Scenarios NOTE Replication, especially multi-master replication, works better over high speed links than over slow links, such as a WAN, in geographically distributed environments. For information on setting up multi-master replication with two supplier servers and two consumer servers, refer to “Configuring Multi-Master Replication,” on page 324.
  • Page 311 Replication Scenarios Cascading Replication Figure 8-4 For information on setting up cascading replication, refer to “Configuring Cascading Replication,” on page 337. NOTE You can combine multi-master and cascading replication. For example, in the multi-master scenario illustrated in Figure 8-2, on page 308, Server C and Server D could be hub suppliers that would replicate to any number of consumer servers.
  • Page 312: Handling Complex Replication Configurations

    Handling Complex Replication Configurations Handling Complex Replication Configurations If you are configuring replication for a large number of servers and your configuration is relatively complex, for reasons of efficiency, you should proceed in the following order: On all consumer servers: Create the replica databases.
  • Page 313: Creating The Supplier Bind Dn Entry

    Handling Complex Replication Configurations NOTE It is very important to create and configure all replicas before you attempt to create a replication agreement. This also means that when you create the replication agreement, you can choose to initialize consumers immediately. These sections contain a description of the tasks you need to perform to configure replication: •...
  • Page 314 Handling Complex Replication Configurations NOTE Avoid creating simple entries under the cn=config entry in the dse.ldif file. The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, and particularly entries that are likely to be updated frequently, are stored under cn=config, performance will probably suffer.
  • Page 315: Configuring Supplier Settings

    Handling Complex Replication Configurations
        cn: replication manager
        sn: RM
        userPassword: password
        passwordExpirationTime: 20380119031407Z
    Restart the Directory Server. See “Starting and Stopping the Directory Server,” on page 37, for more information on starting the server. When you configure a replica as a consumer, you must use the DN of this entry to define the supplier bind DN.
  • Page 316: Configuring A Read-Only Replica

    Handling Complex Replication Configurations In the Directory Server Console, select the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,” on page 34. In the left navigation tree, expand the Replication folder, and highlight the database to replicate.
  • Page 317: Configuring A Hub Supplier

    Handling Complex Replication Configurations In the Common Settings section, specify a purge delay in the “Purge delay” field. This option indicates how often the state information stored in the replicated entries is purged. In the Update Settings section, specify the supplier bind DN that the supplier will use to bind to the replica.
  • Page 318: Creating A Replication Agreement

    Handling Complex Replication Configurations In the left navigation tree, expand the Replication folder, and then highlight the database to replicate. The Replica Settings tab is displayed on the right pane. Check the Enable Replica checkbox. In the Replica Role section, select the Hub radio button. In the Common Settings section, specify a purge delay in the “Purge delay”...
  • Page 319 Handling Complex Replication Configurations • Configured replication settings for hub suppliers (if any) and consumers as described in “Configuring a Read-Only Replica,” on page 316. To create a replication agreement: In the Directory Server Console, select the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,”...
  • Page 320: Configuring Single-Master Replication

    Configuring Single-Master Replication NOTE The consumer of this replication agreement must be a dedicated consumer for fractional replication to work as a safeguard against potential data integrity problems. This is not enforced at the time you make the replication agreement, but replication will fail if your consumer is not a read-only replica.
  • Page 321: Configuring The Read-Only Replica On The Consumer Server

    Configuring Single-Master Replication To set up single-master replication such as the configuration shown in Figure 8-1, on page 307, between supplier Server A, which holds a read-write replica, and the two consumers Server B and Server C, which each hold a read-only replica, you need to perform the following procedures: •...
  • Page 322: Configuring The Read-Write Replica On The Supplier Server

    Configuring Single-Master Replication Check the Enable Replica checkbox. In the Replica Role section, select the Dedicated Consumer radio button. In the Common Settings section, specify a purge delay in the “Purge delay” field. This option indicates how often the state information stored in the replicated entries is purged.
  • Page 323 Configuring Single-Master Replication In the Directory Server Console, select the Configuration tab. In the navigation tree, highlight the Replication node. In the right-hand side of the window, select the Supplier Settings tab. Check the Enable Changelog checkbox. This activates all of the fields in the pane below that were previously greyed out.
  • Page 324: Initializing The Replicas For Single-Master Replication

    Configuring Multi-Master Replication In the navigation tree of the Configuration tab, right-click the database to replicate, and select New Replication Agreement. Or highlight the database, and select New Replication Agreement from the Object menu. This will start the Replication Agreement Wizard. Go through the steps in the replication wizard by clicking Next to move to the following step.
  • Page 325: Configuring 2-Way Multi-Master Replication

    Configuring Multi-Master Replication Configuring 2-Way Multi-Master Replication To set up multi-master replication such as the configuration shown in Figure 8-2, on page 308, between two suppliers Server A and Server B, which each hold a read-write replica, and two consumers Server C and Server D, which each hold a read-only replica, you need to perform the following procedures: •...
  • Page 326 Configuring Multi-Master Replication In the navigation tree, expand the Replication folder, and then select the replica database. The Replica Settings tab is displayed on the right pane. Check the Enable Replica checkbox. In the Replica Role section, select the Dedicated Consumer radio button. In the Common Settings section, specify a purge delay in the “Purge delay”...
  • Page 327: Configuring The Read-Write Replicas On The Supplier Servers

    Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier Servers Perform these steps on each supplier server, Server A and Server B: Specify the supplier settings for each server. In the Directory Server Console, select the Configuration tab. In the navigation tree, highlight the Replication node. In the right-hand side of the window, select the Supplier Settings tab.
  • Page 328 Configuring Multi-Master Replication If you have enabled the password expiration policy or intend to do so in the future, disable it to prevent replication from failing due to expiration of passwords. To disable the password expiration policy on the userPassword attribute, add the attribute with a value of...
  • Page 329 Configuring Multi-Master Replication On Server A, set up the following replication agreements: One with supplier Server B, where Server B is configured as a consumer for the replica. One for each consumer server, Server C and Server D. To do this: In the Directory Server Console, select the Configuration tab.
  • Page 330: Initializing The Replicas For Multi-Master Replication

    Configuring Multi-Master Replication Initializing the Replicas for Multi-Master Replication In the case of multi-master replication, you should initialize replicas in the following order: Ensure one supplier has the complete set of data to replicate. Use this supplier to initialize the replicas on the other masters in the multi-master replication set.
  • Page 331 Configuring Multi-Master Replication Create the entry corresponding to the supplier bind DN if it does not exist. NOTE This is the special entry that the supplier will use to bind. The entry must not be part of the replicated database. In the Directory Server Console, select the Directory tab.
  • Page 332: Configuring The Read-Write Replicas On The Supplier Servers

    Configuring Multi-Master Replication In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. This supplier bind DN should correspond to the entry created in Step 2. The supplier bind DN corresponds to a privileged user because it is not subject to access control.
  • Page 333 Configuring Multi-Master Replication Set the changelog parameters (number and age). You must clear the unlimited checkboxes if you want to specify different values. Click Save to save the supplier settings. Create the entry corresponding to the supplier bind DN if it does not already exist.
  • Page 334 Configuring Multi-Master Replication In the Common Settings section, specify a Replica ID. The replica ID must be an integer between , both inclusive, and must be unique for a given suffix. Make sure you specify an ID that is different from the IDs used for read-write replicas on this server and on other servers.
  • Page 335: Initializing The Replicas For Multi-Master Replication

    Configuring Multi-Master Replication On server M4, set up the following replication agreements: one with supplier server M3, where server M3 is declared as a consumer for the replica; one with supplier server M1, where server M1 is declared as a consumer for the replica;...
  • Page 336: Preventing Monopolization Of The Consumer In Multi-Master Replication

    Configuring Multi-Master Replication Initialize the replicas on the consumer servers from either of the four suppliers. For information on initializing replicas, refer to “Initializing Consumers,” on page 345. Preventing Monopolization of the Consumer in Multi-Master Replication One of the features of multi-master replication is that a supplier acquires exclusive access to the consumer for the replicated area.
  • Page 337: Configuring Cascading Replication

    Configuring Cascading Replication NOTE If you set either attribute to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code. The two attributes are designed so that the nsds5ReplicaSessionPauseTime interval will always be at least 1 second longer than the interval specified for .
  • Page 338: Configuring The Read-Only Replica On The Consumer Server

    Configuring Cascading Replication • Configuring the Read-Write Replica on the Supplier Server • Initializing the Replicas for Cascading Replication Configuring the Read-Only Replica on the Consumer Server To configure the read-only replica in a consumer server: On the consumer server, create the database for the replica if it does not exist. For instructions, refer to “Creating Suffixes,”...
  • Page 339 Configuring Cascading Replication In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. This supplier bind DN should correspond to the entry created in Step 2. The supplier bind DN corresponds to a privileged user because it is not subject to access control.
  • Page 340: Configuring The Read-Only Replica On The Hub Supplier

    Configuring Cascading Replication When you have configured the replicas on each server and the necessary replication agreements among servers, you can initialize the read-only replicas on the hub supplier and on the consumer. You can perform this task from the Replication Agreement Wizard while you are configuring the supplier server and the hub supplier server or at any time afterwards.
  • Page 341: Configuring The Read-Write Replica On The Supplier Server

    Configuring Cascading Replication Check the Enable Replica checkbox. In the Replica Role section, select the Hub radio button. In the Common Settings section, specify a purge delay in the “Purge delay” field. This option indicates how often the state information stored in the replicated entries is purged.
  • Page 342 Configuring Cascading Replication In the navigation tree, highlight the Replication node. On the right pane, select the Supplier Settings tab. Check the Enable Changelog checkbox. This activates all of the fields in the pane. Specify a changelog by clicking the “Use default” button, or click the Browse button to display a file selector.
  • Page 343: Initializing The Replicas For Cascading Replication

    Making a Replica Updatable Initializing the Replicas for Cascading Replication In the case of cascading replication, you should initialize replicas in the following order: Use the supplier server to initialize the replica on the hub supplier. From the hub supplier, initialize the replica on the consumer. For information on initializing replicas, refer to “Initializing Consumers,”...
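    The Console steps above set a handful of replica attributes whose combination is easy to get wrong on a hub (it is read-only, yet it must keep a changelog so it can feed its consumers), and page 339 warns that the supplier bind DN is privileged because its updates are not subject to access control. The shell function below is an added example, not a procedure from the Guide: it emits the replica entry for one server in a cascading topology as ldapmodify input. The role-to-value mapping, the reserved replica ID 65535 for hubs and consumers, the purge delay and the refusal to accept the Directory Manager as the supplier bind DN are this example's assumptions; check them against the Configuration, Command, and File Reference for your release.

```shell
#!/bin/sh
# Added example, not the Guide's own procedure: emit the cn=replica entry for
# one server in a cascading topology (supplier -> hub -> consumer) as LDIF.
# Assumed mapping of role to attribute values (verify against the Configuration,
# Command, and File Reference for your release):
#   supplier : nsDS5ReplicaType 3 (read-write), nsDS5Flags 1 (keeps a changelog)
#   hub      : nsDS5ReplicaType 2 (read-only),  nsDS5Flags 1 (changelog, feeds consumers)
#   consumer : nsDS5ReplicaType 2 (read-only),  nsDS5Flags 0 (no changelog)
# Hubs and consumers use the reserved replica ID 65535; a supplier needs a
# unique ID in 1..65534. The purge delay (seconds) is the example's choice.
#
# Usage: replica_ldif ROLE SUFFIX SUPPLIER_BIND_DN [REPLICA_ID]
#   replica_ldif hub dc=example,dc=com "cn=Replication Manager,cn=config" \
#     | ldapmodify -a -h hubhost -p 389 -D "cn=directory manager" -w password

replica_ldif() {
    role=$1; suffix=$2; bind_dn=$3; rid=${4:-65535}
    case "$role" in
        supplier) rtype=3; flags=1 ;;
        hub)      rtype=2; flags=1; rid=65535 ;;
        consumer) rtype=2; flags=0; rid=65535 ;;
        *) echo "replica_ldif: unknown role '$role' (supplier|hub|consumer)" >&2; return 1 ;;
    esac
    if [ "$role" = supplier ]; then
        case "$rid" in
            *[!0-9]*|'') echo "replica_ldif: replica ID must be numeric" >&2; return 1 ;;
        esac
        if [ "$rid" -lt 1 ] || [ "$rid" -gt 65534 ]; then
            echo "replica_ldif: supplier replica ID must be in 1..65534" >&2; return 1
        fi
    fi
    # The supplier bind DN is privileged: updates it sends bypass ACIs on this
    # replica (page 339). Use the dedicated entry created for that purpose and
    # never the Directory Manager (this refusal is the example's own rule).
    case "$(printf '%s' "$bind_dn" | tr 'A-Z' 'a-z')" in
        "cn=directory manager") echo "replica_ldif: refusing Directory Manager as supplier bind DN" >&2; return 1 ;;
    esac
    printf 'dn: cn=replica,cn="%s",cn=mapping tree,cn=config\n' "$suffix"
    printf 'changetype: add\n'
    printf 'objectclass: top\n'
    printf 'objectclass: nsDS5Replica\n'
    printf 'cn: replica\n'
    printf 'nsDS5ReplicaRoot: %s\n' "$suffix"
    printf 'nsDS5ReplicaId: %s\n' "$rid"
    printf 'nsDS5ReplicaType: %s\n' "$rtype"
    printf 'nsDS5Flags: %s\n' "$flags"
    printf 'nsDS5ReplicaBindDN: %s\n' "$bind_dn"
    printf 'nsDS5ReplicaPurgeDelay: 604800\n'
    printf '\n'
}
```

    Run it once per server with that server's role; the supplier is the only one that needs an explicit, unique replica ID. The replication agreements (supplier to hub, hub to consumer) are separate entries and are not generated here.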
  • Page 344: Removing The Changelog

    Deleting the Changelog • Moving the Changelog to a New Location Removing the Changelog You can remove the changelog using the Directory Server Console. To remove the changelog from the supplier server: In the Directory Server Console, select the Configuration tab. Select the Replication Agreements folder in the left navigation tree and then the Supplier Server Settings tab in the right pane.
  • Page 345: Initializing Consumers

    Initializing Consumers Initializing Consumers Once you have created a replication agreement, you must initialize the consumer; that is, you must physically copy data from the supplier server to the consumer servers. This section first describes consumer initialization in detail and then provides instructions on the two different methods for initializing consumers.
  • Page 346: Online Consumer Initialization Using The Console

    Initializing Consumers Online Consumer Initialization Using the Console Online consumer initialization using the Console is the easiest way to initialize or reinitialize a consumer. However, if you are replicating across a slow link, this process can be very time-consuming, and you may find manual consumer initialization using the command-line to be a more efficient approach.
  • Page 347: Manual Consumer Initialization Using The Command-Line

    Initializing Consumers Manual Consumer Initialization Using the Command-Line Manual consumer initialization using the command-line is the fastest method of consumer initialization for sites that are replicating very large numbers of entries. However, the manual consumer initialization process is more complex than the online consumer initialization process.
  • Page 348: Importing The Ldif File To The Consumer Server

    Initializing Consumers Importing the LDIF File to the Consumer Server You can import the LDIF file which contains the supplier replica contents to the consumer server by using the import features in the Directory Server Console or by using either the script or script.
  • Page 349: Initializing The Consumer Replica From The Backup Files

    Initializing Consumers Initializing the Consumer Replica from the Backup Files Create a new database on the destination server to match the database from the source server. Before you begin initializing the consumer from the backup files, be certain that you have created the appropriate database on your destination server so that the database exists to be “restored”...
  • Page 350: Forcing Replication Updates

    Restore the backup on the destination server with the bak2db script. For example:

        ./bak2db /opt/redhat-ds/servers/slapd-serverID/archiveDirectory -n userRoot

    Restart the destination Directory Server by typing the following:

        ./start-slapd

    Replication will begin on schedule as soon as the destination server is restarted. For more information on using these scripts, see the Red Hat Directory Server Configuration, Command, and File Reference.
  • Page 351: Forcing Replication Updates From The Console

    Forcing Replication Updates To ensure that directory information will be synchronized immediately when a server comes back online, you can use either the Directory Server Console on the supplier server that holds the reference copy of the directory information or a customizable script.
  • Page 352 Forcing Replication Updates

    Code Example 8-1 Replicate_Now Script Example

        #!/bin/sh
        SUP_HOST=supplier_hostname
        SUP_PORT=supplier_portnumber
        SUP_MGRDN=supplier_directoryManager
        SUP_MGRPW=supplier_directoryManager_password
        MY_HOST=consumer_hostname
        MY_PORT=consumer_portnumber
        ldapsearch -1 -T -h ${SUP_HOST} -p ${SUP_PORT} -D "${SUP_MGRDN}" -w ${SUP_MGRPW} \
            -b "cn=mapping tree, cn=config" \
            "(&(objectclass=nsds5replicationagreement)(nsDS5ReplicaHost=${MY_HOST}) \
            (nsDS5ReplicaPort=${MY_PORT}))" dn nsds5ReplicaUpdateSchedule > /tmp/$$
        cat /tmp/$$ | awk '...
  • Page 353: Table 8-1 Replicate_Now Variables

    Forcing Replication Updates Code Example 8-1 Replicate_Now Script Example (Continued)

        /^nsds5ReplicaUpdateSchedule: / { s = 1; print $0; }
        /^$/ { if ( s == 1 )
                 { print "-" ; print ""; }
               else
                 { print "nsds5ReplicaUpdateSchedule: 0000-2359 0123456"; print "-"...
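    The part of Replicate_Now that does the real work is the awk program that turns the supplier's search result into ldapmodify input: every agreement for the consumer gets its nsds5ReplicaUpdateSchedule replaced, which is what makes the supplier open a replication session at once. The function below is an added example, not the Guide's script: it isolates that step so it can be run offline against a constructed search result. The agreement names and the sample search output are constructed for the example; only the attribute names and the "0000-2359 0123456" schedule come from the page.

```shell
#!/bin/sh
# Added example, not the Guide's Replicate_Now script. force_update_ldif reads
# ldapsearch output on stdin (agreement entries with only "dn" and
# "nsds5ReplicaUpdateSchedule" requested, as the Guide's search does) and writes
# one ldapmodify change record per agreement that replaces
# nsds5ReplicaUpdateSchedule with its current value when the agreement already
# has one, or with "0000-2359 0123456" (every minute of every day) when it has
# none. Rewriting the schedule is what triggers an immediate replication session.
# Apply the result with:
#   ldapmodify -c -h "$SUP_HOST" -p "$SUP_PORT" -D "$SUP_MGRDN" -w "$SUP_MGRPW" -f file
# (switch ldapsearch/ldapmodify to the secure port if the update must travel
# over SSL, as page 354 notes).

force_update_ldif() {
    awk '
    function flush() {
        if (have_dn) {
            if (sched == "") sched = "nsds5ReplicaUpdateSchedule: 0000-2359 0123456"
            print sched; print "-"; print ""
        }
        have_dn = 0; sched = ""
    }
    BEGIN { have_dn = 0; sched = "" }
    /^dn: / {
        have_dn = 1; sched = ""
        print $0
        print "changetype: modify"
        print "replace: nsds5ReplicaUpdateSchedule"
        next
    }
    tolower($0) ~ /^nsds5replicaupdateschedule: / { sched = $0; next }
    /^$/ { flush(); next }
    END { flush() }'   # search output may not end with a blank line
}

# Constructed sample of what the search returns for two agreements, one with an
# explicit schedule and one without (not real server output).
SAMPLE_SEARCH='dn: cn=to-consumer1,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
nsds5ReplicaUpdateSchedule: 0800-1800 12345

dn: cn=to-consumer2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
'

# Number of change records produced for the sample (2 agreements -> 2 records).
count_records() {
    printf '%s' "$SAMPLE_SEARCH" | force_update_ldif | grep -c '^changetype: modify'
}
```

    The original awk compared `$s` instead of `s`, which in awk reads a field rather than the flag; the function above keeps the flag in a plain variable and also handles a search result that ends without a trailing blank line.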
  • Page 354: Replication Over Ssl

    Replication over SSL If you want the update operation to occur over an SSL connection, you must modify the ldapmodify command in the script with the appropriate parameters and values. For more information on the ldapmodify command, refer to “Managing Entries from the Command-Line,” on page 55, and Red Hat Directory Server Configuration, Command, and File Reference.
  • Page 355: Configuring Replication Over Ssl Using The Replication Agreement Wizard

    Replication with Earlier Releases Configuring Replication over SSL Using the Replication Agreement Wizard In the Directory Server Console of the supplier server, click the Configuration tab, expand the Replication folder, and select the database that you want to replicate. Right-click the database, and choose New Replication Agreement from the drop-down menu.
  • Page 356: Configuring Directory Server As A Consumer Of A Legacy Directory Server

    Replication with Earlier Releases • This version of Directory Server cannot be a supplier for other replicas. The main advantage of being able to use this version of Directory Server as a consumer of a legacy Directory Server is to ease the migration of a replicated environment.
  • Page 357: Using The Retro Changelog Plug-In

    Using the Retro Changelog Plug-in Repeat Step 7 and Step 8 for each read-only replica that will receive updates from a legacy supplier. To complete your legacy replication setup, you must now configure the legacy supplier to replicate to the Directory Server. For instructions on configuring a replication agreement on a 4.x Directory Server, refer to the documentation for your legacy Directory Server.
  • Page 358: Enabling The Retro Changelog Plug-In

    Using the Retro Changelog Plug-in Table 8-2 Attributes of a Retro Changelog Entry (Continued): targetDN: This attribute contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDN attribute contains the DN of the entry before it was modified or moved.
  • Page 359: Trimming The Retro Changelog

    Using the Retro Changelog Plug-in Use the ldapmodify command to import the LDIF file into the directory. For more information on the ldapmodify command, refer to “Managing Entries from the Command-Line,” on page 55, and Red Hat Directory Server Configuration, Command, and File Reference. Restart the server.
  • Page 360: Retro Changelog And The Access Control Policy

    Monitoring Replication Status (&(changeNumber>=X)(changeNumber<=Y)) As a general rule, you should not perform add or modify operations on the retro changelog entries, although you can delete entries to trim the size of the changelog. The only modify operation you should need to perform on the retro changelog is the one that changes its default access control policy.
  • Page 361: Monitoring Replication Status From Administration Express

    Monitoring Replication Status Select the Status tab, and then, in the left navigation tree, select Replication Status. In the right pane, a table appears that contains information about each of the replication agreements configured for this server. Click Refresh to update the contents of the tab. The status information displayed is described in Table 8-3.
  • Page 362 Monitoring Replication Status The template-repl-monitor.pl script, which is explained in detail in the Red Hat Directory Server Configuration, Command, and File Reference, enables you to monitor replication status to a greater extent by providing these functionalities: • Lists for each supplier replica on each Directory Server discovered, server URL or alias, replica ID, replica root, and maximum change sequence number (maxcsn) •...
  • Page 363 Monitoring Replication Status In the “Configuration file” field, type the path to the configuration file you created in Step 1, and click OK. The replication-status page appears; by default, the page gets refreshed every seconds. Each table shows the status of the changes originated from a supplier replica. Table Header —...
  • Page 364: Solving Common Replication Conflicts

    Solving Common Replication Conflicts Solving Common Replication Conflicts Multi-master replication uses a loose consistency replication model. This means that the same entries can be changed on different servers. When replication occurs between the two servers, the conflicting changes need to be resolved. Mostly, resolution occurs automatically, based on the timestamp associated with the change on each server.
  • Page 365: Renaming An Entry With A Multi-Valued Naming Attribute

    Solving Common Replication Conflicts • (created nsuniqueid=66446001-1dd211b2+uid=adamss,dc=example,dc=com at time The second entry needs to be renamed in such a way that it has a unique DN. The renaming procedure depends on whether the naming attribute is single-valued or multi-valued. Each procedure is described below. Renaming an Entry with a Multi-Valued Naming Attribute To rename an entry that has a multi-valued naming attribute: Rename the entry using a new value for the naming attribute, and keep the old...
  • Page 366: Renaming An Entry With A Single-Valued Naming Attribute

    Solving Common Replication Conflicts When you open the entry in the advanced mode, you will be able to see that the naming attribute has been set to nsuniqueid. However, you cannot change or correct the entry by changing the uid and RDN values to something different.
  • Page 367: Solving Orphan Entry Conflicts

    Solving Common Replication Conflicts Rename the entry with the intended attribute-value pair. For example:

        prompt> ldapmodify -D adminDN -w password
        >dn: cn=TempValue,dc=example,dc=com
        >changetype: modrdn
        >newrdn: dc=NewValue
        >deleteoldrdn: 1

    By setting the value of the deleteoldrdn attribute to 1, you delete the temporary attribute-value pair cn=TempValue.
  • Page 368: Solving Potential Interoperability Problems

    Troubleshooting Replication-Related Problems Solving Potential Interoperability Problems For reasons of interoperability with applications that rely on attribute uniqueness, such as a mail server, you might need to restrict access to the entries which contain the nsds5ReplConflict attribute. If you do not restrict access to these entries, then the applications requiring one attribute only will pick up both the original entry and the conflict resolution entry containing the...
  • Page 369: Interpreting Error Messages And Symptoms

    Troubleshooting Replication-Related Problems Interpreting Error Messages and Symptoms This section lists some error messages, explains possible causes, and offers remedies. It is possible to get more debugging information for replication by setting the error log level to 8192, which is replication debugging. For details on error log level, check the Red Hat Directory Server Configuration, Command, and File Reference.
  • Page 370 Troubleshooting Replication-Related Problems Error Message: Warning: data for replica %s was reloaded, and it no longer matches the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers, in which case the consumers should be reinitialized. Reason: This message may appear only when a supplier is restarted.
  • Page 371 Troubleshooting Replication-Related Problems Error Message: Too much time skew Reason: The system clocks on the host machines are extremely out of sync. Impact: The system clock is used to generate a part of the CSN. In order to reflect the change sequence among multiple suppliers, suppliers would forward-adjust their local clocks based on the remote clocks of the other suppliers.
  • Page 372 Troubleshooting Replication-Related Problems With changelog purge turned on, a purge thread that wakes up every five minutes will remove a change if its age is greater than the value of nsslapd-changelogmaxage and if it has been replayed to all the direct consumers of this supplier (supplier or hub).
  • Page 373: Useful Tools

    Troubleshooting Replication-Related Problems Useful Tools The template-cl-dump.pl script, which is explained in detail in the Red Hat Directory Server Configuration, Command, and File Reference, enables you to troubleshoot replication-related problems. Depending on the usage options, the script can selectively dump a particular replica: •...
  • Page 374 Troubleshooting Replication-Related Problems Red Hat Directory Server Administrator’s Guide • May 2005...
  • Page 375: Chapter 9 Extending The Directory Schema

    Chapter 9 Extending the Directory Schema Red Hat Directory Server (Directory Server) comes with a standard schema that includes hundreds of object classes and attributes. While the standard object classes and attributes should meet most of your requirements, you may need to extend your schema by creating new object classes and attributes.
  • Page 376: Managing Attributes

    Managing Attributes Create new attributes. See “Creating Attributes,” on page 377, for information. Create an object class to contain the new attributes, and add the attributes to the object class. See “Creating Object Classes,” on page 381, for information. Managing Attributes Through Directory Server Console, you can view all attributes in your schema, and you can create, edit, and delete your attribute extensions to the schema.
  • Page 377: Creating Attributes

    Managing Attributes Attributes Tab Reference (Continued) Table 9-1 Field or Pane Description The object identifier of the attribute. An OID is a string, usually of dotted decimal numbers, that uniquely identifies an object, such as an object class or an attribute. If you do not specify an OID, the Directory Server automatically uses attribute_name-oid.
  • Page 378: Editing Attributes

    Managing Attributes Click Create. The Create Attribute dialog box is displayed. Enter a unique name for the attribute in the Attribute Name text box. Enter an object identifier for the attribute in the Attribute OID (Optional) text box. OIDs are described in Table 9-1, on page 376. Select a syntax that describes the data to be held by the attribute from the Syntax drop-down menu.
  • Page 379: Deleting Attributes

    Managing Object Classes To change the syntax that describes the data to be held by the attribute, choose a new one from the Syntax drop-down menu. Available syntaxes are described in Table 9-1, on page 376. To make the attribute multi-valued, select the Multi-Valued checkbox. The Directory Server allows more than one instance of a multi-valued attribute per entry.
  • Page 380: Viewing Object Classes

    Managing Object Classes Viewing Object Classes To view information about all object classes that currently exist in your directory schema: In the Directory Server Console, select the Configuration tab. In the navigation tree, select the Schema folder, and then select the Object Classes tab in the right pane.
  • Page 381: Creating Object Classes

    Managing Object Classes Object Classes Tab Reference (Continued) Table 9-2 Field or Pane Description Contains a list of attributes that may be present in entries that use this object class. Allowed Includes inherited attributes. Attributes Creating Object Classes You create an object class by giving it a unique name, selecting a parent object for the new object class, and adding required and optional attributes.
  • Page 382: Editing Object Classes

    Managing Object Classes To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list, and then click the corresponding Remove button. You cannot remove either allowed or required attributes that are inherited from the parent object classes.
  • Page 383: Deleting Object Classes

    Turning Schema Checking On and Off To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list, and then click the corresponding Remove button. You cannot remove either allowed or required inherited attributes. When you are satisfied with the object class definition, click OK to dismiss the dialog box.
  • Page 384 Turning Schema Checking On and Off Highlight the server icon at the top of the navigation tree, then select the Settings tab in the right pane. To enable schema checking, check the “Enable Schema Checking” checkbox; clear it to turn off schema checking. Click Save.
  • Page 385: Chapter 10 Managing Indexes

    Chapter 10 Managing Indexes The Red Hat Directory Server Deployment Guide introduced the concept of indexing, the costs and benefits, and different types of index shipped with Red Hat Directory Server (Directory Server). This chapter begins with a description of the searching algorithm itself, so as to place the indexing mechanism in context, and then describes how to create, delete, and manage indexes.
  • Page 386: About Indexes And Indexing Performance

    About Indexes About Indexes and Indexing Performance Indexes are stored in files in the directory’s databases. Each index is composed of a table of index keys and matching entry ID lists. This entry ID list is used by the directory to build a list of candidate entries that may match a client application’s search request, which speeds up searches.
  • Page 387 About Indexes In the redesigned index, the storage manager has visibility into the fine-grain index structure, which optimizes transaction logging so that only the number of bytes actually changed need to be logged for any given index modification. The BerkeleyDB feature provides ID list semantics, which are implemented by the storage manager.
  • Page 388: Index Types

    About Indexes NOTE While Directory Server can support the old database design, only the new design is installed with the Directory Server. Upon startup, the server will read the database version from the DBVERSION file, which contains the text (old database version) Netscape-ldbm/6.2 (new database format).
  • Page 389 About Indexes • Substring index (sub) — The substring index is a costly index to maintain, but it allows efficient searching against substrings within entries. Substring indexes are limited to a minimum of three characters for each entry. For example, searches of the form: cn=*derson would match the common names containing strings such as: Bill Anderson...
  • Page 390: About Default, System, And Standard Indexes

    About Indexes About Default, System, and Standard Indexes When you install Directory Server, a set of default and system indexes is created per database instance. To maintain these indexes, the directory uses standard indexes. Overview of Default Indexes The default indexes can be modified depending on your indexing needs, although you should ensure that no server plug-ins or other servers in your enterprise depend on this index before you remove it.
  • Page 391: Overview Of System Indexes

    About Indexes Table 10-1 Default Indexes (Continued): uniquemember: Improves Directory Server performance. This index is also used by the Referential Integrity Plug-in. See “Maintaining Referential Integrity,” on page 72, for more information. Overview of System Indexes System indexes are indexes that cannot be deleted or modified. They are required by the directory to function properly.
  • Page 392: Overview Of The Searching Algorithm

    About Indexes • id2children.db4: Restricts the scope of one-level searches, searches that examine an entry’s immediate children. • dn.db4: Controls the scope of subtree searches; searches that examine an entry and all the entries in the subtree beneath it. •...
  • Page 393: Idlistscanlimit

    About Indexes The directory uses the returned entry ID numbers to read the corresponding entries from the id2entry.db3 file. The Directory Server then examines each of the candidate entries to see if any match the search criteria. The directory returns matching entries to the client as each is found. The directory continues until either it has examined all candidate entries or it reaches the limit set in one of the following attributes: which specifies the maximum number of entries to...
  • Page 394: Phonetic Searches

    About Indexes nsslapd-idlistscanlimit configuration attribute. The default value is 4000, which is designed to give good performance for a common range of database sizes and access patterns. Typically, it is not necessary to change this value. However, in rare circumstances it may be possible to improve search performance with a different value.
  • Page 395: Balancing The Benefits Of Indexing

    About Indexes Table (Continued): columns are Name in the Directory (Phonetic Code), Query String (Phonetic code), Match Comments.
    Query string: Bertha Sarette (BR0 SRT). No match. The code BR0 does not exist in the original name.
    Query string: Sarette, Alice (SRT ALS). No match. The codes are not specified in the correct order.
  • Page 396 About Indexes

        dn: cn=John Doe, ou=People,dc=example,dc=com
        objectclass: top
        objectClass: person
        objectClass: orgperson
        objectClass: inetorgperson
        cn: John Doe
        cn: John
        sn: Doe
        ou: Manufacturing
        ou: people
        telephonenumber: 408 555 8834
        description: Manufacturing lead for the Z238 line of widgets.

    Further suppose that the Directory Server is maintaining the following indexes: •...
  • Page 397: Creating Indexes

    Creating Indexes Creating Indexes This section describes how to create presence, equality, approximate, substring, and international indexes for specific attributes using the Directory Server Console and the command-line. NOTE Given that this version of Directory Server can operate in either a single or multi-database environment, you need to remember to create your new indexes in every database instance since newly created indexes are not automatically created in the other...
  • Page 398: Creating Indexes From The Command-Line

    Creating Indexes Expand the Data node, expand the suffix of the database you want to index, and select the database. Select the Indexes tab in the right pane. NOTE Do not click on the Database Settings node because this will take you to the Default Index Settings window and not the window for configuring indexes per database.
  • Page 399: Adding An Index Entry

    Creating Indexes Creating indexes from the command-line involves two steps: • Using the ldapmodify command-line utility to add a new index entry or edit an existing index entry. • Running the db2index.pl Perl script to generate the new set of indexes to be maintained by the server.
  • Page 400 Creating Indexes First, type the following to change to the directory containing the ldapmodify utility:

        cd serverRoot/shared/bin

    Run the ldapmodify command-line utility as follows:

        ldapmodify -a -h server -p 389 -D "cn=directory manager" -w password

    The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file.
  • Page 401: Running The Db2Index.pl Script

    Creating Indexes You can use the none keyword in the nsIndexType attribute to specify that no indexes are to be maintained for the attribute. For example, suppose you want to temporarily disable the indexes you just created on the Example1 database. You change the entry as follows:...
  • Page 402: Creating Vlv Indexes From The Server Console

    Creating Indexes This example generates an index using the db2index.pl UNIX shell script:

        db2index.pl -D "cn=Directory Manager" -w password -n ExampleServer -t sn

    The following table describes the db2index.pl options used in the examples: Option Description -D Specifies the DN of the administrative user. -w Specifies the password of the administrative user.
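    The note on page 397 is the part of this procedure that gets skipped in practice: an index entry lives under one database instance, so a server with several backends needs the same entry added to each. The functions below are an added example, not the Guide's own tooling; they generate the ldapmodify input for a new index entry on every named backend, and the matching modify that sets nsIndexType to none (page 401) to stop maintaining an index without deleting its entry. The backend names and the choice of attribute are assumptions for the example; the entry layout matches the one shown on page 410.

```shell
#!/bin/sh
# Added example, not from the Guide: build ldapmodify input for index entries
# on every database instance, since new indexes are not created automatically
# in other instances (page 397).
#
# index_ldif ATTR "BACKEND1 BACKEND2 ..." TYPE [TYPE ...]
#   TYPE is one of pres eq sub approx. Pipe the output to
#   ldapmodify -a -h server -p 389 -D "cn=directory manager" -w password
#   and then run, for each backend,
#   db2index.pl -D "cn=Directory Manager" -w password -n BACKEND -t ATTR
# index_disable_ldif ATTR "BACKEND1 BACKEND2 ..."
#   replaces the entry's nsIndexType with none (page 401); pipe to ldapmodify
#   without -a, then run db2index.pl as above.

index_ldif() {
    attr=$1; backends=$2; shift 2
    [ $# -ge 1 ] || { echo "index_ldif: no index type given" >&2; return 1; }
    for t in "$@"; do
        case "$t" in
            pres|eq|sub|approx) ;;
            none) echo "index_ldif: use index_disable_ldif to set nsIndexType: none" >&2; return 1 ;;
            *) echo "index_ldif: unknown index type '$t'" >&2; return 1 ;;
        esac
    done
    # One add record per backend; the DN pattern is the one the Guide shows.
    for be in $backends; do
        printf 'dn: cn=%s,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config\n' "$attr" "$be"
        printf 'changetype: add\n'
        printf 'objectClass: top\n'
        printf 'objectClass: nsIndex\n'
        printf 'cn: %s\n' "$attr"
        printf 'nsSystemIndex: false\n'
        for t in "$@"; do printf 'nsIndexType: %s\n' "$t"; done
        printf '\n'
    done
}

index_disable_ldif() {
    attr=$1; backends=$2
    for be in $backends; do
        printf 'dn: cn=%s,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config\n' "$attr" "$be"
        printf 'changetype: modify\n'
        printf 'replace: nsIndexType\n'
        printf 'nsIndexType: none\n'
        printf '\n'
    done
}
```

    Generating the LDIF separately from applying it also gives you a file to review and keep with the change record, which matters because index entries under cn=config are written with Directory Manager credentials.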
  • Page 403: Creating Vlv Indexes From The Command-Line

    Creating Indexes Hit the “Add Attribute” button, and add the nsviewfilter attribute. Create a filter that reflects the views you will create. For example: (l=Sunnyvale) Hit okay to close the attributes box, and hit okay again to save the new VLV index.
  • Page 404: Adding A Browsing Index Entry

    Creating Indexes • Ensuring that access control on VLV index information is set appropriately. The following sections describe the steps involved in creating browsing indexes. Adding a Browsing Index Entry The type of browsing index entry you want to create depends on the type of attribute sorting you want to accelerate.
  • Page 405 Creating Indexes

        ldapmodify -a -h server -p 389 -D "cn=directory manager" -w password

    The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file. Next, you need to add two browsing index entries which define your browsing index.
  • Page 406: Running The Vlvindex Script

    Creating Indexes contains the browsing index sort identifier. The above is the type created by the Console by default, which has the sorting order as being set “by” the browsing index base. The entry is a member of the vlvIndex object class. The vlvsort attribute value specifies the order in which you want your attributes...
  • Page 407: Setting Access Control For Vlv Information

    Deleting Indexes Option Description Browsing index identifier to use to create browsing indexes. For more information about the vlvindex script, see the Red Hat Directory Server Configuration, Command, and File Reference. Setting Access Control for VLV Information The default access control for the VLV index information is to allow anyone who has authenticated.
  • Page 408: Deleting Indexes From The Server Console

    Deleting Indexes NOTE Because this version of Directory Server can operate in either a single or multi-database environment, you have to delete any unwanted indexes from every database instance. Any default indexes you delete will not be deleted from previous sets of indexes on existing database instances.
  • Page 409: Deleting Indexes From The Command-Line

    Deleting Indexes Locate the attribute containing the index you want to delete. Clear the checkbox under the index. If you want to delete all indexes maintained for a particular attribute, select the attribute’s cell under Attribute Name, and click Delete Attribute. Click Save.
  • Page 410 Deleting Indexes For example, you want to delete presence, equality, and substring indexes for the sn attribute on the database named Example1. You want to delete the following entry:

        dn: cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config
        objectClass: top
        objectClass: nsIndex
        cn: sn
        nsSystemIndex: false
        nsIndexType: pres
        nsIndexType: eq
        nsIndexType: sub
        nsMatchingRule: 2.16.840.1.113730.3.3.2.3.1

    To run the ldapdelete command-line utility, type the following to change to the directory containing the utility:...
  • Page 411: Running The Db2Index.pl Script

    Deleting Indexes Running the db2index.pl Script Once you have deleted an indexing entry or deleted some of the index types from an indexing entry, run the db2index.pl script to generate the new set of indexes to be maintained by the Directory Server. Once you run the script, the new set of indexes is active for any new data you add to your directory and any existing data in your directory.
  • Page 412: Deleting Browsing And Vlv Indexes From The Command-Line

    Deleting Indexes In the Directory Server Console, select the Directory tab. Select the virtual list that you want to delete, such as ou=Sunnyvale,ou=LocationViews,dc=example,dc=com (to delete all the virtual lists, you can delete the entire subsuffix, ou=LocationViews,dc=example,dc=com). Right-click on the entry, and select Delete from the drop-down menu. You can also select the entry, and select Object>Delete from the tool menu at the top.
  • Page 413: Deleting A Browsing Index Entry

    Deleting Indexes Deleting a Browsing Index Entry Use the ldapdelete command-line utility to either delete browsing indexing entries or edit existing browsing index entries. To delete browsing indexes for a particular database, you remove your browsing index entries from the cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config entry, where database_name corresponds to...
  • Page 414: Running The Vlvindex Script

    Deleting Indexes The vlvIndex entry is a child of the vlvSearch entry, so it has to be deleted first; ldapdelete processes the DNs in the order given:

        ldapdelete -D "cn=Directory Manager" -w password -h ExampleServer -p 845 \
            "cn=by MCC ou=People dc=example dc=com,cn=MCC ou=People dc=example dc=com, cn=userRoot, cn=ldbm database, cn=plugins, cn=config" \
            "cn=MCC ou=People dc=example dc=com, cn=userRoot, cn=ldbm database, cn=plugins, cn=config"

    The following table describes the ldapdelete options used in the example: Option...
  • Page 415: Attribute Name Quick Reference Table

    Attribute Name Quick Reference Table From the command-line, change to the following directory:

        serverRoot/slapd-serverID

    Stop the server:

        ./stop-slapd

    Run the vlvindex script. For more information about using the vlvindex script, refer to Red Hat Directory Server Configuration, Command, and File Reference. Restart the server:

        ./start-slapd

    This example recreates the indexes using the...
  • Page 416 Attribute Name Quick Reference Table (Continued) Table 10-3: countryName, localityName, stateOrProvinceName, street, streetAddress, organization, organizationalUnitName, facsimileTelephoneNumber, userId, mail, rfc822mailbox, mobile, mobileTelephoneNumber, pager, pagerTelephoneNumber, friendlyCountryName, labeledUri, timeToLive, domainComponent, authorCn, documentAuthorCommonName, authorSn, documentAuthorSurname, drink, favoriteDrink
  • Page 417: Chapter 11 Managing Ssl And Sasl

    Chapter 11 Managing SSL and SASL To provide secure communications over the network, Red Hat Directory Server (Directory Server) includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of Secure Sockets Layer (SSL). Directory Server also allows “spontaneous”...
  • Page 418: Introduction To Ssl In The Directory Server

    Introduction to SSL in the Directory Server Introduction to SSL in the Directory Server The Directory Server supports SSL/TLS to secure communications between LDAP clients and the Directory Server, between Directory Servers that are bound by a replication agreement, or between a database link and a remote database. You can use SSL/TLS with simple authentication (bind DN and password) or with certificate-based authentication.
  • Page 419: Command-Line Functions For Start Tls

    Command-Line Functions for Start TLS Configure the Administration Server to connect to an SSL-enabled Directory Server. For information, see Managing Servers with Red Hat Console. Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with SSL. For information, see “Configuring LDAP Clients to Use SSL,”...
  • Page 420: Obtaining And Installing Server Certificates

    Obtaining and Installing Server Certificates • If there is no certificate database, the operation fails. See “Obtaining and Installing Server Certificates,” on page 420, for information on using certificates. • If the server does not support Start TLS, the connection proceeds in cleartext. To enforce the use of Start TLS, use the command option.
  • Page 421: Step 1: Generate A Certificate Request

    Obtaining and Installing Server Certificates • Step 5: Confirm That Your New Certificates Are Installed You will use the Certificate Request Wizard to generate a certificate request (Step 1) and send it to a Certificate Authority (Step 2). You then use the Certificate Install Wizard to install the certificate (Step 3) and to trust the Certificate Authority’s certificate (Step 4).
  • Page 422: Step 2: Send The Certificate Request

    Obtaining and Installing Server Certificates Enter the password that will be used to protect the private key, and click Next. The Next field is grayed out until you supply a password. When you click Next, the Request Submission dialog box is displayed. Select Copy to Clipboard or Save to File to save the certificate request information that you must send to the Certificate Authority.
  • Page 423: Step 3: Install The Certificate

    Obtaining and Installing Server Certificates Once you receive your certificate, you are ready to install it in your server’s certificate database. Step 3: Install the Certificate To install a server certificate: In the Directory Server Console, select the Tasks tab, and click Manage Certificates.
  • Page 424: Step 4: Trust The Certificate Authority

    Obtaining and Installing Server Certificates Step 4: Trust the Certificate Authority Configuring your Directory Server to trust the certificate authority consists of obtaining your CA’s certificate and installing it into your server’s certificate database. This process differs depending on the certificate authority you use. Some commercial CAs provide a web site that allows you to automatically download the certificate.
  • Page 425: Step 5: Confirm That Your New Certificates Are Installed

    Using certutil Step 5: Confirm That Your New Certificates Are Installed In the Directory Server Console, select the Tasks tab, and click Manage Certificates. The Manage Certificates window is displayed. Select the Server Certs tab. A list of all the installed certificates for the server is displayed. Scroll through the list.
  • Page 426 Using certutil Create a password file for the security token password: vi /tmp/pwdfile, with the contents secretpw. This password locks the server's private key in the key database and is used when the keys and certificates are first created. The password in this file is also the default password to encrypt PK12 files used by .
  • Page 427 Using certutil validation may fail if the clients cannot properly resolve the FQDN, and some clients refuse to connect if a server certificate does not have its FQDN in the subject. Additionally, using the format hostname.domain is essential for Directory Server clients to protect themselves from man-in-the-middle attacks. To provide a subjectAltName, as well as the nickname, use the argument in addition to the...
  • Page 428: Starting The Server With Ssl Enabled

    Starting the Server with SSL Enabled to export other server certificates and keys created with certutil so that they can be used on a remote server. pk12util -d . -o ldap1.p12 -n Server-Cert1 -w /tmp/pwdfile -k /tmp/pwdfile -P slapd-instance_name The -w argument is the password used to encrypt the file for transport.
  • Page 429: Enabling Ssl Only In The Directory Server

    Starting the Server with SSL Enabled Enabling SSL Only in the Directory Server: Obtain and install CA and server certificates. Set the secure port you want the server to use for SSL communications. The encrypted port number that you specify must not be the same port number you use for normal LDAP communications.
  • Page 430: Enabling Ssl In The Directory Server, Admin Server, And Console

    Starting the Server with SSL Enabled NOTE If you are using certificate-based authentication with replication, then you must configure the consumer server either to allow or to require client authentication. You can further configure the server to verify the authenticity of requests by selecting the “Check hostname against name in certificate for outbound SSL connections”...
  • Page 431 Starting the Server with SSL Enabled If you have not installed the servers as root, it is necessary to change the secure port setting from the default to a number above 1024. Change the secure port number in the Configuration>Settings tab of the Directory Server Console.
  • Page 432 Starting the Server with SSL Enabled By default, this feature is disabled. If it’s enabled and if the hostname does not match the attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server’s log files if it finds that the peer server’s hostname doesn’t match the name specified in its certificate: [DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81...
  • Page 433: Creating A Password File

    Setting Security Preferences When you restart the Console, be certain that the address reads https; otherwise, the operation will time out, unable to find the Admin Server since it is running on a secure connection. When you successfully connect, a dialog box will appear, asking you to accept the certificate.
  • Page 434 Setting Security Preferences When a client initiates an SSL connection with a server, the client tells the server what ciphers it prefers to use to encrypt information. In any two-way encryption process, both parties must use the same ciphers. There are a number of ciphers available.
  • Page 435: Using Certificate-Based Authentication

    Using Certificate-Based Authentication CAUTION Avoid selecting the none,MD5 cipher because the server will use this option if no other ciphers are available on the client. It is not secure because encryption doesn’t occur. In order to continue using the Red Hat Console with SSL, you must select at least one of the following ciphers: •...
  • Page 436: Setting Up Certificate-Based Authentication

    Using Certificate-Based Authentication NOTE When specifying the key and certificate database filenames, you may use absolute or relative paths. If using relative paths, ensure that they are relative to the server root (for example, alias/slapd-phonebook-cert8.db and alias/slapd-phonebook-key3.db). The name of the certificate database has been changed from .
  • Page 437: Allowing/Requiring Client Authentication

    Configuring LDAP Clients to Use SSL Map the certificate’s distinguished name to a distinguished name known by your directory. This allows you to set access control for the client when it binds using this certificate. This mapping process is described in Managing Servers with Red Hat Console.
  • Page 438 Configuring LDAP Clients to Use SSL These operations are sufficient if you want to ensure that LDAP clients recognize the server’s certificate. However, if you also want LDAP clients to use their own certificate to authenticate to the directory, make sure that all your directory users obtain and install a personal certificate.
  • Page 439: Introduction To Sasl

    Introduction to SASL NOTE Do not map your certificate-based-authentication certificate to a distinguished name under cn=monitor. If you map your certificate to a DN under cn=monitor, your bind will fail. Map your certificate to a target located elsewhere in the directory information tree. Make sure that the parameter is set to in the...
  • Page 440: Authentication Mechanisms

    Introduction to SASL SASL is a framework, meaning it sets up a system that allows different mechanisms to authenticate a user to the server, depending on what mechanism is enabled in both client and server applications. SASL can also set up a security layer for an encrypted session.
  • Page 441: Sasl Identity Mapping

    Introduction to SASL SASL Identity Mapping When processing a SASL bind request, the server matches, or maps, the SASL user ID used to authenticate to the Directory Server with an LDAP entry stored within the server. If the user ID clearly corresponds to the LDAP entry for a person, it is possible to configure the Directory Server to map the authentication DN automatically to the entry DN.
  • Page 442: Legacy Identity Mapping

    Introduction to SASL
    dn: cn=mymap,cn=mapping,cn=sasl,cn=config
    objectclass: top
    objectclass: nsSaslMapping
    cn: mymap
    nsSaslMapRegexString: (.*)@(.*)\.(.*)
    nsSaslFilterTemplate: (objectclass=inetOrgPerson)
    nsSaslBaseDNTemplate: uid=\1,ou=people,dc=\2,dc=\3
    A bind attempt with mconnors@example.com as the regular expression would “fill in” the base DN template with uid=mconnors,ou=people,dc=example,dc=com as the authentication ID, and authentication would proceed from there. You could also write a broader mapping scheme, such as the following: objectclass: top objectclass: nsSaslMapping...
  • Page 443: Configuring Sasl Identity Mapping From The Command-Line

    Introduction to SASL Open the “Configuration” tab. Select the “SASL Mapping” tab. Select the “Add” button, and fill in the required values. Before you can modify a SASL identity, you must have saved that identity. Then you can click on the “Modify” button, and a text box appears with the current values.
  • Page 444: Realms

    Introduction to SASL Realms A realm is a set of users and the authentication methods for those users to access the realm. A realm resembles a fully-qualified domain name and can be distributed across either a single server or a single domain across multiple machines.
  • Page 445: Example

    Introduction to SASL In order to respond to Kerberos operations, the Directory Server requires access to its own cryptographic key which is read by the Kerberos libraries that the server calls via GSSAPI. The details of how it is found are implementation-dependent. However, in current releases of the supported Kerberos implementations, the mechanism is the same: the key is read from a file called a keytab file.
  • Page 446 Introduction to SASL Code Example 11-1 Configuring an Example KDC Server
    [libdefaults]
    ticket_lifetime = 24000
    default_realm = COMPANY.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ccache_type = 1
    forwardable = true
    proxiable = true
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc
    [realms]
    COMPANY.EXAMPLE.COM = {...
  • Page 447: Chapter 12 Monitoring Server And Database Activity

    Chapter 12 Monitoring Server and Database Activity This chapter describes monitoring database and Red Hat Directory Server (Directory Server) logs. This chapter contains the following sections: • Viewing and Configuring Log Files (page 447) • Manual Log File Rotation (page 455) •...
  • Page 448: Defining A Log File Rotation Policy

    Viewing and Configuring Log Files NOTE When the server is not running, you cannot read the logs using the Directory Server Console. However, you can read them using the Administration Server Console: From your browser, access: http://hostname:admin_server_port At the login prompt, use the admin login ID and password. Click the link for Red Hat Administration Express.
  • Page 449: Defining A Log File Deletion Policy

    For example, the first couple of lines of any log files generated by a Directory Server instance may show lines similar to these: Red Hat-Directory/7.1 B2003.188.1157 myhost.example.com:389 (/opt/redhat-ds/servers/slapd-ds71) Defining a Log File Deletion Policy If you want the directory to automatically delete old archived logs, you can define a log file deletion policy from the Directory Server Console.
  • Page 450: Access Log

    Viewing and Configuring Log Files • The maximum age of log files. When a log file reaches this maximum age, it is automatically deleted. The default is month. This parameter is ignored if the number of log files is set to . Access Log The access log contains detailed information about client connections to the directory.
  • Page 451: Error Log

    Viewing and Configuring Log Files You can also disable access logging for the directory. You may do this because the access log can grow very quickly; every 2,000 accesses to your directory will increase your access log by approximately 1 MB. However, before you turn off access logging, consider that the access log provides beneficial troubleshooting information.
  • Page 452: Viewing The Error Log

    Viewing and Configuring Log Files Viewing the Error Log To view the error log: In the Directory Server Console, select the Status tab; then, in the navigation tree, expand the Logs folder, and select the Error Log icon. A table displays a list of the last 25 entries in the error log. To refresh the current display, click Refresh.
  • Page 453: Audit Log

    Viewing and Configuring Log Files Set the maximum number of logs, log size, and periodicity of archiving. For information on these parameters, see “Defining a Log File Rotation Policy,” on page 448. Set the maximum size of combined archived logs, minimum amount of free disk space, and maximum age for a log file.
  • Page 454: Configuring The Audit Log

    Viewing and Configuring Log Files NOTE Continuous log refresh does not work well with log files over 10Mbytes. To view an archived audit log, select it from the Select Log pull-down menu. To display a different number of messages, enter the number you want to view in the “Lines to show”...
  • Page 455: Manual Log File Rotation

    Manual Log File Rotation Manual Log File Rotation The Directory Server supports automatic log file rotation for all three logs. However, you can manually rotate log files if you have not set automatic log file creation or deletion policies. By default, access, error, and audit log files can be found in the following location: serverRoot/slapd-serverID/logs/ To manually rotate log files:...
  • Page 456: Overview Of Server Performance Monitor Information

    Monitoring Server Activity In the Directory Server Console, select the Status tab. In the navigation tree, select Performance Counters. The Status tab in the right pane displays current information about server activity. If the server is currently not running, this tab will not provide performance monitoring information.
  • Page 457: Resource Summary

    Monitoring Server Activity Database generation number. Obsolete. A unique identifier that is created only when you create your directory database without a machine data entry in the LDIF file. Current changelog number. This is the number corresponding to the last change made to your directory.
  • Page 458: Connection Status

    Monitoring Server Activity Table 12-2 Server Performance Monitoring - Current Resource Usage Resource Current total Active Threads Current number of active threads used for handling requests. Additional threads may be created by internal server tasks, such as replication or chaining. Open Connections Total number of open connections.
  • Page 459: Global Database Cache Information

    Monitoring Server Activity Server Performance Monitoring - Connection Status (Continued) Table 12-3 Table Header Description Read/Write Indicates whether the server is currently blocked for read or write access to the client. Possible values include: • Not blocked. Indicates that the server is idle, actively sending data to the client, or actively reading data from the client.
  • Page 460: Monitoring Your Server From The Command-Line

    Monitoring Server Activity Monitoring Your Server from the Command-Line You can monitor your Directory Server’s current activities from any LDAP client by performing a search operation with the following characteristics: • Search for attribute objectClass=* • Search base: cn=monitor • Search scope: base For example:...
  • Page 461: Monitoring Database Activity

    Monitoring Database Activity • currentconnections: Identifies the number of connections currently in service by the directory. • totalconnections: Identifies the number of connections handled by the directory since it started. • dtablesize: Shows the number of file descriptors available to the directory. Each connection requires one file descriptor: one for every open index, one for log file management, and one for...
  • Page 462: Monitoring Database Activity From The Server Console

    Monitoring Database Activity Monitoring Database Activity from the Server Console This section describes how you can use Directory Server Console to view the database performance monitors and what sort of information the performance monitors provide. Viewing Database Performance Monitors To monitor your database’s activities: In the Directory Server Console, select the Status tab.
  • Page 463: Summary Information Table

    Monitoring Database Activity • Configuration DN — Identifies the distinguished name that you must use as a search base to obtain these results using the ldapsearch command-line utility. Summary Information Table The Summary Information table provides the following information: Table 12-5 Database Performance Monitoring - Summary Information Performance Metric Current Total...
  • Page 464: Database Cache Information Table

    Monitoring Database Activity Database Cache Information Table The Database Cache Information table provides caching information listed in Table 12-6. Table 12-6 Database Performance Monitoring - Database Cache Information Performance Metric Current Total Hits Indicates the number of times the database cache successfully supplied a requested page.
  • Page 465: Monitoring Databases From The Command-Line

    Monitoring Database Activity Table 12-7 Database Performance Monitoring - Database File-Specific Performance Metric Current Total Cache hits Number of times that a search result resulted in a cache hit on this specific file. That is, a client performs a search that requires data from this file, and the directory obtains the required data from the cache.
  • Page 466 Monitoring Database Activity • entrycachetries: Provides the same information as described in Entry cache tries in Table 12-5, on page 463. • entrycachehitratio: Provides the same information as described in Entry cache hit ratio in Table 12-5, on page 463. •...
  • Page 467: Monitoring Database Link Activity

    Monitoring Database Link Activity • dbfilepageout: Provides the same information as described in Pages written out in Table 12-7, on page 465. Monitoring Database Link Activity You can monitor the activity of your database links from the command-line using the monitoring attributes.
  • Page 468 Monitoring Database Link Activity Database Link Monitoring Attributes (Continued) Table 12-8 Attribute Name / Description: nsBindCount: Number of bind requests received. nsUnbindCount: Number of unbinds received. nsCompareCount: Number of compare operations received. nsOperationConnectionCount: Number of open connections for normal operations. nsBindConnectionCount: Number of open connections for bind operations. For more information about , see the Red Hat Directory Server...
  • Page 469: Chapter 13 Monitoring Directory Server Using Snmp

    Chapter 13 Monitoring Directory Server Using SNMP The server and database activity monitoring log setup described in chapter 12, “Monitoring Server and Database Activity,” is specific to Red Hat Directory Server (Directory Server). You can also monitor your Directory Server using the Simple Network Management Protocol (SNMP), a management protocol for monitoring network activity that can be used to monitor a wide range of devices in real time.
  • Page 470: About Snmp

    About SNMP About SNMP SNMP is a protocol used to exchange data about network activity. With SNMP, data travels between a managed device and a network management application (NMS) where users remotely manage the network. A managed device is anything that runs SNMP, such as hosts, routers, and your Directory Server.
  • Page 471: Configuring The Subagent

    Configuring the Subagent The SNMP subagent included with Directory Server uses the AgentX protocol to communicate with the SNMP master agent running on your system. You must make sure that you enable AgentX support on your master agent. This is typically done by adding a line containing master agentx in the master agent's...
  • Page 472: Server

    If you want to enable extra debug logging, you can specify the -D option during startup: ./ldapagent -D /opt/redhat-ds/ldap-agent.conf To stop your subagent, you must use the kill command against its process ID. Your subagent will print its process ID in its logfile, or you can run ps -ef | to find the process ID.
  • Page 473: Configuring The Directory Server For Snmp

    Click Save. Using the Management Information Base The Directory Server’s MIB is a file called redhat-directory.mib stored in the serverRoot/plugins/snmp directory. This MIB contains definitions for variables (managed objects) pertaining to network management for the directory. Using the directory MIB and Net-SNMP, you can monitor your directory like all other managed devices on your network.
  • Page 474: Operations Table

    Operations Table The Operations Table provides statistical information about Directory Server access, operations, and errors. Table 13-1 describes the managed objects stored in the Operations Table of the redhat-directory.mib file. Table 13-1 Operations - Managed Objects and Descriptions Managed Object Description The number of anonymous binds to the directory since server startup.
  • Page 475: Entries Table

    Entries Table The Entries Table provides information about the contents of the directory entries. Table 13-2 describes the managed objects stored in the Entries Table in the redhat-directory.mib file. Table 13-2 Entries - Managed Objects and Descriptions Managed Object Description...
  • Page 476: Interaction Table

    Provides useful information about how the interaction with peer Directory Servers affects the performance of this Directory Server. Table 13-3 describes the managed objects stored in the Interaction Table of the redhat-directory.mib file. Table 13-3 Interaction - Managed Objects and Descriptions Managed Object...
  • Page 477 Using the Management Information Base Interaction - Managed Objects and Descriptions (Continued) Table 13-3 Managed Object / Description: dsTimeOfCreation: The value of sysUpTime when this row was created. If the entry was created before the network management subsystem was initialized, this object will contain a value of zero. dsTimeOfLastAttempt: The value of sysUpTime when the last attempt was made to contact this Directory Server.
  • Page 479: Chapter 14 Tuning Directory Server Performance

    Chapter 14 Tuning Directory Server Performance This chapter describes the tools provided with Red Hat Directory Server (Directory Server) to help optimize performance. It also provides tips to improve the performance of your directory. This chapter contains the following sections: •...
  • Page 480: Tuning Database Performance

    Tuning Database Performance In the Directory Server Console, select the Configuration tab, and then select the topmost entry in the navigation tree in the left pane. The tabs that are displayed in the right pane control server-wide configuration attributes. Select the Performance tab in the right pane. The current server performance settings appear.
  • Page 481: Optimizing Search Performance

    Tuning Database Performance • Specifying Transaction Batching Optimizing Search Performance You can improve server performance on searches by tuning database settings. The database attributes that affect performance mainly define the amount of memory available to the server. To improve the cache hit ratio on search operations, you can increase the amount of data that the Directory Server maintains in the database cache.
  • Page 482 Tuning Database Performance The amount of memory you want to make available for cached entries (memory available for cache attribute). To configure the default database attributes that apply to all other database instances: In the Directory Server Console, select the Configuration tab; then, in the navigation tree, expand the Data Icon, and highlight the Database Settings node.
  • Page 483: Tuning Transaction Logging

    Tuning Database Performance Enter the amount of memory you want to make available for cached entries in the Memory Available for Cache field. If you are creating a very large database from LDIF, set this attribute as large as possible, depending on the memory available on your machine. The larger this parameter, the faster your database will be created.
  • Page 484: Changing The Location Of The Database Transaction Log

    Tuning Database Performance Changing the Location of the Database Transaction Log By default, the database transaction log file is stored in the serverRoot/slapd-serverID/db directory along with the database files themselves. Because the purpose of the transaction log is to aid in the recovery of a directory database that was shut down abnormally, it is a good idea to store the database transaction log on a different disk from the one containing the directory database.
  • Page 485: Disabling Durable Transactions

    Tuning Database Performance directory databases after a disorderly shutdown and require more disk space due to large database transaction log files. Therefore, you should only modify this attribute if you are familiar with database optimization and can fully assess the effect of the change.
  • Page 486: Specifying Transaction Batching

    Miscellaneous Tuning Tips Specifying Transaction Batching To improve update performance when full transaction durability is not required, you can use the nsslapd-db-transaction-batch-val attribute to specify how many transactions will be batched before being committed to the transaction log. Setting this attribute to a value of greater than causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value.
  • Page 487: Part 2 Plug-Ins Reference

    Part 2 Plug-ins Reference Chapter 15, “Administering Directory Server Plug-ins” Chapter 16, “Using the Pass-through Authentication Plug-in” Chapter 17, “Using the Attribute Uniqueness Plug-in” Chapter 18, “Windows Sync”...
  • Page 489: Chapter 15 Administering Directory Server Plug-Ins

    Chapter 15 Administering Directory Server Plug-ins Red Hat Directory Server (Directory Server) plug-ins extend the functionality of the server. Directory Server ships with several plug-ins to help you manage your directory. This chapter contains general information on the types of plug-ins available and how to enable or disable them.
  • Page 490: Acl Plug-In

    Server Plug-in Functionality Reference Details of 7-Bit Check Plug-in (Continued) Table 15-1 Description: Checks certain attributes are 7-bit clean; Configurable Options: on | off; Default Setting: ; Configurable Arguments: List of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur; Dependencies: None; Performance...
  • Page 491: Acl Preoperation Plug-In

    Server Plug-in Functionality Reference ACL Preoperation Plug-in Table 15-3 Details of Preoperation Plug-in: Plug-in Name: ACL Preoperation; DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config; Description: ACL access check plug-in; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: database; Performance Related Information: None; ...
  • Page 492: Boolean Syntax Plug-In

    Server Plug-in Functionality Reference Details of Binary Syntax Plug-in (Continued) Table 15-4 Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times; Further Information: . Boolean Syntax Plug-in Table 15-5 Details of Boolean Syntax Plug-in: Plug-in Name: Boolean Syntax; DN of...
  • Page 493: Case Ignore String Syntax Plug-In

    Server Plug-in Functionality Reference Details of Case Exact String Syntax Plug-in (Continued) Table 15-6 Description: Syntax for handling case-sensitive strings; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
  • Page 494: Chaining Database Plug-In

    Server Plug-in Functionality Reference Chaining Database Plug-in Table 15-8 Details of Cloning Database Plug-in: Plug-in Name: Chaining Database; DN of Configuration Entry: cn=Chaining database,cn=plugins,cn=config; Description: Syntax for handling DNs; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 495: Country String Syntax Plug-In

    Server Plug-in Functionality Reference Details of Class of Service Plug-in (Continued) Table 15-9 Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times; Further Information: Chapter 5, “Advanced Entry Management.” Country String Syntax Plug-in Table 15-10 Details of Country String Plug-in: Plug-in Name:...
  • Page 496: Generalized Time Syntax Plug-In

    Server Plug-in Functionality Reference Table 15-11 Details of Distinguished Name Syntax Plug-in (Continued) Description: Syntax for handling DNs; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; Dependencies: None; Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
  • Page 497: Integer Syntax Plug-In

    Server Plug-in Functionality Reference Table 15-12 Details of Generalized Time Syntax Plug-in (Continued) Further Information: The Generalized Time String consists of the following: • four digit year • two digit month (for example, 01 for January) • two digit day, two digit hour •...
  • Page 498: Internationalization Plug-In

    Server Plug-in Functionality Reference Internationalization Plug-in Table 15-14 Details of Internationalization Plug-in: Plug-in Name: Internationalization Plug-in; DN of Configuration Entry: cn=Internationalization Plugin,cn=plugins,cn=config; Description: Syntax for handling international characters (in DNs); Configurable Options: on | off; Default Setting: ; Configurable Arguments: The Internationalization Plug-in has one argument which must not be modified: serverRoot/slapd-serverID/config/slapd-collations.conf...
  • Page 499: Legacy Replication Plug-In

    Server Plug-in Functionality Reference Table 15-15 Details of ldbm Database Plug-in (Continued) Configurable Arguments: None; Dependencies: None; Performance Related Information: See Red Hat Directory Server Configuration, Command, and File Reference for further information on ldbm database plug-in attributes; Further Information: Chapter 3, “Configuring Directory Databases.” Legacy Replication Plug-in Table 15-16 Details of Legacy Replication Plug-in...
  • Page 500: Multi-Master Replication Plug-In

    Server Plug-in Functionality Reference Multi-Master Replication Plug-in Table 15-17 Details of Multi-Master Replication Plug-in: Plug-in Name: Multi-master Replication Plug-in; DN of Configuration Entry: cn=Multimaster Replication plugin,cn=plugins,cn=config; Description: Enables replication between two Directory Servers; Configurable Options: on | off; Default Setting: ; Configurable Arguments: None; ...
  • Page 501: Clear Password Storage Plug-In

    Server Plug-in Functionality Reference Table 15-18 Details of Octet String Syntax Plug-in (Continued) Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times; Further Information: . CLEAR Password Storage Plug-in Table 15-19 Details of CLEAR Password Storage Plug-in: Plug-in Name: CLEAR; DN of...
  • Page 502: Ns-Mta-Md5 Password Storage Plug-In

    Server Plug-in Functionality Reference. Table 15-20 Details of CRYPT Password Storage Plug-in (Continued): Description: CRYPT password storage scheme used for password encryption. Configurable Options: on | off. Default Setting: (not captured). Configurable Arguments: None. Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
  • Page 503: Sha Password Storage Plug-In

    Server Plug-in Functionality Reference. Table 15-21 Details of NS-MTA-MD5 Password Storage Plug-in (Continued): Further Information: You cannot choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is present in Red Hat Directory Server but only for reasons of backward compatibility with earlier versions of Directory Server.
  • Page 504: Postal Address String Syntax Plug-In

    Server Plug-in Functionality Reference. Table 15-23 Details of SSHA Password Storage Plug-in (Continued): DN of Configuration Entry: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config. Description: SSHA password storage scheme for password encryption. Configurable Options: on | off. Default Setting: (not captured). Configurable Arguments: None. Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 505: Pta Plug-In

    Server Plug-in Functionality Reference. Table 15-24 Details of Postal Address String Syntax Plug-in (Continued): Further Information: (blank). PTA Plug-in. Table 15-25 Details of PTA Plug-in: Plug-in Name: Pass-Through Authentication Plug-in. DN of Configuration Entry: cn=Pass Through Authentication,cn=plugins,cn=config. Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.
  • Page 506: Retro Changelog Plug-In

    2. Log file for storing the change; for example /opt/redhat-ds/logs/referint 3. All the additional attribute names you want to be checked for referential integrity.
  • Page 507: Roles Plug-In

    Server Plug-in Functionality Reference. Table 15-27 Details of Retro Changelog Plug-in (Continued): DN of Configuration Entry: cn=Retro Changelog Plugin,cn=plugins,cn=config. Description: Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.
  • Page 508: Space Insensitive String Syntax Plug-In

    Server Plug-in Functionality Reference. Table 15-28 Details of Roles Plug-in (Continued): Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times. Further Information: Chapter 5, “Advanced Entry Management.” Space Insensitive String Syntax Plug-in. Table 15-29 Details of Space Insensitive String Syntax Plug-in: Plug-in Name: Space Insensitive String Syntax...
  • Page 509: State Change Plug-In

    Server Plug-in Functionality Reference. State Change Plug-in. Table 15-30 Details of State Change Plug-in: Plug-in Name: State Change Plug-in. DN of Configuration Entry: cn=State Change Plugin,cn=plugins,cn=config. Description: Enables state-change-notification service. Configurable Options: on | off. Default Setting: (not captured). Configurable Arguments: None. Dependencies: None. Performance...
  • Page 510: Uid Uniqueness Plug-In

    Server Plug-in Functionality Reference. Table 15-31 Details of Telephone Syntax Plug-in (Continued): Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times. Further Information: (blank). UID Uniqueness Plug-in. Table 15-32 Details of UID Uniqueness Plug-in: Plug-in Name: UID Uniqueness Plug-in. DN of...
  • Page 511: Uri Plug-In

    Server Plug-in Functionality Reference. Table 15-32 Details of UID Uniqueness Plug-in (Continued): Dependencies: (not captured). Performance Related Information: This plug-in may slow down Directory Server performance. In a multi-master replication environment, the UID Uniqueness Plug-in will not work at all and should therefore not be enabled. If you try to add a new entry to a server where the UID Uniqueness Plug-in is enabled and a referral has been created in a subtree, then the UID Uniqueness Plug-in will not work because if it sees any...
  • Page 512: Enabling And Disabling Plug-Ins From The Server Console

    Enabling and Disabling Plug-ins from the Server Console. Table 15-33 Details of URI Plug-in (Continued): Further Information: (blank). Enabling and Disabling Plug-ins from the Server Console. To enable and disable plug-ins over LDAP using the Directory Server Console: In the Directory Server Console, select the Configuration tab. Double-click the Plugins folder in the navigation tree.
  • Page 513: Chapter 16 Using The Pass-Through Authentication Plug-In

    Chapter 16 Using the Pass-through Authentication Plug-in Pass-through authentication (PTA) is a mechanism by which one Directory Server consults another to authenticate bind requests. The PTA Plug-in provides this functionality, allowing a Directory Server to accept simple bind operations (password-based) for entries not stored in its local database. Red Hat Directory Server (Directory Server) uses PTA to allow you to administer your user and configuration directories on separate instances of Directory Server.
  • Page 514 PTA Plug-in. This entry contains the LDAP URL you provided. For example: dn: cn=Pass Through Authentication,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: Pass Through Authentication nsslapd-pluginPath: /opt/redhat-ds/servers/lib/passthru-plugin.so nsslapd-pluginInitfunc: passthruauth_init nsslapd-pluginType: preoperation Red Hat Directory Server Administrator’s Guide • May 2005...
  • Page 515: Pta Plug-In Syntax

    (the user directory configured to pass through bind requests to the authenticating directory) using the syntax described in this section. dn: cn=Pass Through Authentication,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: Pass Through Authentication nsslapd-pluginPath: /opt/redhat-ds/servers/lib/passthru-plugin.extension nsslapd-pluginInitfunc: passthruauth_init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: state nsslapd-pluginarg0: ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime...
  • Page 516: Table 16-1 Pta Plug-In Parameters

    PTA Plug-in Syntax. The variable components of the PTA plug-in syntax are described in Table 16-1. NOTE • The LDAP URL (ldap|ldaps://authDS/subtree) must be separated from the optional parameters (maxconns, maxops, timeout, ldver, connlifetime) by a single space. •...
  • Page 517 PTA Plug-in Syntax. Table 16-1 PTA Plug-in Parameters (Continued). Variable: subtree. Definition: The pass-through subtree. The PTA directory server passes through bind requests to the authenticating directory server from all clients whose DN is in this subtree. See “Specifying the Pass-through Subtree,” on page 521, for more information. Optional.
  • Page 518: Configuring The Pta Plug-In

    Configuring the PTA Plug-in. The only method for configuring the PTA plug-in is to modify the entry cn=Pass Through Authentication,cn=plugins,cn=config in the dse.ldif file. To modify the dse.ldif file, you must proceed as follows: Use the ldapmodify command to modify cn=Pass Through...
  • Page 519: Configuring The Servers To Use A Secure Connection

    When you enable the plug-in, you must also check that the plug-in initialization function is properly defined. The entry cn=Pass Through Authentication,cn=plugins,cn=config should contain the following attribute-value pairs: nsslapd-pluginPath: /opt/redhat-ds/servers/lib/passthru-plugin.extension nsslapd-pluginInitfunc: passthruauth_init where extension is always ... on HP-UX PA RISC and ... on all other UNIX platforms.
  • Page 520: Specifying The Authenticating Directory Server

    Configuring the PTA Plug-in. To configure the PTA directory and authenticating directory to use SSL: Create an LDIF file that contains the following LDIF update statements: dn: cn=Pass Through Authentication,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginarg0 nsslapd-pluginarg0: ldaps://authDS/subtree [optional_parameters] For information on the variable components in this syntax, refer to Table 16-1, on page 516.
  • Page 521: Specifying The Pass-Through Subtree

    Configuring the PTA Plug-in. Use the ldapmodify command to import the LDIF file into the directory. Restart the server. For information on restarting the server, refer to “Starting and Stopping the Directory Server,” on page 37. Specifying the Pass-through Subtree. The PTA directory passes through bind requests to the authenticating directory from all clients whose DN is defined in the pass-through subtree.
  • Page 522: Configuring The Optional Parameters

    Configuring the PTA Plug-in. Configuring the Optional Parameters. You can configure the following optional parameters for the PTA Plug-in: • The maximum number of connections the PTA directory server can open simultaneously to the authenticating directory, represented by maxconns in the PTA syntax. The default value is ... •...
  • Page 523: Pta Plug-In Syntax Examples

    PTA Plug-in Syntax Examples. Create an LDIF file that contains the following LDIF update statements: dn: cn=Pass Through Authentication,cn=plugins,cn=config changetype: modify add: nsslapd-pluginarg0 nsslapd-pluginarg0: ldap://authDS/subtree [maxconns,maxops,timeout,ldver,connlifetime] Make sure there is a space between the subtree parameter and the optional parameters. For example, you could set the value of the nsslapd-pluginarg0 attribute to:...
  • Page 524: Specifying One Authenticating Directory Server And One Subtree

    The hostname of the authenticating Directory Server is configdir.example.com dn: cn=Pass Through Authentication,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: Pass Through Authentication nsslapd-pluginPath: /opt/redhat-ds/servers/lib/passthru-plugin.so nsslapd-pluginInitfunc: passthruauth_init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: ldap://configdir.example.com/o=NetscapeRoot nsslapd-plugin-depends-on-type: database nsslapd-pluginId: passthruauth nsslapd-pluginVersion: 7.1 nsslapd-pluginVendor: Red Hat, Inc.
  • Page 525: Specifying One Authenticating Directory Server And Multiple Subtrees

    The following example configures the PTA directory server to pass through bind requests for more than one subtree (using parameter defaults): dn: cn=Pass Through Authentication,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: Pass Through Authentication nsslapd-pluginPath: /opt/redhat-ds/servers/lib/passthru-plugin.so nsslapd-pluginInitfunc: passthruauth_init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: ldap://configdir.example.com/o=NetscapeRoot nsslapd-pluginarg1: ldap://configdir.example.com/dc=example,dc=com nsslapd-plugin-depends-on-type: database nsslapd-pluginId: passthruauth nsslapd-pluginVersion: 7.1...
  • Page 526: Specifying Different Optional Parameters And Subtrees For Different Authenticating Directory

    PTA Plug-in Syntax Examples dn: cn=Pass Through Authentication,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: Pass Through Authentication nsslapd-pluginPath: /opt/redhat-ds/servers/lib/passthru-plugin.so nsslapd-pluginInitfunc: passthruauth_init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: ldap://configdir.example.com/o=NetscapeRoot 10,5,300,3,300 nsslapd-plugin-depends-on-type: database nsslapd-pluginId: passthruauth nsslapd-pluginVersion: 7.1 nsslapd-pluginVendor: Red Hat, Inc. nsslapd-pluginDescription: pass through authentication plugin...
  • Page 527 PTA Plug-in Syntax Examples nsslapd-pluginId: passthruauth nsslapd-pluginVersion: 7.1 nsslapd-pluginVendor: Red Hat, Inc. nsslapd-pluginDescription: pass through authentication plugin Chapter 16 Using the Pass-through Authentication Plug-in...
  • Page 529: Chapter 17 Using The Attribute Uniqueness Plug-In

    Chapter 17 Using the Attribute Uniqueness Plug-in The Attribute Uniqueness Plug-in can be used to ensure that the attributes you specify always have unique values in the directory. You must create a new instance of the plug-in for every attribute for which you want to ensure unique values. Red Hat Directory Server (Directory Server) provides a UID Uniqueness Plug-in that can be used to manage the uniqueness of the attribute.
  • Page 530 Overview of the Attribute Uniqueness Plug-in. If an update operation applies to an attribute and suffix monitored by the plug-in and it would cause two entries to have the same attribute value, then the server terminates the operation and returns an LDAP_CONSTRAINT_VIOLATION error to the client.
  • Page 531: Overview Of The Uid Uniqueness Plug-In

    Use the following syntax to perform the uniqueness check under a suffix or subtree: dn: cn=descriptive_plugin_name,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: descriptive_plugin_name nsslapd-pluginPath: /opt/redhat-ds/servers/lib/attr-unique-plugin.extension nsslapd-pluginInitfunc: NSUniqueAttr_Init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: state nsslapd-pluginarg0: attribute_name nsslapd-pluginarg1: [ nsslapd-pluginarg2: dn2 ]...
  • Page 532 Use the following syntax to specify to perform the uniqueness check below an entry containing a specified object class: dn: cn=descriptive_plugin_name,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: descriptive_plugin_name nsslapd-pluginPath: /opt/redhat-ds/servers/lib/attr-unique-plugin.extension nsslapd-pluginInitfunc: NSUniqueAttr_Init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: state nsslapd-pluginarg0: attribute=attribute_name nsslapd-pluginarg1: markerObjectClass=objectclass1...
  • Page 533: Table 17-1 Attribute Uniqueness Plug-In Variables

    Attribute Uniqueness Plug-in Syntax NOTE • You can specify any name you like in the attribute to name the plug-in. The name should be descriptive. This attribute does not contain the name of the attribute which is checked for uniqueness. •...
  • Page 534: Creating An Instance Of The Attribute Uniqueness Plug-In

    Add the following lines for the mail uniqueness plug-in entry before or after the UID Uniqueness Plug-in entry: dn: cn=mail uniqueness,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: mail uniqueness nsslapd-pluginPath: /opt/redhat-ds/servers/lib/attr-unique-plugin.extension nsslapd-pluginInitfunc: NSUniqueAttr_Init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: mail...
  • Page 535: Configuring Attribute Uniqueness Plug-Ins

    Configuring Attribute Uniqueness Plug-ins nsslapd-pluginarg1: dc=example,dc=com nsslapd-plugin-depends-on-type: database nsslapd-pluginId: NSUniqueAttr nsslapd-pluginVersion: 7.1 nsslapd-pluginVendor: Red Hat, Inc. nsslapd-pluginDescription: Enforce unique attribute values. Restart Directory Server. In this example, the uniqueness check will be performed on every entry in the entry that includes the attribute.
  • Page 536: Configuring Attribute Uniqueness Plug-Ins From The Directory Server Console

    Configuring Attribute Uniqueness Plug-ins Configuring Attribute Uniqueness Plug-ins from the Directory Server Console You can update plug-in configuration from Directory Server Console in several ways: • From the Property Editor. Display the Property Editor, as explained in “Viewing Plug-in Configuration Information,”...
  • Page 537: Configuring Attribute Uniqueness Plug-Ins From The Command-Line

    Configuring Attribute Uniqueness Plug-ins Configuring Attribute Uniqueness Plug-ins from the Command-Line This section provides information about configuring the plug-in from the command-line. It covers the following tasks: • Turning the Plug-in On or Off • Specifying a Suffix or Subtree •...
  • Page 538: Using The Markerobjectclass And Requiredobjectclass Keywords

    ) object class, you can create an LDIF file such as the one shown in the following example: dn: cn=mail uniqueness,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: mail uniqueness nsslapd-pluginPath: /opt/redhat-ds/servers/lib/attr-unique-plugin.so nsslapd-pluginInitfunc: NSUniqueAttr_Init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: attribute=mail nsslapd-pluginarg1: markerObjectClass=ou...
  • Page 539: Attribute Uniqueness Plug-In Syntax Examples

    You can restrict the scope of the check by using the requiredObjectClass keyword, as shown in the following example: dn: cn=mail uniqueness,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: mail uniqueness nsslapd-pluginPath: /opt/redhat-ds/servers/lib/attr-unique-plugin.so nsslapd-pluginInitfunc: NSUniqueAttr_Init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: attribute=mail nsslapd-pluginarg1: markerObjectClass=ou requiredObjectClass=person...
  • Page 540: Specifying One Attribute And One Subtree

    /opt/redhat-ds/servers/lib/attr-unique-plugin.so nsslapd-pluginInitfunc: NSUniqueAttr_Init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: mail nsslapd-pluginarg1: dc=example,dc=com nsslapd-plugin-depends-on-type: database nsslapd-pluginId: NSUniqueAttr nsslapd-pluginVersion: 7.1 nsslapd-pluginVendor: Red Hat, Inc.
  • Page 541: Replication And The Attribute Uniqueness Plug-In

    Replication and the Attribute Uniqueness Plug-in. nsslapd-pluginId: NSUniqueAttr nsslapd-pluginVersion: 7.1 nsslapd-pluginVendor: Red Hat, Inc. nsslapd-pluginDescription: Enforce unique attribute values. NOTE: The nsslapd-pluginarg0 attribute always contains the name of the attribute for which you want to ensure uniqueness. All other occurrences of the nsslapd-pluginarg attribute (nsslapd-pluginarg1 ...) contain DNs.
  • Page 542: Multi-Master Replication Scenario

    Replication and the Attribute Uniqueness Plug-in Enabling the Attribute Uniqueness Plug-in on the consumer will not prevent Directory Server from operating correctly but is likely to cause a performance degradation. Multi-Master Replication Scenario In a multi-master replication scenario, the masters act both as suppliers and consumers of the same replica.
  • Page 543: Chapter 18 Windows Sync

    Chapter 18 Windows Sync The Windows Sync feature allows synchronization of adds, deletes and changes in groups, user entries, and their passwords between Red Hat Directory Server and both Microsoft Active Directory and Microsoft Windows NT 4.0 Server. It provides an efficient and effective way to maintain consistent directory information across the enterprise.
  • Page 544 About Windows Sync outbound changes that pertain to synchronized entries. The corresponding changes are made in the Windows server via LDAP. The server also performs LDAP search operations against its Windows server peer in order to synchronize inbound changes made to Windows user entries. •...
  • Page 545: Figure 18-1 Active Directory - Directory Server Synchronization Process

    About Windows Sync. Figure 18-1 Active Directory - Directory Server Synchronization Process. Chapter 18 Windows Sync...
  • Page 546: Figure 18-2 Windows Nt4 Server - Directory Server Synchronization Process

    About Windows Sync. Figure 18-2 Windows NT4 Server - Directory Server Synchronization Process. Windows Sync is compatible with Directory Server’s multi-master replication facilities. Figure 18-3 shows this arrangement:...
  • Page 547: How Windows Sync Works

    About Windows Sync. Figure 18-3 Multi-Master Directory Server - Windows Domain Synchronization. How Windows Sync Works. Synchronization is configured and controlled by means of one or more synchronization agreements. These are similar in purpose to replication agreements and contain a similar set of information, including the host name and port number for the Windows server.
  • Page 548 About Windows Sync Windows Sync provides some control over which entries are synchronized. This is intended to allow administrators to determine that only a subset of all the entries should be subject to synchronization and to give sufficient flexibility to support different deployment scenarios.
  • Page 549: Installing Sync Services

    Installing Sync Services In addition to the entry synchronization mechanisms discussed above, the Password Sync Service is needed to catch password changes made on the Windows server. Without the Password Sync Service, it would be impossible to have inbound password sync because passwords are hashed once stored in Active Directory, and the hashing function is incompatible with that used by Directory Server.
  • Page 550: Installing And Configuring The Password Sync Service

    Installing Sync Services Installing and Configuring the Password Sync Service NOTE For Windows NT4 servers, the Password Sync must be installed on a primary domain controller (PDC). Synchronization will not function properly on a non-PDC machine. NOTE On Windows 2000, password complexity policies must be enabled in order for the password hook DLL to be triggered.
  • Page 551 Installing Sync Services Hit “Next,” then “Finish” to install Password Sync. Reboot the Windows machine to start Password Sync. NOTE You must reboot the Windows machine. Without rebooting, the password hook DLL will not be enabled, and password synchronization will not function. Password Sync is installed in C:\Program Files\Red Hat Directory Password , and the...
  • Page 552: Reconfiguring The Password Sync Service

    Installing Sync Services. libplds4.dll softokn3.dll The Password Sync Service runs as a Windows service, which means that it can be started, stopped, and controlled by the net start|stop command, the Services Control Panel applet, and other Windows Services management mechanisms. Changed passwords are captured even if the Password Sync Service is not running.
  • Page 553: Installing And Configuring The Nt4 Ldap Service

    Installing Sync Services. Import the server certificate from the Directory Server into the new certificate database using pk12util.exe: pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx Give “trusted peer” status to the server: certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization"...
  • Page 554 Installing Sync Services. Open C:\Program Files\Red Hat Directory Synchronization\conf. Modify the usersync.conf file to reflect the Directory Server port, SSL port, and hostname. The only required parameters are server.net.admin.password and server.db.partition.suffix.usersync. In the following code example, these parameters are in bold. server.net.admin.password sets the password of the ... account.
  • Page 555 Installing Sync Services #server.net.ldap.port=389 #server.net.ldaps.port=636 server.net.admin.password=password33 javax.net.ssl.keyStore=c:\\keystore javax.net.ssl.keyStorePassword=password server.net.ldaps.enable=true server.db.partition.suffix.usersync=dc=example,dc=com # do not modify beyond this point server.schemas = org.apache.ldap.server.schema.bootstrap.CoreSchema org.apache.ldap.server.schema.bootstrap.CosineSchema org.apache.ldap.server.schema.bootstrap.ApacheSchema org.apache.ldap.server.schema.bootstrap.InetorgpersonSchema org.apache.ldap.server.schema.bootstrap.JavaSchema org.apache.ldap.server.schema.bootstrap.SystemSchema org.apache.ldap.server.schema.bootstrap.UsersyncSchema server.db.partitions=usersync server.db.partition.class.usersync=org.apache.ldap.server.NetAPIPartition server.db.partition.indices.usersync=ou objectClass server.db.partition.attributes.usersync.ou=usersync server.db.partition.attributes.usersync.objectClass=top organizationalUnit extensibleObject It is not necessary to set the port number. The defaults for both the regular and secure ports are used automatically.
  • Page 556 Installing Sync Services Create a self-signed certificate using Java keytool C:\>keytool -genkey -alias ldap -keyalg RSA -validity 3650 -keystore c:\keystore Enter keystore password: password What is your first and last name? [Unknown]: directory.example.com What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]:...
  • Page 557: Uninstalling The Sync Services

    Configuring Windows Sync. The NT4 LDAP Service runs as a Windows Service, which means that it can be started, stopped, and controlled by the net start|stop command, the Services Control Panel applet, and other Windows Services management mechanisms. Entry changes are not “stored” by the NT4 LDAP Service when the service is stopped, but the current state of the entries is synchronized automatically when the LDAP Service is restarted.
  • Page 558 Configuring Windows Sync Step 2: Configure SSL on Active Directory (Active Directory only). To configure SSL on Active Directory, see the appropriate user documentation. It is not necessary to configure SSL for NT4 Server; SSL is enabled when configuring the NT4 LDAP Service. Step 3: Install and Configure the Password Sync Service Password Sync can be installed on any Windows machine to synchronize Windows passwords.
  • Page 559 Configuring Windows Sync Step 6: Create the Synchronization Agreement To create a synchronization agreement: In the Directory Server Console, select the Configuration tab. In the left-hand navigation tree, right-click on the suffix to sync, and select New Synchronization Agreement. You can also highlight the suffix, and select Menu>Object>New Synchronization Agreement.
  • Page 560 Configuring Windows Sync In the middle of the screen are fields for your Windows domain information. Fill in the domain name and the domain controller. Select the checkbox(es) for the Windows entries you are going to synchronize. Sync New Windows Users. When enabled, all user entries found in Windows that are subject to the agreement will automatically be created in the Directory Server.
  • Page 561: Using Windows Sync

    Using Windows Sync The Windows and Directory Server subtree information is automatically filled in; use the defaults to sync only users or change these as appropriate to sync groups or groups and users. Check the “Using encrypted SSL connection” checkbox. The use of SSL is recommended for security reasons.
  • Page 562: Synchronized Entries

    Using Windows Sync • The Connection tab will let you change the bind DN and bind credentials for the sync manager. It will also show whether this is over an SSL connection. Finally, it shows whether new user and group entries will be created in the Directory Server.
  • Page 563: Table 18-2 User Entry Schema That Is The Same In Directory Server And Windows Servers

    Using Windows Sync. Table 18-1 User Entry Schema Mapping between Directory Server and Windows Servers (columns: Directory Server, Active Directory, Windows NT4 Server): ntUserScriptPath, scriptPath, usri_script_path; ntUserLastLogon, lastLogon, usri_last_logon; ntUserLastLogoff, lastLogoff, usri_last_logoff; ntUserAcctExpires, accountExpires, usri_acct_expires; ntUserCodePage, codePage, usri_code_page; ntUserLogonHours, logonHours, usri_logon_hours; ntUserMaxStorage, maxStorage, usri_max_storage...
  • Page 564: Groups

    Using Windows Sync When you create a Directory Server user from the Console (see “Creating Directory Entries,” on page 47), there is an NT User tab in the New User dialog. Fill in this information to supply Windows attributes automatically. You can add additional attributes either by using the Advanced button in ntUser...
  • Page 565: Manually Initiating Synchronization

    Using Windows Sync Group entries that are within the scope of the sync agreement will be synchronized in much the same way as user entries. In addition, the membership of groups is synchronized with the constraint that only those members that are also within the scope of the agreement are propagated.
  • Page 566: The Need For Resynchronization

    Using Windows Sync Right-click on the synchronization agreement icon. Select “Send and Receive Updates Now” from the drop down menu. To send a total update (resynchronizing every entry in the Directory Server and Windows server): Go to the Configuration tab in the Console. Right-click on the synchronization agreement icon.
  • Page 567: Modifying The Synchronization Agreement

    Active Directory Schema Compatibility The total update time shows when the last resynchronization operation completed. Modifying the Synchronization Agreement It is possible to modify parts of the synchronization agreement after it has been created. In the Configuration>Replication tab of the Directory Server Console, select the sync agreement icon from beneath the database.
  • Page 568: Nt4-Specific Limitations

    NT4-Specific Limitations • Active Directory uses the streetAddress attribute for a user or group’s physical or postal address. Directory Server uses the RFC2798 inetOrgPerson street attribute for this purpose. However, as defined in RFC2256, street is an alias for streetAddress. To compound the confusion, Active Directory also has the...
  • Page 569: Troubleshooting

    Troubleshooting Troubleshooting If synchronization does not seem to be functioning properly, see the Windows event log and/or Directory Server error log for information on any potential problems. You can also enable replication logging for more detailed information on synchronization to be recorded in the error logs: In the Console, click the Configuration tab, select Logs from the navigation menu on the right, and open the Error Log.
  • Page 570 Troubleshooting Error 5 NT4 and Active Directory: After synchronization, the status shows error 81. One of the sync peer servers has not been properly configured for SSL communication. Examine the Directory Server access log file to see if the connection attempt was received by the Directory Server. You may also find helpful messages in the Directory Server’s error log file.
  • Page 571: Part 3

    Part 3 Appendixes Appendix A, “LDAP Data Interchange Format” Appendix B, “Finding Directory Entries” Appendix C, “LDAP URLs” Appendix D, “Internationalization”...
  • Page 573: Appendix A Ldap Data Interchange Format

    Appendix A LDAP Data Interchange Format Red Hat Directory Server (Directory Server) uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text format. LDIF is commonly used to build the initial directory database or to add large numbers of entries to the directory all at once.
  • Page 574 LDIF File Format The basic form of a directory entry represented in LDIF is as follows: dn: distinguished_name objectClass: object_class objectClass: object_class attribute_type[;subtype]:attribute_value attribute_type[;subtype]:attribute_value You must supply the DN and at least one object class definition. In addition, you must include any attributes required by the object classes that you define for the entry.
  • Page 575: Continuing Lines In Ldif

    LDIF File Format. Table A-1 LDIF Fields (Continued): Field: [subtype]. Definition: Optional. Specifies subtype, language, binary, or pronunciation. Use this tag to identify the language in which the corresponding attribute value is expressed or whether the attribute value is binary or a pronunciation of an attribute value.
  • Page 576 LDIF File Format If you use this standard notation, you do not need to specify the ldapmodify parameter. However, you must add the following line to the beginning of your LDIF file or your LDIF update statements: version:1 For example, you could use the following command: prompt> ldapmodify ...
  • Page 577: Specifying Directory Entries Using Ldif

    Specifying Directory Entries Using LDIF You can store many types of entries in your directory. This section concentrates on three of the most common types of entries used in a directory: organization, organizational unit, and organizational person entries. The object classes defined for an entry are what indicate whether the entry represents an organization, an organizational unit, an organizational person, or some other type of entry.
  • Page 578 Specifying Directory Entries Using LDIF
    dn: o="example.com Chile\\, S.A."
    objectclass: top
    objectclass: organization
    o: "example.com Chile\\, S.A."
    description: Fictional company for example purposes
    telephonenumber: 555-5556
    Each element of the LDIF-formatted organization entry is defined in Table A-2. Table A-2 LDIF Elements in Organization Entries LDIF Element Description dn: distinguished_name...
  • Page 579: Specifying Organizational Unit Entries

    Specifying Directory Entries Using LDIF Specifying Organizational Unit Entries Organizational unit entries are often used to represent major branch points, or subdirectories, in your directory tree. They correspond to major, reasonably static entities within your enterprise, such as a subtree that contains people or a subtree that contains groups.
  • Page 580: Specifying Organizational Person Entries

    Specifying Directory Entries Using LDIF Table A-3 LDIF Elements in Organizational Unit Entries (Continued) LDIF Element Description ou: organizational_unit_name Attribute that specifies the organizational unit’s name. list_of_attributes Specifies the list of optional attributes that you want to maintain for the entry. See the Red Hat Directory Server Schema Reference for a list of the attributes you can use with this object class.
  • Page 581: Defining Directories Using Ldif

    Defining Directories Using LDIF Table A-4 LDIF Elements in Person Entries LDIF Element Description dn: distinguished_name Specifies the distinguished name for the entry. A DN is required. If there is a comma in the DN, the comma must be escaped with a backslash (\). For example, dn:uid=bjensen,ou=people,o=example.com Bolivia\,S.A.
  • Page 582 Defining Directories Using LDIF To create a directory using LDIF, follow these steps: Create an ASCII file containing the entries you want to add in LDIF format. Make sure each entry is separated from the next by an empty line. You should use just one line, and the first line of the file must not be blank, or else the utility will exit.
  • Page 583: Ldif File Example

    Defining Directories Using LDIF LDIF File Example The following example shows an LDIF file that contains one organization, two organizational units, and three organizational person entries:
    dn: o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organization
    o: example.com Corp
    description: Fictional organization for example purposes

    dn: ou=People,o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organizationalUnit...
  • Page 584: Storing Information In Multiple Languages

    Storing Information in Multiple Languages
    dn: cn=Robert Wong,ou=People,o=example.com Corp,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: Robert Wong
    cn: Bob Wong
    sn: Wong
    givenName: Robert
    givenName: Bob
    mail: bwong@example.com
    userPassword: {sha}nn2msx761
    telephoneNumber: 2881
    roomNumber: 211
    ou: Manufacturing
    ou: people

    dn: ou=Groups,o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organizationalUnit...
  • Page 585 Storing Information in Multiple Languages NOTE The language tag has no effect on how the string is stored within the directory. All object class and attribute strings are stored using UTF-8. For example, suppose example.com Corporation has offices in the United States and France and wants employees to be able to view directory information in their native language.
  • Page 587: Appendix B Finding Directory Entries

    Appendix B Finding Directory Entries You can find entries in your directory using any LDAP client. Most clients provide some form of a search interface that allows you to search the directory easily and retrieve entry information. NOTE You cannot search the directory unless the appropriate access control has been set in your directory.
  • Page 588: Using Ldapsearch

    Using ldapsearch On Directory Server Console, select the Directory tab. Depending on the DN you used to authenticate to the directory, this tab displays the contents of the directory that you have access permissions to view. You can browse through the contents of the tree, or right-click an entry, and select Search from the pop-up menu.
  • Page 589: Ldapsearch Command-Line Format

    Using ldapsearch Depending on your command-line interpreter, use either single or double quotation marks for this purpose. Refer to your operating system documentation for more information. ldapsearch Command-Line Format When you use ldapsearch, you must enter the command using the following format: ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes]...
  • Page 590 Using ldapsearch Option Description Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks.
  • Page 591 Using ldapsearch Option Description Specifies the scope of the search. The scope can be one of the following: • base: Search only the entry specified in the option or defined by the LDAP_BASEDN environment variable. • Search only the immediate children of the entry specified in the option.
  • Page 592: Ldapsearch Examples

    Using ldapsearch ldapsearch Examples In the next set of examples, suppose the following are true: • You want to perform a search of all entries in the directory. • You have configured your directory to support anonymous access for search and read.
  • Page 593: Searching The Schema Entry

    Using ldapsearch Searching the Schema Entry Directory Server stores all directory server schema in the special entry cn=schema. This entry contains information on every object class and attribute defined for your Directory Server. You can examine the contents of this entry as follows: ldapsearch -h mozilla -b "cn=schema"...
  • Page 594: Specifying Search Filters Using A File

    Using ldapsearch Specifying Search Filters Using a File You can enter search filters into a file instead of entering them on the command-line. When you do this, specify each search filter on a separate line in the file. The ldapsearch command runs each search in the order in which it appears in the file.
  • Page 595: Ldap Search Filters

    LDAP Search Filters Search filters select the entries to be returned for a search operation. They are most commonly used with the ldapsearch command-line utility. When you use ldapsearch, you can place multiple search filters in a file, with each filter on a separate line in the file, or you can specify a search filter directly on the command-line.
  • Page 596: Using Attributes In Search Filters

    LDAP Search Filters Using Attributes in Search Filters When searching for an entry, you can specify attributes associated with that type of entry. For example, when you search for people entries, you can use the attribute to search for people with a specific common name. Examples of attributes that people entries might include: •...
  • Page 597: Using Compound Search Filters

    LDAP Search Filters Table B-1 Search Filter Operators (Continued) Search Type Operator Description Less than or equal to <= Returns entries containing attributes that are less than or equal to the specified value. For example: buildingname <= alpha Presence Returns entries containing one or more values for the specified attribute.
  • Page 598: Search Filter Examples

    LDAP Search Filters Table B-2 Search Filter Boolean Operators (Continued) Operator Symbol Description At least one specified filter must be true for the statement to be true. For example: (|(filter)(filter)(filter)...) The specified statement must not be true for the statement to be true. Only one filter is affected by the NOT operator.
  • Page 599: Searching An Internationalized Directory

    Searching an Internationalized Directory The following filter returns all entries that do not represent a person: (!(objectClass=person)) The following filter returns all entries that do not represent a person and whose common name is similar to printer3b: (&(!(objectClass=person))(cn~=printer3b)) Searching an Internationalized Directory When you perform search operations, you can request that the directory sort the results based on any language for which the server has a supporting collation order.
  • Page 600: Matching Rule Formats

    Searching an Internationalized Directory attr:matchingRule:=value where: • attr is an attribute belonging to entries you’re searching for, such as mail. • matchingRule is a string that identifies either the collation order or the collation order and a relational operator, depending on the format you prefer. For a discussion of matching rule formats, see “Matching Rule Formats,”...
  • Page 601 Searching an Internationalized Directory You can use the collation order OID in the matching rule portion of the matching rule filter as follows: attr:OID:=(relational_operator value) The relational operator is included in the value portion of the string, separated from the value by a single space. For example, to search for all departmentNumber attributes that are at or after in the Swedish collation order, use the...
  • Page 602: Using Wildcards In Matching Rule Filters

    Searching an Internationalized Directory Using a Language Tag and Suffix for the Matching Rule As an alternative to using a relational operator-value pair, you can append a suffix that represents a specific operator to the language tag in the matching rule portion of the filter.
  • Page 603: International Search Examples

    Searching an Internationalized Directory Approximate, or phonetic, and presence searches are supported only in English. As with a regular search operation, an international search uses ldapsearch operators to define the type of search. However, when invoking an international search, you can either use the standard operators (=, >=, >, <, <=) in the value portion of the search string, or you can use a special type of operator, called a suffix (not to be confused with the directory suffix), in the matching rule portion of the filter.
  • Page 604: Less-Than Or Equal-To Example

    Searching an Internationalized Directory Less-Than or Equal-to Example When you perform a locale-specific search using the less-than or equal-to operator (<=), or suffix ( ), you search for all attribute values that come at or before the given attribute in a specific collation order. For example, to search for all room numbers that come at or before room number CZ422 in the Hungarian collation order, you could use any of the following matching rule filters:...
  • Page 605: Greater-Than Example

    Searching an Internationalized Directory Greater-Than Example When you perform a locale-specific search using the greater-than operator (>), or suffix ( ), you search for all attribute values that come after the given attribute in a specific collation order. For example, to search for all mail hosts that come after host schranka4 in the...
  • Page 607: Appendix C Ldap Urls

    Appendix C LDAP URLs When you access the Red Hat Directory Server (Directory Server) using a web-based client such as Directory Server Gateway, you must provide an LDAP URL identifying the Directory Server you wish to access. You also use LDAP URLs when managing Directory Server referrals or access control instructions.
  • Page 608 Components of an LDAP URL Table C-1 LDAP URL Components (Continued) Component Description base_dn Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search. If no base DN is specified, the search starts at the root of the directory tree. attributes The attributes to be returned.
  • Page 609: Escaping Unsafe Characters

    Escaping Unsafe Characters Any “unsafe” characters in the URL need to be represented by a special sequence of characters. This is called escaping unsafe characters. For example, a space is an unsafe character that must be represented as within the URL.
  • Page 610 Examples of LDAP URLs ldap://ldap.example.com/dc=example,dc=com Because no port number is specified, the standard LDAP port number ( ) is used. Because no attributes are specified, the search returns all attributes. Because no search scope is specified, the search is restricted to the base entry dc=example,dc=com. Because no filter is specified, the directory uses the default filter...
  • Page 611 Examples of LDAP URLs Example 5: The following LDAP URL specifies a search for the object class for all entries one level under dc=example,dc=com: ldap://ldap.example.com/dc=example,dc=com?objectClass?one Because the search scope is one, the search encompasses all entries one level under the base entry dc=example,dc=com.
  • Page 613: Appendix D Internationalization

    Appendix D Internationalization Red Hat Directory Server (Directory Server) allows you to store, manage, and search for entries and their associated attributes in a number of different languages. An internationalized directory can be an invaluable corporate resource, providing employees and business partners with immediate access to the information they need in the languages they can understand.
  • Page 614: Identifying Supported Locales

    Identifying Supported Locales In addition, the locale information indicates what code page should be used to represent a given language. A code page is an internal table that the operating system uses to relate keyboard keys to character font screen displays. More specifically, a locale specifies: •...
  • Page 615 Identifying Supported Locales A language tag is a string that begins with the two-character lowercase language code that identifies the language (as defined in ISO Standard 639). If necessary to distinguish regional differences in language, the language tag may also contain a country code, which is a two-character string (as defined in ISO Standard 3166).
  • Page 616: Supported Language Subtypes

    Supported Language Subtypes Table D-1 Supported Locales (Continued) Locale Language Tag Collation Order Object Identifiers (OIDs)
    German 2.16.840.1.113730.3.3.2.7.1
    Greek 2.16.840.1.113730.3.3.2.10.1
    Hebrew 2.16.840.1.113730.3.3.2.27.1
    Hungarian 2.16.840.1.113730.3.3.2.23.1
    Icelandic 2.16.840.1.113730.3.3.2.24.1
    Japanese 2.16.840.1.113730.3.3.2.28.1
    Korean 2.16.840.1.113730.3.3.2.29.1
    Latvian, Lettish 2.16.840.1.113730.3.3.2.31.1
    Lithuanian 2.16.840.1.113730.3.3.2.30.1
    Macedonian 2.16.840.1.113730.3.3.2.32.1
    Norwegian 2.16.840.1.113730.3.3.2.35.1
    Polish 2.16.840.1.113730.3.3.2.38.1
    Romanian 2.16.840.1.113730.3.3.2.39.1...
  • Page 617: Table D-2 Supported Language Subtypes

    Supported Language Subtypes Table D-2 Supported Language Subtypes Language tag Language Afrikaans Byelorussian Bulgarian Catalan Czechoslovakian Danish German Greek English Spanish Basque Finnish Faroese French Irish Galician Croatian Hungarian Indonesian Icelandic Italian Japanese Korean Dutch Norwegian Polish Portuguese Romanian Appendix D Internationalization...
  • Page 618: Troubleshooting Matching Rules

    Troubleshooting Matching Rules Table D-2 Supported Language Subtypes (Continued) Language tag Language Russian Slovakian Slovenian Albanian Serbian Swedish Turkish Ukrainian Chinese Troubleshooting Matching Rules International collation order matching rules may not behave consistently. Some forms of matching-rule invocation do not work correctly, producing incorrect search results.
  • Page 619 Glossary access control instruction See ACI. ACI Also Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list See ACL. ACL Also Access Control List. The mechanism for controlling access to your directory. access rights In the context of access control, specify the level of access granted or denied.
  • Page 620 attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list A list of required and optional attributes for a given entry type or object class. authenticating directory server In pass-through authentication (PTA), the authenticating Directory Server is the Directory Server that contains the authentication credentials of the requesting client.
  • Page 621 browsing index Also virtual view index. Speeds up the display of entries in the Directory Server Console. Browsing indexes can be created on any branchpoint in the directory tree to improve display performance. CA See Certificate Authority. cascading replication In a cascading replication scenario, one server, often called the hub supplier, acts both as a consumer and a supplier for a particular replica.
  • Page 622 classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry’s attributes. client See LDAP client. code page An internal table used by a locale in the context of the internationalization plug-in that the operating system uses to relate keyboard keys to character font screen displays.
  • Page 623 Directory Access Protocol See DAP. directory tree The logical representation of the information stored in the directory. It mirrors the tree model used by most filesystems, with the tree’s root point appearing at the top of the hierarchy. Also known as DIT. Directory Manager The privileged database administrator, comparable to the root user in UNIX.
  • Page 624 entry ID list Each index that the directory uses is composed of a table of index keys and matching entry ID lists. The entry ID list is used by the directory to build a list of candidate entries that may match the client application’s search request.
  • Page 625 HTTP-NG The next generation of Hypertext Transfer Protocol. HTTPS A secure version of HTTP, implemented using the Secure Sockets Layer, SSL. hub supplier In the context of replication, a server that holds a replica that is copied from a different server, and, in turn, replicates it to a third server. See also cascading replication. index key Each index that the directory uses is composed of a table of index keys and matching entry ID lists.
  • Page 626 leaf entry An entry under which there are no other entries. A leaf entry cannot be a branch point in a directory tree. Lightweight Directory Access Protocol See LDAP. locale Identifies the collation order, character type, monetary format and time / date format used to present data for users of a specific region, culture, and/or custom.
  • Page 627 multi-master replication An advanced replication scenario in which two servers each hold a copy of the same read-write replica. Each server maintains a changelog for the replica. Modifications made on one server are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.
  • Page 628 parent access When granted, indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry. pass-through authentication See PTA. pass-through subtree In pass-through authentication, the PTA directory server will pass through bind requests to the authenticating directory server from all clients whose DN is contained in this subtree.
  • Page 629 RAM Random access memory. The physical semiconductor-based memory in a computer. Information stored in RAM is lost when the computer is shut down. rc.local A file on Unix machines that describes programs that are run when the machine starts. It is also called because of its location.
  • Page 630 role-based attributes Attributes that appear on an entry because it possesses a particular role within an associated CoS template. root The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine. root suffix The parent of one or more sub suffixes.
  • Page 631 Simple Authentication and Security Layer See SASL. Simple Network Management Protocol See SNMP. single-master replication The most basic replication scenario in which two servers each hold a copy of the same read-write replicas to consumer servers. In a single-master replication scenario, the supplier server maintains a changelog.
  • Page 632 supplier server In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication Replication configuration where supplier servers replicate directory data to consumer servers. symmetric encryption Encryption that uses the same key for both encrypting and decrypting.
  • Page 633 X.500 standard The set of ISO/ITU-T documents outlining the recommended information model, object classes, and attributes used by directory server implementations. Glossary...
  • Page 635 Index value matching 226 viewing Access Control Editor 240 get effective rights 264 Access Control Editor displaying 238 access control instruction (ACI). See ACI access log configuring 450 manually rotating 455 turning off 450 turning on 450 viewing 450 account inactivation 296 access control from command line 297 ACI attribute 202...
  • Page 636 roledn keyword 226 attribute structure ACI 202, 203 syntax 206 adding 67, 68 targattrfilters keyword 213 adding multiple values 52 target 206 adding to entry 51 target DN containing comma 261 creating 381 target DN containing comma and 209 defining 377 target keywords 208 deleting 67, 379 target overview 207...
  • Page 637 targeting 213 LDIF example 224 anyone keyword 222 audit log authmethod keyword 235 configuring 454 Boolean 236 disabling 454 dayofweek keyword 234 enabling 454 dns keyword 233 viewing 453 general access 222 authentication example 224 access control and 235 group access 225 bind DN 36 group access example 251 certificate-based 435...
  • Page 638 loop detection 135 class of service (CoS) 182 overview 128 access control 199 proxy admin user ACI 134 classic proxy authorization 133 example 185 overview 185 cascading replication cosPriority attribute 194 initializing the replicas 343 creating 186 introduction 310 definition entry 191 setting up 337 editing 190 certificate...
  • Page 639 specifying LDIF entries with 579, 581 custom distribution logic specifying suffix with 577, 578 adding databases 94 using ldapsearch with 594 adding to suffix 94 compare right 216 compatibility ACIs 277 replication 305 compound search filters 597 dash, in change operation 63 configuration attributes data consistency account lockout 293...
  • Page 640 database encryption 98 deleting importing and exporting 102 ACI 242 attribute values 71 database link attributes 67, 70 cascading attributes from an object class 382, 383 configuring defaults 131 database link 121 configuring from command line 133 entries 71 configuring from console 132 multiple attributes 67 overview 128 object classes 383...
  • Page 641 modifying entries 49, 60 adding very large attributes 52 monitoring 447, 455 cache hit ratio 463 monitoring from command line 460 creating 47, 59 monitoring with SNMP 469 using LDIF 577 overview 33 deleting 55, 61 performance counters 455, 462 using ldapdelete 61 plug-ins 489 deleting using LDIF update statements 71...
  • Page 642 creating 169 modifying 170 failover servers overview 167 for database links 115 static 168 files creating 168 access log 450 modifying 169 database backup 161 GSS-API 440 dn.db2 392 dn2id.db2 392 EOF marker 56 error log 452 id2children.db2 392 id2entry.db2 391 hub supplier 303, 310 filesystem replica initialization 348 configuration 317...
  • Page 643 indirect CoS example 184 Kerberos 440, 443 overview 184 realms 444 initializing databases 152 initializing replicas cascading replication 343 filesystem replica 348 multi-master replication 330, 335 interaction table 476 language code international charactersets 613 in LDIF entries 584 international index 389 list of supported 615 collation order 398 language subtype 53...
  • Page 644 example 61 organizational person 580 organizational units 579 ldapmodify utility 58 organizations 577 attributes with language tags 72 internationalization and 584 creating a root entry 57 creating entries 59 LDIF files DNs with commas and 62 continued lines 575 example 59, 60 creating directory using 581 example of use 59, 60 creating multiple entries 57...
  • Page 645 OID 600 nsslapd-db-checkpoint-interval 485 using OID and suffix 601 nsslapd-db-durable-transactions 485 MD5 message authentication 435 nsslapd-db-logdirectory 484 metaphone phonetic algorithm 394 nsslapd-idlistscanlimit 393 nsslapd-lookthroughlimit attribute directory server 473 role in searching algorithm 393 redhat-directory.mib 473 nsslapd-maxbersize 52 entries table 475 Index...
  • Page 646 nsslapd-schemacheck attribute 384 override CoS qualifier 192 nsslapd-sizelimit attribute role in searching algorithm 393 nsslapd-timelimit attribute role in searching algorithm 393 parent access 222 parent keyword 222 parent object 381 pass-through authentication (PTA). See PTA plug-in object class password change extended operation 290 adding to an entry 50 password file creating 381...
  • Page 647 permissions port number ACI syntax 207 directory server configuration 38 allowing or denying access 215 for SSL communications 38 assigning rights 215 precedence rule overview 215 ACI 203 precedence rule 203 preferences plug-in functions 489 security 433 plug-ins presence index 388 7-bit check plug-in 489 defaults 391 ACL plug-in 490...
  • Page 648 312 configuring a hub supplier 317 read-write replica 302 configuring a read-only replica 316 configuration 315 configuring a read-write replica 315 redhat-directory.mib 473 configuring legacy replication 356 entries table 475 configuring SSL 355 interaction table 476 configuring supplier settings 315...
  • Page 649 restoring data 159 bak2db 163 SASL bak2db.pl 163 authentication 235, 439 dse.ldif 165 identity mapping 441 from console 162 mechanisms replicated entries 164 DIGEST-MD5 440 restoring the database 483 GSS-API 440 retro changelog password change extended operation 290 and access control 360 schema attributes 357 checking 383...
  • Page 650 international 599 ldap-agent 472 international examples 603 managed device 470 less than 603 managed objects 470 less than or equal to 597, 604 master agent 470 of directory tree 588 configuring 470 presence 597, 598 restricting scope of one-level 392 entries table 475 restricting scope of subtree 392 interaction table 476...
  • Page 651 creating from console 83 LDIF update statements 63 matching rule filter 599 substring index 389 search filter 595 substring index limitation 389 system connections substring search 596 monitoring 458 international example 605 system indexes 391 subtree level password policy 280 system resources subtypes monitoring 457...
  • Page 652 unique attribute plug-in 529 wildcard configuring 535 in LDAP URL 223 creating an instance of 534 in target 210 disabling 537 wildcards enabling 537 in international searches 602 examples 539 in matching rule filters 602 markerObjectClass 538 Windows Sync 543 requiredObjectClass 538 NT4 LDAP Service 544 syntax 531...
