Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual

Directory Server 8.0

Administration Guide
A Guide for Using and Maintaining Red Hat Directory Server
Ella Deon Lackey
Publication date: January 15, 2008, updated on February 11, 2010

Summary of Contents for Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION

  • Page 1: Directory Server

    Directory Server 8.0 Administration Guide A Guide for Using and Maintaining Red Hat Directory Server Ella Deon Lackey Publication date: January 15, 2008, updated on February 11, 2010...
  • Page 2 Administration Guide Directory Server 8.0 Administration Guide A Guide for Using and Maintaining Red Hat Directory Server Edition 8.0.19 Author Ella Deon Lackey Copyright © 2008, 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 3: Table Of Contents

    Preface (xiii); 1. Directory Server Overview (xiii); 2. Examples and Formatting (xiv); 3. Additional Reading (xv); 4. Giving Feedback (xv); 5. Document History (xvi); 1. General Red Hat Directory Server Usage; 1.1. Directory Server File Locations (1); 1.2.
  • Page 4 3.2. Creating and Maintaining Databases (46); 3.2.1. Creating Databases (46); 3.2.2. Maintaining Directory Databases (50); 3.2.3. Database Encryption (54); 3.3. Creating and Maintaining Database Links (57); 3.3.1. Configuring the Chaining Policy (57); 3.3.2.
  • Page 5 5.3.4. Deleting Views from the Command Line (139); 5.4. Using Groups (140); 5.4.1. Managing Static Groups (140); 5.4.2. Managing Dynamic Groups (141); 6. Managing Access Control; 6.1. Access Control Principles (143); 6.1.1. ACI Structure (143); 6.1.2.
  • Page 6 6.10.2. Macro ACI Syntax (202); 6.11. Access Control and Replication (205); 6.12. Compatibility with Earlier Releases (205); 7. Managing User Accounts and Passwords; 7.1. Managing the Password Policy (207); 7.1.1. Configuring the Password Policy (207); 7.1.2.
  • Page 7 8.7.2. Configuring Consumers from the Command Line (274); 8.7.3. Configuring Hubs from the Command Line (275); 8.7.4. Configuring Replication Agreements from the Command Line (276); 8.7.5. Initializing Consumers Online from the Command Line (279); 8.8. Making a Replica Updatable (280); 8.9.
  • Page 8 10.1. About Indexes (317); 10.1.1. About Index Types (317); 10.1.2. About Default, System, and Standard Indexes (318); 10.1.3. Overview of the Searching Algorithm (321); 10.1.4. Approximate Searches (322); 10.1.5. Balancing the Benefits of Indexing (322); 10.2.
  • Page 9 12.3. Configuring SASL Identity Mapping from the Console (367); 12.4. Configuring SASL Identity Mapping from the Command-Line (369); 12.5. Configuring Kerberos (369); 12.5.1. Realms (369); 12.5.2. Configuring the KDC Server (370); 12.5.3. Example: Configuring an Example KDC Server (371); 12.5.4.
  • Page 10 16.1.1. 7-Bit Check Plug-in (409); 16.1.2. ACL Plug-in (409); 16.1.3. ACL Preoperation Plug-in (410); 16.1.4. Binary Syntax Plug-in (410); 16.1.5. Boolean Syntax Plug-in (410); 16.1.6. Case Exact String Syntax Plug-in (411); 16.1.7. Case Ignore String Syntax Plug-in (411); 16.1.8.
  • Page 11 18. Using the Attribute Uniqueness Plug-in; 18.1. Overview of the Attribute Uniqueness Plug-in (437); 18.2. Attribute Uniqueness Plug-in Syntax (438); 18.3. Creating an Instance of the Attribute Uniqueness Plug-in (439); 18.4. Configuring Attribute Uniqueness Plug-ins (440); 18.4.1.
  • Page 12 A.4.1. Specifying Domain Entries (470); A.4.2. Specifying Organizational Unit Entries (471); A.4.3. Specifying Organizational Person Entries (472); A.5. Defining Directories Using LDIF (473); A.5.1. LDIF File Example (474); A.6. Storing Information in Multiple Languages (475); B.
  • Page 13: Preface

    Preface Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 14: Examples And Formatting

    2. Examples and Formatting All of the examples for Red Hat Directory Server commands, file locations, and other usage are given for Red Hat Enterprise Linux 5 (32-bit) systems. Be certain to use the appropriate commands and files for your platform. To start the Red Hat Directory Server: /etc/init.d/dirsrv start Example 1.
  • Page 15: Additional Reading

    If there is any error in this Administrator's Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
  • Page 16: Document History

    We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at mailto:docs@redhat.com. 5. Document History...
  • Page 17 Document History. Revision 8.0.9, February 24, 2009, Ella Deon Lackey: Edited pin.txt information, per Bug #487149. Revision 8.0.8, February 7, 2009, Ella Deon Lackey: Add -2 option to the example for generating a CA certificate, per Bug #481174. Revision 8.0.7, January 16, 2009, Ella Deon Lackey: Correcting the Administration Server password file token example, per Bugzilla #476910.
  • Page 19: General Red Hat Directory Server Usage

    Chapter 1. General Red Hat Directory Server Usage The Red Hat Directory Server product includes a directory service, an administration server to manage multiple server instances, and a Java-based console to manage server instances through a graphical interface. This chapter provides an overview of the basic tasks for administering a directory service. The Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources.
  • Page 20

    Table 1.1. Red Hat Enterprise Linux 4 and 5 (x86) (File or Directory: Location)
    Database files: /var/lib/dirsrv/slapd-instance
    Runtime files: /var/lock/dirsrv/slapd-instance and /var/run/dirsrv/slapd-instance
    Initscripts: /etc/rc.d/init.d/dirsrv and /etc/sysconfig/dirsrv; /etc/rc.d/init.d/dirsrv-admin and /etc/sysconfig/dirsrv-admin
    Tools: /usr/bin/ and /usr/sbin/
    Next table (File or Directory: Location): Log files...
  • Page 21: LDAP Tool Locations

    Table 1.3. Sun Solaris 9 (sparc), last row (File or Directory: Location): ... /usr/sbin/
    Table 1.4. HP-UX 11i (IA64) (File or Directory: Location)
    Log files: /var/opt/log/dirsrv/slapd-instance
    Configuration files: /etc/opt/dirsrv/slapd-instance
    Instance directory: /opt/dirsrv/slapd-instance
    Database files: /var/opt/dirsrv/slapd-instance
    Runtime files: /var/opt/dirsrv/instance
    Binaries: /opt/dirsrv/bin/ and /opt/dirsrv/sbin/
    Libraries: /opt/dirsrv/lib/
    1.2.
  • Page 22: Starting And Stopping Servers

    1.3.1. Starting and Stopping Directory Server from the Console 1. Start the Directory Server Console. /usr/bin/redhat-idm-console -a http://localhost:9830 2. In the Tasks tab, click Start the Directory Server, Stop the Directory Server, or Restart the Directory Server.
  • Page 23: Starting And Stopping Directory Server From The Command Line

    1.3.2. Starting and Stopping Directory Server from the Command Line There are two ways to start, stop, or restart the Directory Server: • There are scripts in the instance directories. For example: /usr/lib/dirsrv/slapd-instance/start-slapd /usr/lib/dirsrv/slapd-instance/restart-slapd /usr/lib/dirsrv/slapd-instance/stop-slapd...
  • Page 24: Starting The Directory Server Console

    The -a option is a convenience, particularly if you are logging into a Directory Server for the first time. On subsequent logins, the URL is saved. If you do not pass the Administration Server port number with the redhat-idm-console command, then you are prompted for it at the Console login screen. 1.4.1. Logging into Directory Server After starting the Directory Server Console, a login screen opens, requiring the username and password for the user logging in and the URL for the Administration Server instance being accessed.
  • Page 25: Changing Login Identity

    1.4.2. Changing Login Identity At any time during a session, you can log in as a different user, without having to restart the Console. To change the login identity, do the following: 1. In the Directory Server Console, select the Tasks tab. 2.
  • Page 26: Viewing The Current Console Bind DN

    Enter the full distinguished name of the entry with which to bind to the server. For example, to bind as user Barbara Jensen, enter her full DN in the login box: cn=Barbara Jensen, ou=People,dc=example,dc=com 1.4.3.
  • Page 27: Creating A New Directory Server Instance

    Creating a New Directory Server Instance 6. The Console returns a warning, You are about to change the port number for the Configuration Directory. This will affect all Administration Servers that use this directory and you'll need to update them with the new port number. Are you sure you want to change the port number? Click Yes. 7.
  • Page 28: Configuring The Directory Manager

    2. From the pop-up menu, select Create Instance and then Directory Server. The Create New Instance dialog box is displayed. 3. Enter a unique identifier for the server in the Server Identifier field. NOTE: This name must only have alphanumeric characters, a dash (-), or an underscore (_).
  • Page 29 6. Enter the new password, and confirm it. 7. Click Save.
  • Page 31: Creating Directory Entries

    Chapter 2. Creating Directory Entries This chapter discusses how to use the Directory Server Console and the ldapmodify and ldapdelete command-line utilities to modify the contents of your directory. Entries stored in Active Directory can be added to the Directory Server through Windows Sync; see Chapter 19, Synchronizing Red Hat Directory Server with Microsoft Active Directory for more information on adding or modifying synchronized entries through Windows User Sync.
  • Page 32: Creating Directory Entries

    4. Choose the suffix corresponding to the entry to create. The New Object window opens. 5. In the New Object window, select the object class corresponding to the new entry. The object class you select must contain the attribute you used to name the suffix. For example, if you are creating the entry corresponding to the suffix ou=people,dc=example,dc=com, then you can choose the organizationalUnit object class or another object class that allows the ou attribute.
  • Page 33: Creating Other Types Of Entries

    2. In the left pane, right-click the main entry under which to add the new entry, and select the type of entry: User, Group, Organizational Unit, Role, Class of Service, or Other. The corresponding Create window opens. 3. Supply values for all of the mandatory attributes (identified by an asterisk) and, if you want, for any of the optional attributes.
  • Page 34: Modifying Directory Entries

    2.1.3. Modifying Directory Entries Modifying directory entries in the Directory Server Console uses a dialog window called the Property Editor. The Property Editor contains the list of object classes and attributes belonging to an entry and can be used to edit the object classes and attributes belonging to that entry: •...
  • Page 35: Adding An Attribute To An Entry

    1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Advanced from the pop-up menu. Alternatively, double-click the entry to open the Property Editor, and click the Advanced button. 2.
  • Page 36: Adding Attribute Values

    When determining the value to set, consider all elements of the LDAP add and modify operations used to add the attributes, not just the single attribute. There are a number of different factors to consider, including the following: •...
  • Page 37: Adding An Attribute Subtype

    2.1.3.8. Adding an Attribute Subtype There are three different kinds of subtypes to attributes which can be added to an entry: language, binary, and pronunciation. 2.1.3.8.1. Language Subtype Sometimes a user's name can be more accurately represented in characters of a language other than the default language.
  • Page 38: Deleting Directory Entries

    2.1.3.8.4. Adding a Subtype to an Attribute To add a subtype to an entry, do the following: 1. In the Directory tab of the Directory Server Console, right-click the entry to modify, and select Properties from the pop-up menu. Alternatively, double-click the entry to open the Property Editor.
  • Page 39: Providing Input From The Command-Line

    • Section 2.2.4, “Adding and Modifying Entries Using ldapmodify” • Section 2.2.5, “Deleting Entries Using ldapdelete” • Section 2.2.6, “Using Special Characters” NOTE: You cannot modify your directory unless the appropriate access control rules have been set. See Chapter 6, Managing Access Control.
  • Page 40: Creating A Root Entry From The Command-Line

    2.2.2. Creating a Root Entry from the Command-Line The ldapmodify command-line utility can be used to create a new root entry in a database. For example: ldapmodify -a -D bindDN -w password The ldapmodify utility binds to the server and prepares it to add an entry. The new root object can then be added, as follows: dn: Suffix_Name objectclass: newobjectclass...
  • Page 41: Adding Entries Using ldapmodify

    • If the server detects an attribute or object class in the entry that is not known to the server, then the modify operation will fail when it reaches the erroneous entry. All entries that were processed before the error was encountered will be successfully added or modified.
  • Page 42: Modifying Entries Using ldapmodify

    Parameter table (Parameter Name, Description): Specifies the port number that the server uses. Optional parameter that specifies the file containing the LDIF update statements used to define the modifications. If you do not supply this parameter, the update statements are read from stdin.
  • Page 43: Deleting Entries Using ldapdelete

    Parameter table (Parameter Name, Description): Optional parameter that specifies the file containing the LDIF update statements used to define the modifications. If you do not supply this parameter, the update statements are read from stdin. For information on supplying LDIF update statements from the command-line, refer to Section 2.2.1, “Providing Input from the...
  • Page 44: Using Special Characters

    Table 2.4, “ldapdelete Parameters Used for Deleting Entries” describes the ldapdelete parameters used in the example. Parameter table (Parameter Name, Description): Specifies the distinguished name with which to authenticate to the server. The value must be a DN recognized by the Directory Server, and it must also have the authority to modify the entries.
  • Page 45: LDIF Update Statements

    • modifiersName. The distinguished name of the person who last modified the entry. • modifyTimestamp. The timestamp for when the entry was last modified in GMT format. NOTE: When a database link is used by a client application to create or modify entries, the creatorsName and modifiersName attributes do not reflect the real creator or modifier of the entries.
  • Page 46: Adding An Entry Using LDIF

    DN. For example, the distinguished name uid=ssarette,dc=example,dc=com has an RDN of uid=ssarette. The general format of LDIF update statements is as follows:

    dn: distinguished_name
    changetype: changetype_identifier
    change_operation_identifier: list_of_attributes
    change_operation_identifier: list_of_attributes

    A dash (-) must be used to denote the end of a change operation if subsequent change operations are specified.
  • Page 47: Renaming An Entry Using LDIF

    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: Pete Minsky
    givenName: Pete
    sn: Minsky
    ou: People
    ou: Marketing
    uid: pminsky

    dn: cn=Sue Jacobs,ou=People,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: Sue Jacobs
    givenName: Sue
    sn: Jacobs
    ou: People...
  • Page 48: Modifying An Entry Using LDIF

    The modrdn change type only changes the RDN; it cannot change other parts of a DN. For example, the entry cn=Sue Jacobs,ou=People,dc=example,dc=com can be changed to cn=Susan Jacobs,ou=People,dc=example,dc=com, but it cannot be modified to be cn=Sue Jacobs,ou=old employees,dc=example,dc=com.
  • Page 49: Adding Attributes To Existing Entries Using LDIF

    The specified values are used to entirely replace the attribute's values. If the attribute does not already exist, it is created. If no replacement value is specified for the attribute, the attribute is deleted. • delete: attribute The specified attribute is deleted.
  • Page 50: Changing An Attribute Value Using LDIF

    changetype: modify
    add: jpegphoto
    jpegphoto: /path/to/photo

    You can also add a jpeg photograph to the directory using the following standard LDIF notation:

    jpegphoto: < file:/path/to/photo

    Using the standard notation means that the -b parameter does not need to be used with ldapmodify. However, you must add version:1 to the beginning of the LDIF file or with LDIF update statements.
  • Page 51: Deleting All Values Of An Attribute Using LDIF

    add: telephonenumber
    telephonenumber: 555-4321

    The entry is now as follows:

    cn=Barney Fife,ou=People,dc=example,dc=com
    objectClass: inetOrgPerson
    cn: Barney Fife
    sn: Fife
    telephonenumber: 555-6789
    telephonenumber: 555-4321

    2.4.3.3. Deleting All Values of an Attribute Using LDIF changetype: modify with the delete operation deletes an attribute from an entry. If the entry has more than one instance of the attribute, you must indicate which of the attributes to delete.
  • Page 52: Deleting An Entry Using LDIF

    2.4.4. Deleting an Entry Using LDIF changetype: delete is the change type which deletes an entire entry from the directory. NOTE: You can only delete leaf entries. Therefore, when you delete an entry, make sure that no other entries exist under that entry in the directory tree.
  • Page 53: How Referential Integrity Works

    For example, if a user's entry is removed from the directory and referential integrity is enabled, the server also removes the user from any groups of which the user is a member. If referential integrity is not enabled, the user remains a member of the group until manually removed by the administrator. This is an important feature if you are integrating the Directory Server with other products that rely on the directory for user and group management.
  • Page 54: Enabling/Disabling Referential Integrity

    • It is possible to enable it on a supplier server that contains only read-write replicas. • With multi-master replication, enable the plug-in on just one supplier. If the replication environment satisfies all of those conditions, you can enable the Referential Integrity Plug-in.
  • Page 55: Modifying The Attribute List

    • 86,400 seconds (updates occur once a day) • 604,800 seconds (updates occur once a week) To modify the update interval, do the following: 1. Start the Directory Server Console. See Section 1.4, “Starting the Directory Server Console”. 2.
  • Page 56 NOTE: All attributes used in referential integrity must be indexed for presence and equality; not indexing those attributes results in poor server performance for modify and delete operations. See Section 10.2, “Creating Indexes” for more information about checking and creating indexes.
  • Page 57: Configuring Directory Databases

    The data for root and sub suffixes are contained by databases. A directory might contain more than one root suffix. For example, an ISP might host several websites, one for example.com and one for redhat.com. The ISP would create two root suffixes,...
  • Page 58 Chapter 3. Configuring Directory Databases ... one corresponding to the dc=example,dc=com naming context and one corresponding to the dc=redhat,dc=com naming context, as shown in Figure 3.2, “A Sample Directory Tree with Two Root Suffixes”. Figure 3.2. A Sample Directory Tree with Two Root Suffixes It is also possible to create root suffixes to exclude portions of the directory tree from search operations.
  • Page 59: Creating A New Root Suffix Using The Console

    Figure 3.4. A Sample Directory Tree with a Sub Suffix This section describes creating root and sub suffixes for the directory using either the Directory Server Console or the command line. • Section 3.1.1.1, “Creating a New Root Suffix Using the Console”...
  • Page 60: Creating A New Sub Suffix Using The Console

    3.1.1.2. Creating a New Sub Suffix Using the Console 1. In the Directory Server Console, select the Configuration tab. 2. Under Data in the left navigation pane, select the suffix under which to add a new sub suffix. Right-click the suffix, and select New Sub Suffix from the pop-up menu.
  • Page 61

    cn: dc=example,dc=com

    Example 3.1. Example Root Suffix Entry 3. Create a sub suffix for groups under this root suffix using ldapmodify to add the sub suffix entry:

    dn: cn="ou=groups,dc=example,dc=com",cn=mapping tree,cn=config
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsMappingTree
    nsslapd-state: backend
    nsslapd-backend: GroupData
    nsslapd-parent-suffix: "dc=example,dc=com"...
  • Page 62: Maintaining Suffixes

    Attribute table (Attribute Name, Value): ... The default value is disabled. nsslapd-referral: Defines the LDAP URL of the referral to be returned by the suffix. This attribute can be multi-valued, with one referral per value. This attribute is required when the value of the nsslapd-state attribute is referral or referral on update.
  • Page 63: Using Referrals In A Suffix

    • Section 3.1.2.4, “Deleting a Suffix” 3.1.2.1. Using Referrals in a Suffix Referrals can be used to point a client application temporarily to a different server. For example, adding a referral to a suffix so that the suffix points to a different server allows the database associated with the suffix to be taken off-line for maintenance without affecting the users of the Directory Server database.
  • Page 64: Creating And Maintaining Databases

    6. Click Save. 3.1.2.3. Disabling a Suffix Sometimes, a database may need to be taken down for maintenance, but the data the database contains is not replicated. Rather than returning a referral, disable the suffix responsible for the database. Once a suffix is disabled, the contents of the database related to the suffix are invisible to client applications when they perform LDAP operations such as search, add, and modify.
  • Page 65 • One database per suffix. The data for each suffix is contained in a separate database. Three databases are added to store the data contained in separate suffixes. This division of the tree corresponds to three databases. Database one contains the data for ou=people plus the data for dc=example,dc=com, so that clients can conduct searches based at dc=example,dc=com.
  • Page 66: Creating A New Database For An Existing Suffix Using The Console

    Suppose the number of entries in the ou=people branch of the directory tree is so large that two databases are needed to store them. In this case, the data contained by ou=people could be distributed across two databases. DB1 contains people with names from A-K, and DB2 contains people with names from L-Z.
  • Page 67: Adding Multiple Databases For A Single Suffix

    3.2.1.2. Creating a New Database for a Single Suffix from the Command Line Use the ldapmodify command-line utility to add a new database to the directory configuration file. The database configuration information is stored in the cn=ldbm database,cn=plugins,cn=config entry. For example, add a new database to the server example1: 1.
  • Page 68: Maintaining Directory Databases

    The distribution logic is a function declared in a suffix. This function is called for every operation reaching this suffix, including subtree search operations that start above the suffix. A distribution function can be inserted into a suffix using both the Console and the command line. 3.2.1.3.1.
  • Page 69 • Section 3.2.2.1, “Placing a Database in Read-Only Mode” • Section 3.2.2.2, “Deleting a Database” • Section 3.2.2.3, “Configuring Transaction Logs for Frequent Database Updates” 3.2.2.1. Placing a Database in Read-Only Mode When a database is in read-only mode, you cannot create, modify, or delete any entries. One of the situations when read-only mode is useful is for manually initializing a consumer or before backing up or exporting data from the Directory Server.
  • Page 70: Deleting A Database

    dn: cn=database_name,cn=ldbm database,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-readonly
    nsslapd-readonly: on

    NOTE: By default, the name of the database created at installation time is userRoot. 3.2.2.1.3. Placing the Entire Directory Server in Read-Only Mode If the Directory Server maintains more than one database and all databases need to be placed in read-only mode, this can be done in a single operation.
  • Page 71: Configuring Transaction Logs For Frequent Database Updates

    The Deleting Database confirmation dialog box is displayed. 4. Click Yes to confirm the deletion. Once deleted, the database no longer appears in the right pane. 3.2.2.3. Configuring Transaction Logs for Frequent Database Updates When the server is going to be asked to perform frequent database updates (LDAP adds, modifies, replication), the database transaction log files should be configured to be on a different disk than the primary database files.
  • Page 72: Database Encryption

    3.2.3. Database Encryption The Directory Server offers a number of mechanisms to secure access to sensitive data, such as access control rules to prevent unauthorized users from reading certain entries or attributes within entries and SSL to protect data from eavesdropping and tampering on untrusted networks. However, if a copy of the server's database files should fall into the hands of an unauthorized person, they could potentially extract sensitive information from those files.
  • Page 73: Encryption Ciphers

    WARNING: There is no mechanism for recovering a lost key. Therefore, it is especially important to back up the server's certificate database safely. If the server's certificate were lost, it would not be possible to decrypt any encrypted data stored in its database. WARNING: If the SSL certificate is expiring and needs to be renewed, export the encrypted backend instance before the renewal.
  • Page 74: Exporting And Importing An Encrypted Database

    To remove encryption from attributes, select them from the list of encrypted attributes in the Attribute Encryption table, and hit the Delete button, then hit Save to apply the changes. Any deleted attributes have to be manually re-added after saving. 3.2.3.4.
  • Page 75: Creating And Maintaining Database Links

    • It is possible for old, unencrypted data to persist in the server's database page pool backing file, even after a successful re-import with encryption. To remove this data, stop the server and delete the db/guardian file, then re-start the server. This will force recovery, a side-effect of which is deleting the backing file.
  • Page 76: Chaining Component Operations

    3.3.1.1. Chaining Component Operations A component is any functional unit in the server that uses internal operations. For example, plug-ins are considered to be components, as are functions in the front-end. However, a plug-in may actually be comprised of multiple components (for example, the ACI plug-in).
  • Page 77 Component table (Component Name, Description, Permissions): ... Chaining this component means certificate-based authentication can work with a database link. To chain this component's operations, add the chaining component attribute, nsActiveChainingComponents: cn=certificate-based authentication,cn=components,cn=config. Referential Integrity plug-in: This plug-in ensures that updates made to attributes... (Permissions: Read, write, search, and compare)...
  • Page 78 • Roles plug-in • Password policy component • Replication plug-ins • Referential Integrity plug-in When enabling the Referential Integrity plug-in on servers issuing chaining requests, be sure to analyze performance, resource, and time needs as well as integrity needs. Integrity checks can be time-consuming and draining on memory and CPU.
  • Page 79: Chaining Ldap Controls

    See Table 3.2, “Components Allowed to Chain” for a list of the components which can be chained. 2. Restart the server for the change to take effect. service dirsrv restart instance 3. Create an ACI in the suffix on the remote server to which the operation will be chained. For example, this creates an ACI for the Referential Integrity plug-in: aci: (targetattr "*")(target="ldap:///ou=customers,l=us,dc=example,dc=com") (version 3.0;...
  • Page 80: Creating A New Database Link

    3.3.1.2.2. Chaining LDAP Controls from the Command Line Alter the controls that the database link forwards by changing the nsTransmittedControls attribute of the cn=config,cn=chaining database,cn=plugins,cn=config entry. For example, to forward the virtual list view control, add the following to the database link entry in the configuration file: nsTransmittedControls: 2.16.840.1.113730.3.4.9 In addition, if clients of the Directory Server create their own controls and their operations should to...
  • Page 81 Creating a New Database Link The suffix must be named in line with dc naming conventions, such as dc=example,dc=com. 4. Deselect the Create associated database automatically checkbox. The checkbox must not be selected because a database link cannot be added to a suffix that is associated with a database.
  • Page 82: Creating A Database Link From The Command Line

    3.3.2.2. Creating a Database Link from the Command Line 1. Use the ldapmodify command-line utility to create a new database link from the command line. The new instance must be located in the cn=chaining database,cn=plugins,cn=config entry.
  • Page 83 NOTE After creating the database link, any alterations to the nsslapd-suffix attribute are applied only after the server containing the database link is restarted. 3.3.2.2.2. Providing Bind Credentials For a request from a client application to be chained to a remote server, special bind credentials can be supplied for the client application.
  • Page 84 The database link on Server A binds to Server B using a special user as defined in the nsMultiplexorBindDN attribute and a user password as defined in the nsMultiplexorCredentials attribute. In this example, Server A uses the following bind credentials:
    nsMultiplexorBindDN: cn=proxy admin,cn=config
    nsMultiplexorCredentials: secret...
  • Page 85 For more information on ACIs, see Chapter 6, Managing Access Control. For more information about the proxy authentication control, refer to the LDAP C-SDK documentation at http://www.mozilla.org/directory. NOTE When a database link is used by a client application to create or modify entries, the attributes creatorsName and modifiersName do not reflect the real creator or modifier of the entries.
  • Page 86 (table columns: Attributes, Value) nsslapd-suffix: The suffix managed by the database link. Any changes to this attribute after the entry has been created take effect only after the server containing the database link is restarted. nsslapd-timelimit: Default search time limit for the database link, given in seconds.
  • Page 87 (table columns: Attributes, Value) nsReferralOnScopedSearch: Controls whether referrals are returned by scoped searches. This attribute is for optimizing the directory because returning referrals in response to scoped searches is more efficient. Takes the values on or off. The default value is off.
  • Page 88 1. Run ldapmodify to add a database link to Server A: ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com 2. Specify the configuration information for the database link:
    dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsBackendInstance
    nsslapd-suffix: c=africa,ou=people,dc=example,dc=com...
  • Page 89: Chaining Using Ssl

    Chaining Using SSL admin,cn=config";) This ACI gives the proxy admin user read-only access to the data contained on the remote server within the l=Zanzibar,ou=people,dc=example,dc=com subtree only. NOTE When a user binds to a database link, the user's identity is sent to the remote server. Access controls are always evaluated on the remote server.
  • Page 90: Database Links And Access Control Evaluation

    3. In the right navigation pane, click the Authentication tab. 4. To update the remote server information, enter a new LDAP URL in the Remote Server URL field. Unlike the standard LDAP URL format, the URL of the remote server does not specify a suffix. It takes the form ldap://hostname:port/.
  • Page 91: Advanced Feature: Tuning Database Link Performance

    Advanced Feature: Tuning Database Link Performance • All access controls based on the IP address or DNS domain of the client may not work since the original domain of the client is lost during chaining. The remote server views the client application as being at the same IP address and in the same DNS domain as the database link.
  • Page 92: Managing Connections To The Remote Server

    3.3.6.1. Managing Connections to the Remote Server Each database link maintains a pool of connections to a remote server. The connection pool can be configured to optimize the directory's resource use. 3.3.6.1.1. Managing Connections to the Remote Server Using the Console 1.
  • Page 93: Detecting Errors During Normal Processing

    The connection management attributes specified in this entry take precedence over the attributes specified in the cn=default instance config entry. (table columns: Attribute Name, Description) nsOperationConnectionsLimit: Maximum number of LDAP connections that the database link establishes with the remote server.
  • Page 94: Managing Threaded Operations

    and nsMaxTestResponseDelay — which work together to determine if the remote server is no longer responding. The first attribute, nsMaxResponseDelay, sets a maximum duration for an LDAP operation to complete. If the operation takes more than the amount of time specified in this attribute, the database link's server suspects that the remote server is no longer online.
  • Page 95: Advanced Feature: Configuring Cascading Chaining

    Advanced Feature: Configuring Cascading Chaining performance can be improved by increasing the number of threads available for processing operations. While the local CPU waits for a response from a remote server, it can process other operations rather than stand idle. To change the number of threads used for processing operations, change the nsslapd-threadnumber global configuration attribute in the cn=config entry.
  • Page 96 ACIs applying to the client are evaluated only after the request has been chained to the destination server, in the above example Server 2. Consider the following example scenario. On Server A, a directory tree is split as follows: The root suffix dc=example,dc=com and the ou=people and ou=groups sub suffixes are stored on Server A.
  • Page 97: Configuring Cascading Chaining Defaults Using The Console

    First, the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the ou=people,l=europe,dc=example,dc=com branch.
  • Page 98: Configuring Cascading Chaining Using The Console

    3. Select the Check local ACI checkbox to enable the evaluation of local ACIs on the intermediate database links involved in cascading chaining. Selecting this checkbox may require adding the appropriate local ACIs to a database on the servers that contain intermediate database links. 4.
  • Page 99 2. Configure the intermediate database link or links (in the example, Server 2) to transmit the Proxy Authorization Control. By default, a database link does not transmit the Proxy Authorization Control. However, when one database link contacts another, this control is used to transmit information needed by the final destination server.
  • Page 100: Summary Of Cascading Chaining Configuration Attributes

    nsCheckLocalACI: on Setting this attribute to on in the cn=default instance config,cn=chaining database,cn=plugins,cn=config entry means that all new database link instances will have the nsCheckLocalACI attribute set to on in their cn=database_link,cn=chaining database,cn=plugins,cn=config entry. 5.
  • Page 101: Cascading Chaining Configuration Example

    (table columns: Attribute, Description) nsFarmServerURL: URL of the server containing the next database link in the cascading chain. nsTransmittedControls: Enter the following OIDs to the database links involved in the cascading chain:
    nsTransmittedControls: 2.16.840.1.113730.3.4.12
    nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12
    The first OID corresponds to the Proxy Authorization Control.
  • Page 102: Configuring Server One

    • Section 3.3.7.7.1, “Configuring Server One” • Section 3.3.7.7.2, “Configuring Server Two” • Section 3.3.7.7.3, “Configuring Server Three” 3.3.7.7.1. Configuring Server One 1. Run ldapmodify ldapmodify -a -D "cn=directory manager" -w secret -h host -p 389 2.
  • Page 103: Configuring Server Two

    objectclass: top
    objectclass: extensibleObject
    objectclass: nsBackendInstance
    nsslapd-suffix: c=africa,ou=people,dc=example,dc=com
    nsfarmserverurl: ldap://africa.example.com:389/
    nsmultiplexorbinddn: cn=server1 proxy admin,cn=config
    nsmultiplexorcredentials: secret
    cn: DBLink1
    nsCheckLocalACI: off

    dn: cn="c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config
    objectclass: nsMappingTree
    nsslapd-state: backend
    nsslapd-backend: DBLink1
    nsslapd-parent-suffix: "ou=people,dc=example,dc=com"
    cn: "c=africa,ou=people,dc=example,dc=com"
    The first section creates the entry associated with DBLink1. The second section creates a new suffix, allowing the server to direct requests made to the database link to the correct server.
  • Page 104 2. Configure the database link, DBLink2, on Server 2, using ldapmodify:
    dn: cn=DBLink2,cn=chaining database,cn=plugins,cn=config
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsBackendInstance
    nsslapd-suffix: l=Zanzibar,c=africa,ou=people,dc=example,dc=com
    nsfarmserverurl: ldap://zanz.africa.example.com:389/
    nsmultiplexorbinddn: cn=server2 proxy admin,cn=config
    nsmultiplexorcredentials: secret
    cn: DBLink2
    nsCheckLocalACI: on

    dn: cn="l=Zanzibar,c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsMappingTree...
  • Page 105: Configuring Server Three

    Both ACIs will be placed on the database that contains the c=africa,ou=people,dc=example,dc=com suffix. NOTE To create these ACIs, the database corresponding to the c=africa,ou=people,dc=example,dc=com suffix must already exist to hold the entry. This database needs to be associated with a suffix above the suffix specified in the nsslapd-suffix attribute of each database link.
  • Page 106: Using Referrals

    2. Then add the same local proxy authorization ACI to server three as on Server 2. Add the following proxy authorization ACI to the l=Zanzibar,ou=people,dc=example,dc=com entry: aci: (targetattr = "*")(version 3.0; acl "Proxied authorization for database links"; allow (proxy) userdn = "ldap:///cn=server2 proxy admin,cn=config";) This ACI gives the Server 2 proxy admin read-only access to the data contained on the remote server, server three, within the l=Zanzibar,ou=people,dc=example,dc=com subtree only.
  • Page 107: Setting Default Referrals

    Setting Default Referrals • port is the optional port number of the Directory Server to start in referral mode. • referral_url is the referral returned to clients. The format of an LDAP URL is covered in Appendix C, LDAP URLs. 3.4.2.
  • Page 108: Creating Smart Referrals

    After adding the default referral to the cn=config entry of the directory, the directory will return the default referral in response to requests made by client applications. The Directory Server does not need to be restarted. 3.4.3.
  • Page 109: Creating Suffix Referrals

    Creating Suffix Referrals 7. The Smart Referral List lists the referrals currently in place for the selected entry. The entire list of referrals is returned to client applications in response to a request with the Return Referrals for All Operations or Return Referrals for Update Operations options in the Suffix Settings tab, which is available under the Configuration tab.
  • Page 110: Creating Suffix Referrals Using The Console

    3.4.4.1. Creating Suffix Referrals Using the Console To create a suffix referral using the Console, do the following: 1. Select the Configuration tab. 2. Under Data in the left pane, click the suffix to which to add a referral. 3.
  • Page 111 For more information about the suffix configuration attributes, refer to Table 3.1, “Suffix Attributes”...
  • Page 113: Populating Directory Databases

    Chapter 4. Populating Directory Databases Databases contain the directory data managed by the Red Hat Directory Server. 4.1. Importing Data Directory Server can populate a database with data in one of two ways: by importing data (either through the Directory Server Console or using the import tools) or by initializing a database for replication.
  • Page 114 NOTE The LDIF files used for import operations must use UTF-8 character set encoding. Import operations do not convert data from local character set encoding to UTF-8 character set encoding. WARNING All imported LDIF files must also contain the root suffix. To import data from the Directory Server Console, do the following: 1.
  • Page 115: Initializing A Database From The Console

    Initializing a Database from the Console NOTE Trailing spaces are dropped during a remote Console import but are preserved during both local Console or ldif2db import operations. 4.1.3. Initializing a Database from the Console The existing data in a database can be overwritten by initializing databases. You must be logged in as the Directory Manager in order to initialize a database because an LDIF file that contains a root entry cannot be imported into a database except as the Directory Manager (root DN).
  • Page 116 • Using ldif2ldap. This method appends the LDIF file through LDAP. This method is useful to append data to all of the databases; see Section 4.1.4.3, “Importing Using the ldif2ldap Command-Line Script”. NOTE The LDIF files used for import operations must use UTF-8 character set encoding. Import operations do not convert data from local character set encoding to UTF-8 character set encoding.
  • Page 117 Importing from the Command-Line For more information about using this script, see the Directory Server Configuration, Command, and File Reference. WARNING If the database specified in the -n option does not correspond with the suffix contained by the LDIF file, all of the data contained by the database is deleted, and the import fails.
  • Page 118: Exporting Data

    NOTE You do not need root privileges to run the script, but you must authenticate as the Directory Manager. (table columns: Option, Description) Specifies the DN of the administrative user. Specifies the password of the administrative user. Specifies the LDIF files to be imported.
  • Page 119 Exporting Data • Backing up the data in the database. • Copying data to another Directory Server. • Exporting data to another application. • Repopulating databases after a change to the directory topology. For example, if a directory contains one database, and its contents are split into two databases, then the two new databases receive their data by exporting the contents of the old databases and importing it into the two new databases, as illustrated in Figure 4.1, “Splitting a Database Contents into Two...
  • Page 120: Exporting Directory Data To Ldif Using The Console

    • Section 4.2.3, “Exporting to LDIF from the Command-Line” WARNING Do not stop the server during an export operation. 4.2.1. Exporting Directory Data to LDIF Using the Console Some or all of the directory data can be exported to LDIF, depending upon the location of the final exported file.
  • Page 121: Exporting To Ldif From The Command-Line

    Exporting to LDIF from the Command-Line 2. Expand the Data tree in the left navigation pane. Expand the suffix, and select the database under the suffix. 3. Right-click the database, and select Export Database. Alternatively, select Export Database from the Object menu. The Export Partition dialog box opens.
  • Page 122: Backing Up And Restoring Data

    The LDIF file in this case would be /var/lib/dirsrv/slapd-instance_name/ldif/instance_name-example-2007_04_30_112718.ldif, using the name of the suffix rather than the database. If the suffix specified is a root suffix, such as dc=example,dc=com, then it is not necessary to specify the database or to use the -n option.
  • Page 123: Backing Up All Databases

    Backing up All Databases WARNING Do not stop the server during a backup or restore operation. 4.3.1. Backing up All Databases The following procedures describe backing up all of the databases in the directory using the Directory Server Console and from the command-line. NOTE These backup methods cannot be used to back up the data contained by databases on a remote server that are chained using database links.
  • Page 124: Backing Up The Dse.ldif Configuration File

    1. Open the Directory Server instance directory: cd /usr/lib/dirsrv/slapd-instance_name 2. Run the db2bak command-line script. db2bak /var/lib/dirsrv/slapd-instance_name/bak/instance_name-2007_04_30_16_27_56 For more information about using this script, see the Directory Server Configuration, Command, and File Reference. The backup directory where the server saves the backed up databases can be specified with the script.
  • Page 125 Restoring All Databases 2. Click Restore Directory Server. The Restore Directory dialog box is displayed. 3. Select the backup from the Available Backups list, or enter the full path to a valid backup in the Directory text box. The Available Backups list shows all backups located in the default directory, /var/lib/dirsrv/slapd-instance_name/bak/backup_directory. backup_directory is the directory of...
  • Page 126: Restoring A Single Database

    For more information on using this Perl script, see the Directory Server Configuration, Command, and File Reference. (table columns: Option, Description) Defines the full path and name of the input file. Specifies the DN of the administrative user. Specifies the password of the administrative user.
  • Page 127: Restoring The Dse.ldif Configuration File

    Restoring the dse.ldif Configuration File more information about this option, see the Directory Server Configuration, Command, and File Reference. Directory Server automatically detects the compatibility between the replica and its changelog. If a mismatch is detected, the server removes the old changelog file and creates a new, empty one. •...
  • Page 129: Managing Entries With Roles, Classes Of Service, And Views

    Chapter 5. Managing Entries with Roles, Classes of Service, and Views Entries contained within the directory can be grouped in different ways to simplify the management of user accounts. Red Hat Directory Server supports a variety of methods for grouping entries and sharing attributes between entries.
  • Page 130 attribute. The nsRole attribute is a computed attribute, which identifies to which roles an entry belongs; the nsRole attribute is not stored with the entry itself. From the client application point of view, the method for checking membership is uniform and is performed on the server side.
  • Page 131: Managing Roles Using The Console

    Managing Roles Using the Console 5.1.2. Managing Roles Using the Console This section contains the following procedures for creating and modifying roles: • Section 5.1.2.1, “Creating a Managed Role” • Section 5.1.2.2, “Creating a Filtered Role” • Section 5.1.2.3, “Creating a Nested Role” •...
  • Page 132: Creating A Filtered Role

    The new role appears in the right pane. NOTE The nsRoleDN attribute is an operational attribute and must be explicitly requested in the search command in the list of search attributes. For example: ldapsearch ...
  • Page 133: Creating A Nested Role

    NOTE The nsRoleDN attribute is an operational attribute and must be explicitly requested in the search command in the list of search attributes. For example: ldapsearch ... args ... "(uid=scarter)" \* nsRole nsRoleDN The Directory Server Console automatically shows the nsRoleDN attribute. 5.1.2.3.
  • Page 134: Modifying A Role Entry

    3. Select Set Roles from the Object menu. The Roles dialog box opens. 4. Select the Managed Roles tab to display the managed roles to which this entry belongs. To add a new managed role, click Add, and select an available role from the Role Selector window.
  • Page 135: Managing Roles Using The Command-Line

    Managing Roles Using the Command-Line To see the inactivated entries, select Inactivation State from the View menu. A red slash through the role icon indicates that the role has been inactivated. 5.1.2.7. Reactivating a Role To reactivate a disabled role: 1.
  • Page 136 Table 5.1, “Object Classes and Attributes for Roles” lists the object classes and attributes associated with each type of role. (table columns: Role Type, Object Classes, Attributes) Managed Role: nsSimpleRoleDefinition, nsManagedRoleDefinition; description (optional). Filtered Role: nsComplexRoleDefinition...
  • Page 137 ldapmodify -a -D "cn=Directory Manager" -w secret -h host -p 389 2. Create the managed role entry, containing the nsManagedRoleDefinition object class, which in turn inherits from the LdapSubEntry, nsRoleDefinition, and nsSimpleRoleDefinition object classes.
    dn: cn=Marketing,ou=people,dc=example,dc=com
    objectclass: top
    objectclass: LdapSubEntry
    objectclass: nsRoleDefinition...
  • Page 138: Using Roles Securely

    The following entry matches the filter (possesses the o attribute with the value sales managers), and, therefore, it is a member of this filtered role automatically:
    dn: cn=Pat,ou=people,dc=example,dc=com
    objectclass: person
    cn: Pat
    sn: Pat
    userPassword: bigsecret...
  • Page 139: Assigning Classes Of Service

    Assigning Classes of Service To prevent users from removing the nsRoleDN attribute, use the following ACIs depending upon the type of role being used. • Managed roles. For entries that are members of a managed role, use the following ACI to prevent users from unlocking themselves by removing the appropriate nsRoleDN: aci: (targetattr="nsRoleDN") (targattrfilters= add=nsRoleDN:(! (nsRoleDN=cn=AdministratorRole,...
  • Page 140: About The Cos Definition Entry

    The CoS definition entry and template entry interact to provide attribute information to their target entries, any entry within the scope of the CoS. 5.2.1.1. About the CoS Definition Entry The CoS definition entry is an instance of the cosSuperDefinition object class.
  • Page 141: How A Pointer Cos Works

    About CoS 5.2.1.3. How a Pointer CoS Works An administrator creates a pointer CoS that shares a common postal code with all of the entries stored under dc=example,dc=com. The three entries for this CoS appear as illustrated in Figure 5.1, “Sample Pointer CoS”.
  • Page 142: How A Classic Cos Works

    Figure 5.2. Sample Indirect CoS In this example, the target entry for William Holiday contains the indirect specifier, the manager attribute. William's manager is Carla Fuentes, so the manager attribute contains a pointer to the DN of the template entry, cn=Carla Fuentes,ou=people,dc=example,dc=com.
  • Page 143 Figure 5.3. Sample Classic CoS In this example, the CoS definition entry's cosSpecifier attribute specifies the employeeType attribute. This attribute, in combination with the template DN, identifies the template entry as cn=sales,cn=exampleUS,cn=data. The template entry then provides the value of the postalCode attribute to the target entry.
  • Page 144: Managing Cos Using The Console

    If an ldapsearch command uses the filter (postalCode=*), then both Barbara Jensen's and Ted Morris's entries are returned. • CoS allows for an override, an identifier given to the cosAttribute attribute in the CoS entry, which means that local values for an attribute can override the CoS value.
  • Page 145: Creating The Cos Template Entry

    Managing CoS Using the Console • Select Overrides target entry attribute and is operational to make the attribute override the local value and to make the attribute operational, so that it is not visible to client applications unless explicitly requested. •...
  • Page 146: Editing An Existing Cos

    3. Right-click on the CoS and select New > Other. 4. Select cosTemplate from the list of object classes. NOTE The LDAPsubentry object class can be added to a new template entry. Making the CoS template entry an instance of the LDAPsubentry object class allows ordinary searches to be performed unhindered by the configuration entries.
  • Page 147: Managing Cos From The Command-Line

    Managing CoS from the Command-Line 3. Double-click the CoS. The Edit Entry dialog box appears. 4. Click General in the left pane to change the CoS name and description. 5. Click Attributes in the left pane to add or remove attributes generated by the CoS. 6.
  • Page 148 (table columns: CoS Type, Object Classes, Description) Indirect CoS: cosIndirectDefinition. Identifies the template entry using the value of one of the target entry's attributes. The attribute of the target entry is specified in the cosIndirectSpecifier attribute.
  • Page 149 (table columns: CoS Type, CoS definition)
    objectclass: cosIndirectDefinition
    cosIndirectSpecifier: attribute_name
    cosAttribute: list_of_attributes qualifier
    Classic CoS:
    objectclass: top
    objectclass: cosSuperDefinition
    objectclass: cosClassicDefinition
    cosTemplateDn: DN_string
    cosSpecifier: attribute_name
    cosAttribute: list_of_attributes qualifier
    Table 5.4. CoS Definitions CoS definition entries are operational entries and are not returned by default with regular searches. This means that if a CoS is defined under ou=People,dc=example,dc=com, for example, the following ldapsearch command will not return them: ldapsearch -s sub -b ou=People,dc=example,dc=com "(objectclass=*)"...
  • Page 150: Example Of A Pointer Cos

    template entry already exists and is used for something else, such as a user entry, the LDAPsubentry object class does not need to be added to the template entry. The CoS template entry also contains the attribute generated by the CoS (as specified in the cosAttribute attribute of the CoS definition entry) and the value for that attribute.
  • Page 151: Example Of An Indirect Cos

    5.2.3.4. Example of an Indirect CoS This indirect CoS uses the manager attribute of the target entry to identify the CoS template entry, which varies depending on the different values of the attribute. 1. Add a new indirect CoS definition entry to the dc=example,dc=com suffix, using ldapmodify as follows: ldapmodify -a -D "cn=directory manager"...
  • Page 152 3. Create the template entries for the sales and marketing departments. Add the CoS attributes to the template entry. The cn of the template sets the value of the businessCategory attribute in the target entry, and then the attributes are added or overwritten according to the value in the template: dn: cn=sales,cn=classicCoS,dc=example,dc=com...
  • Page 153 (table columns: Override Qualifier, Description) ...attribute, it is not possible to use the operational qualifier because this attribute is not marked operational in the schema. operational-default: Only returns a generated value if there is no corresponding attribute value stored with the entry and if it is explicitly requested in the search.
  • Page 154: Creating Role-Based Attributes

    It is fairly common for there to be multiple templates competing to provide a value. For example, there can be a multi-valued cosSpecifier attribute in the CoS definition entry. The template priority is set using the cosPriority attribute.
  • Page 155: Access Control And Cos

    Access Control and CoS
    objectclass: top
    objectclass: cosSuperDefinition
    objectclass: cosClassicDefinition
    cosTemplateDn: cn=managerCOS,dc=example,dc=com
    cosSpecifier: nsRole
    cosAttribute: mailboxquota override
    The cosTemplateDn attribute provides a value that, in combination with the attribute specified in the cosSpecifier attribute (in the example, the nsRole attribute of the target entry), identifies the CoS template entry.
  • Page 156: Creating Views In The Console

    Figure 5.4. A Directory Tree with a Virtual DIT View hierarchy Virtual DIT views behave like normal DITs in that a subtree or a one-level search can be performed with the expected results being returned.
  • Page 157: Deleting Views From The Directory Server Console

    Deleting Views from the Directory Server Console (l=Sunnyvale) 9. Hit OK to close the attributes box, and hit OK again to save the new view entry. The new view is immediately populated with any entries matching the search filter, and any new entries added to directory are automatically included in the view.
  • Page 158: Using Groups

    ldapdelete -D "cn=directory manager" -w secret -h host -p 389 "ou=Example View,dc=example,dc=com" 2. Remove the view entry. It is not necessary to remove any entries included in the view.
    dn: ou=Example View,dc=example,dc=com
    objectClass: top
    objectClass: organizationalunit...
  • Page 159: Managing Dynamic Groups

    Managing Dynamic Groups 5. Click Members in the left pane. In the right pane, select the Static Group tab. Click Add to add new members to the group. The standard Search users and groups dialog box appears. 6. In the Search drop-down list, select what sort of entries to search for (users, groups, or both) then click Search.
  • Page 160: Modifying A Dynamic Group

    5. Click OK. The new group appears in the right pane. 5.4.2.2. Modifying a Dynamic Group 1. In the Directory Server Console, select the Directory tab. The directory contents appear in the left pane. 2.
  • Page 161: Managing Access Control

    Chapter 6. Managing Access Control Red Hat Directory Server allows you to control access to your directory. This chapter describes how to implement access control. To take full advantage of the power and flexibility of access control, define an access control strategy as an integral part of your overall security policy while you are in the planning phase for your directory deployment.
  • Page 162: Aci Evaluation

    The aci attribute is multi-valued, which means that you can define several ACIs for the same entry or subtree. An ACI created on an entry can be set so it does not apply directly to that entry but to some or all of the entries in the subtree below it.
  • Page 163: Default Acis

    However, you can match values stored in the target entry with values stored in the entry of the bind user; for example, using the userattr keyword. Access is evaluated normally even if the bind user does not have an entry on the server that holds the ACI. For more information on how to chain access control evaluation, see Section 3.3.5, “Database Links and Access Control...
  • Page 164: Creating Acis Manually

    • Group expansion. The following sections explain how to modify these default settings. 6.3. Creating ACIs Manually You can create access control instructions manually using LDIF statements and add them to your directory tree using the ldapmodify utility, similar to the instructions in Section 2.4, “LDIF Update Statements”.
  • Page 165: Defining Targets

    Defining Targets The following is an example of a complete LDIF ACI: aci: (target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";) In this example, the ACI states that the user bjensen has rights to modify all attributes in her own directory entry. 6.3.2.
  • Page 166: Targeting A Directory Entry

    ou=accounting,dc=example,dc=com, the permissions you set apply to all entries in the accounting branch of the example.com tree. As a counter example, if you place an ACI on the ou=accounting,dc=example,dc=com entry, you cannot target the uid=sarette,ou=people,dc=example,dc=com entry because it is not located under the accounting tree.
  • Page 167: Targeting Attributes

    • (target="ldap:///uid=*,dc=example,dc=com") — Matches every entry in the entire example.com tree that has the uid attribute in the entry's RDN. • (target="ldap:///uid=*Anderson,dc=example,dc=com") — Matches every entry directly under the example.com node with a uid ending in Anderson. • (target="ldap:///uid=C*A,dc=example,dc=com") — Matches every entry directly under the example.com node with a uid beginning with C and ending with A.
  • Page 168: Targeting Both An Entry And Attributes

    attributeX is the name of the targeted attribute. For example, this targets the common name (cn) attribute: (targetattr = "cn") To target an entry's common name, surname, and UID attributes, use the following: (targetattr = "cn || sn || uid") The attributes specified in the targetattr keyword apply to the entry that the ACI is targeting and to all the entries below it.
  • Page 169: Targeting Attribute Values Using Ldap Filters

    The following LDIF example allows members of the Engineering Admins group to modify the departmentNumber and manager attributes of all entries in the Engineering business category. This example uses LDAP filtering to select all entries with businessCategory attributes set to Engineering: dn: dc=example,dc=com objectClass: top...
  • Page 170: Defining Permissions

    attribute must be satisfied. If individual values of an attribute already present in the entry are replaced, then both the add and delete filters must be satisfied. For example, consider the following attribute filter: (targattrfilters="add=nsroledn:(!(nsroledn=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)") This filter can be used to allow users to add any role (nsroledn attribute) to their own entry, except the superAdmin role.
  • Page 171: Allowing Or Denying Access

    Defining Permissions • Assigning rights 6.3.3.1. Allowing or Denying Access You can either explicitly allow or deny access permissions to the directory tree. NOTE From the Directory Server Console, you cannot explicitly deny access, only grant permissions. 6.3.3.2. Assigning Rights Rights detail the specific operations a user can perform on directory data.
  • Page 172: Rights Required For Ldap Operations

    Right Description Indicates that the specified DN has all rights (read, write, search, delete, compare, and selfwrite) to the targeted entry, excluding proxy rights. Table 6.2. User Rights Rights are granted independently of one another. This means, for example, that a user who is granted add rights can create an entry but cannot delete it if delete rights have not been specifically granted.
  • Page 173: Permissions Syntax

    • Grant write permission on the attribute type used in the new RDN. • Grant write permission on the attribute type used in the old RDN, if you want to grant the right to delete the old RDN. •...
  • Page 174: Bind Rules

    from renaming any entries in the set specified by the pattern cn=*,ou=people,o=example.com, add the following ACI: aci: (target="ldap:///cn=*,ou=people,o=example.com") (version 3.0; acl "Deny modrdn rights to the helpDeskGroup"; deny(write) groupdn="ldap:///cn=helpDeskGroup,ou=groups,o=example.com";) 6.4. Bind Rules Depending on the ACIs defined for the directory, for certain operations, you need to bind to the directory.
  • Page 175: Defining User Access - Userdn Keyword

    The quotation marks ("") around expression and the delimiting semicolon (;) are required. The expressions you can use depend on the associated keyword. Table 6.3, “LDIF Bind Rule Keywords” lists each keyword and the associated expressions and indicates whether wildcard characters are allowed in the expression.
  • Page 176: Ldap Urls

    NOTE If a DN contains a comma, the comma must be preceded by a backslash (\) escape character. 6.4.2.1. Anonymous Access (anyone Keyword) Granting anonymous access to the directory means that anyone can access it without providing a bind DN or password and regardless of the circumstances of the bind.
  • Page 177 NOTE Do not specify a hostname or port number within the LDAP URL. LDAP URLs always apply to the local server. For more information about LDAP URLs, see Appendix C, LDAP URLs. 6.4.2.6. Wildcards You can also specify a set of users by using the wildcard character (*).
  • Page 178: Defining Group Access - Groupdn Keyword

    Scenario Userdn keyword containing the anyone keyword Userdn keyword containing the parent keyword Table 6.4. userdn Keyword Examples 6.4.3. Defining Group Access - groupdn Keyword Members of a specific group can access a targeted resource. This is known as group access. Group access is defined using the groupdn keyword to specify that access to a targeted entry is granted or denied if the user binds using a DN that belongs to a specific group.
  • Page 179: Defining Role Access - Roledn Keyword

    Scenario Groupdn keyword containing logical OR of LDAP URLs Table 6.5. groupdn Examples 6.4.4. Defining Role Access - roledn Keyword Members of a specific role can access a targeted resource. This is known as role access. Role access is defined using the roledn keyword to specify that access to a targeted entry is granted or denied if the user binds using a DN that belongs to a specific role.
  • Page 180 • A role DN • An LDAP filter, in an LDAP URL • Any attribute type The LDIF syntax of the userattr keyword is as follows: userattr = "attrName#bindType" Using an attribute type that requires a value other than a user DN, group DN, role DN, or an LDAP filter has the following format: userattr = "attrName#attrValue" •...
  • Page 181 Defining Access Based on Value Matching In this example, the group entry is under the dc=example,dc=com suffix. The server can process this type of syntax more quickly than the previous example. (By default, owner is not an allowed entry in a user's entry. You would have to extend your schema to allow this attribute in a person object.) 6.4.5.1.3.
  • Page 182: Using The Userattr Keyword With Inheritance

    The bind rule is evaluated to be true if the bind DN and the target DN include the favoriteDrink attribute with a value of Beer. 6.4.5.1.6. Using the userattr Keyword with Inheritance When you use the userattr keyword to associate the entry used to bind with the target entry, the ACI applies only to the target specified and not to the entries below it.
  • Page 183: Granting Add Permission Using The Userattr Keyword

    Figure 6.1. Using Inheritance With the userattr Keyword In this example, if you did not use inheritance, you would have to do one of the following to achieve the same result: • Explicitly set read and search access for user bjensen on the cn=Profiles, cn=mail, and cn=news entries in the directory.
  • Page 184: Defining Access From A Specific Ip Address

    acl "manager-write"; allow (all) userattr = "manager#USERDN";) This ACI grants managers all rights on the entries of employees that report to them. However, because access rights are evaluated on the entry being created, this type of ACI would also allow any employee to create an entry in which the manager attribute is set to their own DN.
  • Page 185: Defining Access From A Specific Domain

    6.4.7. Defining Access from a Specific Domain A bind rule can specify that the bind operation must originate from a particular domain or host machine. This is often used to force all directory updates to occur from a given machine or network domain.
  • Page 186 less than or equal to (<=) The timeofday keyword requires a time of day expressed in hours and minutes in the 24 hour clock (0 to 2359). NOTE The time on the Directory Server is used for the evaluation, not the time on the client. The LDIF syntax for setting a bind rule based on the day in the week is as follows: dayofweek = "day1, day2 ...
  • Page 187: Defining Access Based On Authentication Method

    6.4.9. Defining Access Based on Authentication Method The authmethod keyword sets the specific method that a client uses to bind to the directory. There are four available authentication methods: • None. Authentication is not required. This is the default. It represents anonymous access. •...
  • Page 188: Using Boolean Bind Rules

    • The bind rule is evaluated to be true if the client is accessing the directory using the SASL DIGEST-MD5 mechanism. authmethod = "sasl DIGEST-MD5"; 6.4.10. Using Boolean Bind Rules Bind rules can be complex expressions that use the Boolean expressions AND, OR, and NOT to set very precise access rules.
  • Page 189: Displaying The Access Control Editor

    1. Start the Directory Server Console. Log in using the bind DN and password of a privileged user, such as the Directory Manager, who has write access to the ACIs configured for the directory. /usr/bin/redhat-idm-console 2. Select the Directory tab.
  • Page 190 4. Click New to open the Access Control Editor.
  • Page 191: Creating A New Aci

    Figure 6.2. Access Control Editor Window 6.5.2. Creating a New ACI To create a new ACI in the Directory Server Console, do the following: 1. Open the Access Control Editor, as described in Section 6.5.1, “Displaying the Access Control Editor”.
  • Page 192 a. Select a search area from the drop-down list, enter a search string in the Search field, and click the Search button. You can use wildcards (an asterisk, *) to search for partial usernames. The search results are displayed in the list below. b.
  • Page 193 5. Click the Targets tab. Click This Entry to display the current node as the target for the ACI or click Browse to select a different suffix.
  • Page 194 NOTE You can change the value of the target DN, but the new DN must be a direct or indirect child of the selected entry. If you do not want every entry in the subtree under this node to be targeted by the ACI, enter a filter in the Filter for Sub-entries field.
  • Page 195 You can specify a hostname or an IP address. With an IP address, you can use an asterisk (*) as a wildcard. 7. Click the Times tab to display the table showing at what times access is allowed. By default, access is allowed at all times.
  • Page 196: Editing An Aci

    8. When you have finished editing the ACI, click OK. The Access Control Editor closes, and the new ACI is listed in the Access Control Manager window. NOTE At any point while creating the ACI, you can click the Edit Manually button to display the LDIF statement corresponding to the wizard input.
  • Page 197: Deleting An Aci

    3. Make the edits to the ACI in the Access Control Editor; the different screens are described in more detail in Section 6.5.2, “Creating a New ACI” and in the online help. 4. When you have finished editing the ACI, click OK. The Access Control Editor window closes, and the modified ACI is listed in the Access Control Manager.
  • Page 198 Get effective rights is an extended ldapsearch which returns the access control permissions set on each attribute within an entry. The effective rights can be retrieved by sending an LDAP control along with a search operation. The results show the effective rights on each returned entry and each attribute of each returned entry.
  • Page 199: Using Get Effective Rights From The Command-Line

    Permission Description Delete. Rename the DN. View the entry. Table 6.6. Permissions That Can Be Set on Entries Permission Description Read. Search. Write (mod-add). Obliterate (mod-del). Analogous to delete. Compare. Self-write. Self-delete. Table 6.7. Permissions That Can Be Set on Attributes 6.7.1.
  • Page 200 l: Santa Clara manager: uid=dmiller, ou=People, dc=example,dc=com roomNumber: 4117 mail: tmorris@example.com facsimileTelephoneNumber: +1 408 555 5409 objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: tmorris cn: Ted Morris userPassword: {SSHA}bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA== entryLevelRights: v attributeLevelRights: givenName:rsc, sn:rsc, ou:rsc, l:rsc, manager:rsc, roomNumber:rscwo, mail:rscwo, facsimileTelephoneNumber:rscwo, objectClass:rsc, uid:rsc, cn:rsc, userPassword:wo...
  • Page 201: Using Get Effective Rights From The Console

    uid=tmorris,ou=people,dc=example,dc=com" "(objectClass=*)" ldap_search: Insufficient access ldap_search: additional info: get-effective-rights: requestor has no g permission on the entry However, Ted Morris could run a get effective rights search on his personal entry to determine the rights another user, such as Sam Carter, has to it.
  • Page 202: Logging Access Control Information

    Code Description rights do not exist on the entry being queried, then this error is returned. No such attribute. If an attribute is specifically queried for access rights but that attribute does not exist in the schema, this error is returned. Undefined attribute type.
  • Page 203: Granting Anonymous Access

    • Grant write access to example.com employees for personal information, such as homePhone and homePostalAddress (Section 6.9.2, “Granting Write Access to Personal Entries”). • Grant example.com employees the right to add any role to their entry, except certain critical roles (Section 6.9.3, “Restricting Access to Key Roles”).
  • Page 204 1. In the Directory tab, right-click the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. 2. Click New to display the Access Control Editor. 3.
  • Page 205: Granting Write Access To Personal Entries

    6. In the Filter for subentries field, type the following filter: (!(unlistedSubscriber=yes)) 7. In the attribute table, select the checkboxes for the homePhone, homePostalAddress, and mail attributes. All other checkboxes should be clear; if it is easier, click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones.
  • Page 206 a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens. b. Set the Search area to Special Rights, and select Self from the search results list. c. Click the Add button to list Self in the list of users who are granted access permission. d.
  • Page 207: Restricting Access To Key Roles

    2. Click New to display the Access Control Editor. 3. In the Users/Groups tab, in the ACI name field, type Write Subscribers. In the list of users granted access permission, do the following: a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens.
  • Page 208 When a role gives any sort of privileged user rights over critical corporate or business functions, consider restricting access to that role. For example, at example.com, employees can add any role to Section 6.9.3.1, “ACI "Roles"”.
  • Page 209: Granting A Group Full Access To A Suffix

    dc=example,dc=com")") (targetattr = "*") (target = "ldap:///ou=example-people,dc=example,dc=com") (version 3.0; acl "Roles"; allow (write) (userdn = "ldap:///self") and (dns="*.example.com");) 8. Click OK. The new ACI is added to the ones listed in the Access Control Manager window. 6.9.4.
  • Page 210: Granting Rights To Add And Delete Group Entries

    d. Click OK to dismiss the Add Users and Groups dialog box. 4. In the Rights tab, click the Check All button. All checkboxes are selected, except for proxy rights. 5. Click OK. The new ACI is added to the ones listed in the Access Control Manager window. 6.9.5.
  • Page 211 a. Select and remove All Users, then click Add. The Add Users and Groups dialog box opens. b. Set the Search area to Special Rights, and select All Authenticated Users from the search results list.
  • Page 212: Granting Conditional Access To A Group Or Role

    6.9.6. Granting Conditional Access to a Group or Role In many cases, when you grant a group or role privileged access to the directory, you want to ensure that those privileges are protected from intruders trying to impersonate your privileged users. Therefore, access control rules that grant critical access to a group or role are often associated with a number of conditions.
  • Page 213: Denying Access

    This example assumes that you have created an administrators role with a cn of DirectoryAdmin. c. Click the Add button to list the administrators role in the list of users who are granted access permission. d. Click OK to dismiss the Add Users and Groups dialog box. 4.
  • Page 214 6.9.7.1. ACI "Billing Info Read" In LDIF, to grant subscribers permission to read billing information in their own entry, write the following statement: aci: (targetattr="connectionTime || accountBalance") (version 3.0; acl "Billing Info Read"; allow (search,read) userdn="ldap:///self";) This example assumes that the relevant attributes have been created in the schema and that the ACI is added to the ou=subscribers,dc=example,dc=com entry.
  • Page 215: Setting A Target Using Filtering

    aci: (targetattr="connectionTime || accountBalance") (version 3.0; acl "Billing Info Deny"; deny (write) userdn="ldap:///self";) This example assumes that the relevant attributes have been created in the schema and that the ACI is added to the ou=subscribers,dc=example,dc=com entry. From the Console, set this permission by doing the following: 1.
  • Page 216: Allowing Users To Add Or Remove Themselves From A Group

    NOTE Because search filters do not directly name the object for which you are managing access, it is easy to allow or deny access to the wrong objects unintentionally, especially as your directory becomes more complex. Additionally, filters can make it difficult to troubleshoot access control problems within your directory.
  • Page 217: Defining Permissions For Dns That Contain A Comma

    b. Set the Search area in the Add Users and Groups dialog box to Special Rights, and select All Authenticated Users from the search results list. c. Click the Add button to list All Authenticated Users in the list of users who are granted access permission.
  • Page 218: Advanced Access Control: Using Macro Acis

    • The accounting administrator must have access permissions to the ou=Accounting,dc=example,dc=com subtree, so the following ACI grants all rights to the accounting administrator entry: aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*") (version 3.0; acl "allowAll-AcctAdmin"; allow (all) userdn="ldap:///uid=AcctAdministrator,ou=Administrators,dc=example,dc=com";) • There must be an ACI granting proxy rights to the client application in the directory: aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*") (version 3.0;...
  • Page 219 Macro ACI Example across the tree because the example.com directory tree stores the suffixes dc=hostedCompany2,dc=example,dc=com and dc=hostedCompany3,dc=example,dc=com. The ACIs that apply in the directory tree also have a repeating pattern. For example, the following ACI is located on the dc=hostedCompany1,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0;...
  • Page 220: Macro Aci Syntax

    groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";) The following ACI is located on the dc=subdomain1,dc=hostedCompany2,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany2,dc=example,dc=com";) In the four ACIs shown above, the only differentiator is the DN specified in the groupdn keyword. By using a macro for the DN, it is possible to replace these ACIs by a single ACI at the root of the tree, on the dc=example,dc=com node.
  • Page 221 Macro ACI Syntax NOTE When using any macro, you always need a target definition that contains the ($dn) macro. You can combine the ($dn) macro and the ($attr.attrName) macro. 6.10.2.1. Macro Matching for ($dn) The ($dn) macro is replaced by the matching part of the resource targeted in an LDAP request.
  • Page 222 2. [$dn] in the subject is replaced with dc=subdomain1,dc=hostedCompany1. The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com". If the bind DN is a member of that group, the matching process stops, and the ACI is evaluated. If it does not match, the process continues.
  • Page 223: Access Control And Replication

    The Directory Server then evaluates the ACI according to the normal ACI evaluation algorithm. When an attribute is multi-valued, each value is used to expand the macro, and the first one that provides a successful match is used. For example: dn: cn=Jane Doe,ou=People,dc=HostedCompany1,dc=example,dc=com cn: Jane Doe sn: Doe...
  • Page 225: Managing User Accounts And Passwords

    Chapter 7. Managing User Accounts and Passwords When a user connects to the Red Hat Directory Server, first the user is authenticated. Then, the directory grants access rights and resource limits to the user depending upon the identity established during authentication. This chapter describes tasks for managing users, including configuring the password and account lockout policy for the directory, denying groups of users access to the directory, and limiting system resources available to users depending upon their bind DNs.
  • Page 226: Configuring A Global Password Policy Using The Console

    • Bind information. The bind information includes the number of grace logins permitted, password aging attributes, and tracking bind failures. The sections that follow describe the procedures for configuring the password policy: • Section 7.1.1.1, “Configuring a Global Password Policy Using the Console” •...
  • Page 227 Configuring the Password Policy log will indicate that the password maximum age is invalid. To resolve this problem, correct the passwordMaxAge attribute value in the dse.ldif file. A common policy is to have passwords expire every 30 to 90 days. By default, the password maximum age is set to 8640000 seconds (100 days).
  • Page 228 NOTE The password policy must be enabled globally before it will be applied locally. No other global password policy features must be set, and the global password policy will not override the local policy if they differ. 2.
  • Page 229 Attribute Name Definition Manager should not follow any obvious convention and should be difficult to discover. This attribute is off by default. passwordChange When on, this attribute indicates that users may change their own password. Allowing users to set their own passwords runs the risk of users choosing passwords that are easy to remember.
  • Page 230 Attribute Name Definition bind to the Directory Server for longer than the passwordMaxAge, they will still get the warning message in time to change their password. passwordMinAge This attribute indicates the number of seconds that must pass before a user can change their password.
  • Page 231 Attribute Name Definition Shorter passwords are easier to crack. Passwords can be two (2) to 512 characters long. Generally, a length of eight characters is long enough to be difficult to crack but short enough for users to remember without writing it down.
  • Page 232 Attribute Name Definition passwordMinUppers This attribute sets the minimum number of upper case alphabetic characters, A to Z, which must be used in the password. By default, this attribute is set to 0, meaning there is no required minimum.
  • Page 233 1. Add the required attributes to the subtree or user entries by running the ns-newpwpolicy.pl script. The command syntax for the script is as follows: ns-newpwpolicy.pl [-D rootDN] { -w password | -w - | -j filename } [-p port] [-h host] -U userDN -S suffixDN For updating a subtree entry, use the -S option.
  • Page 234 objectclass: cosSuperDefinition objectclass: cosPointerDefinition cosTemplateDn: cn="cn=nsPwTemplateEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com cosAttribute: pwdpolicysubentry default operational For a user (for example, uid=jdoe,ou=people,dc=example,dc=com), the following entries are added: • A container entry (nsPwPolicyContainer) at the parent level for holding various password policy related entries for the user and all its children.
  • Page 235: Setting User Passwords

    To turn off user and subtree level password policy checks, set the nsslapd-pwpolicy-local attribute to off by modifying the cn=config entry. For example: ldapmodify -h myserver -p 389 -D "cn=directory manager" -w secretpwd dn: cn=config changetype: modify replace: nsslapd-pwpolicy-local nsslapd-pwpolicy-local: off This attribute can also be disabled by modifying it directly in the configuration file (dse.ldif).
  • Page 236 Server does not include a client application for the password change extended operation. However, the ldappasswd utility can be used as follows: ldappasswd -h hostname -p secure_port -Z -P /path/to/cert8.db -D bindDN -w bindPassword [-a oldPassword] -s newPassword user Parameter Description...
  • Page 237: Configuring The Account Lockout Policy

    ldappasswd -h ldap.example.com -p 389 -ZZ -D "uid=jsmith,ou=People,dc=example,dc=com" -w rootpassword -s newpassword To change the password on an entry other than the one specified in the bind credentials, run ldappasswd as shown below, adding the user DN to the operation and providing separate credentials, as follows: ldappasswd -h server.example.com -p 389 -ZZ -D "cn=Directory Manager"...
  • Page 238 7.1.4.2. Configuring the Account Lockout Policy Using the Command-Line This section describes the attributes to create an account lockout policy to protect the passwords stored in the server. Use ldapmodify to change these attributes in the cn=config entry. Table 7.3, “Account Lockout Policy Attributes”...
  • Page 239: Managing The Password Policy In A Replicated Environment

    Attribute Name Definition the number of failures specified by the passwordMaxFailure attribute. The account is locked out for the interval specified in the passwordLockoutDuration attribute, after which time the failure counter is reset to zero (0).
  • Page 240: Synchronizing Passwords

    7.1.6. Synchronizing Passwords Password changes in a Directory Server entry can be synchronized to password attributes in Active Directory entries by using the Password Sync utility. When passwords are synchronized, password policies are enforced on each sync peer locally. The syntax or minimum length requirements on the Directory Server apply when the password is changed in the Directory Server.
  • Page 241: Inactivating User And Roles Using The Console

    WARNING The root entry (the entry corresponding to the root or sub suffix) on a database cannot be inactivated. Chapter 2, Creating Directory Entries has information on creating the entry for a root or sub suffix, and Chapter 3, Configuring Directory Databases has information on creating root and sub suffixes.
  • Page 242: Activating User And Roles Using The Console

    7.2.3. Activating User and Roles Using the Console The following procedure describes activating a user or a role using the Console: 1. Select the Directory tab. 2. Browse the navigation tree in the left navigation pane, and double-click the user or role to activate. Alternatively, select Activate from the Object menu.
  • Page 243: Setting Resource Limits Using The Console

    Setting Resource Limits Using the Console • Size limit. Specifies the maximum number of entries the server returns to a client application in response to a search operation. • Time limit. Specifies the maximum time the server spends processing a search operation. •...
  • Page 244 Chapter 7. Managing User Accounts and Passwords Attribute Description nsTimeLimit Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit. nsIdleTimeout Specifies the time a connection to the server can be idle before the connection is dropped.
  • Page 245: Managing Replication

    Chapter 8. Managing Replication Replication is the mechanism by which directory data is automatically copied from one Red Hat Directory Server instance to another; it is an important mechanism for extending the directory service beyond a single server configuration. This chapter describes the tasks to be performed on the master and consumer servers to set up single-master replication, multi-master replication, and cascading replication.
  • Page 246: Changelog

    Chapter 8. Managing Replication • In the case of cascading replication, the hub server holds a read-only replica that it supplies to consumers. Section 8.2.3, “Cascading Replication” has more information. • In the case of multi-master replication, the masters are both suppliers and consumers for the same Section 8.2.2, “Multi-Master Replication”.
  • Page 247: Replication Agreement

    Replication Agreement on the supplier server. It is called the supplier bind DN because it is the entry which the supplier uses to bind to the consumer. This entry actually exists, then, on the consumer. For more information on creating the replication manager entry, see Section 8.3, “Creating the Supplier Bind DN Entry”.
  • Page 248: Replication Scenarios

    Chapter 8. Managing Replication • Legacy Replication Plug-in. The Legacy Replication Plug-in makes a Directory Server 8.0 instance behave as a 4.x Directory Server in a consumer role. For information on how to implement legacy replication, see Section 8.15, “Replication with Earlier Releases”.
  • Page 249: Multi-Master Replication

    Multi-Master Replication Figure 8.1. Single-Master Replication In this particular configuration, the ou=people,dc=example,dc=com suffix receives a large number of search requests. Therefore, to distribute the load, this tree, which is mastered on Server A, is replicated to two read-only replicas located on Server B and Server C. For information on setting up a single-master replication environment, see Section 8.4, “Configuring Single-Master...
  • Page 250 Chapter 8. Managing Replication Figure 8.2. Multi-Master Replication (Two Masters) Figure 8.3, “Multi-Master Replication (Four Masters)” shows a sample multi-master replication scenario with four supplier servers and eight consumer servers. In this sample setup, each supplier server is configured with ten replication agreements to feed data to two other supplier servers and all eight consumer servers.
  • Page 251: Cascading Replication

    Cascading Replication Figure 8.3. Multi-Master Replication (Four Masters) Multi-master configurations have the following advantages: • Automatic write failover when one supplier is inaccessible. • Updates are made on a local supplier in a geographically distributed environment. NOTE The speed at which replication proceeds depends on the speed of the network. Plan changes and directory configuration accordingly, and realize that changes to one directory may not be quickly replicated to other directories over slow links, such as wide-area networks, in geographically-distributed environments.
  • Page 252 Chapter 8. Managing Replication replication is very useful for balancing heavy traffic loads or to keep master servers based locally in geographically-distributed environments. Figure 8.4, “Cascading Replication” shows an example of a simple cascading replication scenario, though it is possible to create more complex scenarios with several hub servers. Figure 8.4.
  • Page 253: Creating The Supplier Bind Dn Entry

    Creating the Supplier Bind DN Entry 8.3. Creating the Supplier Bind DN Entry A critical part of setting up replication is to create the entry, called the replication manager or supplier bind DN entry, that the suppliers use to bind to the consumer servers to perform replication updates. The supplier bind DN must meet the following criteria: •...
  • Page 254: Configuring Single-Master Replication

    Chapter 8. Managing Replication dn: cn=replication manager,cn=config objectClass: inetorgperson objectClass: person objectClass: top cn: replication manager sn: RM userPassword: password passwordExpirationTime: 20380119031407Z Example 8.1. Example Supplier Bind DN Entry When configuring a replica as a consumer, use the DN of this entry to define the supplier bind DN. 8.4.
  • Page 255 Configuring the Read-Write Replica on the Supplier Server d. Check the Enable Changelog checkbox. This activates all of the fields in the pane below that were previously grayed out. e. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector.
  • Page 256: Configuring The Read-Only Replica On The Consumer

    Chapter 8. Managing Replication e. In the Common Settings section, specify a purge delay in the Purge delay field. The purge delay is how often the state information stored in the replicated entries is deleted. Click Save. 8.4.2. Configuring the Read-Only Replica on the Consumer Section 3.1.1, “Creating 1.
  • Page 257 Configuring the Read-Only Replica on the Consumer c. Check the Enable Replica checkbox. d. In the Replica Role section, select the Dedicated Consumer radio button. e. In the Common Settings section, specify a purge delay in the Purge delay field. This option indicates how often the state information stored in the replicated entries is purged.
  • Page 258: Create The Replication Agreement

    Chapter 8. Managing Replication NOTE There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement. g. Specify the URL for any supplier servers to which to refer updates. By default, all updates are first referred to the supplier servers that are specified here. If no suppliers are set here, updates are referred to the supplier servers that have a replication agreement that includes the current replica.
  • Page 259 Create the Replication Agreement • Unless there is more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu. • The port listed is the non-SSL port, even if the Directory Server instance is configured to run over SSL.
  • Page 260 Chapter 8. Managing Replication NOTE If attribute encryption is enabled, a secure connection must be used for the encrypted attributes to be replicated. Hit Next. 4. Fractional replication controls which entry attributes are replicated between servers. By default, all attributes are replicated. To select attributes that will not be replicated to the consumer, check the Enable Fractional Replication checkbox.
  • Page 261 Create the Replication Agreement NOTE To safeguard against potential integrity problems, the consumer in fractional replication must be a dedicated consumer, not a multi-master supplier or hub. This is not enforced at the time the replication agreement is made, but replication will fail if the consumer is not a read-only replica.
  • Page 262 Chapter 8. Managing Replication Hit Next. 6. Set when the consumer is initialized. Initializing a consumer manually copies all data over from the supplier to the consumer. The default is to create an initialization file (an LDIF of all supplier data) so that the consumer can be initialized later.
  • Page 263 Create the Replication Agreement The replication agreement is set up. NOTE After creating a replication agreement, the connection type (SSL or non-SSL) cannot be changed because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement.
  • Page 264: Configuring Multi-Master Replication

    Chapter 8. Managing Replication 8.5. Configuring Multi-Master Replication This section provides information on configuring multi-master replication. In a multi-master configuration, many suppliers can accept updates, synchronize with each other, and update all consumers. The consumers can send referrals for updates to all masters. Directory Server supports 4-way multi-master replication.
  • Page 265 Configuring the Read-Write Replicas on the Supplier Servers d. Check the Enable Changelog checkbox. This activates all of the fields in the pane below that were previously grayed out. e. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector.
  • Page 266 Chapter 8. Managing Replication The Replica Settings tab for that database opens in the right-hand side of the window. c. Check the Enable Replica checkbox. d. In the Replica Role section, select the Multiple Master radio button. e. In the Common Settings section, specify a Replica ID, which is an integer between 1 and 65534, inclusive.
  • Page 267: Configuring The Read-Only Replicas On The Consumer Servers

    Configuring the Read-Only Replicas on the Consumer Servers g. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. Enter the supplier bind DN in the Enter a new Supplier DN field, and click Add. The supplier bind DN appears in the Current Supplier DNs list.
  • Page 268 Chapter 8. Managing Replication c. Check the Enable Replica checkbox. d. In the Replica Role section, select the Dedicated Consumer radio button. e. In the Common Settings section, specify a purge delay in the Purge delay field. This option indicates how often the state information stored in the replicated entries is purged. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica.
  • Page 269: Setting Up The Replication Agreements

    Setting up the Replication Agreements NOTE There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement. g. Specify the URL for any supplier servers to which to refer updates. By default, all updates are first referred to the supplier servers that are specified here. If no suppliers are set here, updates are referred to the supplier servers that have a replication agreement that includes the current replica.
  • Page 270 Chapter 8. Managing Replication • Unless there is more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu. • The port listed is the non-SSL port, even if the Directory Server instance is configured to run over SSL.
  • Page 271 Setting up the Replication Agreements NOTE If attribute encryption is enabled, a secure connection is required for the encrypted attributes to be replicated. Hit Next. 4. Fractional replication controls which entry attributes are replicated between servers. By default, all attributes are replicated. To select attributes that will not be replicated to the consumer, check the Enable Fractional Replication checkbox.
  • Page 272 Chapter 8. Managing Replication NOTE To safeguard against potential integrity problems, the consumer in fractional replication must be a dedicated consumer, not a multi-master supplier or hub. This is not enforced at the time the replication agreement is made, but replication will fail if the consumer is not a read-only replica.
  • Page 273 Setting up the Replication Agreements Hit Next. 6. Set when the consumer is initialized. Initializing a consumer manually copies all data over from the supplier to the consumer. The default is to create an initialization file (an LDIF of all supplier data) so that the consumer can be initialized later.
  • Page 274 Chapter 8. Managing Replication NOTE Replication will not begin until the consumer is initialized. Hit Next. 7. The final screen shows the settings for the replication agreement, as it will be included in the dse.ldif file. Hit Done to save the agreement. The replication agreement is set up.
  • Page 275: Preventing Monopolization Of The Consumer In Multi-Master Replication

    Preventing Monopolization of the Consumer in Multi-Master Replication NOTE At the end of this procedure, all supplier servers will have mutual replication agreements, which means that they can accept updates from each other. NOTE After creating a replication agreement, the connection type (SSL or non-SSL) cannot be changed because LDAP and LDAPS connections use different ports.
  • Page 276: Configuring Cascading Replication

    Chapter 8. Managing Replication The two attributes are designed so that the nsds5ReplicaSessionPauseTime interval will always be at least one second longer than the interval specified for nsds5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can re-access the consumer.
  • Page 277 Configuring the Read-Write Replica on the Supplier Server d. Check the Enable Changelog checkbox. This activates all of the fields in the pane below that were previously grayed out. e. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector.
  • Page 278: Configuring The Read-Only Replica On The Consumer Server

    Chapter 8. Managing Replication e. In the Common Settings section, specify a purge delay in the Purge delay field. The purge delay is how often the state information stored in the replicated entries is deleted. Click Save. After setting up the supplier replica, begin configuring the replication agreements. 8.6.2.
  • Page 279 Configuring the Read-Only Replica on the Consumer Server c. Check the Enable Replica checkbox. d. In the Replica Role section, select the Dedicated Consumer radio button. e. In the Common Settings section, specify a purge delay in the Purge delay field. This option indicates how often the state information stored in the replicated entries is purged.
  • Page 280: Configuring The Read-Only Replica On The Hub

    Chapter 8. Managing Replication NOTE There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement. g. Specify the URL for any supplier servers to which to refer updates. By default, all updates are first referred to the supplier servers that are specified here. If no suppliers are set here, updates are referred to the supplier servers that have a replication agreement that includes the current replica.
  • Page 281 Configuring the Read-Only Replica on the Hub d. Check the Enable Changelog checkbox. This activates all of the fields in the pane below that were previously grayed out. e. Specify a changelog by clicking the Use default button, or click the Browse button to display a file selector.
  • Page 282 Chapter 8. Managing Replication c. Check the Enable Replica checkbox. d. In the Replica Role section, select the Hub radio button. e. In the Common Settings section, specify a purge delay in the Purge delay field. This option indicates how often the state information stored in the replicated entries is purged. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica.
  • Page 283: Setting Up The Replication Agreements

    Setting up the Replication Agreements NOTE There can be multiple supplier bind DNs per consumer but only one supplier DN per replication agreement. g. Specify the URL for any supplier servers to which to refer updates. By default, all updates are first referred to the supplier servers that are specified here. If no suppliers are set here, updates are referred to the supplier servers that have a replication agreement that includes the current replica.
  • Page 284 Chapter 8. Managing Replication • Unless there is more than one instance of Directory Server configured, by default, there are no consumers available in the drop-down menu. • The port listed is the non-SSL port, even if the Directory Server instance is configured to run over SSL.
  • Page 285 Setting up the Replication Agreements NOTE If attribute encryption is enabled, a secure connection must be used for the encrypted attributes to be replicated. Hit Next. 4. Fractional replication controls which entry attributes are replicated between servers. By default, all attributes are replicated. To select attributes that will not be replicated to the consumer, check the Enable Fractional Replication checkbox.
  • Page 286 Chapter 8. Managing Replication NOTE To safeguard against potential integrity problems, the consumer in fractional replication must be a dedicated consumer, not a multi-master supplier or hub. This is not enforced at the time the replication agreement is made, but replication will fail if the consumer is not a read-only replica.
  • Page 287 Setting up the Replication Agreements Hit Next. 6. Set when the consumer is initialized. Initializing a consumer manually copies all data over from the supplier to the consumer. The default is to create an initialization file (an LDIF of all supplier data) so that the consumer can be initialized later.
  • Page 288 Chapter 8. Managing Replication NOTE Replication will not begin until the consumer is initialized. Hit Next. 7. The final screen shows the settings for the replication agreement, as it will be included in the dse.ldif file. Hit Done to save the agreement.
  • Page 289: Configuring Replication From The Command Line

    Configuring Replication from the Command Line NOTE After creating a replication agreement, the connection type (SSL or non-SSL) cannot be changed because LDAP and LDAPS connections use different ports. To change the connection type, re-create the replication agreement. 8.7. Configuring Replication from the Command Line Replication can be configured on the command line by creating the appropriate replica and agreement entries on the servers.
  • Page 290 Chapter 8. Managing Replication • nsslapd-changelogdir sets the directory where the changelog is kept. • nsslapd-changelogmaxage sets how long the changelog is kept; since the changelog can get very large, this helps trim the changelog to prevent affecting server performance and using up disk space.
  • Page 291 Configuring Suppliers from the Command Line Object Class or Attribute / Description / Values: cn: changelog5 — The naming attribute for the changelog entry. Any string; the default usage is to set the common name to changelog5. nsslapd-changelogdir: directory — Sets the file and directory... Any directory;...
  • Page 292: Configuring Consumers From The Command Line

    Chapter 8. Managing Replication Object Class or Attribute / Description / Values: nsds5flags: number — Sets whether the replica writes to the changelog. 0 means the replica does not write to the changelog; this is the default for consumers. 1 means the replica writes to the changelog;...
  • Page 293: Configuring Hubs From The Command Line

    Configuring Hubs from the Command Line This ldapmodify creates a new consumer replica on the consumer1.example.com host for the dc=example,dc=com subtree. ldapmodify -v -h consumer1.example.com -p 389 -D "cn=directory manager" -w password dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config changetype: add objectclass: top objectclass: nsds5replica objectclass: extensibleObject cn: replica nsds5replicaroot: dc=example,dc=com...
  • Page 294: Configuring Replication Agreements From The Command Line

    Chapter 8. Managing Replication nsds5ReplicaPurgeDelay: 604800 nsds5ReplicaBindDN: cn=replication manager,cn=config nsds5flags: 1 This entry identifies the database and suffix as participating in replication and sets what kind of replica the database is. There are five key attributes: • nsds5replicaroot sets the subtree (suffix) which is being replicated. •...
  • Page 295 Configuring Replication Agreements from the Command Line nsds5BeginReplicaRefresh: start Example 8.4. Example Replication Agreement Entry The replication agreement attributes are listed in Table 8.3, “Replication Agreement Attributes”. These attributes are described in more detail in the Directory Server Configuration, Command, and File Reference.
  • Page 296 Chapter 8. Managing Replication Object Class or Attribute / Description / Values: ...database is replicated. For example: dc=example,dc=com. description: text — A text description of the replication agreement. Any text string. It is advisable to make this a useful description, such as agreement between supplier1 and consumer1.
  • Page 297: Initializing Consumers Online From The Command Line

    Initializing Consumers Online from the Command Line Object Class or Attribute / Description / Values: ...the consumer. If this is set, the attribute is only present as long as the consumer is... To initialize the consumer, this attribute must have a value of start;...
  • Page 298: Making A Replica Updatable

    Chapter 8. Managing Replication The replication monitoring attributes are described in more detail in the Directory Server Configuration, Command, and File Reference. To keep data integrity, initialize the consumer databases from the appropriate supplier. Depending on the replication scenario, this can be more difficult in mixed replication environments, but, even when manually initializing consumers, consider four things: •...
  • Page 299: Moving The Changelog To A New Location

    Moving the Changelog to a New Location 1. In the Directory Server Console, select the Configuration tab. 2. Select the Replication Agreements folder in the left navigation tree and then the Supplier Server Settings tab in the right pane. 3. Clear the Enable Changelog checkbox. This deletes the changelog.
  • Page 300: When To Initialize A Consumer

    Chapter 8. Managing Replication 8.10.1. When to Initialize a Consumer Consumer initialization involves copying data from the supplier server to the consumer server. Once the subtree has been physically placed on the consumer, the supplier server can begin replaying update operations to the consumer server. Under normal operations, the consumer should not ever have to be reinitialized.
  • Page 301: Initializing Consumers Online Using The Command Line

    Initializing Consumers Online Using the Command Line To update this window, right-click the replicated database icon in the navigation tree, and choose Refresh Replication Agreements. When online consumer initialization finishes, the status changes to reflect this. For more information about monitoring replication and initialization status, see Section 8.17, “Monitoring Replication Status”.
  • Page 302: Filesystem Replica Initialization

    Chapter 8. Managing Replication process is more complex than the online consumer initialization process. Red Hat suggests using the manual process whenever the online process is inappropriate due to performance concerns. Initializing or reinitializing a server manually has three steps: 1.
  • Page 303: Initializing The Consumer Replica From The Backup Files

    Filesystem Replica Initialization Directory Server has the capability to initialize a replica using the database files from the supplier server. This avoids the need to rebuild the consumer database and can be done at essentially the speed of the network between the two servers by transferring the files with FTP or NFS, for example. Instead of sending entries via LDAP to replica servers, filesystem replica initialization populates the new database on the destination server by backing up the supplier database on one server and restoring the database on the destination server.
  • Page 304: Forcing Replication Updates

    Chapter 8. Managing Replication 8. Stop the destination Directory Server if it is running. service dirsrv stop slapd-example2 9. On the destination server, restore the archives with the bak2db script, using the optional -n parameter to specify the backend instance name. This -n parameter is similar to the -n used with ldif2db and db2ldif.
  • Page 305: Forcing Replication Updates From The Command-Line

    Forcing Replication Updates from the Command-Line 2. Right click the replication agreement, and choose Send Updates Now from the drop-down list. This initiates replication toward the server that holds the information that needs to be updated. 8.11.2. Forcing Replication Updates from the Command-Line From the consumer that requires updating, run a script that prompts the supplier to send replication updates; see Example 8.5, “Replicate_Now Script Example”.
  • Page 306: Replicating Account Lockout Attributes

    Chapter 8. Managing Replication Variable / Definition: consumer_hostname — Hostname of the current consumer. consumer_portnumber — LDAP port in use on the consumer. Table 8.4. Replicate_Now Variables For the update operation to occur over an SSL connection, modify the ldapmodify command in the script with the appropriate parameters and values. For more information on the ldapmodify command, see Section 2.2, “Managing Entries from the Command-Line”...
  • Page 307: Configuring Fractional Replication For Password Policy Attributes

    Configuring Fractional Replication for Password Policy Attributes 8.12.2. Configuring Fractional Replication for Password Policy Attributes Setting the passwordIsGlobalPolicy attribute affects the consumer in replication, in that it allows the consumer to receive updates to those attributes. To control whether the password policy attributes are actually replicated by the supplier, use fractional replication, which controls what specific entry attributes are replicated.
  • Page 308: Replicating O=Netscaperoot For Administration Server Failover

    Chapter 8. Managing Replication • Select SSL Client Authentication. With SSL client authentication, the supplier and consumer servers use certificates to authenticate to each other. • Select Simple Authentication. With simple authentication, the supplier and consumer servers use a bind DN and password to authenticate to each other, which are supplied in the Replication Agreement Wizard text fields provided.
  • Page 309: Replication With Earlier Releases

    Replication with Earlier Releases With server2, use the inf file to create and configure an o=NetscapeRoot database on server2 as a multi-master supplier replica: [slapd] ConfigFile = netscaperootdb.ldif Example 3.1, “Example Root Suffix Entry” ConfigFile = repluser.ldif Example 8.1, “Example Supplier Bind DN Entry” ConfigFile = changelog.ldif Example 8.2, “Example Changelog Entry”...
  • Page 310: Using The Retro Changelog Plug-In

    Chapter 8. Managing Replication To set up legacy replication, do the following: 1. In the Directory Server Console, click the Configuration tab. 2. Select the Replication node, and click the Legacy Consumer Settings tab in the right pane. 3. Check the Enable Legacy Consumer checkbox. This activates the fields in the Authentication box.
  • Page 311: Enabling The Retro Changelog Plug-In

    Enabling the Retro Changelog Plug-in When the Directory Server is configured to maintain a retro changelog, this changelog is stored in a separate database under a special suffix, cn=changelog. The retro changelog consists of a single level of entries. Each entry in the changelog has the object class changeLogEntry and can include the attributes listed in Table 8.5, “Attributes of a Retro Changelog...
  • Page 312: Trimming The Retro Changelog

    Chapter 8. Managing Replication changetype: modify replace: nsslapd-pluginenabled nsslapd-pluginenabled: on 2. Use the ldapmodify command to import the LDIF file into the directory. For more information on the ldapmodify command, see Section 2.2, “Managing Entries from the Command-Line” and the Directory Server Configuration, Command, and File Reference. 3.
  • Page 313: Monitoring Replication Status

    Monitoring Replication Status • Read, search, and compare rights are granted to all authenticated users (userdn=anyone, not to be confused with anonymous access where userdn=all) to the retro changelog top entry cn=changelog. • Write and delete access are not granted, except implicitly to the Directory Manager. Do not grant read access to anonymous users because the changelog entries can contain modifications to sensitive information, such as passwords.
  • Page 314: Monitoring Replication Status From Administration Express

    Chapter 8. Managing Replication Table Header / Description: Last update message — The status for the most recent replication updates. Consumer initialization — The current status on consumer initialization (in progress or not). Last consumer initialization update message — The status on the last initialization of the consumer.
  • Page 315 Monitoring Replication Status from Administration Express http://hostname:admin_port 3. Click Red Hat Administration Express, and, when prompted, log in. 4. Select a supplier Directory Server instance, and click Replication Status. This brings up a page for specifying the runtime parameters of the replication-monitoring tool. 5.
  • Page 316: Solving Common Replication Conflicts

    Chapter 8. Managing Replication Table Description doing an update while the others can't acquire the busy replica. 8.18. Solving Common Replication Conflicts Multi-master replication uses a loose consistency replication model. This means that the same entries can be changed on different servers. When replication occurs between the two servers, the conflicting changes need to be resolved.
  • Page 317 Solving Naming Conflicts 1. Rename the entry using a new value for the naming attribute, and keep the old RDN. For example: ldapmodify -D adminDN -w password dn: nsuniqueid=66446001-1dd211b2+uid=adamss,dc=example,dc=com changetype: modrdn newrdn: uid=NewValue deleteoldrdn: 0 2. Remove the old RDN value of the naming attribute and the conflict marker attribute. For example: ldapmodify -D adminDN -w password dn: uid=NewValue,dc=example,dc=com changetype: modify...
  • Page 318: Solving Orphan Entry Conflicts

    Chapter 8. Managing Replication changetype: modrdn newrdn: cn=TempValue deleteoldrdn: 0 2. Remove the old RDN value of the naming attribute and the conflict marker attribute. For example: ldapmodify -D adminDN -w password dn: cn=TempValue,dc=example,dc=com changetype: modify delete: dc dc: pubs delete: nsds5ReplConflict NOTE The unique identifier attribute nsuniqueid cannot be deleted.
  • Page 319: Solving Potential Interoperability Problems

    Solving Potential Interoperability Problems • The server creates a minimalistic entry with the glue and extensibleObject object classes. In such cases, modify the entry to turn it into a meaningful entry or delete it and all of its child entries. 8.18.3.
  • Page 320 Chapter 8. Managing Replication • Dump the contents of a replication-change-log file and in-memory variables purge RUV and maxRUV. • Grep and interpret change sequence numbers (CSNs) in the changelog. • Get the base-64 encoded changelog from the Directory Server, and then decode the changelog. Table 8.7, “Replication Errors”.
  • Page 321 Troubleshooting Replication-Related Problems Error/Symptom / Reason / Impact / Remedy: ...not, reinitialize the consumer. Error/Symptom: agmt=%s(%s:%d): Can't locate CSN %s in the changelog. Reason: Most likely the changelog was recreated because of... Impact: The local server will not be able to send any more change... Remedy: If this is a single-master replication, reinitialize the consumers.
  • Page 322 Chapter 8. Managing Replication Error/Symptom / Reason / Impact / Remedy: cn=changelog5,cn=config changetype: modify add: nsslapd-changelogmaxage nsslapd-changelogmaxage: 1d where 1d means 1 day. Other valid time units are s for seconds, m for minutes, h for hours, and w for weeks. A value of 0 turns off the purge.
  • Page 323 Troubleshooting Replication-Related Problems Error/Symptom / Reason / Impact / Remedy: (...“Monitoring Replication Status”.) Reason: ...Replication Monitor. If there is no SSL port problem, one of the servers in the replication topology might hang. Remedy: add the following line in the [connection] section: *:636=389:*:password Next row: Error/Symptom: In the Replication Monitor, some... Reason: No change has... Impact: There is nothing wrong...
  • Page 325: Extending The Directory Schema

    Chapter 9. Extending the Directory Schema Red Hat Directory Server comes with a standard schema that includes hundreds of object classes and attributes. While the standard object classes and attributes should meet most deployments' requirements, it can be necessary to extend the schema for specific directory data. Extending the schema is done by creating new object classes and attributes.
  • Page 326 Chapter 9. Extending the Directory Schema
    Field: Description
    Name: The name of the attribute.
    OID: The object identifier of the attribute. An OID is a string, usually of dotted decimal numbers, that uniquely identifies an object, such as an object class or an attribute. If an OID is not specified, the Directory Server automatically uses attribute_name-oid.
  • Page 327: Creating Attributes

    Creating Attributes 9.2.2. Creating Attributes The Directory Server Console can create new attributes. NOTE After adding new attributes to the schema, create a new object class to contain them, as described in Section 9.3.2, “Creating Object Classes”. To create a new attribute, do the following: 1.
  • Page 328: Deleting Attributes

    Chapter 9. Extending the Directory Schema b. To change the attribute's object identifier, enter a new one in the Attribute OID (Optional) text box. OIDs are described in Table 9.1, “Attributes Tab Reference”. c. To change the syntax that describes the data to be held by the attribute, choose a new one from the Syntax drop-down menu.
  • Page 329 Viewing Object Classes 2. In the navigation tree, select the Schema folder, and then select the Object Classes tab in the right pane. 3. In the Object Classes list, select the object class to view. This tab displays information about the standard or user-defined object class selected. The fields and lists in the Object Classes tab are described in Table 9.2, “Object Classes Tab Reference”.
  • Page 330: Creating Object Classes

    Chapter 9. Extending the Directory Schema
    Field: Description
    ... mailto:iana@iana.org, or visit the IANA website at http://www.iana.org/.
    Object Classes: Lists all of the standard and user-defined object classes in the Directory Server schema.
    Required Attributes: Contains a list of attributes that must be present in entries that use this object class, including inherited attributes.
  • Page 331: Editing Object Classes

    Editing Object Classes 10. To remove an attribute belonging to the object class, highlight the attribute in the Required Attributes list or the Allowed Attributes list, and then click the Remove button. NOTE Attributes that are inherited from the parent object classes cannot be removed, regardless of whether they are allowed or required.
  • Page 332: Deleting Object Classes

    Chapter 9. Extending the Directory Schema 9.3.4. Deleting Object Classes Only user-defined object classes can be deleted. You cannot delete standard object classes. To delete an object class, do the following: 1. In the Directory Server Console, select the Configuration tab. 2.
  • Page 333 Turning Schema Checking On and Off For information, see the Directory Server Configuration, Command, and File Reference.
  • Page 335: Managing Indexes

    Chapter 10. Managing Indexes Indexing makes searching for and retrieving information easier by classifying and organizing attributes or values. This chapter describes the searching algorithm itself, placing indexing mechanisms in context, and then describes how to create, delete, and manage indexes. 10.1.
  • Page 336: About Default, System, And Standard Indexes

    Chapter 10. Managing Indexes • International index speeds up searches for information in international directories. The process for creating an international index is similar to the process for creating regular indexes, except that it applies a matching rule by associating an object identifier (OID) with the attributes to be indexed. See Appendix D, Internationalization.
  • Page 337 About Default, System, and Standard Indexes (Table 10.1 columns: Attribute, Pres, Purpose)
    ... index is also used by the Referential Integrity Plug-in. See Section 2.5, “Maintaining Referential Integrity” for more information.
    owner: Improves Directory Server performance. This index is also used by the Referential Integrity Plug-in. See Section 2.5, “Maintaining Referential...
  • Page 338: Overview Of System Indexes

    Chapter 10. Managing Indexes (Table 10.1 columns: Attribute, Pres, Purpose)
    ... index is also used by the Referential Integrity Plug-in. See Section 2.5, “Maintaining Referential Integrity” for more information.
    Table 10.1. Default Indexes
    10.1.2.2. Overview of System Indexes System indexes cannot be deleted or modified. They are required by the directory to function properly. Table 10.2, “System Indexes”...
  • Page 339: Overview Of The Searching Algorithm

    Overview of the Searching Algorithm 10.1.3. Overview of the Searching Algorithm Indexes are used to speed up searches. To understand how the directory uses indexes, it helps to understand the searching algorithm. Each index contains a list of attributes (such as the cn, common name, attribute) and a pointer to the entries corresponding to each value.
  • Page 340: Approximate Searches

    Chapter 10. Managing Indexes 10.1.4. Approximate Searches In addition, the directory uses a variation of the metaphone phonetic algorithm to perform searches on an approximate index. Each value is treated as a sequence of words, and a phonetic code is generated for each word.
  • Page 341 Balancing the Benefits of Indexing
    • The more indexes you maintain, the more disk space you require.
    Maintaining indexes can become very time-consuming. For example:
    1. The Directory Server receives an add or modify operation.
    2. The Directory Server examines the indexing attributes to determine whether an index is maintained for the attribute values.
  • Page 342: Creating Indexes

    Chapter 10. Managing Indexes As this example shows, the number of actions required to create and maintain databases for a large directory can be resource-intensive. 10.2. Creating Indexes This section describes how to create presence, equality, approximate, substring, and international indexes for specific attributes using the Directory Server Console and the command-line.
  • Page 343: Creating Indexes From The Command-Line

    Creating Indexes from the Command-Line 4. If the attribute to be indexed is listed in the Additional Indexes table, go to step 6. Otherwise, click Add Attribute to open a dialog box with a list of all of the available attributes in the server schema.
  • Page 344 Chapter 10. Managing Indexes • To create a new index for a particular database, add it to the cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config entry, where cn=database_name corresponds to the name of the database. NOTE Avoid creating entries under cn=config in the dse.ldif file. The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries.
  • Page 345 Creating Indexes from the Command-Line
    dn: cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config
    objectClass: top
    objectClass: nsIndex
    cn: sn
    nsSystemIndex: false
    nsIndexType: none

    For a complete list of collation orders and their OIDs, see Appendix D, Internationalization, and for the index configuration attributes or the ldapmodify command-line utility, see the Directory Server Configuration, Command, and File Reference.
  • Page 346: Creating Browsing Indexes From The Server Console

    Chapter 10. Managing Indexes 10.2.3. Creating Browsing Indexes from the Server Console A virtual list view (VLV) index is a way of creating a truncated list for faster searching while enhancing server performance. The VLV index itself can be resource-intensive to maintain, but it can be beneficial in large directories (over 1000 entries).
  • Page 347 Creating Browsing Indexes from the Command-Line • The LDBM database to which the entry that forms the base of the search belongs. You can only create browsing indexes in LDBM databases. There is more information on ldapsearch options in the Directory Server Configuration, Command, and File Reference.
  • Page 348: Running The Vlvindex Script

    Chapter 10. Managing Indexes
    objectClass: top
    objectClass: vlvIndex
    cn: by MCC ou=People dc=example dc=com
    vlvSort: cn givenName o ou sn

    • The cn contains the browsing index sort identifier. The cn above is the one the Console creates by default, with the sort order set by the browsing index base. The entry is a member of the vlvIndex object class.
  • Page 349: Deleting Indexes

    Deleting Indexes (columns: Option, Description)
    ... Browsing index identifier to use to create browsing indexes.
    Table 10.4. vlvindex Options
    10.2.4.3. Setting Access Control for VLV Information The default access control for the VLV index information is to allow anyone who has authenticated. If a site requires anonymous users to use the VLV index information, modify the access control set for cn: VLV Request Control in the Directory Server's configuration.
  • Page 350: Deleting Indexes From The Server Console

    Chapter 10. Managing Indexes WARNING Do not delete system indexes because deleting them can significantly affect Directory Server performance. System indexes are located in the cn=index,cn=instance,cn=ldbm database,cn=plugins,cn=config entry and the cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config entry. Also, be cautious when deleting default indexes since this can also affect how Directory Server works.
  • Page 351: Deleting An Index Entry

    Deleting Indexes from the Command-Line 2. Generate the new set of indexes to be maintained by the server using the db2index.pl Perl script (Section 10.3.2.2, “Running the db2index.pl Script”). 10.3.2.1. Deleting an Index Entry Use the ldapdelete command-line utility to delete an entire index entry, or ldapmodify to remove only the unwanted index types (nsIndexType values) from an existing entry.
  • Page 352: Deleting Browsing Indexes From The Server Console

    Chapter 10. Managing Indexes 10.3.2.2. Running the db2index.pl Script After deleting an indexing entry or some of the index types from an indexing entry, run the db2index.pl script to generate the new set of indexes to be maintained by the Directory Server. Once you run the script, the new set of indexes is active for any new data you add to your directory and any existing data in your directory.
  • Page 353: Deleting A Browsing Index Entry

    Deleting Browsing Indexes from the Command-Line 2. Running the vlvindex script to generate the new set of browsing indexes to be maintained by the server (Section 10.3.4.2, “Running the vlvindex Script”). The actual entries for an alphabetical browsing index and virtual list view are the same. The following sections describe the steps involved in deleting browsing indexes.
  • Page 354: Managing Indexes

    Chapter 10. Managing Indexes (columns: Option, Description)
    ... it must also have the authority to modify the entries.
    Specifies the password associated with the distinguished name specified in the -D option.
    Specifies the name of the host on which the server is running.
    Specifies the port number that the server uses.
  • Page 355: Indexing Performance

    Indexing Performance 10.4.1. Indexing Performance While achieving extremely high read performance, in previous versions of Directory Server, write performance was limited by the number of bytes per second that could be written into the storage manager's transaction log file. Large log files were generated for each LDAP write operation; in fact, log file verbosity could easily be 100 times the corresponding number of bytes changed in the Directory Server.
  • Page 356: Backwards Compatibility And Migration

    Chapter 10. Managing Indexes The problems addressed by the All IDs Threshold are no longer present because of the efficiency of entry insertion, modification, and deletion in the Berkeley DB design. The All IDs Threshold is removed for database write operations, and every ID list is now maintained accurately. Since loading a long ID list from the database can significantly reduce search performance, the configuration parameter, nsslapd-idlistscanlimit, sets a limit on the number of IDs that are read before a key is considered to match the entire primary index.
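    The following Python program is an added example, not code from this guide or from Directory Server. It models the search algorithm of Section 10.1.3 (index keys map to ID lists; candidates are built from the indexed filter components and only those entries are read), the per-operation index maintenance cost described under “Balancing the Benefits of Indexing”, and the nsslapd-idlistscanlimit rule above: an ID list longer than the limit is treated as if the key matched every entry (ALLIDS). The trigram keying of the substring index, the filter tuples and the sample entries are assumptions made for the model, not the on-disk format.

```python
"""Toy model of an LDBM backend's indexes and search: each index maps (attribute,
match type, value) to an ID list; a search builds a candidate list from the
indexed filter components and evaluates the full filter only on those entries."""
from collections import defaultdict

ALLIDS = None   # sentinel candidate list: "every entry in the database"

def trigrams(text):   # substring keys: 3-grams with ^/$ begin and end markers (assumed)
    t = "^" + text.lower() + "$"
    return [t[i:i + 3] for i in range(len(t) - 2)]

class Backend:
    def __init__(self, idlistscanlimit=4000):
        self.entries = {}                     # entry id -> {attribute: [values]}
        self.index_types = defaultdict(set)   # attribute -> {"eq", "pres", "sub"}
        self.index = defaultdict(set)         # (attribute, type, key) -> ID list
        self.idlistscanlimit, self.index_writes, self.next_id = idlistscanlimit, 0, 1

    def add_index(self, attr, *types):
        self.index_types[attr.lower()].update(types)

    def _update_indexes(self, eid, attrs, remove=False):
        op = set.discard if remove else set.add
        for attr, values in attrs.items():
            attr, keys = attr.lower(), []
            for kind in self.index_types.get(attr, ()):
                if kind == "pres":
                    keys.append((attr, "pres", "*"))
                elif kind == "eq":
                    keys += [(attr, "eq", v.lower()) for v in values]
                else:
                    keys += [(attr, "sub", k) for v in values for k in trigrams(v)]
            for key in keys:                  # one index update per key
                op(self.index[key], eid)
            self.index_writes += len(keys)

    def add(self, entry):
        eid, self.next_id = self.next_id, self.next_id + 1
        self.entries[eid] = dict(entry)
        self._update_indexes(eid, entry)
        return eid

    def modify_replace(self, eid, attr, values):
        self._update_indexes(eid, {attr: self.entries[eid].get(attr, [])}, remove=True)
        self.entries[eid][attr] = list(values)
        self._update_indexes(eid, {attr: values})

    def _lookup(self, attr, kind, key):
        if kind not in self.index_types.get(attr, ()):
            return ALLIDS                     # no index of this type: full scan
        ids = self.index.get((attr, kind, key), set())
        return ALLIDS if len(ids) > self.idlistscanlimit else ids   # too long: ALLIDS

    def candidates(self, f):
        op = f[0]
        if op == "and":                       # intersect; one indexed term is enough
            real = [l for l in (self.candidates(s) for s in f[1]) if l is not ALLIDS]
            return set.intersection(*real) if real else ALLIDS
        attr = f[1].lower()
        if op == "pres":
            return self._lookup(attr, "pres", "*")
        if op == "eq":
            return self._lookup(attr, "eq", f[2].lower())
        frag = f[2].lower()                   # "sub": the fragment of a *frag* filter
        if len(frag) < 3:
            return ALLIDS                     # too short to key the substring index
        lists = [self._lookup(attr, "sub", frag[i:i + 3]) for i in range(len(frag) - 2)]
        return ALLIDS if any(l is ALLIDS for l in lists) else set.intersection(*lists)

    def search(self, f):
        cand = self.candidates(f)
        examine = sorted(self.entries) if cand is ALLIDS else sorted(cand)
        hits = [eid for eid in examine if matches(self.entries[eid], f)]
        return {"hits": hits, "examined": len(examine), "allids": cand is ALLIDS}

def matches(entry, f):   # full filter evaluation on one entry, after candidate selection
    if f[0] == "and":
        return all(matches(entry, sub) for sub in f[1])
    values = [v.lower() for a, vs in entry.items() if a.lower() == f[1].lower() for v in vs]
    if f[0] == "pres":
        return bool(values)
    return f[2].lower() in values if f[0] == "eq" else any(f[2].lower() in v for v in values)

def demo():
    db = Backend(idlistscanlimit=3)           # tiny limit so ALLIDS is easy to reach
    db.add_index("sn", "eq", "pres", "sub")
    db.add_index("objectClass", "eq")
    for given, sn in [("Ann", "Smith"), ("Bob", "Smith"), ("Cid", "Jones"),
                      ("Dee", "Smithson"), ("Eve", "Brown")]:
        db.add({"objectClass": ["top", "person"], "cn": [f"{given} {sn}"],
                "sn": [sn], "givenName": [given]})
    out = {"writes_after_adds": db.index_writes,
           "eq": db.search(("eq", "sn", "Smith")),
           "sub": db.search(("sub", "sn", "mith")),
           "unindexed": db.search(("eq", "givenName", "Eve")),
           "over_limit": db.search(("eq", "objectClass", "person")),
           "and": db.search(("and", [("eq", "objectClass", "person"), ("eq", "sn", "Jones")]))}
    db.modify_replace(2, "sn", ["Smyth"])     # the sn index must follow the change
    out["after_modify"] = db.search(("eq", "sn", "Smith"))
    return out
```

    Running demo() shows that (sn=Smith) reads only two entries, that the unindexed (givenName=Eve) search and the (objectClass=person) search whose ID list exceeds the scan limit both examine all five, and that in an AND filter one well-indexed term is enough to avoid the full scan. The write counter shows why every extra index type on sn makes each add and modify more expensive; the substring index alone costs several key updates per value.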
  • Page 357: Attribute Name Quick Reference Table

    Attribute Name Quick Reference Table Also, the index sizes can be larger than in older releases, so you may want to increase your database cache size. To reconfigure your cache size, look up the nsslapd-dbcachesize entry in the Directory Server Configuration, Command, and File Reference. 10.5.
  • Page 359: Managing Ssl

    Chapter 11. Managing SSL To provide secure communications over the network, Red Hat Directory Server includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, running over Transport Layer Security (TLS, formerly Secure Sockets Layer or SSL). Directory Server also allows spontaneous secure connections over otherwise-insecure LDAP ports, using the Start TLS LDAP extended operation.
  • Page 360: Command-Line Functions For Start Tls

    Chapter 11. Managing SSL 4. Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with TLS/SSL. For information, refer to Section 11.7, “Configuring LDAP Clients to Use SSL”. 11.1.2.
  • Page 361: Obtaining And Installing Server Certificates

    Obtaining and Installing Server Certificates • If the certificate database does not have the certificate authority (CA) certificate. See Section 11.2, “Obtaining and Installing Server Certificates” for information on using certificates. • The server does not support Start TLS as an extended operation. For SDK libraries used in client programs, if a session is already in TLS mode and Start TLS is requested, then the connection continues to be in secure mode but prints the error "DSA is unwilling to perform".
  • Page 362: Step 1: Generate A Certificate Request

    Chapter 11. Managing SSL 11.2.1. Step 1: Generate a Certificate Request Generate a certificate request, and send it to a CA. The Directory Server Console has a tool, the Certificate Request Wizard, which generates a valid certificate request to submit to any certificate authority (CA).
  • Page 363 Step 1: Generate a Certificate Request • Server Name. Enter the fully qualified hostname of the Directory Server as it is used in DNS and reverse DNS lookups; for example, dir.example.com. The server name is critical for client- side validation to work, which prevents man-in-the-middle attacks. •...
  • Page 364 Chapter 11. Managing SSL The Next button is grayed out until a password is supplied. 6. The Request Submission dialog box provides two ways to submit a request: directly to the CA (if there is one internally) or manually. To submit the request manually, select Copy to Clipboard or Save to File to save the certificate request which will be submitted to the CA.
  • Page 365: Step 2: Send The Certificate Request

    Step 2: Send the Certificate Request 7. Click Done to dismiss the Certificate Request Wizard. After generating the certificate request, send it to the CA. 11.2.2. Step 2: Send the Certificate Request After the certificate request is generated, send it to a certificate authority (CA); the CA will generate and return a server certificate.
  • Page 366: Step 3: Install The Certificate

    Chapter 11. Managing SSL or two to respond to the request. If the selected CA is a third-party, it could take several weeks to respond to the request. After receiving the certificate, install it in the Directory Server's certificate database. When the CA sends a response, be sure to save the information in a text file.
  • Page 367: Step 4: Trust The Certificate Authority

    Step 4: Trust the Certificate Authority After installing the server certificate, configure the Directory Server to trust the CA which issued the server's certificate. 11.2.4. Step 4: Trust the Certificate Authority Configuring the Directory Server to trust the certificate authority consists of obtaining the CA's certificate and installing it into the server's certificate database.
  • Page 368: Using Certutil

    Chapter 11. Managing SSL NOTE When renewing a certificate using the Certificate Wizard, the text on the introduction screen does not clearly indicate that the process is renewal and not requesting a new certificate. Also, the requester information is not filled in automatically. 11.3.
  • Page 369 Creating Directory Server Certificates through the Command Line 5. Create the key and certificate databases.

    certutil -N -d . -f /tmp/pwdfile

    6. Generate the self-signed CA certificate. certutil creates the required key pairs and the certificate. This certificate is used to generate the other server certificates and can be exported for use with other servers and clients.
  • Page 370: Certutil Usage

    Chapter 11. Managing SSL with the same ID. Keep a log of issued serial numbers so that no number is ever duplicated. 8. Export the CA certificate for use with other servers and clients. A client usually requires the CA certificate to validate the server certificate in a TLS/SSL connection.
  • Page 371: Starting The Server With Tls/Ssl Enabled

    Starting the Server with TLS/SSL Enabled 11.4. Starting the Server with TLS/SSL Enabled Most of the time, the server should run with TLS/SSL enabled. If TLS/SSL is temporarily disabled, re-enable it before processing transactions that require confidentiality, authentication, or data integrity. Before TLS/SSL can be activated, first create a certificate database, obtain and install a server certificate, and trust the CA's certificate, as described in Section 11.2, “Obtaining and Installing Server Certificates”...
  • Page 372 Chapter 11. Managing SSL 8. Set the preferences for client authentication. • Do not allow client authentication. With this option, the server ignores the client's certificate. This does not mean that the bind will fail. • Allow client authentication. This is the default setting. With this option, authentication is performed on the client's request.
  • Page 373: Enabling Tls/Ssl In The Directory Server, Administration Server, And Console

    Enabling TLS/SSL in the Directory Server, Administration Server, and Console 11.4.2. Enabling TLS/SSL in the Directory Server, Administration Server, and Console 1. Obtain server certificates and CA certs, and install them on the Directory Server. This is described in Section 11.2, “Obtaining and Installing Server Certificates”.
  • Page 374 Chapter 11. Managing SSL 10. To verify the authenticity of requests, select the Check hostname against name in certificate for outbound SSL connections option. The server does this verification by matching the hostname against the value assigned to the common name (cn) attribute of the subject name in the certificate being presented for authentication.
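    An added example (not Directory Server code) of the check this option turns on: the hostname the client connected to must match a name in the certificate the peer presented, otherwise a valid certificate issued to some other host would be accepted. The matching policy is the RFC 6125 one and is an assumption of the example, stricter than the CN-only comparison described above: dNSName subjectAltName entries are preferred, the subject CN is used only when the certificate carries no SAN at all, a single wildcard is allowed in the leftmost label only and never against a bare top-level domain, and an IP literal must match an iPAddress SAN. The certificate dicts are constructed in the shape Python's ssl.getpeercert() returns.

```python
"""Hostname verification against the names in a presented certificate.
Added example; the matching policy (RFC 6125 style) is an assumption."""
import ipaddress

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def _label_matches(pattern_label, host_label):
    """One DNS label; the pattern label may contain a single '*' (e.g. 'ldap*')."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    prefix, _, suffix = pattern_label.partition("*")
    return (host_label.startswith(prefix) and host_label.endswith(suffix)
            and len(host_label) >= len(prefix) + len(suffix))

def dns_name_matches(pattern, hostname):
    """Match one certificate dNSName (possibly wildcarded) against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or "" in p_labels or "" in h_labels:
        return False                          # a wildcard never spans a label boundary
    if "*" in pattern and (pattern.count("*") != 1 or "*" not in p_labels[0]
                           or len(p_labels) < 3):
        return False                          # only "*.example.com" shapes; "*.com" is refused
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))

def hostname_matches_cert(hostname, cert):
    """cert has the shape ssl.getpeercert() returns: 'subject' is a tuple of RDNs,
    each a tuple of (type, value) pairs; 'subjectAltName' is a tuple of
    (type, value) pairs whose types include 'DNS' and 'IP Address'."""
    san = cert.get("subjectAltName", ())
    if _is_ip(hostname):                      # IP literals match iPAddress SANs only
        target = ipaddress.ip_address(hostname)
        return any(t == "IP Address" and _is_ip(v) and ipaddress.ip_address(v) == target
                   for t, v in san)
    dns_names = [v for t, v in san if t == "DNS"]
    if dns_names:                             # SAN present: the CN is not consulted
        return any(dns_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):       # legacy fallback: subject commonName
        for attr, value in rdn:
            if attr == "commonName":
                return dns_name_matches(value, hostname)
    return False

# Constructed certificates (not real ones), in the shape ssl.getpeercert() returns.
CN_ONLY = {"subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                       (("commonName", "dir.example.com"),))}
SAN_WILDCARD = {"subject": ((("commonName", "ignored.example.org"),),),
                "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.0.2.10"))}
SAN_TLD_WILDCARD = {"subjectAltName": (("DNS", "*.com"),)}

def demo():
    """Hostnames a client might have dialled, and whether each certificate is accepted."""
    return {
        "cn-only exact": hostname_matches_cert("dir.example.com", CN_ONLY),
        "cn-only case and trailing dot": hostname_matches_cert("DIR.Example.COM.", CN_ONLY),
        "cn-only other host": hostname_matches_cert("ldap.example.com", CN_ONLY),
        "wildcard one label": hostname_matches_cert("dir.example.com", SAN_WILDCARD),
        "wildcard two labels": hostname_matches_cert("a.b.example.com", SAN_WILDCARD),
        "wildcard bare domain": hostname_matches_cert("example.com", SAN_WILDCARD),
        "cn ignored when san present": hostname_matches_cert("ignored.example.org", SAN_WILDCARD),
        "ip literal in san": hostname_matches_cert("192.0.2.10", SAN_WILDCARD),
        "ip literal not in san": hostname_matches_cert("192.0.2.11", SAN_WILDCARD),
        "tld wildcard": hostname_matches_cert("example.com", SAN_TLD_WILDCARD),
    }
```

    The point of the negative cases is that a mismatch here is the only thing standing between the client and an attacker who holds a certificate for a different name from the same trusted CA; the check is worthless if a client skips it when the name does not match.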
  • Page 375: Creating A Password File For The Directory Server

    Creating a Password File for the Directory Server the certificate. Click OK to accept the certificate (either only for that current session or permanently). 11.4.3. Creating a Password File for the Directory Server It is possible to store the certificate password in a password file. By placing the certificate database password in a file, the server can be started from the Directory Server Console and also restarted automatically when running unattended.
  • Page 376: Setting Security Preferences

    Chapter 11. Managing SSL NOTE To find out what the Administration Server user ID is, run grep in the Administration Server configuration directory:

    cd /etc/dirsrv/admin-serv
    grep \^User console.conf

    3. In the /etc/dirsrv/admin-serv directory, edit the nss.conf file to point to the location of the new password file.
  • Page 377 Available Ciphers
    • Message Authentication. SHA stands for Secure Hash Algorithm.
    The Mozilla site, http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html, has definitions and explanations of the encryption algorithms.
    NOTE Directory Server supports ciphers for TLSv1 (recommended) and SSLv3. SSLv2 support is deprecated and not enabled by default in Directory Server. Directory Server provides the following TLSv1 ciphers: (columns: Directory Server Name, Key Exchange ...
  • Page 378: Selecting The Encryption Cipher

    Chapter 11. Managing SSL
    (Table 11.3 columns: Directory Server Name, Key Exchange Algorithm, Encryption Algorithm, Symmetric Key Bit Size, Message Authentication. The extracted rows are fortezza, fortezza_rc4_128_sha and fortezza_null, all with Fortezza key exchange; fortezza_null uses null (none) encryption.)
    Table 11.3. SSLv3 Ciphers
    11.5.2. Selecting the Encryption Cipher To select the ciphers for the Directory Server to use, do the following: 1.
  • Page 379: Setting Up Certificate-Based Authentication

    /etc/dirsrv/slapd-instance_name directory. Previous versions of Directory Server used a single directory, /opt/redhat-ds/slapd-instance/alias, for all security-related files for all servers, and required a unique prefix, such as slapd-instance-, for the key, certificate, and security-related files. The Directory Server used the attributes nsCertFile and nsKeyFile to give the locations for the key and certificate databases.
  • Page 380: Allowing/Requiring Client Authentication

    Chapter 11. Managing SSL 11.6.2. Allowing/Requiring Client Authentication If Red Hat Console is configured to connect to the Directory Server using TLS/SSL and the Directory Server requires client authentication, the Red Hat Console cannot be used to manage server applications. You must use the appropriate command-line utilities instead. However, to change the directory configuration to no longer require but allow client authentication in order to use the Red Hat Console, do the following: 1.
  • Page 381 Configuring LDAP Clients to Use SSL
    -----BEGIN CERTIFICATE-----
    MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBh
    MCVVMxIzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0w
    GwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdC
    BUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3
    WhcNOTgwMzI2MDIzMzU3WjBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTm
    V0c2NhcGUgRGlyZWN0b3
    -----END CERTIFICATE-----

    3. Convert the client certificate into binary format using the certutil utility.

    certutil -L -d certdbPath -n userCertName -r > userCert.bin

    certdbPath is the directory which contains the certificate database; for example, a user certificate for Mozilla Thunderbird is stored in $HOME/.thunderbird.
  • Page 382 Chapter 11. Managing SSL Now TLS/SSL and client authentication can be used with the LDAP clients. For information on how to use TLS/SSL with ldapmodify, ldapdelete, and ldapsearch, see the Directory Server Configuration, Command, and File Reference.
  • Page 383: Managing Sasl

    Chapter 12. Managing SASL Red Hat Directory Server supports LDAP client authentication through the Simple Authentication and Security Layer (SASL), an alternative to TLS/SSL and a native way for some applications to share information securely. Directory Server supports SASL authentication using the DIGEST-MD5 and GSS-API mechanisms, allowing Kerberos tickets to authenticate sessions and encrypt data.
  • Page 384: Sasl Identity Mapping

    Chapter 12. Managing SASL CRAM-MD5, DIGEST-MD5, and GSS-API are shared secret mechanisms. The server challenges the client attempting to bind with a secret, such as a password, that depends on the mechanism. The user sends back the response required by the mechanism. NOTE DIGEST-MD5 requires that user passwords be stored in clear text in the directory, because the server needs the plaintext password to compute the digest it compares against the client's response.
  • Page 385: Configuring Sasl Identity Mapping From The Console

    Configuring SASL Identity Mapping from the Console
    dn: cn=mymap,cn=mapping,cn=sasl,cn=config
    objectclass: top
    objectclass: nsSaslMapping
    cn: mymap
    nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
    nsSaslFilterTemplate: (objectclass=inetOrgPerson)
    nsSaslBaseDNTemplate: uid=\1,ou=people,dc=\2,dc=\3

    When a Directory Server receives a SASL bind request with mconnors@EXAMPLE.COM as the user ID (authid), the regular expression fills in the base DN template as uid=mconnors,ou=people,dc=EXAMPLE,dc=COM, and authentication proceeds from there.
  • Page 386 Chapter 12. Managing SASL 2. Select the SASL Mapping tab. 3. To add a new SASL identity mapping, select the Add button, and fill in the required values. • Name. This field sets the unique name of the SASL mapping. •...
  • Page 387: Configuring Sasl Identity Mapping From The Command-Line

    Configuring SASL Identity Mapping from the Command-Line • Search base DN. This field gives the base DN to search to map entries, such as ou=People,dc=example,dc=com. This field corresponds to the nsSaslMapBaseDNTemplate value in the SASL mapping LDIF entry. • Search filter. This field gives the search filter for the components to replace, such as (objectclass=*).
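    An added example, not code from the Directory Server, that models how a mapping entry such as cn=mymap above (the Name, Regular expression, Search base DN and Search filter fields of this tab, or the nsSaslMapRegexString, nsSaslMapBaseDNTemplate and nsSaslMapFilterTemplate values in LDIF) resolves a SASL authid: the regex is matched against the authid and its captured groups fill \1, \2, \3 in the base DN and filter templates. Assumptions of the example: the server's regex is in POSIX basic syntax, so \( \) groups are translated to Python syntax; mappings are tried in list order; and substituted values are escaped for DN and filter syntax, a defensive step that belongs in any such substitution and whose presence in the server this page does not state. The second mapping, STRICT, is not from the guide; it shows why anchoring the regex and restricting the captured characters is the safer way to write one.

```python
"""Model of SASL identity mapping: regex over the authid, captured groups
substituted into the base DN and filter templates.  Added example; the regex
translation, mapping order and value escaping are assumptions (see lead-in)."""
import re

_DN_SPECIAL = ',+"\\<>;='
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)

def _bre_to_python(regex):
    """POSIX basic syntax writes groups as \\( \\); Python wants bare parentheses."""
    return regex.replace(r"\(", "(").replace(r"\)", ")")

class SaslMapping:
    def __init__(self, name, regex, base_dn_template, filter_template):
        self.name, self.regex = name, re.compile(_bre_to_python(regex))
        self.base_dn_template, self.filter_template = base_dn_template, filter_template

    def apply(self, authid):
        m = self.regex.search(authid)    # unanchored like regexec(); write ^ and $ to anchor
        if not m:
            return None
        groups = m.groups()

        def fill(template, escape):      # replace \1..\9 with the escaped captured text
            return re.sub(r"\\([1-9])", lambda g: escape(groups[int(g.group(1)) - 1]), template)

        return {"mapping": self.name,
                "base": fill(self.base_dn_template, escape_dn_value),
                "filter": fill(self.filter_template, escape_filter_value)}

def map_authid(mappings, authid):
    """Search produced by the first mapping that matches, or None if none does."""
    for mapping in mappings:
        result = mapping.apply(authid)
        if result:
            return result
    return None

# The mapping from the guide's LDIF entry, exactly as written there.
LOOSE = SaslMapping("mymap", r"\(.*\)@\(.*\)\.\(.*\)",
                    r"uid=\1,ou=people,dc=\2,dc=\3", "(objectclass=inetOrgPerson)")
# A tighter variant (assumed, not from the guide): anchored, and each group limited
# to the characters it may legitimately contain, so junk in the authid fails to map.
STRICT = SaslMapping("strictmap", r"^\([a-z0-9._-]*\)@\([A-Z0-9-]*\)\.\([A-Z]*\)$",
                     r"uid=\1,ou=people,dc=\2,dc=\3", "(objectclass=inetOrgPerson)")
```

    With the guide's mapping, an authid of bob,ou=admins@EXAMPLE.COM still matches because .* accepts anything, and only the escaping keeps the substituted text from being read as extra RDNs; with the anchored, character-restricted STRICT mapping the same authid does not map at all, which is the behaviour to prefer.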
  • Page 388: Configuring The Kdc Server

    Chapter 12. Managing SASL Realms are used by the server to associate the DN of the client in the following form, which looks like an LDAP DN: uid=user_name/[server_instance],cn=realm,cn=mechanism,cn=auth NOTE Kerberos systems treat the Kerberos realm as the default realm; other systems default to the server.
  • Page 389: Example: Configuring An Example Kdc Server

    Example: Configuring an Example KDC Server keytab file. This file is created by the Kerberos administrator by exporting the key from the KDC. Either the system default keytab file (typically /etc/krb5.keytab) is used, or a service-specific keytab file determined by the value of the KRB5_KTNAME environment variable; this environment variable can be set in the start-slapd script, which is recommended because it ensures that the variable is properly set each time Directory Server starts.
  • Page 390 Chapter 12. Managing SASL NOTE The default configuration file on Red Hat Enterprise Linux and HP-UX is in /etc/ sysconfig. On Solaris, it is in /etc/default. If there are multiple Directory Server instances and not all of them will use SASL authentication, then there can be instance-specific configuration files created in that directory named dirsrv-instance.
  • Page 391: Monitoring Server And Database Activity

    Chapter 13. Monitoring Server and Database Activity This chapter describes monitoring database and Red Hat Directory Server logs. For information on using SNMP to monitor the Directory Server, see Chapter 14, Monitoring Directory Server Using SNMP. 13.1. Viewing and Configuring Log Files Directory Server provides three types of logs to help better manage the directory and tune performance.
  • Page 392: Defining A Log File Deletion Policy

    Chapter 13. Monitoring Server and Database Activity
    3 — Write and execute
    4 — Read only
    5 — Read and execute
    6 — Read and write
    7 — Read, write, and execute
    In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions.
  • Page 393: Access Log

    Access Log • The maximum size of the combined archived logs. When the maximum size is reached, the oldest archived log is automatically deleted. The default size is -1, which sets an unlimited maximum size. This parameter is ignored if the maximum number of log files is set to 1. •...
  • Page 394: Error Log

    Chapter 13. Monitoring Server and Database Activity 1. In the Directory Server Console, select the Configuration tab. 2. In the navigation tree, expand the Log folder, and select the Access Log icon. The access log configuration attributes are displayed in the right pane. 3.
  • Page 395: Configuring The Error Log

    Error Log NOTE Continuous log refresh does not work well with log files over 10 megabytes. • To view an archived error log, select it from the Select Log pull-down menu. • To specify a different number of messages, enter the number of lines to view in the Lines to show text box, and click Refresh.
  • Page 396: Audit Log

    Chapter 13. Monitoring Server and Database Activity NOTE Changing these values from the defaults may cause the error log to grow very rapidly, so Red Hat recommends not changing the logging level without being asked to do so by Red Hat technical support. 9.
  • Page 397: Manual Log File Rotation

    Manual Log File Rotation 3. To enable audit logging, select the Enable Logging checkbox. To disable audit logging, clear the checkbox. By default, audit logging is disabled. 4. Enter the full path and filename for the directory to use for the audit log in the field provided. The default path is /var/log/dirsrv/slapd-instance_name/audit.
  • Page 398 Chapter 13. Monitoring Server and Database Activity 3. Click Refresh to refresh the current display. For the server to continuously update the displayed information, select the Continuous checkbox. The server monitoring information is described in the following tables. Table 13.1, “General Information (Server)” •...
  • Page 399 Monitoring the Server from the Directory Server Console (columns: Resource, Usage Since Startup, Average Per Minute)
    ... as searches, adds, and modifies. Often, multiple operations are initiated for each connection.
    Operations Completed: The total number of operations completed by the server since server startup. / Average number of operations per minute since server startup.
  • Page 400 Chapter 13. Monitoring Server and Database Activity (columns: Resource, Current Total)
    Databases in Use: The total number of databases being serviced by the server.
    Table 13.3. Current Resource Usage
    (columns: Table Header, Description)
    Time Opened: The time on the server when the connection was initially opened.
  • Page 401: Monitoring The Directory Server From The Command Line

    Monitoring the Directory Server from the Command Line Table Header Description value differs from Pages Written Out in that these are discarded read-write pages that have not been modified. Pages discarded from the cache have to be written to disk, possibly affecting server performance.
  • Page 402 Chapter 13. Monitoring Server and Database Activity Attribute Description binddn — The distinguished name used by this connection to connect to the directory. rw — The field shown if the connection is blocked for read or write. By default, this information is available to Directory Manager.
  • Page 403: Monitoring Database Activity

    Monitoring Database Activity 13.4. Monitoring Database Activity The database's current activities can be monitored through Directory Server Console or from the command line. 13.4.1. Monitoring Database Activity from the Directory Server Console To monitor the database's activities, do the following: 1.
  • Page 404 Chapter 13. Monitoring Server and Database Activity Performance Metric Current Total Entry Cache Hit Ratio Ratio that indicates the number of entry cache tries to successful entry cache lookups. This number is based on the total lookups and hits since the directory was last started. The closer this value is to 100%, the better.
  • Page 405 Monitoring Database Activity from the Directory Server Console Performance Metric Current Total appropriate database page. Thus, as this ratio drops towards zero, the number of disk accesses increases, and directory performance drops. To improve this ratio, increase the amount of data that the directory maintains in the database cache by increasing the value of the Maximum Cache Size setting.
  • Page 406: Monitoring Databases From The Command Line

    Chapter 13. Monitoring Server and Database Activity 13.4.2. Monitoring Databases from the Command Line The directory's database activities can be monitored using any LDAP tool, such as ldapsearch, using the following characteristics:
    • Search with the attribute filter objectClass=*.
    • Use the search base cn=monitor,cn=database_instance,cn=ldbm database,cn=plugins,cn=config.
  • Page 407 Monitoring Databases from the Command Line (columns: Attribute, Description)
    ... Database Performance” for information on changing this value using the Directory Server Console.
    currententrycachesize: The total size of directory entries currently present in the entry cache.
    maxentrycachesize: The maximum size that the entry cache can reach.
  • Page 408: Monitoring Database Link Activity

    Chapter 13. Monitoring Server and Database Activity Attribute Description a search that required data from this file was performed, and the required data could not be found in the cache. dbfilepagein-number The number of pages brought to the cache from this file.
  • Page 409 Monitoring Database Link Activity For more information about ldapsearch, see the Directory Server Configuration, Command, and File Reference.
  • Page 411: Monitoring Directory Server Using Snmp

    Chapter 14. Monitoring Directory Server Using SNMP The server and database activity monitoring log setup described in Chapter 13, Monitoring Server and Database Activity is specific to Directory Server. You can also monitor your Directory Server using Simple Network Management Protocol (SNMP), a management protocol for monitoring network activity that can be used to monitor a wide range of devices in real time.
  • Page 412: Configuring The Master Agent

    Chapter 14. Monitoring Directory Server Using SNMP 14.2. Configuring the Master Agent To use the subagent, you must have a master agent that supports AgentX. A common agent is Net-SNMP master agent, which may be available through your operating system vendor or can be downloaded from the Net-SNMP website, http://www.net-snmp.org.
  • Page 413: Starting The Subagent

    Directory Server's MIB file. The Directory Server's MIB file, redhat-ds.mib, is located in /usr/share/dirsrv/mibs on Red Hat Enterprise Linux and Solaris and in /opt/dirsrv/share/mibs on HP-UX. There are some additional common required MIB files in this mibs directory if you do not already have them with your MIB tools.
  • Page 414: Configuring Snmp Traps

    Chapter 14. Monitoring Directory Server Using SNMP Each monitored server instance uses its port number as an index to identify that particular Directory Server instance. For example, querying for the dsEntityName.389 SNMP variable returns the variable value for a server running on port 389, assuming that instance exists and is being monitored by the subagent.
  • Page 415: Using The Management Information Base

    7. Click Save. 14.6. Using the Management Information Base The Directory Server's MIB is a file called redhat-directory.mib. This MIB contains definitions for variables pertaining to network management for the directory. These variables are known as managed objects. Using the directory MIB and Net-SNMP, you can monitor your directory like all other managed Section 14.3.3, “Testing the...
  • Page 416 Chapter 14. Monitoring Directory Server Using SNMP Managed Object Description failures or invalid credentials since server startup. dsInOps The number of operations forwarded to this directory from another directory since server startup. dsReadOps The number of read operations serviced by this directory since application start.
  • Page 417: Entries Table

    Entity Table are set in the Directory Server Console, as described in “Configuring the Directory Server for SNMP”. Table 14.3, “Entity Table: Managed Objects and Descriptions” describes the managed objects stored in the Entity Table of the redhat-directory.mib file. Managed Object Description dsEntityDescr The description set for the Directory Server instance.
  • Page 418: Interaction Table

    The Interaction Table is not supported by the subagent. The subagent can query the table, but it will not ever be updated with valid data. Table 14.4, “Interaction Table: Managed Objects and Descriptions” describes the managed objects stored in the Interaction Table of the redhat-directory.mib file. Managed Object Description dsIntTable...
  • Page 419 Interaction Table Managed Object Description dsSuccesses Cumulative successes since the creation of this entry. dsURL The URL of the Directory Server application. Table 14.4. Interaction Table: Managed Objects and Descriptions...
  • Page 421: Tuning Directory Server Performance

    Chapter 15. Tuning Directory Server Performance This chapter describes the tools provided with Red Hat Directory Server to help optimize performance. It also provides tips to improve the performance of the directory. 15.1. Tuning Server Performance The server's performance can be managed and improved by limiting the amount of resources the server uses to process client search requests, which is done by defining four settings: •...
  • Page 422: Tuning Database Performance

    Chapter 15. Tuning Directory Server Performance 15.2. Tuning Database Performance This section is divided into the following parts which describe methods for tuning database performance: Section 15.2.1, “Optimizing Search Performance” • Section 15.2.2, “Tuning Transaction Logging” • Section 15.2.3, “Changing the Location of the Database Transaction Log” •...
  • Page 423: Tuning Transaction Logging

    Tuning Transaction Logging To configure the default database attributes that apply to all other database instances: 1. In the Directory Server Console, select the Configuration tab; then, in the navigation tree, expand the Data Icon, and highlight the Database Settings node. This displays the Database tabs in the right pane.
  • Page 424: Changing The Location Of The Database Transaction Log

    Chapter 15. Tuning Directory Server Performance Although database transaction logging and database recovery are automatic processes that require no intervention, it can be advisable to tune some of the database transaction logging attributes to optimize performance. WARNING The transaction logging attributes are provided only for system modifications and diagnostics.
  • Page 425: Disabling Durable Transactions

    Disabling Durable Transactions To modify the checkpoint interval while the server is running, use the ldapmodify command-line utility to add the nsslapd-db-checkpoint-interval attribute to the cn=config,cn=ldbm database,cn=plugins,cn=config entry. For more information on the syntax of the nsslapd-db-checkpoint-interval attribute, refer to the Directory Server Configuration, Command, and File Reference. For instructions on using ldapmodify, see Section 2.2.4, “Adding and Modifying Entries Using ldapmodify”.
  • Page 426: Miscellaneous Tuning Tips

    Chapter 15. Tuning Directory Server Performance 15.3. Miscellaneous Tuning Tips This section covers some common performance-related tips and concepts to remember. 15.3.1. Avoid Creating Entries Under the cn=config Entry in the dse.ldif File The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries.
  • Page 427: Administering Directory Server Plug-Ins

    Chapter 16. Administering Directory Server Plug-ins Plug-ins extend the functionality of the server. Red Hat Directory Server ships with several plug-ins to help manage the directory. This chapter contains general information on the types of plug-ins available and how to enable or disable them. 16.1.
  • Page 428: Acl Preoperation Plug-In

    Chapter 16. Administering Directory Server Plug-ins Plug-in Information Description Performance Related Information Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server. Further Information Chapter 6, Managing Access Control. Table 16.2.
  • Page 429: Case Exact String Syntax Plug-In

    Case Exact String Syntax Plug-in Plug-in Information Description Configuration Entry DN cn=Boolean Syntax,cn=plugins,cn=config Description Syntax for handling booleans Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
  • Page 430: Chaining Database Plug-In

    Chapter 16. Administering Directory Server Plug-ins Plug-in Information Description Further Information Table 16.7. Details of Case Ignore String Syntax Plug-in 16.1.8. Chaining Database Plug-in Plug-in Information Description Plug-in Name Chaining Database Configuration Entry DN cn=Chaining database,cn=plugins,cn=config Description Syntax for handling DNs Configurable Options on | off Default Setting...
  • Page 431: Distinguished Name Syntax Plug-In

    Distinguished Name Syntax Plug-in Plug-in Information Description Configuration Entry DN cn=Country String Syntax,cn=plugins,cn=config Description Syntax for handling countries Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
  • Page 432: Integer Syntax Plug-In

    Chapter 16. Administering Directory Server Plug-ins Plug-in Information Description Further Information The Generalized Time String consists of the following: a four-digit year, a two-digit month (for example, 01 for January), a two-digit day, a two-digit hour, a two-digit minute, a two-digit second, a decimal part of a second (optional), and a time zone indication. Red Hat strongly recommends using the Z time...
  • Page 433: Ldbm Database Plug-In

    ldbm Database Plug-in Plug-in Information Description config/slapd-collations.conf file. This file stores the collation orders and locales used by the Internationalization Plug-in. Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times. Further Information Section B.4, “Searching an Internationalized Directory”...
  • Page 434: Multi-Master Replication Plug-In

    Chapter 16. Administering Directory Server Plug-ins Plug-in Information Description Further Information Section 8.15, “Replication with Earlier Releases”. Table 16.16. Details of Legacy Replication Plug-in 16.1.17. Multi-Master Replication Plug-in Plug-in Information Description Plug-in Name Multi-master Replication Plug-in Configuration Entry DN cn=Multimaster Replication plugin,cn=plugins, cn=config Description Enables replication between two Directory...
  • Page 435: Crypt Password Storage Plug-In

    CRYPT Password Storage Plug-in Plug-in Information Description Configuration Entry DN cn=CLEAR,cn=Password Storage Schemes,cn=plugins, cn=config Description CLEAR password storage scheme used for password encryption Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
  • Page 436: Sha Password Storage Plug-In

    Chapter 16. Administering Directory Server Plug-ins Plug-in Information Description Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. Further Information Passwords cannot be encrypted using the NS-MTA-MD5 password storage scheme.
  • Page 437: Ssha Password Storage Plug-In

    SSHA Password Storage Plug-in 16.1.23. SSHA Password Storage Plug-in Plug-in Information Description Plug-in Name SSHA Configuration Entry DN cn=SSHA, cn=Password Storage Schemes, cn=plugins, cn=config cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config Description SSHA password storage scheme for password encryption Configurable Options on | off...
  • Page 438: Referential Integrity Postoperation Plug-In

    Chapter 16. Administering Directory Server Plug-ins Plug-in Information Description Configuration Entry DN cn=Pass Through Authentication,cn=plugins,cn=config Description Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. This plug-in is not listed in the Directory Server Console if the same server is used for the user directory and configuration directory.
  • Page 439: Retro Changelog Plug-In

    Retro Changelog Plug-in Plug-in Information Description intervals corresponding to the integer (number of seconds) specified. • Log file for storing the change; for example /var/log/dirsrv/slapd-instance_name/referint. • All the additional attribute names to be checked for referential integrity. Dependencies Database Performance Related Information The Referential Integrity Plug-in should be enabled only on one master in a multimaster...
  • Page 440: Roles Plug-In

    Chapter 16. Administering Directory Server Plug-ins Plug-in Information Description Performance Related Information May slow down Directory Server update performance. Chapter 8, Managing Replication. Further Information Table 16.27. Details of Retro Changelog Plug-in 16.1.28. Roles Plug-in Plug-in Information Description Plug-in Name Roles Plug-in Configuration Entry DN cn=Roles Plugin,cn=plugins,cn=config...
  • Page 441: State Change Plug-In

    State Change Plug-in Plug-in Information Description use the space insensitive syntax. For more information about finding directory entries, see Appendix B, Finding Directory Entries. Table 16.29. Details of Space Insensitive String Syntax Plug-in 16.1.30. State Change Plug-in Plug-in Information Description Plug-in Name State Change Plug-in Configuration Entry DN...
  • Page 442: Uri Plug-In

    Chapter 16. Administering Directory Server Plug-ins Plug-in Information Description Description Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique. Configurable Options on | off Default Setting...
  • Page 443: Enabling And Disabling Plug-Ins

    Enabling and Disabling Plug-ins Plug-in Information Description Configuration Entry DN cn=URI Syntax,cn=plugins,cn=config Description Syntax for handling URIs (Unique Resource Identifiers), including URLs (Unique Resource Locators) Configurable Options on | off Default Setting Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug-in.
  • Page 445: Using The Pass-Through Authentication Plug-In

    Chapter 17. Using the Pass-through Authentication Plug-in Pass-through authentication (PTA) is a mechanism which allows one Red Hat Directory Server instance to consult another to authenticate bind requests. Pass-through authentication is implemented through the PTA Plug-in; when enabled, the plug-in lets a Directory Server instance accept simple bind operations (password-based) for entries not stored in its local database.
  • Page 446: Pta Plug-In Syntax

    Chapter 17. Using the Pass-through Authentication Plug-in This entry contains the LDAP URL for the configuration directory. For example:
    dn: cn=Pass Through Authentication,cn=plugins,
    nsslapd-pluginEnabled: on
    nsslapd-pluginarg0: ldap://configdir.example.com/o=NetscapeRoot
    The user directory is now configured to send all bind requests for entries with a DN containing o=NetscapeRoot to the configuration directory configdir.example.com.
  • Page 447 PTA Plug-in Syntax nsslapd-pluginarg2: LDAP URL for the third server The optional parameters are described in the following table in the order in which they appear in the syntax. Variable Definition state Defines whether the plug-in is enabled or disabled. Acceptable values are on or off. See Section 17.3.1, “Turning the Plug-in On or Off”...
  • Page 448: Configuring The Pta Plug-In

    Chapter 17. Using the Pass-through Authentication Plug-in Variable Definition Optional. The time limit, in seconds, that the timeout PTA directory waits for a response from the authenticating Directory Server. If this timeout is exceeded, the server returns an error to the client.
  • Page 449: Turning The Plug-In On Or Off

    Turning the Plug-in On or Off NOTE If the user and configuration directories are installed on different instances of the directory, the PTA Plug-in entry is automatically added to the user directory's configuration and enabled. This section provides information about configuring the plug-in in the following sections: Section 17.3.1, “Turning the Plug-in On or Off”...
  • Page 450: Specifying The Pass-Through Subtree

    Chapter 17. Using the Pass-through Authentication Plug-in 1. Use ldapmodify to edit the PTA Plug-in entry.
    ldapmodify -p 389 -D "cn=Directory Manager" -w password -h example
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginarg0
    nsslapd-pluginarg0: ldap://dirserver.example.com/o=NetscapeRoot
    Optionally, include the port number. If the port number is not given, the PTA Directory Server attempts to connect using either the standard port (389) for ldap:// or the secure port (636) for ldaps://.
  • Page 451: Configuring The Optional Parameters

    Configuring the Optional Parameters 17.3.5. Configuring the Optional Parameters Additional parameters that control the PTA connection can be set with the LDAP URL. ldap|ldaps://authDS/subtree maxconns, maxops, timeout, ldver, connlifetime • The maximum number of connections the PTA Directory Server can open simultaneously to the authenticating directory, represented by maxconns in the PTA syntax.
  • Page 452: Specifying One Authenticating Directory Server And One Subtree

    Chapter 17. Using the Pass-through Authentication Plug-in Section 17.4.1, “Specifying One Authenticating Directory Server and One Subtree” • Section 17.4.2, “Specifying Multiple Authenticating Directory Servers” • Section 17.4.3, “Specifying One Authenticating Directory Server and Multiple Subtrees” • Section 17.4.4, “Using Non-Default Parameter Values” •...
  • Page 453: Using Non-Default Parameter Values

    Using Non-Default Parameter Values
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    nsslapd-pluginEnabled: on
    nsslapd-pluginarg0: ldap://configdir.example.com/o=NetscapeRoot
    nsslapd-pluginarg1: ldap://configdir.example.com/dc=example,dc=com
    17.4.4. Using Non-Default Parameter Values This example uses a non-default value (10) only for the maximum number of connections parameter maxconns. Each of the other parameters is set to its default value. However, because one parameter is specified, all parameters must be defined explicitly in the syntax.
  • Page 455: Using The Attribute Uniqueness Plug-In

    Chapter 18. Using the Attribute Uniqueness Plug-in The Attribute Uniqueness Plug-in can be used to ensure that the new or edited attributes always have unique values in the directory. A new instance of the Attribute Uniqueness Plug-in must be created for every attribute for which values must be unique.
  • Page 456: Attribute Uniqueness Plug-In Syntax

    Chapter 18. Using the Attribute Uniqueness Plug-in Directory Server provides a default instance of the Attribute Uniqueness Plug-in, the UID Uniqueness Plug-in, to ensure that values given to the uid attribute are unique in the root suffix (the suffix corresponding to the userRoot database) configured when the Directory Server was first set up. This plug-in is disabled by default because it affects the operation of multi-master replication.
  • Page 457: Creating An Instance Of The Attribute Uniqueness Plug-In

    Creating an Instance of the Attribute Uniqueness Plug-in • The cn attribute does not contain the name of the attribute which is checked for uniqueness. • Only one attribute can be specified on which the uniqueness check will be performed. •...
  • Page 458: Configuring Attribute Uniqueness Plug-Ins

    Chapter 18. Using the Attribute Uniqueness Plug-in in the directory that includes a mail attribute has a unique value for that attribute, create a mail uniqueness plug-in. To create an instance of the Attribute Uniqueness Plug-in, modify the Directory Server configuration to add an entry for the new plug-in under the cn=plugins,cn=config entry.
  • Page 459: Configuring Attribute Uniqueness Plug-Ins From The Directory Server Console

    Configuring Attribute Uniqueness Plug-ins from the Directory Server Console 3. In the right navigation window, double-click the plug-in entry to view. The Property Editor opens. It contains a list of all the attributes and values for the plug-in. 18.4.2. Configuring Attribute Uniqueness Plug-ins from the Directory Server Console The plug-in configuration can be updated from the Directory Server Console in several ways: •...
  • Page 460: Specifying A Suffix Or Subtree

    Chapter 18. Using the Attribute Uniqueness Plug-in Section 18.4.3.3, “Using the markerObjectClass and requiredObjectClass Keywords” • 18.4.3.1. Turning the Plug-in On or Off 1. To turn the plug-in on from the command line, run ldapmodify using an LDIF update statement to change the nsslapd-pluginenabled attribute.
  • Page 461: Attribute Uniqueness Plug-In Syntax Examples

    Attribute Uniqueness Plug-in Syntax Examples 18.4.3.3. Using the markerObjectClass and requiredObjectClass Keywords Instead of specifying a suffix or subtree in the configuration of an Attribute Uniqueness Plug-in, perform the check under the entry belonging to the DN of the updated entry that has the object class given in the markerObjectClass keyword.
  • Page 462: Specifying One Attribute And One Subtree

    Chapter 18. Using the Attribute Uniqueness Plug-in 18.5.1. Specifying One Attribute and One Subtree This example configures the plug-in to ensure the uniqueness of the mail attribute under the dc=example,dc=com subtree.
    dn: cn=mail uniqueness,cn=plugins,cn=config
    nsslapd-pluginEnabled: on
    nsslapd-pluginarg0: mail
    nsslapd-pluginarg1: dc=example,dc=com
    18.5.2.
  • Page 463: Simple Replication Scenario

    Simple Replication Scenario • Complex replication with multiple masters. Attribute Uniqueness Plug-ins do not perform any checking on attribute values when an update is performed as part of a replication operation. 18.6.1. Simple Replication Scenario Because all modifications by client applications are performed on the supplier server, the Attribute Uniqueness Plug-in should be enabled on the supplier.
  • Page 465: Synchronizing Red Hat Directory Server With Microsoft Active Directory

    Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory The Windows Sync feature allows synchronization of adds, deletes, and changes in groups, users, and passwords between Red Hat Directory Server and Microsoft Active Directory. It provides an efficient and effective way to maintain consistent information across directories. 19.1.
  • Page 466 Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory similar in purpose to replication agreements and contain a similar set of information, including the hostname and port number for Active Directory. The Directory Server connects to its peer Windows server via LDAP/LDAPS to both send and receive updates.
  • Page 467: Configuring Windows Sync

    Configuring Windows Sync WARNING There can only be a single sync agreement between the Directory Server environment and the Active Directory environment. Multiple sync agreements to the same Active Directory domain can create entry conflicts. Figure 19.2. Multi-Master Directory Server - Windows Domain Synchronization Directory Server passwords are synchronized along with other entry attributes because plain-text passwords are retained in the Directory Server changelog.
  • Page 468: Step 2: Configure The Active Directory Domain

    Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory • Directory Server certificate, accessible by the sync services 19.2.2. Step 2: Configure the Active Directory Domain The Active Directory domain has to be properly configured for synchronization to work. 1.
  • Page 469: Step 3: Select Or Create The Sync Identity

    Step 3: Select or Create the Sync Identity iv. Accept the certificate request. For example: certreq -accept cernew.cer Make sure that the server certificate is present on the Active Directory server. In the File menu, click Add/Remove, then click Certificates and Personal>Certificates. vi.
  • Page 470 Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory 4. Fill in the Directory Server hostname, secure port number, user name (such as cn=sync manager,cn=config), the certificate token (password), and the search base (e.g., ou=People,dc=example,dc=com). Figure 19.3. Setting up Password Sync Information Hit Next, then Finish to install Password Sync.
  • Page 471: Step 5: Configure The Password Sync Service

    Step 5: Configure the Password Sync Service • passhook.dll • nsldap32v50.dll • nsldapssl32v50.dll • libplc4.dll • nsldappr32v50.dll • nss3.dll • libnspr4.dll • ssl3.dll • libplds4.dll • softokn3.dll 19.2.5. Step 5: Configure the Password Sync Service Next, set up certificates that Password Sync will use to access the Directory Server over SSL: NOTE SSL is required for Password Sync to send passwords to Directory Server.
  • Page 472: Step 6: Configure The Directory Server Database For Synchronization

    Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory NOTE If any Active Directory user accounts exist when Password Sync is first installed, then the passwords for those user accounts cannot be synchronized until they are changed because Password Sync cannot decrypt a password once it has been hashed in Active Directory.
  • Page 473: Step 7: Create The Synchronization Agreement

    Step 7: Create the Synchronization Agreement NOTE For more information on replication settings, see Chapter 8, Managing Replication. 19.2.7. Step 7: Create the Synchronization Agreement Create the synchronization agreement: 1. In the Directory Server Console, select the Configuration tab. 2. In the left-hand navigation tree, click Replication, then right-click on the database to sync. The default user database is userRoot, but additional databases are added as new suffixes are added to the Directory Server.
  • Page 474 Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory Figure 19.4. Setting up the Sync Agreement 6. In the middle of the screen are fields for the Windows domain information. Fill in the domain name and the domain controller. 7.
  • Page 475: Step 7: Begin Synchronization

    Step 7: Begin Synchronization • Sync New Windows Groups. When enabled, all group entries found in Windows that are subject to the agreement will automatically be created in the Directory Server. 8. The Windows and Directory Server subtree information is automatically filled in; use the defaults to sync only users or change these as appropriate to sync groups or groups and users.
  • Page 476 Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory begins). When a new Windows user account is created, a corresponding entry will automatically be created on the peer Directory Server. If an existing sync agreement is modified to begin synchronizing users, the Windows users will be added to the Directory Server after the next total update.
  • Page 477 Synchronizing Users Figure 19.5. Setting User Attributes Additional ntUser attributes can be created either by using the Advanced button in the Console or by using ldapmodify; see Section 2.2.4.2, “Modifying Entries Using ldapmodify”. Table 19.1, “User Schema Mapped between Directory Server and Active Directory” shows the attributes that are mapped between the Directory Server and Windows servers, and Table 19.2, “User...
  • Page 478: Synchronizing Groups

    Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory Directory Server Active Directory ntUserProfile profilePath ntUserParms userParameters ntUserWorkstations userWorkstations Table 19.1. User Schema Mapped between Directory Server and Active Directory physicalDeliveryOfficeName description postOfficeBox destinationIndicator postalAddress facsimileTelephoneNumber postalCode givenName registeredAddress homePhone homePostalAddress...
  • Page 479: Deleting Entries

    Deleting Entries Table 19.3, “Group Entry Attribute Mapping between Directory Server and Active Directory” shows the attributes that are mapped between the Directory Server and Windows servers, and Table 19.4, “Group Entry Attributes That Are the Same between Directory Server and Active Directory” shows the attributes that are the same between the Directory Server and Windows servers.
  • Page 480: Manually Updating And Resynchronizing Entries

    Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory • On Windows 2000, Active Directory creates a new entry with a new unique ID; this new ID is synched back to the Directory Server entry. • On Windows 2003, Active Directory resurrects the old entry and preserves the original unique ID for the entry.
  • Page 481: Schema Differences

    Schema Differences • The Summary tab allows the description of the agreement to be changed. This tab also shows the sync peer host and port information and synchronized subtrees. • The Connection tab allows the bind DN and bind credentials for the sync ID to be changed and shows whether Windows users and groups are synchronized.
  • Page 482: Constraints On The Initials Attribute

    Chapter 19. Synchronizing Red Hat Directory Server with Microsoft Active Directory in Directory Server, then all street attribute values in Directory Server are replaced with the new, single Active Directory value. 19.4.4. Constraints on the initials Attribute For the initials attribute, Active Directory imposes a maximum length constraint of six characters, but Directory Server does not have a length limit.
  • Page 483: Troubleshooting

    Troubleshooting 3. If SSL was configured for the Password Sync, then the cert8.db and key3.db databases that were created were not removed when Password Sync was uninstalled. Delete these files by hand. 19.6. Troubleshooting If synchronization does not seem to be functioning properly, see the Windows event log and/or Directory Server error log for information on any potential problems.
  • Page 485: Ldap Data Interchange Format

    Appendix A. LDAP Data Interchange Format Red Hat Directory Server (Directory Server) uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text format. LDIF is commonly used to build the initial directory database or to add large numbers of entries to the directory all at once. In addition, LDIF is also used to describe changes to directory entries.
  • Page 486: Continuing Lines In Ldif

    Appendix A. LDAP Data Interchange Format Field Definition objectClass: object_class Specifies an object class to use with this entry. The object class identifies the types of attributes, or schema, allowed and required for the entry. Chapter 9, Extending the Directory Schema for information on customizing the schema.
  • Page 487: Standard Ldif Notation

    Standard LDIF Notation A.3.1. Standard LDIF Notation Standard LDIF notation uses the less-than (<) symbol to indicate that the data are binary. For example: jpegphoto: < file:/path/to/photo With this standard notation, it is not necessary to specify the ldapmodify -b parameter. However, standard notation requires that the following line be added to the beginning of the LDIF file or the LDIF update statements: version: 1...
  • Page 488: Specifying Directory Entries Using Ldif

    Appendix A. LDAP Data Interchange Format A.4. Specifying Directory Entries Using LDIF Many types of entries can be stored in the directory. This section concentrates on three of the most common types of entries used in a directory: domain, organizational unit, and organizational person entries.
  • Page 489: Specifying Organizational Unit Entries

    Specifying Organizational Unit Entries LDIF Element Description dc=com unless the server has been configured to use that suffix. list_of_attributes Specifies the list of optional attributes to maintain for the entry. Table A.2. LDIF Elements in Domain Entries A.4.2. Specifying Organizational Unit Entries Organizational unit entries are often used to represent major branch points, or subdirectories, in the directory tree.
  • Page 490: Specifying Organizational Person Entries

    LDIF Element Description list_of_attributes Specifies the list of optional attributes to maintain for the entry. Table A.3. LDIF Elements in Organizational Unit Entries A.4.3. Specifying Organizational Person Entries The majority of the entries in the directory represent organizational people. In LDIF, the definition of an organizational person is as follows: dn: distinguished_name objectClass: top...
  • Page 491: Defining Directories Using LDIF

    LDIF Element Description during search operations for an organizational person. objectClass: inetOrgPerson Specifies the inetOrgPerson object class. The inetOrgPerson object class is recommended for the creation of an organizational person entry because this object class includes the widest range of attributes.
  • Page 492: LDIF File Example

    NOTE The LDIF file is read in order, so parent entries must be listed before the child entries. 4. Create the directory from the LDIF file using one of the following methods: • Initializing the database through the Directory Server Console. Use this method if there is a small database to import (less than 10,000 entries). See Section 4.1.2, “Importing a Database...
  • Page 493: Storing Information In Multiple Languages

    tel: 555-5559

    dn: cn=June Rossi,ou=People,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: June Rossi
    sn: Rossi
    givenName: June
    mail: rossi@example.com
    userPassword: {sha}KDIE3AL9DK
    ou: Accounting
    ou: people
    telephoneNumber: 2616
    roomNumber: 220

    dn: cn=Marc Chambers,ou=People,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson...
  • Page 494 When information in the directory is represented in multiple languages, the server associates language tags with attribute values. When a new entry is added, the attribute values used in the RDN (relative distinguished name, the naming attribute) must be provided without any language codes. Multiple languages can be stored for a single attribute.
  • Page 495: Finding Directory Entries

    Appendix B. Finding Directory Entries Entries in the directory can be searched for and found using any LDAP client. Most clients provide some form of search interface so that the directory can be searched easily and entry information can be easily retrieved. NOTE Users cannot search the directory unless the appropriate access control has been set in Chapter 6,...
  • Page 496: Using ldapsearch

    Figure B.2. Searching for Entries NOTE See the online help for information on using the search form. WARNING Do not modify the contents of the o=NetscapeRoot suffix using the Directory tab unless instructed to do so by Red Hat technical support. B.2.
  • Page 497: Using Special Characters

    NOTE For most Linux systems, OpenLDAP tools are already installed in the /usr/bin/ directory. These OpenLDAP tools will not work for Directory Server operations. This section contains information about the following topics: Section B.2.1, “Using Special Characters” •...
  • Page 498: Commonly Used ldapsearch Options

    explicitly specified operational attributes, use an asterisk (*) in the list of attributes in the ldapsearch command. To retrieve no attributes, just a list of the matching DNs, use the special attribute 1.1. This is useful, for example, to get a list of DNs to pass to the ldapdelete command.
  • Page 499: ldapsearch Examples

    Scope option (-s) values:
    base: searches only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable.
    one: searches only the immediate children of the entry specified in the -b option. Only the children are searched; the actual entry specified in the -b option is not searched.
  • Page 500 • SSL is enabled for the server on port 636 (the default SSL port number). • The suffix under which all data is stored is dc=example,dc=com. B.2.4.1. Returning All Entries Given the previous information, the following call will return all entries in the directory (subject to the configured size and time resource limits): ldapsearch -h mozilla -b "dc=example,dc=com"...
  • Page 501 In this example, the default scope of sub is used because the -s option was not used to specify the scope. B.2.4.6. Displaying Subsets of Attributes The ldapsearch command returns all search results in LDIF format. By default, ldapsearch returns the entry's distinguished name and all of the attributes that a user is allowed to read.
  • Page 502: LDAP Search Filters

    ldapsearch -h mozilla -s base -b "l=Bolivia\,S.A.,dc=example,dc=com" "objectclass=*"

    B.2.4.9. Using Client Authentication When Searching This example shows user bjensen searching the directory using client authentication:

    ldapsearch -h mozilla -p 636 -b "dc=example,dc=com" -N "bjensenscertname" -Z -W certdbpassword -P /home/bjensen/certdb/cert8.db "givenname=Richard"

    B.3.
  • Page 503 B.3.1.1. Using Attributes in Search Filters When searching for an entry, the attributes associated with that type of entry can be specified, such as using the cn attribute to search for people with a specific common name. Examples of attributes that people entries include are the following: •...
  • Page 504 Search Type Operator Description: Approximate (~=) Returns entries containing the specified attribute with a value that is approximately equal to the value specified in the search filter. For example, cn~=suret l~=san fransico could return cn=sarette l=san francisco.
  • Page 505: Searching An Internationalized Directory

    B.3.1.4. Search Filter Examples The following filter searches for entries containing one or more values for the manager attribute. This is also known as a presence search: manager=* The following filter searches for entries containing the common name Ray Kultgen. This is also known as an equality search: cn=Ray Kultgen The following filter returns all entries that do not contain the common name Ray Kultgen:...
  • Page 506: Matching Rule Filter Syntax

    This section focuses on the matching rule filter portion of the ldapsearch syntax. For more information on general ldapsearch syntax, see Section B.3, “LDAP Search Filters”. For information on searching internationalized directories using the Users and Groups portion of the Red Hat Console, see the online help.
  • Page 507 B.4.1.1.1. Using an OID for the Matching Rule Each locale supported by the Directory Server has an associated collation order OID. For a list of locales supported by the directory server and their associated OIDs, see Table D.1, “Supported Locales”.
  • Page 508: Supported Search Types

    B.4.1.1.4. Using a Language Tag and Suffix for the Matching Rule As an alternative to using a relational operator-value pair, append a suffix that represents a specific operator to the language tag in the matching rule portion of the filter. Combine the language tag and suffix as follows: attr:language-tag+suffix:=value For example, to search for all surnames that come at or after La Salle in the French collation order,...
  • Page 509: International Search Examples

    (=, >=, >, <, <=) in the value portion of the search string, or use a special type of operator, called a suffix (not to be confused with the directory suffix), in the matching rule portion of the filter. Table B.3, “Search Types, Operators, and Suffixes”...
  • Page 510 B.4.3.3. Equality Example Performing a locale-specific search using the equal to operator (=), or suffix (.3) searches for all attribute values that match the given attribute in a specific collation order. For example, to search for all businessCategory attributes with the value softwareprodukte in the German collation order, any of the following matching rule filters would work: businessCategory:2.16.840.1.113730.3.3.2.7.1:==softwareprodukte businessCategory:de:==softwareprodukte...
  • Page 511 uid:2.16.840.1.113730.3.3.2.49.1:=* *ming uid:zh:=* *ming uid:2.16.840.1.113730.3.3.2.49.1.6:=* *ming uid:zh.6:=* *ming Substring search filters that use DN-valued attributes, such as modifiersName or memberOf, do not always match entries correctly if the filter contains one or more space characters. To work around this problem, use the entire DN in the filter instead of a substring, or ensure that the DN substring in the filter begins at an RDN boundary;...
  • Page 513: LDAP URLs

    Appendix C. LDAP URLs LDAP URLs identify the Red Hat Directory Server instance, similarly to the way site URLs identify a specific website or web page. There are three common times when the LDAP URL of the Directory Server instance is used: •...
  • Page 514: Escaping Unsafe Characters

    Component Description cn,mail,telephoneNumber. If no attributes are specified in the URL, all attributes are returned. scope The scope of the search, which can be one of these values: base retrieves information only about the distinguished name (base_dn) specified in the URL.
  • Page 515: Examples of LDAP URLs

    Unsafe Character Escape Characters < > " C.3. Examples of LDAP URLs NOTE The LDAP URL format is described in RFC 4516, which is available at http://www.ietf.org/rfc/rfc4516.txt. Example 1 The following LDAP URL specifies a base search for the entry with the distinguished name dc=example,dc=com.
  • Page 516 • Because no search scope is specified, the search is restricted to the base entry dc=example,dc=com. • Because no filter is specified, the directory uses the default filter (objectclass=*). Example 3 The following LDAP URL retrieves the cn, mail, and telephoneNumber attributes of the entry for Barbara Jensen: ldap://ldap.example.com/cn=Barbara%20Jensen,dc=example,dc=com?cn,mail,telephoneNumber •...
  • Page 517: Internationalization

    Appendix D. Internationalization Red Hat Directory Server allows users to store, manage, and search for entries and their associated attributes in a number of different languages. An internationalized directory can be an invaluable corporate resource, providing employees and business partners with immediate access to the information they need in languages they understand.
  • Page 518: Identifying Supported Locales

    Because a locale describes cultural, customary, and regional differences in addition to mechanical language differences, the directory data can both be translated into the specific languages understood by users as well as be presented in a way that users in a given region expect. D.2.
  • Page 519: Supported Language Subtypes

    Locale  Language Tag  Collation Order Object Identifiers (OIDs)
    Hungarian 2.16.840.1.113730.3.3.2.23.1
    Icelandic 2.16.840.1.113730.3.3.2.24.1
    Japanese 2.16.840.1.113730.3.3.2.28.1
    Korean 2.16.840.1.113730.3.3.2.29.1
    Latvian, Lettish 2.16.840.1.113730.3.3.2.31.1
    Lithuanian 2.16.840.1.113730.3.3.2.30.1
    Macedonian 2.16.840.1.113730.3.3.2.32.1
    Norwegian 2.16.840.1.113730.3.3.2.35.1
    Polish 2.16.840.1.113730.3.3.2.38.1
    Romanian 2.16.840.1.113730.3.3.2.39.1
    Russian 2.16.840.1.113730.3.3.2.40.1
    Serbian (Cyrillic) 2.16.840.1.113730.3.3.2.45.1
    Serbian (Latin) 2.16.840.1.113730.3.3.2.41.1
    Slovakian 2.16.840.1.113730.3.3.2.42.1
    Slovenian...
  • Page 520: Troubleshooting Matching Rules

    Table D.2. Supported Language Subtypes (Language Tag, Language): Basque, Finnish, Faroese, French, Irish, Galician, Croatian, Hungarian, Indonesian, Icelandic, Italian, Japanese, Korean, Dutch, Norwegian, Polish, Portuguese, Romanian, Russian, Slovakian, Slovenian, Albanian, Serbian, Swedish, Turkish, Ukrainian, Chinese. D.4. Troubleshooting Matching Rules International collation order matching rules may not behave consistently.
  • Page 521 ldapsearch -p 389 -D "uid=userID,ou=people,dc=example,dc=com" -w password -b "dc=example,dc=com" "sn:2.16.840.1.113730.3.3.2.7.1.3:=passin"

    ldapsearch -p 389 -D "uid=userID,ou=people,dc=example,dc=com" -w password -b "dc=example,dc=com" "sn:de.3:=passin"...
  • Page 523: Glossary

    Glossary See ACI. access control instruction An instruction that grants or denies permissions to entries in the directory. access control instruction. See Also See ACL. access control list The mechanism for controlling access to your directory. access control list. See Also access rights In the context of access control, specify the level of access granted or denied.
  • Page 524 Glossary authentication (1) Process of proving the identity of the client user to the Directory Server. Users must provide a bind DN and either the corresponding password or certificate in order to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator.
  • Page 525 certificate A collection of data that associates the public keys of a network user with their DN in the directory. The certificate is stored in the directory as user object attributes. Certificate Authority Company or organization that sells and issues authentication certificates.
  • Page 526 A method for sharing attributes between entries in a way that is invisible to applications. CoS definition entry Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects. CoS template entry Contains a list of the shared attribute values.
  • Page 527 IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems. DNS alias A DNS alias is a hostname that the DNS server knows points to a different host specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases.
  • Page 528 hostname A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain. HTML Hypertext Markup Language. The formatting language used for documents on the World Wide Web.
  • Page 529 LDAP Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms. LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format. LDAP client Software used to request and view LDAP entries from an LDAP Directory Server.
  • Page 530 See supplier. master SNMP master agent. master agent matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability and is mathematically extremely hard to produce;...
  • Page 531 Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, filesystems, and network parameters throughout a network of computers. Powerful workstation with one or more network management network management station.
  • Page 532 access rights. See Also Encoded messages which form the basis of data exchanges between protocol data unit. SNMP devices. Also pointer CoS A pointer CoS identifies the template entry using the template DN only. presence index Allows searches for entries that contain a specific indexed attribute. protocol A set of rules that describes how devices on a network exchange information.
  • Page 533 (2) In the context of replication, when a read-only replica receives an update request, it forwards it to the server that holds the corresponding read-write replica. This forwarding process is called a referral. read-only replica A replica that refers all update operations to read-write replicas. A server can hold any number of read-only replicas.
  • Page 534 schema checking Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.
  • Page 535 A software library establishing a secure connection between two parties (client and server) used to implement HTTPS, the secure Secure Sockets Layer. version of HTTP. Also called standard index index maintained by default. sub suffix A branch underneath a root suffix. SNMP subagent.
  • Page 536 topology The way a directory tree is divided among physical servers and how these servers link with one another. See TLS. Transport Layer Security A unique number associated with each user on a Unix system. Uniform Resource Locater. The addressing system used by the server and the client to request documents.
  • Page 537: Index

    Index turning off, 375 turning on, 375 viewing, 375 account inactivation, 222 from command line, 223 access control from console, 223 ACI attribute, 143 account lockout, 219 ACI syntax, 146 configuration allowing or denying access, 153 attributes, 220 and replication, 205 configuring, 219 and schema checking, 149 using command line, 220...
  • Page 538 targetattr keyword, 149 editing, 309 targetfilter keyword, 150 multi-valued, 309 userattr and parent, 164 nsslapd-schemacheck, 314 userattr keyword, 161 OID, 309 using macro ACIs, 200 passwordChange, 211 value-based, 151 passwordExp, 211 viewing current, 179 passwordGraceLimit, 210 wildcard in target, 148 passwordInHistory, 212 wildcards, 159 passwordMaxRepeats, 213...
  • Page 539 enabling, 378 LDAP URLs, 158 viewing, 378 LDIF keywords, 157 authentication overview, 156 access control and, 169 parent keyword, 158 bind DN, 6 role access, 161 certificate-based, 360 roledn keyword, 161 LDAP URLs, 498 self keyword, 158 over SSL, 353 timeofday keyword, 167 SASL, 365 user access...
  • Page 540 overview, 57 code page, 499 using SSL, 71 collation order change operations, 28 international index, 325 add, 30 overview, 499 delete, 31 search filters and, 487 replace, 30 command line change type providing input from, 21 add, 28 command-line scripts delete, 34 db2bak, 105 LDIF, 27...
  • Page 541 creating a database importing and exporting, 56 from the command line, 49 database link from the console, 48 cascading creating a virtual DIT, 137 configuring defaults, 79 creating the directory, 473 configuring from command line, 80 custom distribution function configuring from console, 80 adding to suffix, 50 overview, 77 custom distribution logic...
  • Page 542 multiple attributes, 31 Directory Server Console object classes, 314 starting, 6 deleting directory entries, 25 directory trees denying access, 153 finding entries in, 478 precedence rule, 144 disabling suffixes, 46 directory creation, 473 disk space directory entries access log and, 375 adding using LDIF, 22 log files and, 379 creating, 14...
  • Page 543 order of deletion, 25 removing an object class, 16 general access renaming, 30 example, 159 root, 473 overview, 158 targeting, 148 get effective rights, 180 entry distribution, 48 return codes, 183 entry ID list, 336 global password policy, 207 environment variables glue entries, 300 LDAP_BASEDN, 482 greater than or equal to search...
  • Page 544 equality index, 317 ip keyword, 166 international index, 318 presence index, 317 substring index, 317 jpeg images, 468 virtual list view index, 318 indexes creating dynamically, 325 Kerberos, 365 dynamic changes to, 325 configuring, 369 presence, 320 realms, 369 indexing, 317 creating indexes from console, 324 system indexes, 320...
  • Page 545 creating entries, 23 example, 474 DNs with commas and, 26 importing from Server Console, 22 example, 23 internationalization and, 475 example of use, 23 LDIF format, 467 modifying entries, 22 LDIF update statements, 27 schema checking and, 23 adding attributes, 31 vs.
  • Page 546 OID and suffix, 489 nsslapd-timelimit attribute role in searching algorithm, 321 metaphone phonetic algorithm, 322 nsview, 137 nsviewfilter, 137 Directory Server, 397 redhat-directory.mib, 397 entity table, 399 entries table, 399 object class interaction table, 400 adding to an entry, 16 operations table, 397...
  • Page 547 operations table, 397 passwordGraceLimit attribute, 210 operations, defined, 380 passwordInHistory attribute, 212 operators passwordMaxRepeats attribute, 213 Boolean, 486 passwordMin8bit attribute, 214 international searches and, 490 passwordMinAlphas attribute, 213 search filters and, 485 passwordMinCategories attribute, 213 suffix, 490 passwordMinDigits attribute, 213 optional attributes passwordMinLowers attribute, 213 creating, 312...
  • Page 548 51 PTA plug-in, 419 read-only replica, 227 reference, 409 read-write replica, 227 referential integrity plug-in, 420 redhat-directory.mib, 397 retro changelog plug-in, 421 entity table, 399 roles plug-in, 422 entries table, 399 SHA password storage plug-in, 418 interaction table, 400...
  • Page 549 changelog, 228 and access control, 294 compatibility with earlier versions, 229 attributes, 293 configuring from the command line, 271 object class, 293 configuring legacy replication, 292 searching, 294 configuring SSL, 290 trimming, 294 consumer server, 227 retro changelog plug-in creating the supplier bind DN, 235 enabling, 293 forcing synchronization, 286 overview, 230...
  • Page 550 CRAM-MD5, 365 less than or equal to, 485 DIGEST-MD5, 365 of directory tree, 478 GSS-API, 365 presence, 485 password change extended operation, 217 specifying scope, 480 schema substring, 485 checking, 314 searching algorithm creating new attributes, 309 overview, 321 creating new object classes, 312 Secure Sockets Layer, see SSL, 353 deleting attributes, 310...
  • Page 551 overview, 393 custom distribution function, 50 subagent, 393 custom distribution logic, 50 configuration file, 394 disabling, 46 location, 394 in Directory Server, 39 starting, 395 using referrals, 45 stopping, 395 on update only, 45 testing the subagent, 395 with multiple databases, 49 suffix referrals Administration Server password file, 357 creating, 91...
  • Page 552 directory entries, 148 template entry. See CoS template entry., 122 wildcard thread in LDAP URL, 159 monitoring, 381 in target, 148 time format, 499 wildcards timeofday keyword, 167 in international searches, 490 transaction logs in matching rule filters, 490 moving, 53 WinSync, 447 tuning performance...