Summary of Contents for Netscape Directory Server 6.01 Administrator's Guide
Administrator’s Guide Netscape Directory Server Version 6.01 January 2002...
Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
Chapter 7 User Account Management ..... 257
Managing the Password Policy ...
Monitoring Replication Status ..... 322
Solving Common Replication Conflicts ...
All IDs Threshold Tuning Advice for Service Providers and Extranets ..... 368
Default All IDs Threshold Value ..... 369
Symptoms of an Inappropriate All IDs Threshold Value ...
Overview of the Directory Server Management Information Base ..... 414
About the Operations Table ..... 414
The Entries Table ...
Chapter 18 Configuring IM Presence Information ..... 481
Overview of IM Presence Information ..... 481
Schema For the Presence Plug-In ...
List of Tables
Table 2-1 Entry Templates and Corresponding Object Classes ..... 43
Table 2-2 Description of ldapmodify Parameters Used for Adding Entries ...
Table 10-2 System Indexes ..... 342
Table 10-3 Attribute Name Quick Reference Table ...
Table 15-26 Details of Referential Integrity Postoperation Plug-In ..... 447
Table 15-27 Details of Retro Change Log Plug-In ..... 449
Table 15-28 Details of Roles Plug-In ...
Netscape Directory Server Administrator’s Guide • January 2002...
Introduction Netscape Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
Prerequisite Reading
• Multiple databases: Provides a simple way of breaking down your directory data to simplify the implementation of replication and chaining in your directory service.
• Password Policy and Account Lockout: Allows you to define a set of rules that govern how passwords and user accounts are managed in the directory server.
Conventions Used in This Book
This section explains the conventions used in this book.
Monospaced font: This typeface is used for any text that appears on the computer screen or text that you should type. It is also used for filenames, functions, and examples.
Related Information • Netscape Directory Server Configuration, Command, and File Reference. Provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server. • Netscape Directory Server Schema Reference. Provides reference information about the Netscape Directory Server schema. •...
Chapter 11, "Managing SSL"
Chapter 12, "Monitoring Server and Database Activity"
Chapter 13, "Monitoring Directory Server Using SNMP"
Chapter 14, "Tuning Directory Server Performance"
Chapter 1 Introduction to Netscape Directory Server Netscape Directory Server (Directory Server) product ships with a Directory Server, an Administration Server, and Netscape Console. This chapter provides overview information about the Directory Server, and the most basic tasks you need to start administering a directory service. It includes the following sections: •...
Overview of Directory Server Management
Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources.
Configuring the Directory Manager
Start Netscape Console by entering the following command:
% /usr/netscape/servers/startconsole
The Console login window is displayed. Or, if your configuration directory (the directory that contains the o=NetscapeRoot suffix) is stored in a separate instance of Directory Server, a window is displayed requesting the administrator user id, password, and the URL of the Netscape Administration Server for that directory server.
Binding to the Directory From Netscape Console To change the Directory Manager DN and password, and the encryption scheme used for this password: Log in to the Directory Console as Directory Manager. If you are already logged in to the Console, see “Binding to the Directory From Netscape Console,”...
Starting and Stopping the Directory Server Click “Log on to the Directory Server as a New User.” A login dialog box appears. Enter the new DN and password and click OK. Enter the full distinguished name of the entry with which you want to bind to the server.
Starting and Stopping the Directory Server Starting/Stopping the Server From the Console Start the Directory Server Console. For instructions, refer to “Starting Directory Server Console,” on page 28. On the Tasks tab, click “Start the Directory Server” or “Stop the Directory Server”...
Configuring LDAP Parameters Configuring LDAP Parameters You can view and change the parameters relevant to the server’s network and LDAP settings through the Directory Server Console. This section provides information on: • Changing Directory Server Port Numbers • Placing the Entire Directory Server in Read-Only Mode •...
Configuring LDAP Parameters Enter the port number you want the server to use for non-SSL communications in the “Port” text box. The default value is 389. Enter the port number you want the server to use for SSL communications in the Encrypted Port text box.
Tracking Modifications to Directory Entries
You can configure the server to maintain special attributes for newly created or modified entries:
• creatorsName: The distinguished name of the person who initially created the entry.
• createTimestamp: The timestamp for when the entry was created, in GMT (Greenwich Mean Time) format.
Starting the Server with SSL Enabled
On Windows NT, if you are using SSL with your server, you must start the server from the server's host machine. This is because a dialog box will prompt you for the certificate PIN before the server will start.
Cloning a Directory Server
Once you have set up and configured your directory server, Netscape Console offers a simple way of duplicating your configuration on another instance of the directory server. This is a two-phase procedure: •...
Starting the Server in Referral Mode Click OK. A status box appears to confirm that the operation was successful. To dismiss it, click OK. Cloning the Directory Configuration In the Netscape Console window, expand the Server Group folder, and right-click on the directory server that you want to clone. From the pop-up menu, select Clone Server Config.
Starting the Server in Referral Mode
Run the ns-slapd refer command as follows:
prompt% ./ns-slapd refer -p port -r ldapurl
where port is the port number of the Directory Server you want to start in referral mode, and ldapurl is the referral returned to clients. For information on the format of an LDAP URL, refer to Appendix C, "LDAP URLs."...
Chapter 2 Creating Directory Entries
This chapter discusses how to use the Directory Server Console and the ldapmodify and ldapdelete command-line utilities to modify the contents of your directory. During the planning phase of your directory deployment, you should characterize the types of data that your directory will contain. You should read the Netscape Directory Server Deployment Guide before creating entries and modifying the default schema.
Managing Entries From the Directory Console • Deleting Directory Entries This section assumes some basic knowledge of object classes and attributes. For an introduction to object classes and attributes, refer to Netscape Directory Server Deployment Guide. For information on the definition and use of all schema provided with Netscape server products, refer to the Netscape Directory Server Schema Reference.
Managing Entries From the Directory Console
In the New Object window, select the object class corresponding to the new entry. The object class you select must contain the attribute you used to name the suffix. For example, if you are creating the entry corresponding to the suffix ou=people,dc=example,dc=com, then you can choose the corresponding object class (or another object class that allows the...
Managing Entries From the Directory Console These templates contain fields representing all the mandatory attributes, and some of the commonly used optional attributes. To create an entry using one of these templates, refer to “Creating an Entry Using a Predefined Template,” on page 44. To create any other type of entry, refer to “Creating Other Types of Entries,”...
Managing Entries From the Directory Console Click OK. If you selected an object class related to a type of entry for which a predefined template is available, the corresponding Create window is displayed. (See “Creating an Entry Using a Predefined Template,” on page 44). In all other cases, the Property Editor is displayed.
Managing Entries From the Directory Console Displaying the Property Editor You can start the Property Editor in several ways: • From the Directory tab, by right-clicking an entry in the left or right pane, and selecting Properties from the pop-up menu. •...
Managing Entries From the Directory Console Click OK in the Property Editor when you have finished editing the entry. The Property Editor is dismissed. Adding an Attribute to an Entry Before you can add an attribute to an entry, the entry must contain an object class that either requires or allows the attribute.
Managing Entries From the Directory Console Type in the name of the new attribute value. Click OK in the Property Editor when you have finished editing the entry. The Property Editor is dismissed. Removing an Attribute Value To remove an attribute value from an entry: On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Properties from the pop-up menu.
Managing Entries From the Directory Console
You can assign only one language subtype per attribute instance in an entry. To assign multiple language subtypes, add another attribute instance to the entry and then assign the new language subtype. For example, the following is illegal:
cn;lang-ja;lang-en-GB: Smith
Instead, use:
cn;lang-ja: ja_value...
Managing Entries From the Command Line From the Subtype drop-down list you can also assign one of two other subtypes: binary, or pronunciation. Click OK. The Add Attribute window is dismissed. When you have finished defining the information for the entry, click OK in the Property Editor.
Managing Entries From the Command Line
• Adding and Modifying Entries Using ldapmodify
• Deleting Entries Using ldapdelete
• Using Special Characters
NOTE: You cannot modify your directory unless the appropriate access control rules have been set. For information on creating access control rules for your directory, see Chapter 6, "Managing Access Control."...
Managing Entries From the Command Line
For example:
dn: dc=example,dc=com
dn: ou=People, dc=example,dc=com (People subtree entries)
dn: ou=Group, dc=example,dc=com (Group subtree entries)
Creating a Root Entry From the Command Line
You can use the ldapmodify command-line utility to create a new root entry in a database.
Managing Entries From the Command Line Adding Entries Using LDIF You can use an LDIF file to add multiple entries or to import an entire database. To add entries using an LDIF file and the Directory Server Console: Define the entries in an LDIF file. LDIF is described in Appendix A, “LDAP Data Interchange Format.”...
Managing Entries From the Command Line
To create a database suffix (such as dc=example,dc=com) using ldapmodify, you must bind to the directory as the Directory Manager.
Adding Entries Using ldapmodify
Here is a typical example of how to use the ldapmodify utility to add entries to the directory.
Managing Entries From the Command Line
Table 2-2 Description of ldapmodify Parameters Used for Adding Entries (Continued)
Optional parameter that specifies the file containing the LDIF update statements used to define the modifications. If you do not supply this parameter, the update statements are read from stdin.
Table 2-3 Description of ldapmodify Parameters Used for Modifying Entries (Continued)
Specifies the password associated with the distinguished name specified in the -D parameter.
Specifies the name of the host on which the server is running.
Specifies the port number that the server uses.
Managing Entries From the Command Line
• You have created a database administrator that has the authority to modify the entries, and whose distinguished name is cn=Directory Manager, dc=example,dc=com
• The database administrator's password is King-Pin
• The server is located on cyclops
•...
LDIF Update Statements -D "cn=Barbara Jensen,ou=Product Development,dc=example,dc=com" Depending on the command-line utility you use, you should use either single or double quotation marks for this purpose. Refer to your operating system documentation for more information. In addition, if you are using DNs that contain commas, you must escape the commas with a backslash (\).
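The escaping rule above matters beyond quoting convenience: an attribute value that contains an unescaped comma (for example a user-supplied name such as "x,ou=admins") is parsed as two RDNs, so the DN a client builds and the DN the server sees no longer agree. The following Python is an added example, not code from this guide or from Directory Server, that escapes RDN values and splits a DN string back into its components following the RFC 2253 string rules the guide's backslash advice is based on. All DNs in it are constructed sample input; multi-valued RDNs (joined with "+") are not handled.

```python
"""Escape and split LDAP distinguished names (added illustration, not
Directory Server code). Follows the RFC 2253 string representation."""
from __future__ import annotations

# Characters that must be backslash-escaped anywhere inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN string.

    Besides the special characters, a leading '#' or space and a trailing
    space are escaped, since an unescaped one is dropped or misread when
    the DN is parsed again.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns: tuple[str, str]) -> str:
    """Assemble a DN from (attribute, raw value) pairs, leaf RDN first."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def _value(buf: list[tuple[str, bool]]) -> str:
    """Join buffered chars, trimming only unescaped leading/trailing spaces."""
    while buf and buf[0] == (" ", False):
        buf = buf[1:]
    while buf and buf[-1] == (" ", False):
        buf = buf[:-1]
    return "".join(ch for ch, _ in buf)


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (attribute, unescaped value) pairs.

    A backslash escapes the next character, so an escaped comma stays
    inside the value instead of starting a new RDN. Attribute names are
    returned lower-cased.
    """
    parts: list[tuple[str, str]] = []
    buf: list[tuple[str, bool]] = []   # (char, was_escaped)
    attr = None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append((dn[i + 1], True))
            i += 2
            continue
        if attr is None and ch == "=":
            attr = _value(buf).lower()
            buf = []
        elif attr is not None and ch == ",":
            parts.append((attr, _value(buf)))
            buf = []
            attr = None
        else:
            buf.append((ch, False))
        i += 1
    if attr is not None:
        parts.append((attr, _value(buf)))
    return parts


if __name__ == "__main__":
    # Constructed sample: a cn value that itself contains a comma.
    dn = build_dn(("cn", "Jensen, Barbara"), ("ou", "Product Development"),
                  ("dc", "example"), ("dc", "com"))
    print(dn)
    print(split_dn(dn))
```

Because the escaping is applied per value rather than to the whole DN string, a value of "x,ou=admins" survives a build/split round trip as a single RDN, which is the property you want when DNs are assembled from user input.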
LDIF Update Statements
change_operation_identifier: list_of_attributes
A dash (-) must be used to denote the end of a change operation if subsequent change operations are specified. For example, the following statement adds the telephonenumber and manager attributes to the entry:
dn: cn=Lisa Jangles,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber...
LDIF Update Statements
dn: ou=People, dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: People
ou: Marketing

dn: cn=Pete Minsky,ou=People,dc=example,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Pete Minsky
givenName: Pete
sn: Minsky
ou: People
ou: Marketing
uid: pminsky

dn: cn=Sue Jacobs,ou=People,dc=example,dc=com
changetype: add...
LDIF Update Statements
The following example can be used to rename Sue Jacobs to Susan Jacobs:
dn: cn=Sue Jacobs,ou=Marketing,dc=example,dc=com
changetype: modrdn
newrdn: cn=Susan Jacobs
deleteoldrdn: 0
Because deleteoldrdn is 0, this example retains the existing RDN as a value in the new entry.
LDIF Update Statements Adds the specified attribute or attribute value. If the attribute type does not currently exist for the entry, then the attribute and its corresponding value are created. If the attribute type already exists for the entry, then the specified attribute value is added to the existing value.
LDIF Update Statements
The following example adds two telephonenumber attribute values and a manager attribute to the entry (the dash separates the two change operations):
dn: cn=Barney Fife,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 555-1212
telephonenumber: 555-6789
-
add: manager
manager: cn=Sally Nixon,ou=People,dc=example,dc=com
The following example adds a jpeg photograph to the directory. The jpeg photo can be displayed by Directory Server Gateway.
LDIF Update Statements
Changing an Attribute Value
Use changetype: modify with the replace operation to change all values of an attribute in an entry. For example, the following LDIF update statement changes Barney's manager from Sally Nixon to Wally Hensford:
dn: cn=Barney Fife,ou=People,dc=example,dc=com
changetype: modify
replace: manager...
LDIF Update Statements
For example, the following LDIF update statement deletes all instances of the telephonenumber attribute from the entry, regardless of how many times it appears in the entry:
dn: cn=Barney Fife,ou=People,dc=example,dc=com
changetype: modify
delete: telephonenumber
If you want to delete just a specific instance of the telephonenumber attribute, then you simply delete that specific attribute value.
LDIF Update Statements
Deleting an Entry
Use changetype: delete to delete an entry from your directory. You can only delete leaf entries. Therefore, when you delete an entry, make sure that no other entries exist under that entry in the directory tree. That is, you cannot delete an organizational unit entry unless you have first deleted all the entries that belong to the organizational unit.
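To make the semantics of the update statements above concrete (add; modify with add, replace and delete operations separated by a dash; modrdn with deleteoldrdn; delete restricted to leaf entries), the following Python is an added example that applies LDIF change records to an in-memory directory. It is not Directory Server code and is deliberately a subset: base64 values ("::") and escaped commas in DNs are not handled. The sample LDIF at the bottom is constructed, modelled on the guide's Sue Jacobs and Barney Fife examples.

```python
"""Apply LDIF update statements to an in-memory directory (added illustration,
not Directory Server code). Entries are a dict keyed by DN string with
case-folded attribute names; base64 values and escaped commas in DNs are not
handled."""


def _records(text):
    """Split LDIF into records, unfolding continuation lines (leading space)."""
    records, cur = [], []
    for raw in text.splitlines() + [""]:
        if raw == "" and cur:
            records.append(cur)
            cur = []
        elif raw.startswith(" ") and cur:
            cur[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            cur.append(raw)
    return records


def _field(line):
    """'name: value' -> (name, value); a lone '-' yields ('-', '')."""
    name, _, rest = line.partition(":")
    return name.strip().lower(), rest.strip()


def _modify(entry, body):
    """Run the add/replace/delete operations of a changetype: modify record."""
    op, attr, values = None, "", []
    for name, val in body + [("-", "")]:   # trailing '-' flushes the last op
        if name != "-":
            if op is None:
                op, attr = name, val.lower()
            else:
                values.append(val)
            continue
        if op == "add":
            entry.setdefault(attr, []).extend(values)
        elif op == "replace":            # every value, or the whole attribute
            entry[attr] = list(values)
        elif op == "delete":             # listed values, or the whole attribute
            entry[attr] = [v for v in entry.get(attr, []) if v not in values] if values else []
        if attr in entry and not entry[attr]:
            del entry[attr]              # an attribute with no values is removed
        op, attr, values = None, "", []


def _modrdn(directory, dn, opts):
    # Rename the entry (and any subtree); keep the old RDN value unless deleteoldrdn: 1.
    old_rdn, _, parent = dn.partition(",")
    new_rdn = opts["newrdn"]
    new_dn = f"{new_rdn},{parent}" if parent else new_rdn
    entry = directory.pop(dn)
    old_attr, old_val = old_rdn.split("=", 1)
    new_attr, new_val = new_rdn.split("=", 1)
    vals = entry.setdefault(new_attr.lower(), [])
    if new_val not in vals:
        vals.append(new_val)
    if opts.get("deleteoldrdn") == "1" and old_val in entry.get(old_attr.lower(), []):
        entry[old_attr.lower()].remove(old_val)
    directory[new_dn] = entry
    for child in [d for d in directory if d.endswith("," + dn)]:
        directory[child[: -len(dn)] + new_dn] = directory.pop(child)


def apply_ldif(directory, text):
    """Apply every record in text to directory, in order."""
    for rec in _records(text):
        fields = [_field(line) for line in rec]
        dn, body, ctype = fields[0][1], fields[1:], "add"
        if body and body[0][0] == "changetype":
            ctype, body = body[0][1], body[1:]
        if ctype == "add":
            if dn in directory:
                raise KeyError(f"entry exists: {dn}")
            entry = directory[dn] = {}
            for name, val in body:
                entry.setdefault(name, []).append(val)
        elif ctype == "delete":          # only leaf entries may be deleted
            if any(d.endswith("," + dn) for d in directory):
                raise ValueError(f"not a leaf: {dn}")
            del directory[dn]
        elif ctype == "modify":
            _modify(directory[dn], body)
        elif ctype == "modrdn":
            _modrdn(directory, dn, dict(body))


# Constructed sample, modelled on the guide's examples.
SAMPLE_LDIF = """dn: cn=Sue Jacobs,ou=People,dc=example,dc=com
changetype: add
cn: Sue Jacobs
sn: Jacobs

dn: cn=Sue Jacobs,ou=People,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: 555-1212
telephonenumber: 555-6789
-
add: manager
manager: cn=Sally Nixon,ou=People,dc=example,dc=com
-
delete: telephonenumber
telephonenumber: 555-6789

dn: cn=Sue Jacobs,ou=People,dc=example,dc=com
changetype: modrdn
newrdn: cn=Susan Jacobs
deleteoldrdn: 0
"""


def demo():
    """Apply the sample and return the resulting directory."""
    directory = {}
    apply_ldif(directory, SAMPLE_LDIF)
    return directory
```

Running demo() leaves one entry, cn=Susan Jacobs, that still carries "Sue Jacobs" as a cn value (deleteoldrdn: 0), one telephone number, and the manager value; a delete of a non-leaf entry raises, which is the server's "only leaf entries" rule.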
dn: bjensen,dc=example,dc=com
changetype: modify
replace: homePostalAddress;lang-fr
homePostalAddress;lang-fr: 34 rue de Seine
Maintaining Referential Integrity
Referential integrity is a database mechanism that ensures relationships between related entries are maintained. In the Directory Server, referential integrity can be used to ensure that an update to one entry in the directory is correctly reflected in any other entries that may refer to the updated entry.
Maintaining Referential Integrity • Select the attributes to which you apply referential integrity • Disable referential integrity Using Referential Integrity with Replication There are certain limitations associated with the use of the referential integrity plug-in in a replication environment: • You should never enable it on a dedicated consumer server (a server that contains only read-only replicas).
Maintaining Referential Integrity From the Directory Server Console On the Directory Server Console, select the Configuration tab. For information on starting the Directory Server Console, refer to “Using the Directory Server Console,” on page 28. Expand the Plugins folder in the navigation tree, and select the Referential Integrity Postoperation plugin.
Maintaining Referential Integrity
Modifying the Update Interval
By default, the server makes referential integrity updates immediately after a delete or a modrdn operation. If you want to reduce the impact this operation has on your system, you may want to increase the amount of time between updates. Although there is no maximum update interval, the following intervals are commonly used: •...
Maintaining Referential Integrity
Modifying the Attribute List
By default, referential integrity is set up to update the member, uniquemember, owner, and seeAlso attributes. You can add or delete attributes to be updated from the Directory Server Console.
From the Directory Server Console
On the Directory Server Console, select the Configuration tab.
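The following Python is an added example, not the plug-in's code, of the post-operation behaviour the section above describes: after a delete the affected DN is removed from every member, uniquemember, owner and seeAlso value that names it, and after a modrdn those values are rewritten to the new DN. DN comparison is done on a normalised form (case-folded, spaces around commas dropped), because references are often stored with different spacing or case than the entry's own DN. The directory and entries are constructed sample data; the rename helper does not update the entry's own RDN attribute, which modrdn itself does.

```python
"""Referential-integrity post-operation on an in-memory directory (added
illustration of what the guide says the plug-in does; not the plug-in's
own code)."""

DEFAULT_ATTRS = ("member", "uniquemember", "owner", "seealso")


def norm_dn(dn):
    """Fold case and drop spaces around commas so equivalent DNs compare equal."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def fix_references(directory, old_dn, new_dn=None, attrs=DEFAULT_ATTRS):
    """Rewrite references to old_dn (new_dn given) or drop them (new_dn None).

    Returns the number of attribute values touched. An attribute left with
    no values is removed from the entry.
    """
    target, touched = norm_dn(old_dn), 0
    for entry in directory.values():
        for attr in attrs:
            if attr not in entry:
                continue
            kept = []
            for value in entry[attr]:
                if norm_dn(value) != target:
                    kept.append(value)
                    continue
                touched += 1
                if new_dn is not None:
                    kept.append(new_dn)
            if kept:
                entry[attr] = kept
            else:
                del entry[attr]
    return touched


def delete_entry(directory, dn):
    """Delete a leaf entry, then run the post-operation on the rest."""
    if any(norm_dn(d).endswith("," + norm_dn(dn)) for d in directory):
        raise ValueError(f"not a leaf: {dn}")
    del directory[dn]
    return fix_references(directory, dn, None)


def rename_entry(directory, dn, new_rdn):
    """modrdn an entry under the same parent, then rewrite references to it."""
    _, _, parent = dn.partition(",")
    new_dn = f"{new_rdn},{parent}" if parent else new_rdn
    directory[new_dn] = directory.pop(dn)
    return fix_references(directory, dn, new_dn)


def demo():
    """Constructed sample: a group whose values reference two users."""
    directory = {
        "uid=pminsky,ou=people,dc=example,dc=com": {"uid": ["pminsky"]},
        "uid=sjacobs,ou=people,dc=example,dc=com": {"uid": ["sjacobs"]},
        "cn=Marketing,ou=groups,dc=example,dc=com": {
            "uniquemember": ["uid=pminsky,ou=People,dc=example,dc=com",
                             "uid=sjacobs, ou=People, dc=example, dc=com"],
            "owner": ["uid=sjacobs,ou=people,dc=example,dc=com"],
        },
    }
    delete_entry(directory, "uid=pminsky,ou=people,dc=example,dc=com")
    rename_entry(directory, "uid=sjacobs,ou=people,dc=example,dc=com", "uid=susan")
    return directory
```

After demo() the group no longer lists the deleted user and both its remaining references point at the renamed DN, which is the state the plug-in is meant to guarantee so that group membership and ownership do not silently dangle.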
Chapter 3 Configuring Directory Databases Your directory is made up of databases over which you can distribute your directory tree. This chapter describes how to create suffixes, the branch points for your directory tree, and how to create the databases associated with each suffix. This chapter also describes how to create database links to reference databases on remote servers and how to use referrals to point clients to external sources of directory data.
Creating and Maintaining Suffixes
Figure 3-1 A Sample Directory Tree with One Root Suffix
The ou=people suffix and all the entries and nodes below it might be stored in one database, the ou=groups suffix on another database, and the ou=contractors suffix on yet another database. This section describes creating suffixes on your directory server and associating them with databases.
Creating and Maintaining Suffixes
Figure 3-2 A Sample Directory Tree with Two Root Suffixes
You can also create root suffixes to exclude portions of your directory tree from search operations. For example, example.com Corporation might want to exclude their European office from a search on the general example.com Corporation directory.
Creating and Maintaining Suffixes
Figure 3-4 A Sample Directory Tree with a Sub Suffix
This section describes creating root and sub suffixes for your directory using either the Directory Server Console or the command line. This section contains the following procedures: •...
Creating and Maintaining Suffixes
If you selected the "Create associated database automatically" checkbox in step 4, enter a unique name for the new database in the "Database name" field. Use only ASCII (7-bit) characters for naming the database. This value cannot contain commas, tabs, an equals sign (=), asterisk (*), backslash (\), forward slash (/), plus sign (+), quote ('), double quote ("), or a question mark (?).
Creating and Maintaining Suffixes
Click OK to create the new sub suffix. The suffix appears automatically under its root suffix in the Data tree in the left navigation pane.
Creating Root and Sub Suffixes From the Command Line
Use the ldapmodify command-line utility to add new suffixes to your directory configuration file.
Creating and Maintaining Suffixes
To create a sub suffix for groups under this root suffix, you would do an ldapmodify operation to add the following entry:
dn: cn="ou=groups,dc=example,dc=com",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: GroupData
nsslapd-parent-suffix: "dc=example,dc=com"
cn: ou=groups,dc=example,dc=com
NOTE: If you want to maintain your suffixes using the Directory Server...
Creating and Maintaining Suffixes
Table 3-1 Suffix Attributes (Continued)
nsslapd-state: Determines how the suffix handles operations. This attribute takes the following values:
• backend: the backend (database) is used to process all operations.
• disabled: the database is not available for processing operations.
nsslapd-parent-suffix: Provides the DN of the parent entry for a sub suffix. By default, this attribute is not present, which means that the suffix is regarded as a root suffix.
Creating and Maintaining Suffixes Click Add to add the referral to the list. You can enter multiple referrals. The directory will return the entire list of referrals in response to requests from client applications. Click Save. Enabling Referrals Only During Update Operations You may want to configure your directory to redirect update and write requests made by client applications to a read-only database.
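The mapping tree entries above (nsslapd-state, nsslapd-backend, nsslapd-parent-suffix, and the referral list) decide, for each incoming operation, whether a local database answers, whether the client is referred elsewhere, or whether the suffix is unavailable. The following Python is an added example of that routing decision, not Directory Server code: the longest matching suffix wins (so a sub suffix shadows its root), a disabled suffix refuses the operation, and a suffix in the "referral on update" state serves reads locally but refers writes, which is the read-only-database case described just above. The referral URL attribute name (nsslapd-referral) and the "referral on update" state value come from the product's mapping tree configuration rather than from this page; the suffixes in SAMPLE are constructed.

```python
"""Route an LDAP operation through a mapping tree to a backend or a referral
(added illustration of the suffix states described in the guide; not
Directory Server code)."""
from dataclasses import dataclass, field


def norm_dn(dn):
    """Fold case and drop spaces around commas so DNs compare equal."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


@dataclass
class Suffix:
    dn: str                    # the suffix (cn of the mapping tree entry)
    state: str                 # backend | disabled | referral | referral on update
    backend: str = ""          # nsslapd-backend
    referrals: list = field(default_factory=list)   # nsslapd-referral URLs
    parent: str = ""           # nsslapd-parent-suffix; empty for a root suffix


def route(suffixes, target_dn, is_update=False):
    """Return ("backend", name), ("referral", [urls]) or ("error", reason).

    The longest matching suffix wins, so a sub suffix shadows its root and
    an entry under ou=groups is served by the groups database even though
    dc=example,dc=com also contains it.
    """
    target = norm_dn(target_dn)
    best = None
    for s in suffixes:
        sd = norm_dn(s.dn)
        if target == sd or target.endswith("," + sd):
            if best is None or len(sd) > len(norm_dn(best.dn)):
                best = s
    if best is None:
        return ("error", "noSuchObject")          # no suffix holds this DN
    if best.state == "disabled":
        return ("error", "unwillingToPerform")
    if best.state == "referral" or (best.state == "referral on update" and is_update):
        return ("referral", list(best.referrals))
    return ("backend", best.backend)


# Constructed sample: a root suffix, a sub suffix for groups, a read-only
# subtree that refers updates to another server, and a disabled suffix.
SAMPLE = [
    Suffix("dc=example,dc=com", "backend", "UserData"),
    Suffix("ou=groups,dc=example,dc=com", "backend", "GroupData",
           parent="dc=example,dc=com"),
    Suffix("ou=europe,dc=example,dc=com", "referral on update", "EuropeData",
           ["ldap://eu.example.com:389/"], parent="dc=example,dc=com"),
    Suffix("dc=archive,dc=com", "disabled", "ArchiveData"),
]

if __name__ == "__main__":
    for dn, upd in [("uid=x,ou=People,dc=example,dc=com", False),
                    ("cn=g,ou=Groups,dc=example,dc=com", False),
                    ("uid=x,ou=europe,dc=example,dc=com", True),
                    ("dc=archive,dc=com", False)]:
        print(dn, "update" if upd else "read", "->", route(SAMPLE, dn, upd))
```

Note that the search-base case is intentionally simple here: a search based at dc=example,dc=com is routed to UserData only, whereas the real server also has to consult the sub suffix databases for entries below ou=groups.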
Creating and Maintaining Databases To disable a suffix: On the Directory Server Console select the Configuration tab. Under Data in the left navigation pane, click the suffix you want to disable. Click the Suffix Setting tab. Deselect the “Enable this suffix” checkbox. A red dot appears on the Suffix Setting tab to alert you to changes that need to be saved.
Creating and Maintaining Databases This section contains information about creating databases to contain your directory data, deleting databases, and making databases temporarily read-only. Creating Databases Directory Server supports the use of multiple databases over which you can distribute your directory tree. There are two ways you can distribute your data across multiple databases: •...
Creating and Maintaining Databases
Database one contains the data for ou=people plus the data for dc=example,dc=com, so that clients can conduct searches based at dc=example,dc=com. Database two contains the data for ou=groups, and database three contains the data for ou=contractors. •...
Creating and Maintaining Databases Creating a New Database for an Existing Suffix Using the Console The following procedure describes adding a database to a suffix you have already created: In the Directory Server Console, select the Configuration tab. In the left pane, expand Data then click the suffix to which you want to add the new database.
Creating and Maintaining Databases
Add a new entry to the configuration file by performing an ldapmodify as follows:
ldapmodify -a -h example1 -p 389 -D "cn=directory manager" -w secret
The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file.
Creating and Maintaining Databases Once Netscape Professional Services has helped you create a custom distribution logic plug-in, you need to add it to your directory. The following procedures describe adding distribution logic to a suffix in your directory. Adding the Custom Distribution Function to a Suffix The distribution logic is a function declared in a suffix.
Creating and Maintaining Databases
For more information about using the ldapmodify command-line utility, refer to "Adding and Modifying Entries Using ldapmodify," on page 53.
Maintaining Directory Databases
This section describes jobs associated with maintaining your directory databases. It includes the following procedures: •...
Creating and Maintaining Database Links
Making a Database Read-Only From the Command Line
If you want to manually place a database into read-only mode, you must change the read-only attribute, nsslapd-readonly. To do so, use the ldapmodify command-line utility.
Creating and Maintaining Database Links You can create and configure a database link using Directory Server Console or the command line. The following sections describe the procedures for creating and maintaining a database link: • Configuring the Chaining Policy • Creating a New Database Link •...
Creating and Maintaining Database Links You must also create an ACI on the remote server to allow the plug-in you specify to perform its operations on the remote server. You create the ACI in the suffix assigned to the database link. The following table lists component names, the potential side-effects of allowing them to chain internal operations, and the permissions they need in the ACI you create on the remote server:...
Creating and Maintaining Database Links
Table 3-2 Components Allowed to Chain (Continued)
Referential integrity plug-in: This plug-in ensures that updates made to attributes containing DNs are propagated to all entries that contain pointers to the attribute. Permissions: Read, write, search, and compare.
Creating and Maintaining Database Links Expand Data in the left pane and click Database Link Settings. Select the Settings tab in the right window. To add a component to the “Components allowed to chain” list, click Add. The “Select Components to Add” dialog box displays. Select a component from the list and click OK.
Creating and Maintaining Database Links Chaining LDAP Controls You can choose to not chain operation requests made by LDAP controls. By default, requests made by the following controls are forwarded to the remote server by the database link: • Virtual list view (VLV)—This control provides lists of parts of entries rather than returning all entry information.
Creating and Maintaining Database Links
Chaining LDAP Controls From the Command Line
You can alter the controls that the database link forwards by changing the nsTransmittedControls attribute of the cn=config,cn=chaining database,cn=plugins,cn=config entry. For example, to forward the virtual list view control, you add the following to your database link entry in the configuration file:
nsTransmittedControls: 2.16.840.1.113730.3.4.9
Creating and Maintaining Database Links List of failover servers. You can provide a list of alternative servers for the database link to contact in the event of a failure. This configuration item is optional. The following sections describe creating a new database link from the Directory Server Console as well as the command line.
Creating and Maintaining Database Links Enter the password used by the database link to bind to the remote server in the “Password” field. Select the “Use a secure LDAP connection between servers” checkbox if you want the database link to use SSL to communicate to the remote server. Enter the name of the remote server in the “Remote server”...
Creating and Maintaining Database Links
Each database link contains its own specific configuration information, which is stored with the database link entry itself, database_link_name,cn=chaining database,cn=plugins,cn=config. For more information about configuration attributes, refer to the Netscape Directory Server Configuration, Command, and File Reference.
Creating and Maintaining Database Links Create an administrative user for the database link. For information on adding entries, see “Creating Directory Entries,” on page 41. Provide proxy access rights for the administrative user created in step 1 on the subtree chained to by the database link. For more information on configuring ACI’s, refer to “Managing Access Control,”...
Creating and Maintaining Database Links
The database link on server A binds to server B using a special user as defined in the nsMultiplexorBindDN attribute and a user password as defined in the nsMultiplexorCredentials attribute. In this example, server A uses the following bind credentials:
nsMultiplexorBindDN: cn=proxy admin,cn=config
Creating and Maintaining Database Links
Providing an LDAP URL
On the server containing your database link, you have to identify the remote server that the database link connects with using an LDAP URL. Unlike the standard LDAP URL format, the URL of the remote server does not specify a suffix. It takes the following form:
ldap://servername:portnumber
Creating and Maintaining Database Links
The two global configuration attributes are located in the cn=config,cn=chaining database,cn=plugins,cn=config entry. The global attributes are dynamic, meaning any changes you make to them will automatically take effect on all instances of the database link within your directory. Values defined for a specific database link take precedence over the global attribute value.
Creating and Maintaining Database Links
Table 3-4 Database Link Configuration Attributes (Continued)
*nsActiveChainingComponents: Lists the components using chaining. A component is any functional unit in the server. The value of this attribute in the database link instance overrides the value in the global configuration attribute. To disable chaining on a particular database instance, use the value none.
Creating and Maintaining Database Links
First, use the ldapmodify command-line utility to add a database link to server A. Type the following to change to the directory containing the utility:
cd /usr/netscape/servers/shared/bin
Run the script as follows:
ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com
Then specify the configuration information for the database link:
dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config
Creating and Maintaining Database Links
nsslapd-state: backend
nsslapd-backend: DBLink1
nsslapd-parent-suffix: "ou=people,dc=example,dc=com"
cn: l=Zanzibar,ou=people,dc=example,dc=com
In the first section, the nsslapd-suffix attribute contains the suffix on server B that you want to chain to from server A. The nsFarmServerURL attribute contains the LDAP URL of server B. The second section creates a new suffix, allowing the server to route requests made to the new database link.
Creating and Maintaining Database Links NOTE When a user binds to a database link, the user’s identity is sent to the remote server. Access controls are always evaluated on the remote server. For the user to successfully modify or write data to the remote server, you need to set up the correct access controls on the remote server.
Creating and Maintaining Database Links
Maintaining Database Links
This section describes how to update and delete existing database links. It contains the following procedures:
• Updating Remote Server Authentication Information
• Deleting Database Links
Updating Remote Server Authentication Information
To update the bind DN and password used by the database link to connect to the remote server: On the Directory Server Console, select the Configuration tab.
From the Object menu, select Delete. You can also right-click the database link and select Delete from the pop-up menu. The Deleting Database Link confirmation dialog box is displayed. Click Yes to confirm that you want to delete the database link. A progress dialog box appears telling you the steps the directory server completes during the deletion.
• ACIs that refer to values of a user's entry (for example, userattr subject rules) will work if the user is remote.
Though access controls are always evaluated on the remote server, you can also choose to have them evaluated on both the server containing the database link and the remote server.
Managing Connections to the Remote Server
Each database link maintains a pool of connections to a remote server. You can configure the connections to optimize resources for your directory. You can change the connection attributes using the Directory Server Console or through the command line.
Connection lifetime (sec). How long a connection made between the database link and remote server remains open. You can keep connections between the database link and the remote server open for an unspecified time, or you can close them after a specific period of time.
Table 3-5 Database Link Connection Management Attributes (Continued)
nsBindRetryLimit: Number of times a database link attempts to bind to the remote server. A value of zero (0) indicates that the database link will try to bind only once. The default value is 3 attempts.
Connection lifetime, in seconds.
nsMaxResponseDelay: If the remote server does not respond before the period has passed, then an error is returned and the connection is flagged as down. All connections between the database link and remote server will be blocked for 30 seconds, protecting your server from a performance degradation.
While the database link waits for results from the remote server, it can process additional operations. By default, the number of threads used by the server is 20. However, when using database links, you can improve performance by increasing the number of threads available for processing operations.
The client application sends a modify request to server one. Server one contains a database link that forwards the operation to server two, which contains another database link. The database link on server two forwards the operation to server three, which contains the data the client wants to modify in a database.
The root suffix dc=example,dc=com and the sub suffixes ou=people and ou=groups are stored on Server A. The l=europe,dc=example,dc=com suffix and its ou=groups branch are stored on Server B, and the ou=people branch of l=europe,dc=example,dc=com is stored on Server C. With cascading configured on servers A, B, and C, a client request targeted at an entry in that branch would be routed by the...
First the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the branch.
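The routing the three-server example describes can be modelled in a few lines. The following Python is an added example and not code from the Netscape guide: it models a mapping tree as a longest-suffix match over a server's suffixes, a database link as a backend whose nsFarmServerURL names the next server, and walks a request through Servers A, B and C as laid out above. The server names, the backend names, the request DN and the hop limit that stops a misconfigured loop are assumptions of the model.

```python
"""Suffix routing across chained Directory Servers (model).

Added example, not code from the Netscape guide. Server names, backend
names, the request DN and the hop limit are assumptions of the model.
"""
from typing import Dict, List, Optional, Tuple


def normalize_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into lower-cased RDN components on unescaped commas."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":
            parts.append(current.strip().lower())
            current = ""
        else:
            current += ch
    parts.append(current.strip().lower())
    return tuple(parts)


def is_under(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies somewhere below it."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


class Backend:
    """A local database (farm_server None) or a database link to another server."""
    def __init__(self, name: str, farm_server: Optional[str] = None):
        self.name, self.farm_server = name, farm_server


class Server:
    def __init__(self, name: str, mapping_tree: Dict[str, Backend]):
        self.name, self.mapping_tree = name, mapping_tree

    def select_backend(self, dn: str) -> Optional[Backend]:
        """Longest-suffix match, which is how the mapping tree picks a backend."""
        best_suffix, best = None, None
        for suffix, backend in self.mapping_tree.items():
            if not is_under(dn, suffix):
                continue
            if best_suffix is None or len(normalize_dn(suffix)) > len(normalize_dn(best_suffix)):
                best_suffix, best = suffix, backend
        return best


def route(servers: Dict[str, Server], start: str, dn: str, hop_limit: int = 10) -> List[Tuple[str, str]]:
    """Hops (server, backend) a request for dn takes, ending at a local database.

    LookupError if no server on the path holds the suffix; RuntimeError if the
    chain exceeds hop_limit (assumed guard against links pointing at each other).
    """
    hops, current = [], start
    while len(hops) <= hop_limit:
        backend = servers[current].select_backend(dn)
        if backend is None:
            raise LookupError(f"{current}: no suffix holds {dn}")
        hops.append((current, backend.name))
        if backend.farm_server is None:
            return hops
        current = backend.farm_server
    raise RuntimeError("hop limit exceeded; do two database links point at each other?")


def build_cascade() -> Dict[str, Server]:
    """Servers A, B and C as described in the text (backend names are assumed)."""
    a = Server("A", {
        "dc=example,dc=com": Backend("userRoot"),
        "ou=people,dc=example,dc=com": Backend("people"),
        "ou=groups,dc=example,dc=com": Backend("groups"),
        "l=europe,dc=example,dc=com": Backend("DBLink1", farm_server="B"),
    })
    b = Server("B", {
        "l=europe,dc=example,dc=com": Backend("europe"),
        "ou=groups,l=europe,dc=example,dc=com": Backend("europeGroups"),
        "ou=people,l=europe,dc=example,dc=com": Backend("DBLink2", farm_server="C"),
    })
    c = Server("C", {
        "ou=people,l=europe,dc=example,dc=com": Backend("europePeople"),
    })
    return {s.name: s for s in (a, b, c)}


if __name__ == "__main__":
    # Constructed request DN in the ou=people branch that Server C holds.
    print(route(build_cascade(), "A", "uid=jdoe,ou=people,l=europe,dc=example,dc=com"))
```

Running it prints the three hops for the constructed DN: Server A via DBLink1, Server B via DBLink2, then the local database on C. A DN under ou=groups,l=europe stops at B, and a DN under ou=people,dc=example,dc=com never leaves A, which is the longest-suffix rule at work.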
Select the "Check local ACI" checkbox if you want to enable the evaluation of local ACIs on the intermediate database links involved in cascading chaining. If you select this checkbox, you will need to add the appropriate local ACIs to a database on the servers that contain intermediate database links.
Configuring Cascading Chaining From the Command Line
Configuring a cascade of database links through the command line involves the following steps:
• Pointing one database link to the URL of the server containing the intermediate database link.
Creating the Proxy Administrative User ACI
You need to create an ACI on the server that contains the intermediate database link that checks the rights of the first database link before translating the request to another server.
Setting this attribute to on in the cn=default instance config,cn=chaining database,cn=plugins,cn=config entry means that all new database link instances will have the nsCheckLocalACI attribute set to on in their cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry.
Creating Client ACIs
Because you have enabled local ACI evaluation, you need to create the appropriate client application ACIs on all intermediate database links as well as the final destination database.
Summary of Cascading Chaining Configuration Attributes
The following table describes the attributes used to configure intermediate database links in a cascading chain:
Table 3-7 Cascading Chaining Configuration Attributes
nsFarmServerURL: URL of the server containing the next database link in the cascading chain.
nsTransmittedControls: Enter the following OIDs to the database links involved in the cascading chain: nsTransmittedControls: 2.16.840.1.113730.3.4.12...
Configuring Server One
First, use the ldapmodify command-line utility to add a database link to server one. To use the utility, type the following to change to the directory containing the utility:
cd /usr/netscape/servers/shared/bin
Run the utility as follows:
ldapmodify -a -D "cn=directory manager"...
Then specify the configuration information for the database link, DBLink1, on server one as follows:
dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: l=Zanzibar,c=africa,ou=people,dc=example,dc=com
nsfarmserverurl: ldap://africa.example.com:389/
nsmultiplexorbinddn: cn=server1 proxy admin,cn=config
nsmultiplexorcredentials: secret
cn: DBLink1
nsCheckLocalACI: off
dn: cn="l=Zanzibar,c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config...
The nsmultiplexorcredentials value is the password server one presents to server two. It is part of the server configuration, so the file permissions on the configuration directory and its backups are what protect it.
Configuring Server Two
Next, you create a proxy administrative user on server two. This administrative user allows server one to bind and authenticate to server two. Choose a proxy administrative user name that is specific to server one, since this is the identity server one uses to bind to server two.
Since database link DBLink2 is the intermediate database link in your cascading chaining configuration, you need to set nsCheckLocalACI to on, to allow the server to check whether or not it should allow the client and proxy administrative user access to the database link.
NOTE To create these ACIs it is assumed that the database corresponding to the suffix c=africa,ou=people,dc=example,dc=com already exists to hold the entry. This database needs to be associated with a suffix above the suffix specified in the nsslapd-suffix attribute of each database link.
dn: cn=server2 proxy admin,cn=config
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: server2 proxy admin
sn: server2 proxy admin
userPassword: secret
description: Entry for use by database links
Then you need to add the same local proxy authorization ACI to server three as you did on server two.
Using Referrals
You can use referrals to tell client applications which server to contact for a specific piece of information. This redirection occurs when a client application requests a directory entry that does not exist on the local server or when a database has been taken offline for maintenance.
Setting a Default Referral From the Command Line
Use the ldapmodify command-line utility to add a default referral to the cn=config entry in your directory configuration file. For example, to add a new default referral from your directory server, example.com, to another server, add a new line to the...
Creating Smart Referrals Using the Directory Server Console
On the Directory Server Console, select the Directory tab. Browse through the tree in the left navigation pane and select the entry for which you want to add the referral. Double-click the entry.
Creating Smart Referrals From the Command Line
Use the ldapmodify command-line utility to create smart referrals from the command line. To create a smart referral, create the relevant directory entry and add the Referral object class. This object class allows a single attribute.
Creating Suffix Referrals
The following procedure describes creating a referral in a suffix. This means that the suffix processes operations using a referral rather than a database or database link. For more information about referrals, refer to the Netscape Directory Server Deployment Guide.
For example, to add a new suffix referral to the ou=people,dc=example,dc=com root suffix, you do an ldapmodify. First, type the following to change to the directory containing the utility:
cd /usr/netscape/servers/shared/bin
Then, run ldapmodify as follows:
ldapmodify -a -h example.com -p 389 -D "cn=directory manager" -w secret
The ldapmodify utility binds to the server and prepares it to add information to...
Chapter 4 Populating Directory Databases Databases contain the directory data managed by your Netscape Directory Server (Directory Server). This chapter describes the following procedures for populating your directory databases: • Importing Data (page 137) • Exporting Data (page 144) • Backing Up and Restoring Data (page 148) •...
Importing Data
Table 4-1 Import Method Comparison
Property | Import | Initialize Database
Overwrites database | No | Yes
LDAP operations | Add, modify, delete | Add only
Performance | More time consuming | Fast
Partition speciality | Works on all partitions | Local partitions only
Response to server failure | Best effort (all changes made up to the point of the failure are kept) | Atomic (all changes are lost after a failure)
To import data from the Directory Server Console: On the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and select Import Database. You can also import by going to the Configuration tab and selecting "Import" from the Console menu.
Initializing a Database From the Console
You can overwrite the existing data in a database. The following section describes using the console to initialize databases. You must be logged in as the Directory Manager in order to initialize a database. This is because you cannot import an LDIF file that contains a root entry unless you bind to the directory as the Directory Manager (Root DN).
Importing From the Command Line
You can use three methods for importing data through the command line:
• Using ldif2db. This import method overwrites the contents of your database and requires the server to be stopped.
• Using ldif2db.pl. This import method overwrites the contents of your database while the server is still running.
Two examples of performing an import using ldif2db follow:
Windows NT batch file:
ldif2db.bat -n Database1 -i c:\netscape\servers\slapd-dirserver\ldif\demo.ldif -i c:\netscape\servers\slapd-dirserver\ldif\demo2.ldif
UNIX shell script:
ldif2db -n Database1 -i /usr/netscape/servers/slapd-dirserver/ldif/demo.ldif -i /usr/netscape/servers/slapd-dirserver/ldif/demo2.ldif
The following table describes the ldif2db options used in the examples: Option Name Description...
Run the ldif2db.pl perl script. For more information about using this perl script, refer to Netscape Directory Server Configuration, Command, and File Reference. Two examples of performing an import using ldif2db.pl follow:
Windows NT batch file:
..\bin\slapd\admin\bin\perl ldif2db.pl -D "cn=Directory Manager" -w secretpwd -i c:\netscape\servers\slapd-dirserver\ldif\demo.ldif -n Database1
You need to run the script from the following directory on NT...
Exporting Data
To import LDIF using ldif2ldap: From the command line, change to the following directory:
/usr/netscape/servers/slapd-serverID
where serverID is the name of your directory server. Run the ldif2ldap command-line script. For more information about using this script, refer to Netscape Directory Server Configuration, Command, and File Reference.
Figure 4-1 Splitting a Database's Contents into Two Databases
Populating the new databases requires exporting the contents of database one and importing it into the new databases one and two. You can use the Directory Server Console or command-line utilities to export data. The following sections describe these methods in detail: •...
To export directory data to LDIF from the Directory Server Console while the server is running: On the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and click Export Database(s). To export all of your databases, you can also select the Configuration tab and select Export from the Console menu.
Expand the Data tree in the left navigation pane. Expand the suffix maintained by the database you want to export. Select the database under the suffix that you want to export. Right-click the database and select Export Database. You can also select Export Database from the Object menu.
Backing Up and Restoring Data
Option Name / Description:
• Specifies the name of the database from which the file is being exported.
• Defines the output file in which the server saves the exported LDIF. This file is stored by default in the directory where the command-line script resides.
Backing Up All Databases From the Server Console
When you back up your databases from the Directory Server Console, the server copies all of the database contents and associated index files to a backup location. You can perform a backup while the server is running.
Run the db2bak command-line script. For more information about using this script, refer to Netscape Directory Server Configuration, Command, and File Reference. Two examples of performing a backup using db2bak follow:
Windows NT batch file:
db2bak \usr\netscape\servers\slapd-dirserver\bak\bak_20010701103056
UNIX shell script:
db2bak /usr/netscape/servers/slapd-dirserver/bak/bak_20010701103056...
Backing Up the dse.ldif Configuration File
Directory Server automatically backs up the dse.ldif configuration file. When you start your directory server, the directory automatically creates a backup of the dse.ldif file named dse.ldif.startOK in the serverID...
where serverID is the name of your directory server and backup_name is the name of the backup file. Click OK to restore your databases.
Restoring Your Database From the Command Line
You can restore your databases from the command line by using the following scripts: •...
Using bak2db.pl Perl Script
To restore your directory from the command line while the server is running: At the command prompt, change to the following directory:
/usr/netscape/servers/slapd-serverID
where serverID is the name of your directory server. Run the bak2db.pl perl script.
Restoring a Single Database
To restore a single database: At the command prompt, change to the following directory:
cd /usr/netscape/servers/slapd-serverID
where serverID is the name of your directory server. If the server is running, type the following to shut it down:
./stop-slapd
Change to the directory containing the backup you want to restore.
Enabling and Disabling Read-Only Mode Directory Server automatically detects the compatibility between the replica and its change log. If a mismatch is detected, the server removes the old change log file and creates a new, empty one. • Change log entries have expired on the supplier server since the time of the local backup.
Enabling Read-Only Mode
On the Directory Server Console, select the Configuration tab, and expand the Data folder in the navigation tree. Select the database that you want to place in read-only mode, and click the Database Settings tab in the right pane.
Chapter 5 Advanced Entry Management You can group the entries contained by your directory to simplify the management of user accounts. Netscape Directory Server (Directory Server) supports a variety of methods for grouping entries and sharing attributes between entries. This chapter describes the following grouping mechanisms and their procedures: •...
Using Groups Managing Static Groups Static groups allow you to group entries by specifying the same group value in the DN attribute of any number of users. This section includes the following procedures for creating and modifying static groups: • Adding a New Static Group •...
Modifying a Static Group
In the Directory Server Console, select the Directory tab. The directory contents appear in the left pane. Double-click the entry you want to modify or select Open from the Object menu. The Edit Group dialog box appears. Make your changes to the group information.
Double-click the entry you want to modify or select Properties from the Object menu. The Edit Group dialog box appears. Make your changes to the group information. Click OK. To view your changes, go to the View menu and select Refresh.
Using Roles
Roles are a new entry grouping mechanism that unifies the static and dynamic groups described in the previous sections.
• Remove a particular role from a given entry.
You can do everything you would normally do with static groups with managed roles, and you can filter members using filtered roles as you used to do with dynamic groups. Roles are easier to use than groups, more flexible in their implementation, and reduce client complexity.
• Deleting a Role
When you create a role, you need to decide whether a user can add themselves or remove themselves from the role. Refer to "Using Roles Securely," on page 169 for more information about roles and access control.
Creating a Managed Role
Managed roles allow you to create an explicit enumerated list of members.
Creating a Filtered Role
You assign entries to a filtered role depending upon a particular attribute contained by each entry. You do this by specifying an LDAP filter. Entries that match the filter are said to possess the role. To create and add members to a filtered role: Follow steps 1-5 of "Creating a Managed Role,"...
To create and add members to a nested role: Follow steps 1-5 of "Creating a Managed Role," on page 162. Click Members in the left pane. A search dialog box appears briefly. In the right pane, select Nested Role. Click Add to add roles to the list. The members of the nested role are members of other existing roles.
Click OK once you have finished modifying the roles to save your changes.
Modifying a Role Entry
To edit an existing role: On the Directory Server Console, select the Directory tab. Browse the navigation tree in the left pane to locate the base DN for your role. Roles appear in the right pane with other entries.
Browse the navigation tree in the left pane to locate the base DN for your role. Roles appear in the right pane with other entries. Select the role. Select Activate from the Object menu. You can also right-click the role and select Activate from the menu. The role is reactivated.
• Members of a filtered role are entries that match the filter specified in the nsRoleFilter attribute.
• Members of a nested role are members of the roles specified in the nsRoleDN attributes of the nested role definition entry.
The following table lists the new object classes and attributes associated with each type of role:
Table 5-1 Object Classes and Attributes for Roles...
Notice that the nsManagedRoleDefinition object class inherits from the LDAPsubentry, nsRoleDefinition, and nsSimpleRoleDefinition object classes. Assign the role to a marketing staff member named Bob by doing an ldapmodify as follows:
ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389
dn: cn=Bob,ou=people,dc=example,dc=com
changetype: modify
add: nsRoleDN...
Example: Nested Role Definition
You want to create a role that contains both the marketing staff and sales managers contained by the roles you created in the previous examples. The nested role you create using ldapmodify appears as follows:
dn: cn=MarketingSales,ou=people,dc=example,dc=com
objectclass: top...
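To see how the three role types combine, the following Python, an added example rather than code from the guide, computes the nsRole values an entry would carry. Roles, people and filters are constructed; the role names follow the examples above but the filtered role's filter is my own. Two assumptions are built in: a role is only visible to entries beneath the parent of the role definition entry, and the filter parser understands only (attribute=value), & and |.

```python
"""nsRole computation for managed, filtered and nested roles (model).

Added example, not code from the guide; the directory below is constructed.
Assumptions: a role applies only to entries under the parent of the role
definition entry, and the filter language is limited to (attr=value), & and |.
Attribute names are lower-cased dictionary keys.
"""


def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))   # no escaped commas assumed


def is_under(dn, suffix):
    n, s = norm(dn), norm(suffix)
    return n == s or n.endswith("," + s)


def parse_filter(text):
    """Parse (attr=value), (&(f)(g)...) and (|(f)(g)...) into nested tuples."""
    text = text.strip()
    if not text.startswith("("):
        text = f"({text})"               # nsRoleFilter: o=managers is written without parentheses

    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i} in {text!r}")
        i += 1
        if text[i] in "&|":
            op, items, i = text[i], [], i + 1
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                items.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unbalanced filter: " + text)
            return (op, items), i + 1
        j = text.index(")", i)
        attr, _, value = text[i:j].partition("=")
        return ("=", attr.strip().lower(), value.strip().lower()), j + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter: " + text)
    return node


def matches(entry, node):
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    combine = all if node[0] == "&" else any
    return combine(matches(entry, child) for child in node[1])


def role_type(role):
    ocs = {o.lower() for o in role.get("objectclass", [])}
    for kind in ("managed", "filtered", "nested"):
        if f"ns{kind}roledefinition" in ocs:
            return kind
    return None


def compute_roles(directory, entry_dn):
    """Sorted DNs of the roles the entry possesses (its nsRole values)."""
    entry = directory[norm(entry_dn)]
    in_scope = {dn: r for dn, r in directory.items()
                if role_type(r) and is_under(entry_dn, dn.split(",", 1)[1])}
    roles = set()
    for dn, role in in_scope.items():
        kind = role_type(role)
        if kind == "managed" and dn in {norm(v) for v in entry.get("nsroledn", [])}:
            roles.add(dn)                # explicit membership via the entry's nsRoleDN
        elif kind == "filtered" and matches(entry, parse_filter(role["nsrolefilter"][0])):
            roles.add(dn)                # membership by filter
    changed = True                       # nested roles, iterated so nesting can be deep
    while changed:
        changed = False
        for dn, role in in_scope.items():
            if role_type(role) == "nested" and dn not in roles and \
                    any(norm(v) in roles for v in role.get("nsroledn", [])):
                roles.add(dn)
                changed = True
    return sorted(roles)


def build_directory():
    """Constructed directory: two simple roles, one nested role, three people."""
    role_def = ["top", "LDAPsubentry", "nsRoleDefinition"]
    d = {
        "cn=MarketingStaff,ou=people,dc=example,dc=com": {
            "objectclass": role_def + ["nsSimpleRoleDefinition", "nsManagedRoleDefinition"]},
        "cn=SalesManagerRole,ou=people,dc=example,dc=com": {
            "objectclass": role_def + ["nsFilteredRoleDefinition"],
            "nsrolefilter": ["(&(objectclass=person)(o=sales managers))"]},
        "cn=MarketingSales,ou=people,dc=example,dc=com": {
            "objectclass": role_def + ["nsNestedRoleDefinition"],
            "nsroledn": ["cn=MarketingStaff,ou=people,dc=example,dc=com",
                         "cn=SalesManagerRole,ou=people,dc=example,dc=com"]},
        "cn=Bob,ou=people,dc=example,dc=com": {"objectclass": ["person"],
            "nsroledn": ["cn=MarketingStaff,ou=people,dc=example,dc=com"]},
        "cn=Alice,ou=people,dc=example,dc=com": {"objectclass": ["person"], "o": ["Sales Managers"]},
        # Outside ou=people, so the roles above are out of scope even with nsRoleDN set.
        "cn=Eve,ou=contractors,dc=example,dc=com": {"objectclass": ["person"], "o": ["Sales Managers"],
            "nsroledn": ["cn=MarketingStaff,ou=people,dc=example,dc=com"]},
    }
    return {norm(k): v for k, v in d.items()}
```

Bob gets the managed role through his nsRoleDN value and the nested role through it; Alice gets the filtered role by matching the filter and the nested role the same way; Eve, who carries the same nsRoleDN value but lives under ou=contractors, gets nothing, which is why the scope rule matters when you rely on roles for access control.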
Assigning Class of Service
To prevent users from removing the nsRoleDN attribute, use the following ACIs depending upon the type of role being used.
Managed roles. For entries that are members of a managed role, use the following ACI to prevent users from unlocking themselves by removing the appropriate nsRoleDN:
aci: (targetattr="nsRoleDN") (targattrfilters="...
• Managing CoS Using the Console
• Managing CoS From the Command Line
• Creating Role-Based Attributes
• Access Control and CoS
About CoS
Clients of the Directory Server read the attributes on a user's entry. With CoS, some attribute values may not be stored with the entry itself.
There are three types of CoS, defined using three types of CoS definition entries:
• Pointer CoS: A pointer CoS identifies the template entry using the template DN only.
• Indirect CoS: An indirect CoS identifies the template entry using the value of one of the target entry's attributes.
How a Pointer CoS Works
You create a CoS that shares a common postal code with all of the entries stored under dc=example,dc=com. The three entries for this CoS appear as illustrated in Figure 5-1.
Figure 5-1 Sample Pointer CoS
In this example, the template entry is identified by its DN,...
Figure 5-2 Sample Indirect CoS
In this example, the target entry for William Holiday contains the indirect specifier, the manager attribute. William's manager is Carla Fuentes, so the manager attribute contains a pointer to the DN of the template entry, cn=Carla...
Figure 5-3 Sample Classic CoS
In this example, the CoS definition entry's cosSpecifier attribute specifies the employeeType attribute. This attribute, in combination with the template DN, identifies the template entry as cn=sales,cn=exampleUS,cn=data. The template entry then provides the value of the attribute to the target entry.
Go to the Object menu and select New > Class of Service. You can also right click the entry and select New > Class of Service. The Create New Class of Service dialog displays. Select General in the left pane. In the right pane, enter the name of your new class of service in the "Class Name"...
Using the value of one of the target entry's attributes. If you choose to have the template entry identified by the value of one of the target entry's attributes (an indirect CoS), enter the attribute name in the "Attribute Name" field. Be sure to select an attribute which contains DN values.
Right-click the CoS and select Delete. A dialog box appears asking you to confirm the deletion. Click Yes. The Deleted Entries dialog box appears to inform you that the CoS was successfully deleted. Click OK.
Managing CoS From the Command Line
Because all configuration information and template data is stored as entries in the directory, you can use standard LDAP tools for CoS configuration and management.
You can use the following attributes in your CoS definition entries:
Table 5-3 CoS Definition Entry Attributes
cosAttribute: Provides the name of the attribute for which you want to generate a value. You can specify more than one cosAttribute value. This attribute is used by all types of CoS definition entries.
dn: cn=pointerCoS,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: cosSuperDefinition
objectclass: cosPointerDefinition
cosTemplateDn: cn=exampleUS,cn=data
cosAttribute: postalCode override
This pointer CoS definition entry indicates that it is associated with a template entry, cn=exampleUS,cn=data, that generates the value of the postalCode attribute.
Table 5-4 CoS Definitions (Continued)
Classic CoS:
objectclass: top
objectclass: LDAPsubentry
objectclass: cosSuperDefinition
objectclass: cosClassicDefinition
cosTemplateDn: DN_string
cosSpecifier: attribute_name
cosAttribute: list_of_attributes qualifier
Creating the CoS Template Entry From the Command Line
The CoS template entry also inherits from the LDAPsubentry object class.
Templates that contain no cosPriority attribute are considered the lowest priority. In the case where two or more templates are considered to supply an attribute value and they have the same (or no) priority, a value is chosen arbitrarily.
Next, you create the template entry as follows:
dn: cn=exampleUS,cn=data,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
postalCode: 44438
The CoS template entry (cn=exampleUS,cn=data,dc=example,dc=com) supplies the value stored in its postalCode attribute to any entries located under the dc=example,dc=com suffix.
You create a second template entry for the manager Sue Jacobs as follows:
dn: cn=Sue Jacobs,cn=data,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
departmentNumber: 71776
The definition entry looks in the target entries (the entries under dc=example,dc=com) for entries containing the attribute (because this...
Next, you create the template entries for the sales and marketing departments as follows:
dn: cn=sales,cn=exampleUS,cn=data,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
postalCode: 44438
dn: cn=marketing,cn=exampleUS,cn=data,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
postalCode: 99111
The classic CoS definition entry applies to all entries under the dc=example,dc=com suffix.
objectclass: nsFilteredRoleDefinition
cn: ManagerRole
nsRoleFilter: o=managers
Description: filtered role for managers
The classic CoS definition entry would look as follows:
dn: cn=managerCOS,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: cosSuperDefinition
objectclass: cosClassicDefinition
cosTemplateDn: cn=managerCOS,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: mailboxquota override
The cosTemplateDn attribute provides a value that, in combination with the attribute specified in the...
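The following Python is an added example, not code from the guide, that resolves the three CoS types over a small constructed directory built from the entries in this section (with one marketing template given cosPriority 0, and an entry that has its own postalCode added, to show how override and the default qualifier differ). The rules it assumes are stated in its docstring: scope is the subtree under the definition entry's parent, the lowest cosPriority number wins with missing priorities last and ties broken by first seen, override replaces a stored value and default does not.

```python
"""Class of Service (CoS) resolution for pointer, indirect and classic definitions.

Added example, not code from the guide; the directory below is constructed.
Assumed rules: a definition targets the subtree under its parent entry; of the
templates that supply an attribute the lowest cosPriority number wins, no
cosPriority ranks last, ties go to the first seen; "override" replaces a value
stored in the entry, the default qualifier only fills in a missing one.
"""


def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))   # no escaped commas assumed


def is_under(dn, suffix):
    n, s = norm(dn), norm(suffix)
    return n == s or n.endswith("," + s)


def candidate_templates(defn, entry):
    """Template DN(s) the definition names for this entry, by CoS type."""
    ocs = {o.lower() for o in defn["objectclass"]}
    base = defn.get("costemplatedn", [None])[0]
    if "cospointerdefinition" in ocs:
        return [base]                                   # one fixed template
    values = entry.get(defn["cosspecifier"][0].lower(), [])
    if "cosindirectdefinition" in ocs:
        return list(values)                             # the attribute holds the template DN
    if "cosclassicdefinition" in ocs:
        return [f"cn={v},{base}" for v in values]       # cosTemplateDn + specifier value
    raise ValueError("unknown CoS definition type")


def priority(template):
    value = template.get("cospriority")
    return int(value[0]) if value else float("inf")


def resolve(directory, entry_dn):
    """Return the entry's attributes with CoS-generated values applied."""
    entry = directory[norm(entry_dn)]
    result = {k: list(v) for k, v in entry.items()}
    best = {}                                           # attr -> (template, qualifier)
    for defn_dn, defn in directory.items():
        if "cossuperdefinition" not in {o.lower() for o in defn.get("objectclass", [])}:
            continue
        if not is_under(entry_dn, defn_dn.split(",", 1)[1]):
            continue                                    # outside this definition's scope
        for spec in defn["cosattribute"]:
            attr, _, qualifier = spec.strip().partition(" ")
            attr = attr.lower()
            for tdn in candidate_templates(defn, entry):
                tmpl = directory.get(norm(tdn))
                if tmpl is None or attr not in tmpl:
                    continue
                if attr not in best or priority(tmpl) < priority(best[attr][0]):
                    best[attr] = (tmpl, qualifier.strip())
    for attr, (tmpl, qualifier) in best.items():
        if qualifier == "override" or attr not in entry:
            result[attr] = list(tmpl[attr])
    return result


def build_directory():
    """Constructed directory following the chapter's examples (lower-cased attribute names)."""
    cos_def = ["top", "LDAPsubentry", "cosSuperDefinition"]
    tmpl = ["top", "LDAPsubentry", "extensibleobject", "cosTemplate"]
    d = {
        # Pointer CoS: one template supplies postalCode to everyone under the suffix.
        "cn=pointerCoS,dc=example,dc=com": {"objectclass": cos_def + ["cosPointerDefinition"],
            "costemplatedn": ["cn=exampleUS,cn=data,dc=example,dc=com"],
            "cosattribute": ["postalCode override"]},
        "cn=exampleUS,cn=data,dc=example,dc=com": {"objectclass": tmpl, "postalcode": ["44438"]},
        # Classic CoS: the template is chosen by the entry's employeeType value.
        "cn=classicCoS,dc=example,dc=com": {"objectclass": cos_def + ["cosClassicDefinition"],
            "costemplatedn": ["cn=exampleUS,cn=data,dc=example,dc=com"],
            "cosspecifier": ["employeeType"], "cosattribute": ["postalCode override"]},
        "cn=marketing,cn=exampleUS,cn=data,dc=example,dc=com": {"objectclass": tmpl,
            "cospriority": ["0"], "postalcode": ["99111"]},
        # Indirect CoS: the entry's manager attribute names the template.
        "cn=indirectCoS,dc=example,dc=com": {"objectclass": cos_def + ["cosIndirectDefinition"],
            "cosspecifier": ["manager"], "cosattribute": ["departmentNumber default"]},
        "cn=Sue Jacobs,cn=data,dc=example,dc=com": {"objectclass": tmpl, "departmentnumber": ["71776"]},
        # Target entries (constructed).
        "uid=wholiday,ou=people,dc=example,dc=com": {"employeetype": ["marketing"],
            "manager": ["cn=Sue Jacobs,cn=data,dc=example,dc=com"]},
        "uid=bjensen,ou=people,dc=example,dc=com": {"departmentnumber": ["12345"],
            "manager": ["cn=Sue Jacobs,cn=data,dc=example,dc=com"]},
        "uid=cfuentes,ou=people,dc=example,dc=com": {"postalcode": ["55555"], "employeetype": ["marketing"]},
        "cn=outsider,o=other": {"cn": ["outsider"]},
    }
    return {norm(k): v for k, v in d.items()}
```

For wholiday the marketing template (cosPriority 0) beats the pointer template (no priority), so postalCode is 99111, and departmentNumber comes from the manager's template because the entry has none of its own. bjensen keeps the departmentNumber stored in the entry (default qualifier) and gets 44438 from the pointer CoS, and cfuentes loses the stored 55555 to the override. Nothing is generated for the entry outside dc=example,dc=com.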
Chapter 6 Managing Access Control Netscape Directory Server (Directory Server) provides you with the ability to control access to your directory. This chapter describes the access control mechanism. This section includes the following topics: • Access Control Principles (page 188) •...
Access Control Principles
The mechanism by which you define access is called access control. When the server receives a request, it uses the authentication information provided by the user in the bind operation, and the access control instructions (ACIs) defined in the server to allow or deny access to directory information.
ACI Placement
If an entry containing an ACI does not have any child entries, the ACI applies to that entry only. If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a direct consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs for every entry between the one requested and the directory suffix, as well as the ACIs on the entry itself.
For example, if you deny write permission at the directory's root level, then none of the users can write to the directory regardless of the specific permissions you grant them. To grant a specific user write permissions to the directory, you have to restrict the scope of the original denial for write permission so that it does not include the user.
Default ACIs • Access control rules are always evaluated on the local server. Therefore, it is not necessary to specify the hostname or port number of the server in LDAP URLs used in ACI keywords. If you do, the LDAP URL will not be taken into account at all.
Creating ACIs Manually
You can create access control instructions manually using LDIF statements, and add them to your directory tree using the ldapmodify utility. The following sections explain in detail how to create the LDIF statements. LDIF ACI statements can be very complex. However, if you are setting access control for a large number of directory entries, using LDIF is the preferred method over using the Console because of the time it can save.
You can have multiple permission-bind rule pairs for each target. This allows you to efficiently set multiple access controls for a given target. For example:
target(permission bind_rule)(permission bind_rule)...
If you have several ACRs in one ACI statement, the syntax is of the form:
aci: (target)(version 3.0;acl "name";permission bind_rule;...
where:
keyword indicates the type of target
equal (=) indicates that the target is the object specified in the expression, and not equal (!=) indicates the target is not the object specified in the expression
expression identifies the target
The quotation marks ("") around expression are required.
This identifies the distinguished name of the entry to which the access control rule applies. For example:
(target = "ldap:///uid=bjensen,dc=example,dc=com")
NOTE If the DN of the entry to which the access control rule applies contains a comma, you must escape the comma with a single backslash (\).
Some other valid examples follow:
• (target="ldap:///uid=*,dc=example,dc=com") Matches every entry in the entire example.com tree that has the uid attribute in the entry's RDN.
• (target="ldap:///uid=*,ou=*,dc=example,dc=com") Matches every entry in the example.com tree whose distinguished name contains the uid and ou attributes.
You can target multiple attributes by using the targetattr keyword with the following syntax:
(targetattr = "attribute1 || attribute2 ... || attributen")
Where attribute is the name of the attribute you want to target. For example, to target the common name attribute you would use:
(targetattr = "cn")
To target an entry's common name, surname, and uid attributes, you would use the following:...
where LDAP_filter is a standard LDAP search filter. For more information on the syntax of LDAP search filters, see Appendix B, "Finding Directory Entries." For example, suppose that all entries in the accounting department include the attribute-value pair ou=accounting, and all entries in the engineering department include the attribute-value pair...
Creating ACIs Manually For example, you might grant all users in your organization permission to modify attribute in their own entry. However, you would also want to nsRoleDN ensure that they do not give themselves certain key roles such as “Top Level Administrator.”...
Creating ACIs Manually • By creating a bind rule that matches user input in the bind request with an attribute value stored in the targeted entry. For more details, see “Defining Access Based on Value Matching,” on page 211. keywords •...
Creating ACIs Manually NOTE From the Server Console, you cannot explicitly deny access, but only grant permissions. Assigning Rights Rights detail the specific operations a user can perform on directory data. You can allow or deny all rights, or you can assign one or more of the following rights: Read.
Creating ACIs Manually Rights Required for LDAP Operations This section describes the rights you need to grant to users depending on the type of LDAP operation you want to authorize them to perform. Adding an entry: • Grant add permission on the entry being added. •...
Bind Rules The permissions you need to set up to allow users to search the directory are more readily understood with an example. Consider the following ldapsearch operation: % ldapsearch -h host -s base -b "uid=bkolics,dc=example,dc=com" "objectclass=*" mail The following ACI is used to determine whether user bkolics can be granted...
Bind rules can be simple. For example, a bind rule can simply state that the person accessing the directory must belong to a specific group. Bind rules can also be more complex. For example, a bind rule can state that a person must belong to a specific group and must log in from a machine with a specific IP address, between 8 am and 5 pm.
Defining User Access - userdn Keyword User access is defined using the userdn keyword. The userdn keyword requires one or more valid distinguished names in the following format: userdn = "ldap:///dn [|| ldap:///dn]...[||ldap:///dn]" where dn can be a DN or one of the expressions anyone, self, parent...
Self Access (self Keyword) Specifies that users are granted or denied access to their own entries. In this case, access is granted or denied if the bind DN matches the DN of the targeted entry. From the Server Console, you set up self access on the Access Control Editor. For more information, see “Creating ACIs From the Console,”...
userdn = "ldap:///uid=*,dc=example,dc=com"; The bind rule is evaluated to be true if the user binds to the directory using any distinguished name of the specified pattern. For example, both of the following bind DNs would be evaluated to be true: uid=ssarette,dc=example,dc=com and uid=tjaz,ou=Accounting,dc=example,dc=com, whereas the following bind DN would be evaluated to be false:...
The bind rule is evaluated to be true for any valid bind DN. To be true, a valid distinguished name and password must have been presented by the user during the bind operation. For example, if you want to grant read access to the entire tree to all authenticated users, you would create the following ACI on the dc=example,dc=com node:...
The groupdn keyword requires one or more valid distinguished names in the following format: groupdn="ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]" The bind rule is evaluated to be true if the bind DN belongs to the named group. NOTE If a DN contains a comma, the comma must be escaped by a backslash (\).
roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]" The bind rule is evaluated to be true if the bind DN belongs to the specified role. NOTE If a DN contains a comma, the comma must be escaped by a backslash (\).
userattr = "attrName#attrValue" where: • attrName is the name of the attribute used for value matching • bindType is one of USERDN, GROUPDN, LDAPURL • attrValue is any string representing an attribute value The following sections provide examples of the userattr keyword with the various possible bind types.
userattr = "ldap:///dc=example,dc=com?owner#GROUPDN" In this example, the group entry is under the dc=example,dc=com suffix. The server can process this type of syntax more quickly than the previous example. (By default, owner is not an allowed attribute in a user’s entry. You would have to extend your schema to allow this attribute in such an entry.)
The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter attribute of the targeted entry. The myfilter attribute can be replaced by any attribute that contains an LDAP filter. Example With Any Attribute Value The following is an example of the userattr keyword associated with a bind...
Example With userattr Inheritance The example in the following figure indicates that user bjensen is allowed to read and search the cn=Profiles entry as well as the first level of child entries, which includes cn=mail and cn=news, thus allowing her to search through her own mail and news IDs.
aci: (target="ldap:///dc=example,dc=com")(targetattr=*) (version 3.0; acl "manager-write"; allow (all) userattr = "manager#USERDN";) This ACI grants managers all rights on the entries of employees that report to them. However, because access rights are evaluated on the entry being created, this type of ACI would also allow any employee to create an entry in which the manager attribute is set to their own DN.
The IP address must be expressed in dot notation. You can use the wildcard character (*) to include multiple machines. For example, the following string is valid: ip = "12.123.1.*"; The bind rule is evaluated to be true if the client accessing the directory is located at the named IP address.
The bind rule is evaluated to be true if the client accessing the directory is located in the named domain. This can be useful for allowing access only from a specific domain. Note that wildcards will not work if your system uses a naming service other than DNS.
timeofday = "1200"; The bind rule is evaluated to be true if the client is accessing the directory at noon. timeofday != "0100"; The bind rule is evaluated to be true if the client is accessing the directory at any time other than 1 am.
• The client must bind to the directory over a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection. In the case of SSL, the connection is established to the LDAPS second port; in the case of TLS, the connection is established through a Start TLS operation. In both cases, a certificate must be provided.
Using Boolean Bind Rules Bind rules can be complex expressions that use Boolean operators to set very precise access rules. You cannot use the Server Console to create Boolean bind rules. You must create an LDIF statement. The LDIF syntax for a Boolean bind rule is as follows: bind_rule [boolean][bind_rule][boolean][bind_rule]...;) For example, the following bind rule will be evaluated to be true if the bind DN is a...
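The bind-rule keywords covered in this section (userdn patterns, groupdn, ip and dns wildcards, timeofday, authmethod) and their Boolean combination, as an added Python evaluator that is not code from the guide or from Directory Server itself; the BindContext type, the constructed group membership, the case-insensitive matching and the precedence of or, and and not are this example's assumptions.

```python
"""Evaluator for the bind-rule keywords described in this section.

Added example, not code from the Netscape guide. The keywords, the = and !=
operators and the "ldap:///dn || ldap:///dn" list syntax follow the guide;
BindContext, the case-insensitive matching and the precedence 'or' < 'and'
< 'not' are this example's assumptions.
"""
import re
from dataclasses import dataclass

TERM = re.compile(r'(userdn|groupdn|ip|dns|timeofday|authmethod)\s*(!?=)\s*"([^"]*)"')


@dataclass
class BindContext:
    bind_dn: str               # DN presented at bind time; "" for anonymous
    client_ip: str = ""        # client address in dot notation
    client_dns: str = ""       # client host name as resolved through DNS
    hhmm: str = "0000"         # server time of day as HHMM
    authmethod: str = "none"   # none, simple, ssl or sasl
    member_of: tuple = ()      # group DNs the bind DN belongs to (constructed input)

def wildcard_match(pattern: str, value: str) -> bool:
    """Case-insensitive match in which '*' matches any run of characters, so
    uid=*,dc=example,dc=com matches uid=tjaz,ou=Accounting,dc=example,dc=com
    but not uid=bjensen,dc=example,dc=org. Also used for ip and dns patterns."""
    norm = lambda s: re.sub(r",\s+", ",", s.strip().lower())
    regex = ".*".join(re.escape(part) for part in norm(pattern).split("*"))
    return re.fullmatch(regex, norm(value)) is not None

def _strip_url(dn: str) -> str:
    dn = dn.strip()
    return dn[len("ldap:///"):] if dn.lower().startswith("ldap:///") else dn

def _eval_userdn(value: str, ctx: BindContext, target_dn: str) -> bool:
    """Each || alternative is a DN pattern or one of anyone, all, self, parent."""
    parent_dn = target_dn.split(",", 1)[1] if "," in target_dn else ""  # no escaped commas
    for dn in map(_strip_url, value.split("||")):
        if dn == "anyone":
            return True                      # anonymous binds qualify as well
        if not ctx.bind_dn:
            continue                         # every other form needs an authenticated bind
        if dn == "all":
            matched = True
        elif dn == "self":
            matched = wildcard_match(target_dn, ctx.bind_dn)
        elif dn == "parent":
            matched = bool(parent_dn) and wildcard_match(parent_dn, ctx.bind_dn)
        else:
            matched = wildcard_match(dn, ctx.bind_dn)
        if matched:
            return True
    return False

def _eval_term(keyword: str, value: str, ctx: BindContext, target_dn: str) -> bool:
    alternatives = [v.strip() for v in value.split("||")]
    if keyword == "userdn":
        return _eval_userdn(value, ctx, target_dn)
    if keyword == "groupdn":                 # membership comes from the constructed context
        groups = {g.strip().lower() for g in ctx.member_of}
        return any(_strip_url(a).lower() in groups for a in alternatives)
    if keyword == "ip":
        return any(wildcard_match(a, ctx.client_ip) for a in alternatives)
    if keyword == "dns":
        return any(wildcard_match(a, ctx.client_dns) for a in alternatives)
    if keyword == "timeofday":
        return ctx.hhmm == value.strip()
    return ctx.authmethod.lower() == value.strip().lower()   # authmethod

def _eval_clause(clause: str, ctx: BindContext, target_dn: str) -> bool:
    clause = clause.strip()
    negate = clause.lower().startswith("not ")
    if negate:
        clause = clause[4:].strip()
    m = TERM.fullmatch(clause)
    if m is None:
        raise ValueError(f"unsupported bind rule clause: {clause!r}")
    keyword, op, value = m.groups()
    result = _eval_term(keyword, value, ctx, target_dn)
    if op == "!=":
        result = not result
    return not result if negate else result

def evaluate(rule: str, ctx: BindContext, target_dn: str = "") -> bool:
    """Evaluate a bind rule such as  ip = "12.123.1.*" and timeofday != "0100"
    for a bind context; target_dn is the entry being accessed (used by self/parent)."""
    rule = rule.strip().rstrip(";").strip()
    for disjunct in re.split(r"\s+or\s+", rule, flags=re.I):
        if all(_eval_clause(c, ctx, target_dn)
               for c in re.split(r"\s+and\s+", disjunct, flags=re.I)):
            return True
    return False


if __name__ == "__main__":
    # Constructed context: tjaz binds over SSL from 12.123.1.42 at noon.
    tjaz = BindContext("uid=tjaz,ou=Accounting,dc=example,dc=com", "12.123.1.42",
                       "pc.example.com", "1200", "ssl")
    print(evaluate('ip = "12.123.1.*" and timeofday != "0100"', tjaz))   # True
```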
Creating ACIs From the Console You can use the Directory Server Console to view, create, edit, and delete access control instructions for your directory. This section provides general instructions for: • Displaying the Access Control Editor •...
Displaying the Access Control Editor Start the Directory Server Console. Log in using the bind DN and password of a privileged user such as the directory manager who has write access to the ACIs configured for the directory. For instructions, refer to “Using the Directory Server Console,”...
Figure 6-3 Access Control Editor Window. For information on navigating through the Access Control dialog boxes, refer to the online help. Viewing Current ACIs If you want to see what ACIs apply to a particular subtree in your directory, follow these steps: On the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu.
Name the ACI by typing a name in the ACI Name text box. The name can be any string you want to use to uniquely identify the ACI. If you do not enter a name, the server uses unnamed ACI. In the Users/Groups tab, select the users to whom you are granting access by highlighting All Users, or clicking the Add button to search the directory for...
Click the Times tab to display the table showing at what times access is allowed. By default, access is allowed at all times. You can change the access times by clicking and dragging the cursor over the table. You cannot select discrete blocks of time.
Access Control Usage Examples Deleting an ACI To delete an ACI: On the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu. The Access Control Manager window is displayed. It contains the list of ACIs belonging to the entry.
• Grant all example.com employees the right to create group entries under the Social Committee branch of the directory, and to delete group entries that they own (see “Granting Rights to Add and Delete Group Entries,” on page 236). • Grant employees the right to add themselves to group entries...
This example assumes that the ACI is added to the dc=example,dc=com entry. Note that the userPassword attribute is excluded from the scope of the ACI. From the Console, you can set this permission by doing the following: On the Directory tab, right click the example.com node in the left navigation...
This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com entry. It also assumes that every subscriber entry has an unlistedSubscriber attribute which is set to yes or no. The target definition filters out the unlisted subscribers based on the value of this attribute. For details on the filter definition, refer to “Setting a Target Using Filtering,”...
It is also example.com’s policy to let their subscribers update their own personal information in the example.com tree provided that they establish an SSL connection to the directory. This is illustrated in the ACI “Write Subscribers” example.
On the Targets tab, click This Entry to display the suffix dc=example,dc=com in the target directory entry field. In the attribute table, tick the checkboxes for the homePhone, homePostalAddress, and userPassword attributes. All other checkboxes should be clear. This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones.
On the Users/Groups tab, in the ACI name field, type "Write Subscribers". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area to Special Rights, and select Self from the Search results list.
Restricting Access to Key Roles You can use role definitions in the directory to identify functions that are critical to your business, the administration of your network and directory, or another purpose. For example, you might create a superAdmin role by identifying a subset of your system administrators that are available at a particular time of day and day of the...
Click the Add button to list Self in the list of users who are granted access permission. Click OK to dismiss the Add Users and Groups dialog box. On the Rights tab, tick the checkbox for write. Make sure the other checkboxes are clear.
aci: (version 3.0; acl "HR"; allow (all) userdn= "ldap:///cn=HRgroup,ou=example-people,dc=example,dc=com";) This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com entry. From the Console, you can set this permission by doing the following: On the Directory tab, right click the example-people entry under the example.com node in the left navigation tree, and choose Set Access...
At example.com, for example, there is an active social committee that is organized into various clubs: tennis, swimming, skiing, role-playing, etc. Any example.com employee can create a group entry representing a new club. This is illustrated in the ACI “Create Group”...
Click OK to dismiss the Add Users and Groups dialog box. On the Rights tab, tick the checkbox for add. Make sure the other checkboxes are clear. On the Targets tab, click This Entry to display the ou=social committee, suffix in the target directory entry field.
Granting Conditional Access to a Group or Role In many cases, when you grant a group or role privileged access to the directory, you want to ensure that those privileges are protected from intruders trying to impersonate your privileged users.
On the Users/Groups tab, in the ACI name field, type "HostedCompany1". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area to Users and Groups, and type DirectoryAdmin in the Search For field.
To enforce SSL authentication from HostedCompany1 administrators, switch to manual editing by clicking the Edit Manually button. Add the following to the end of the LDIF statement: and (authmethod="ssl") The LDIF statement should be similar to: aci: (targetattr = "*") (target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com") (version 3.0;...
On the Users/Groups tab, in the ACI name field, type "Billing Info Read". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area in the Add Users and Groups dialog box to Special Rights, and select Self from the Search results list.
From the Console, you can set this permission by doing the following: On the Directory tab, right click the subscribers entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
Setting a Target Using Filtering If you want to set access controls that allow access to a number of entries that are spread across the directory, you may want to use a filter to set the target. Keep in mind that because search filters do not directly name the object for which you are managing access, it is easy to unintentionally allow or deny access to the wrong objects, especially as your directory becomes more complex.
On the Users/Groups tab, in the ACI name field, type "Group Members". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area in the Add Users and Groups dialog box to Special Rights, and select All Authenticated Users from the Search results list.
Proxied Authorization ACI Example For this example, suppose: • The client application’s bind DN is "uid=MoneyWizAcctSoftware, ou=Applications,dc=example,dc=com" • The targeted subtree to which the client application is requesting access is ou=Accounting,dc=example,dc=com • An Accounting Administrator with access permissions to the subtree exists in the directory.
Viewing the ACIs for an Entry NOTE You cannot use the directory manager’s DN (Root DN) as a proxy DN. In addition, if Directory Server receives more than one proxied authentication control, an error is returned to the client application and the bind attempt is unsuccessful.
Advanced Access Control: Using Macro ACIs Macro ACI Example The benefits of macro ACIs and how they work are best explained using an example. Figure 6-4 on page 249 shows a directory tree in which using macro ACIs is an effective way of reducing the overall number of ACIs. In this illustration, note the repeating pattern of subdomains with the same tree structure (ou=groups, ou=people).
Figure 6-4 Example directory tree for Macro ACIs. The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)
The following ACI is located on the dc=subdomain1,dc=hostedCompany1,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)
The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node:
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";)
The following ACI is located on the...
• [$dn] • ($attr.attrName), where attrName represents an attribute contained in the target entry To simplify the discussion in this section, the ACI keywords used to provide bind credentials, such as userdn, roledn, and groupdn, are collectively called...
aci: (target="ldap:///ou=*,($dn),dc=example,dc=com") (targetattr = "*") (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com" In this case, if the string matching ($dn) in the target is dc=subdomain1,dc=hostedCompany1, then the same string is used in the subject. The ACI above is expanded as follows: aci: (target="ldap:///ou=Groups,dc=subdomain1,dc=hostedCompany1,...
Replace [$dn] in the subject with dc=hostedCompany1. The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com". In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a member, the ACI is evaluated.
Access Control and Replication In order to evaluate the roledn part of the ACI, the server looks at the attribute stored in the targeted entry, and uses the value of this attribute to expand the macro. Therefore, in the example, the roledn is expanded as follows: roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,...
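The macro substitution walked through above, for ($dn), the [$dn] walk up the tree one RDN at a time, and ($attr.attrName), as an added Python example that is neither the guide's nor the server's code; the function names, the lazy treatment of * in the target, the dict standing in for the target entry and the ou=Engineering sample attribute are assumptions.

```python
"""Macro ACI expansion: ($dn), [$dn] and ($attr.attrName).

Added example, not code from the Netscape guide. It applies the substitution
rules described above to constructed DNs; the function names, the Optional
return and the dict used to stand in for the target entry are assumptions.
"""
import re
from typing import Dict, List, Optional

ATTR_MACRO = re.compile(r"\(\$attr\.([A-Za-z0-9-]+)\)")


def match_dn_macro(target: str, entry_dn: str) -> Optional[str]:
    """Return the substring of entry_dn that ($dn) stands for when the target
    is, for example, ldap:///ou=*,($dn),dc=example,dc=com. A '*' in the target
    is matched lazily so that it stops at the next RDN boundary and ($dn)
    captures the remaining subdomain part. None when the target does not match."""
    pattern = target.strip()
    if pattern.lower().startswith("ldap:///"):
        pattern = pattern[len("ldap:///"):]
    head, sep, tail = pattern.partition("($dn)")
    if not sep:
        return None                                 # no ($dn) macro in this target
    to_regex = lambda s: ".*?".join(re.escape(p) for p in s.split("*"))
    regex = to_regex(head) + "(?P<dn>.+)" + to_regex(tail)
    m = re.fullmatch(regex, entry_dn.strip(), flags=re.I)
    return m.group("dn") if m else None


def expand_subject(subject: str, dn_value: str, entry: Dict[str, str]) -> List[str]:
    """Expand a groupdn/userdn/roledn value. ($dn) takes the whole matched
    string; [$dn] produces one candidate per trailing portion of it, dropping
    the leftmost RDN each time as in the walk above; ($attr.name) takes the
    value of attribute `name` from the target entry (keys lower-cased).
    An empty list means the macro cannot be expanded, so the ACI does not apply."""
    for name in ATTR_MACRO.findall(subject):
        if name.lower() not in entry:
            return []
    subject = ATTR_MACRO.sub(lambda m: entry[m.group(1).lower()], subject)
    subject = subject.replace("($dn)", dn_value)
    if "[$dn]" not in subject:
        return [subject]
    candidates, rest = [], dn_value
    while rest:
        candidates.append(subject.replace("[$dn]", rest))
        rest = rest.split(",", 1)[1] if "," in rest else ""   # drop the leftmost RDN
    return candidates


def expand_aci(target: str, subject: str, entry_dn: str,
               entry: Optional[Dict[str, str]] = None) -> List[str]:
    """Expand the subject of one macro ACI for the given target entry."""
    dn_value = match_dn_macro(target, entry_dn)
    if dn_value is None:
        return []
    return expand_subject(subject, dn_value, entry or {})


if __name__ == "__main__":
    target = "ldap:///ou=*,($dn),dc=example,dc=com"
    entry_dn = "ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
    subject = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"
    for candidate in expand_aci(target, subject, entry_dn):
        print(candidate)     # two candidates: the full match, then dc=hostedCompany1 alone
```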
Compatibility with Earlier Releases To set the error log level from the Console: On the Console, click the Directory tab, right click the config node, and choose Properties from the pop-up menu. This displays the Property Editor for the cn=config entry. Scroll down the list of attribute value pairs to locate the attribute.
Chapter 7 User Account Management When a user connects to your Netscape Directory Server (Directory Server), first the user is authenticated. Then, the directory can grant access rights and resource limits to the user depending upon the identity established during authentication. This chapter describes tasks for user account management, including configuring the password and account lockout policy for your directory, denying groups of users access to the directory, and limiting system resources available to users...
Managing the Password Policy This section provides information about configuring your password and account lockout policies. It includes the following procedures: • Configuring the Password Policy • Setting User Passwords • Configuring the Account Lockout Policy • Managing the Password Policy in a Replicated Environment Configuring the Password Policy The password policy you configure applies to all users within the directory except for the Directory Manager.
You can specify that users must change their password the first time they log on by selecting the “User must change password after reset” checkbox. If you select this checkbox, only the Directory Manager is authorized to reset the user’s password (using the field described in step 9).
Configuring the Password Policy Using the Command-Line This section describes the attributes you set to create a password policy for your server. Use ldapmodify to change these attributes in the cn=config entry. The following table describes the attributes you can use to configure your password policy: Table 7-1 Password Policy Attributes...
Table 7-1 Password Policy Attributes (Continued): passwordWarning: Indicates the number of seconds before a warning message is sent to users whose password is about to expire. Depending on the LDAP client application, users may be prompted to change their password when the warning is sent.
Table 7-1 Password Policy Attributes (Continued): passwordHistory: This attribute indicates whether the directory stores a password history. When set to on, the directory stores the number of passwords you specify in the passwordInHistory attribute in a history. If a user attempts to reuse one of these passwords, the password will be rejected.
For information on creating and modifying directory entries, see Chapter 2, “Creating Directory Entries.” For information on inactivating user accounts, refer to “Inactivating Users and Roles,” on page 266. You can also use the Users and Groups area of the Netscape Administration Server or the Directory Server Gateway to set or reset user passwords.
Set the interval you want users to be locked out of the directory. Select the Lockout Forever radio button to lock users out until their passwords have been reset by the administrator. Set a specific lockout period by selecting the Lockout duration radio button and entering the time (in minutes) in the text box.
Table 7-2 Account Lockout Policy Attributes (Continued): passwordResetFailureCount: This attribute specifies the time in seconds after which the password failure counter will be reset. Each time an invalid password is sent from the user’s account, the password failure counter is incremented.
Inactivating Users and Roles • Warnings from the server of an impending password expiration will be issued by all replicas. This information is kept locally on each server, so if a user binds to several replicas in turn, they will be issued the same warning several times. In addition, if the user changes the password, it may take time for this information to filter to the replicas.
CAUTION You cannot inactivate the root entry (the entry corresponding to the root or sub suffix) on a database. For more information on creating the entry for a root or sub suffix, refer to Chapter 2, “Creating Directory Entries.”
Option Name Description: The DN of the directory administrator. The password of the directory administrator. Port used by the server. Name of the server on which the directory resides. DN of the user account or role you want to inactivate. For more information about running the ns-inactivate.pl script, refer to...
Setting Resource Limits Based on the Bind DN Activating Users and Roles Using the Command Line To activate a user account, use the ns-activate.pl script. The following example describes using the ns-activate.pl script to activate Joe Frasier’s user account: ns-activate.pl -D "Directory Manager" -w secretpwd -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com"...
NOTE The Directory Manager receives unlimited resources by default. The resource limits you set for the client application take precedence over the default resource limits you set in the global server configuration. This section gives procedures for the following: •...
Attribute Description: nsSizeLimit: Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of -1 indicates that there is no limit. nsTimeLimit: Specifies the maximum time the server spends processing a search operation.
Chapter 8 Managing Replication Replication is the mechanism by which directory data is automatically copied from one Netscape Directory Server (Directory Server) to another; it is an important mechanism for extending your directory service beyond a single server configuration. This chapter describes the tasks to be performed on the supplier servers and the consumer servers to set up single master replication, multi-master replication, and cascading replication.
Replication Overview For conceptual information on how you can use replication in your directory deployment, see the Netscape Directory Server Deployment Guide. Replication Overview Replication is the mechanism by which directory data is automatically copied from one Directory Server to another. Updates of any kind—entry additions, modifications, or even deletions—are automatically mirrored to other Directory Servers using replication.
• In the case of cascading replication, the hub supplier holds a read-only replica that it supplies to consumers. For more information, refer to “Cascading Replication,” on page 281. • In the case of multi-master replication, both masters are suppliers and consumers for the same read-write replica.
The replication mechanism also requires that one database correspond to one suffix. This means that you cannot replicate a suffix (or namespace) that is distributed over two or more databases using custom distribution logic. For more information on this topic, refer to “Creating and Maintaining Databases,” on page Replication Identity When replication occurs between two servers, the replication process uses a special entry, often referred to as the Replication Manager entry, to identify replication...
Replication Agreement Directory Servers use replication agreements to define their replication configuration. A replication agreement describes replication between one supplier and one consumer only. The agreement is configured on the supplier server. It specifies: • The database to be replicated •...
Replication Scenarios This section describes the most commonly used replication scenarios: • Single-Master Replication • Multi-Master Replication • Cascading Replication You can combine these basic scenarios to build the replication environment that best suits your needs. NOTE Whatever replication scenario you choose to implement, remember to consider schema replication.
Figure 8-1 Single-Master Replication. In this particular configuration the ou=people,dc=example,dc=com suffix receives a large number of search requests. Therefore, to distribute the load, this tree, which is mastered on Server A, is replicated to two read-only replicas located on Server B and Server C.
This type of configuration can work with any number of consumer servers. Each consumer server holds a read-only replica. The consumers can receive updates from both suppliers. The consumers also have referrals defined for both suppliers which are used to forward any update requests that they receive. Such scenarios are called multi-master configurations.
For information on setting up multi-master replication with two supplier servers and two consumer servers, refer to “Configuring Multi-Master Replication,” on page 294. Cascading Replication In a cascading replication scenario, one server, often called a hub supplier, acts both as a consumer and a supplier for a particular replica.
Figure 8-3 Cascading Replication. For information on setting up cascading replication, refer to “Configuring Cascading Replication,” on page 300. NOTE You can combine multi-master and cascading replication. For example, in the multi-master scenario illustrated in Figure 8-2 on page 280, Server C and Server D could be hub suppliers that would replicate to any number of consumer servers.
Summary of Steps for Complex Replication Configurations Summary of Steps for Complex Replication Configurations If you are configuring replication for a large number of servers, and your configuration is relatively complex, for reasons of efficiency you should proceed in the following order: On all consumer servers: Create the replica databases Create the Replication Manager or supplier bind DN entry...
Detailed Replication Tasks NOTE It is very important to create and configure all replicas before you attempt to create a replication agreement. This also means that when you create the replication agreement, you can choose to initialize consumers immediately. Detailed Replication Tasks This section contains a description of the tasks you need to perform to configure replication.
NOTE Avoid creating entries under the cn=config entry in the dse.ldif file. The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, and particularly entries that are likely to be updated frequently, are stored under cn=config, performance will probably suffer.
To configure supplier settings: In the Directory Server Console, click the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,” on page 28. In the left navigation tree, highlight the Replication node. In the right navigation window, click the Supplier Settings tab.
In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). The replica ID must be unique for a given suffix. Make sure you specify an ID that is different from the IDs used for read-write replicas on this server and on other servers.
In the Replica Update Settings section, specify the supplier bind DN or entry DN that the supplier will use to bind to the replica. This supplier bind DN or entry DN must correspond to the entry you created on the server that acts as a consumer in the replication agreement.
In the left navigation tree, expand the Replication folder and highlight the database to replicate. The Replica Settings tab is displayed in the right navigation window. Check the Enable Replica checkbox. In the Replica Role section, select the Hub radio button. In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive).
Configuring Single-Master Replication

Before you can create a replication agreement, you must:
• Configure supplier settings on the server, as described in “Configuring Supplier Settings,” on page 285.
• Configure replication settings for suppliers, as described in “Configuring a Read-Write Replica,” on page 286.
•...

• Initializing the Replicas for Single-Master Replication

Configuring the Read-Only Replica on the Consumer Server
Create the database for the read-only replica, if it does not exist. For instructions, refer to “Creating Suffixes,” on page 74. Create the entry corresponding to the supplier bind DN on the consumer server, if it does not exist.

In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). You must specify the same replica ID as for the read-write replica that supplies updates to this replica. The replica ID must be unique for a given suffix.

Configuring the Read-Write Replica on the Supplier Server
Specify the supplier settings for the server. In the Directory Server Console, click the Configuration tab. In the navigation tree, highlight the Replication node. In the right-hand side of the window, click the Supplier Settings tab. Check the Enable Change Log checkbox.
Configuring Multi-Master Replication

Click Save to save the replication settings for the database. Create a replication agreement. You must create one replication agreement for each read-only replica. For example, in the case illustrated in Figure 8-1 on page 279, Server A holds two replication agreements, one for Server B and one for Server C.

To set up multi-master replication such as the configuration shown in Figure 8-2 on page 280, between two suppliers, Server A and Server B, that each hold a read-write replica, and two consumers, Server C and Server D, that each hold a read-only replica, you need to perform the following procedures:
•...

Check the Enable Replica checkbox. In the Replica Role section, select the Dedicated Consumer radio button. In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). You must specify the same replica ID as for the read-write replica that supplies updates to this replica.

Repeat these steps for every read-only replica in your replication configuration.

Configuring the Read-Write Replicas on the Supplier Servers
Perform these steps on each supplier server: On Server A and Server B, specify the supplier settings for each server. In the Directory Server Console, click the Configuration tab.

NOTE This entry must not be part of the replicated database.

On Server A and Server B, specify the replication settings for the multi-mastered read-write replica. In the navigation tree on the Configuration tab, expand the Replication node and highlight the database to replicate.

One for each consumer, Server C and Server D. In the navigation tree on the Configuration tab, right-click the database to replicate, and select New Replication Agreement. Alternatively, highlight the database and select New Replication Agreement from the Object menu. This starts the Replication Agreement Wizard.
Configuring Cascading Replication

Initializing the Replicas for Multi-Master Replication
In the case of multi-master replication, you should initialize replicas in the following order: Ensure one master has the complete set of data to replicate. Use this master to initialize the replica on the other master in the multi-master replication set. Initialize the replicas on the consumer servers from either of the two masters.

On the consumer server, create the entry corresponding to the supplier bind DN, if it does not exist. This is the special entry that the supplier will use to bind. On the consumer server, specify the replication settings for the read-only replica.

Specify any supplier servers to which you want to refer updates. By default, all updates are first referred to the supplier servers that you specify here. If you specify none, updates are referred to the supplier servers that have a replication agreement that includes the current replica. In the case of cascading replication, referrals are automatically sent to the hub supplier, which in turn refers the request to the original master.

Create the entry corresponding to the supplier bind DN, if it does not exist. This is the special entry that the supplier will use to bind. In the Directory Server Console, click the Directory tab, and create an entry.

In the Replica Update Settings section, enter your supplier bind DN in the “Enter a new Supplier DN or entry DN” field. Click Add. Your supplier bind DN will appear in the “Current Supplier DNs or entry DNs to which the supplier’s certificate is mapped” field directly above.

Specify a change log by clicking the Use Default button, or click the Browse button to display a file selector. Set the change log parameters (number and age). You must clear the Unlimited checkboxes if you want to specify different values.
Deleting the Change Log
The change log is a record of all modifications on a given replica that the supplier uses to replay these modifications to replicas on consumer servers (or to other masters in the case of multi-master replication). In the event of a supplier server going offline, it is important to be able to delete the change log, because it no longer holds a true record of all modifications and, as a result, should not be used as a basis for replication.

Moving the Change Log to a New Location
To delete the change log while the server is still running and continuing to log changes, you simply move the change log to a new location. By moving the change log, a new change log is created in the directory you specify, and the old change log is deleted.

Initializing Consumers
Manual consumer initialization using the command line is a more effective method of initializing a large number of consumers from a single LDIF file.

Online Consumer Initialization Using the Console
Online consumer initialization using the console is the easiest way to initialize or reinitialize a consumer.

To update this window, right-click the replicated database icon in the navigation tree, and choose Refresh Replication Agreements. When online consumer initialization finishes, the status changes to reflect this. For more information about monitoring replication and initialization status, see “Monitoring Replication Status,”...
Forcing Replication Updates

Exporting a Replica to LDIF
You can convert the replica to LDIF using one of the following three procedures: When you create a replication agreement, by selecting “Create consumer initialization file” in the Initialize Consumer dialog box of the Replication Wizard.

Note that if you have configured replication agreements to always keep the supplier server and the consumer server in sync, this is not sufficient to bring back up to date a server that has been offline for over five minutes. The reason is that with the “Always Keep in Sync”...

You can copy this example and give it a meaningful name, for example, replicate_now.sh. You must provide actual values for the variables listed in Code Example 8-1.

NOTE The administrator must run this script, as it cannot be configured to run automatically as soon as the server which was offline comes back online again.

If you intend to use this script, you must replace the variables with actual values from your replication environment.

Table 8-1 Replicate_Now Variables
Variable            Definition
supplier_hostname   Hostname of the supplier to contact for information on replication agreements with the current consumer.
Replication over SSL

NOTE Replication over SSL will fail in the following cases:
• If the supplier’s certificate is a self-signed certificate
• If the supplier’s certificate is an SSL server-only certificate, that is, it cannot act as a client during an SSL handshake.

When your servers are configured to use SSL, you can ensure replication operations occur over SSL connections by using the:
•...

Configuring Replication Over SSL Using the Console
On the Directory Server Console of the supplier server, click the Configuration tab, expand the Replication folder, and select the replication agreement that you want to modify to enable replication over SSL. Click the Connection tab in the right navigation window.

Replication with Earlier Releases
The main advantage of being able to use this version of Directory Server as a consumer of a legacy Directory Server is to ease the migration of a replicated environment. For more information on the steps to follow to migrate a replicated environment, refer to the Netscape Directory Server Installation Guide.

Click Save. Repeat Step 7 and Step 8 for each read-only replica that will receive updates from a legacy supplier. To complete your legacy replication setup, you must now configure the legacy supplier to replicate to the Directory Server. For instructions on configuring a replication agreement on a 4.x Directory Server, refer to the documentation for your legacy Directory Server.

Using the Retro Change Log Plug-In

Table 8-2 Attributes of a Retro Change Log Entry
Attribute      Definition
changeNumber   This single-valued attribute is always present. It contains an integer which uniquely identifies each change. This number is related to the order in which the change occurred. The higher the number, the later the change.

To enable the retro change log plug-in from the command line: Create an LDIF file that contains the following LDIF update statements:
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
cn: Retro Changelog Plugin
changetype: modify
replace: nsslapd-pluginenabled
nsslapd-pluginenabled: on
Use the ldapmodify command to import the LDIF file into the directory.

NOTE There should be no space between the Integer and timeUnit variables. The space in the syntax above is intended to show that the attribute value is composed of two variable parts, not just one. Example of value: nsslapd-changelogmaxage...
Monitoring Replication Status
You can monitor replication status using the Directory Server Console. To view a summary of replication status: On the Directory Server Console, select the Status tab and then select Replication Status in the left navigation tree. In the right pane, a table appears that contains information about each of the replication agreements configured for this server.

Solving Common Replication Conflicts
Multi-master replication uses a loose consistency replication model. This means that the same entries can be changed on different servers. When replication occurs between the two servers, the conflicting changes need to be resolved. Mostly, resolution occurs automatically, based on the timestamp associated with the change on each server.

• (created nsuniqueid=66446001-1dd211b2+uid=adamss,dc=example,dc=com at time t2)
The second entry needs to be renamed in such a way that it has a unique DN. The renaming procedure depends on whether the naming attribute is single-valued or multi-valued. Each procedure is described below.

Renaming an Entry with a Multi-Valued Naming Attribute
To rename an entry that has a multi-valued naming attribute: Rename the entry using a new value for the naming attribute, and keep the old...

>dn: nsuniqueid=66446001-1dd211b2+dc=pubs,dc=example,dc=com
>changetype: modrdn
>newrdn: cn=TempValue
>deleteoldrdn: 0
Remove the old RDN value of the naming attribute, and the conflict marker attribute. For example:
prompt% ldapmodify -D adminDN -w passwd
>dn: cn=TempValue,dc=example,dc=com
>changetype: modify
>delete: dc
>dc: pubs
>-
>delete: nsds5ReplConflict...

In the same way, when an add operation is replicated and the consumer server cannot find the parent entry, the conflict resolution procedure creates a glue entry representing the parent so that the new entry is not an orphan entry. Glue entries are temporary entries that include the object classes glue.

> aci: (target="ldap:///dc=example,dc=com")(targetattr!="userPassword")(targetfilter="(!(nsds5ReplConflict=*))")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare) (userdn="ldap:///anyone");)
> -
The new ACI filters out all entries that contain the nsds5ReplConflict attribute from search results. For more information on the ldapmodify command, refer to “Managing Entries From the Command Line,”...
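As an added example (not code from the Administrator’s Guide), the following Python script finds conflict entries in a constructed ldapsearch result and generates the two-step LDIF shown above for a multi-valued naming attribute; the single-valued procedure is not reproduced on this page and is left to the administrator. The entries and the nsds5ReplConflict value are constructed sample data.

```python
"""Generate the resolution LDIF for replication naming conflicts whose naming
attribute is multi-valued: first a modrdn to a temporary RDN that keeps the
old RDN value (deleteoldrdn: 0), then a modify that deletes the old RDN value
and the nsds5ReplConflict marker, as in the ldapmodify session above.
Added illustration; not Directory Server code. Nothing here contacts a server."""

from typing import Dict, List, Tuple

CONFLICT_ATTR = "nsds5ReplConflict"
UNIQUEID_ATTR = "nsuniqueid"

# Constructed sample of what a search for "(nsds5ReplConflict=*)" could return:
# the losing copy of dc=pubs carries the nsuniqueid-prefixed DN and the marker.
SAMPLE_SEARCH_OUTPUT = """\
dn: nsuniqueid=66446001-1dd211b2+dc=pubs,dc=example,dc=com
objectClass: top
objectClass: domain
dc: pubs
nsds5ReplConflict: namingConflict dc=pubs,dc=example,dc=com

dn: dc=pubs,dc=example,dc=com
objectClass: top
objectClass: domain
dc: pubs
"""

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse plain (unfolded, unencoded) LDIF records into (dn, attrs) tuples."""
    entries: List[Entry] = []
    dn, attrs = "", {}
    for line in text.splitlines() + [""]:
        if not line.strip():                 # a blank line ends a record
            if dn:
                entries.append((dn, attrs))
            dn, attrs = "", {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def find_conflicts(entries: List[Entry]) -> List[Entry]:
    """Entries that carry the conflict marker attribute (case-insensitive)."""
    return [e for e in entries
            if any(a.lower() == CONFLICT_ATTR.lower() for a in e[1])]


def split_conflict_dn(dn: str) -> Tuple[str, str, str]:
    """Split 'nsuniqueid=<id>+<attr>=<value>,<parent>' into (attr, value, parent).
    Raises ValueError for a DN that is not a replication conflict DN."""
    rdn, _, parent = dn.partition(",")
    parts = [c.split("=", 1) for c in rdn.split("+")]
    if len(parts) != 2 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a replication conflict DN: {dn}")
    naming = [(a, v) for a, v in parts if a.lower() != UNIQUEID_ATTR]
    if len(naming) != 1:
        raise ValueError(f"no nsuniqueid component in: {dn}")
    attr, value = naming[0]
    return attr, value, parent


def is_conflict_dn(dn: str) -> bool:
    try:
        split_conflict_dn(dn)
        return True
    except ValueError:
        return False


def resolution_ldif(dn: str, temp_rdn: str = "cn=TempValue") -> str:
    """Two LDIF records: rename the conflict entry to temp_rdn (keeping the old
    RDN value), then strip that value and the marker. Assumes the naming
    attribute is multi-valued; temp_rdn must be unique under the parent, and
    the entry still needs its final rename afterwards."""
    attr, value, parent = split_conflict_dn(dn)
    step1 = (f"dn: {dn}\nchangetype: modrdn\n"
             f"newrdn: {temp_rdn}\ndeleteoldrdn: 0\n")
    step2 = (f"dn: {temp_rdn},{parent}\nchangetype: modify\n"
             f"delete: {attr}\n{attr}: {value}\n-\n"
             f"delete: {CONFLICT_ATTR}\n-\n")
    return step1 + "\n" + step2


def resolve_all(search_output: str) -> List[str]:
    """One resolution LDIF per conflict entry found in the search output."""
    return [resolution_ldif(dn)
            for dn, _ in find_conflicts(parse_ldif(search_output))]


if __name__ == "__main__":
    print("\n".join(resolve_all(SAMPLE_SEARCH_OUTPUT)))
```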
Chapter 9 Extending the Directory Schema
Netscape Directory Server (Directory Server) comes with a standard schema that includes hundreds of object classes and attributes. While the standard object classes and attributes should meet most of your requirements, you may need to extend your schema by creating new object classes and attributes.

Managing Attributes
To extend the directory schema, you should proceed in the following order: Create new attributes. See “Creating Attributes,” on page 331 for information. Create an object class to contain the new attributes and add the attributes to the object class.

Table 9-1 Attributes Tab Reference (Continued), Field or Pane / Description:
The object identifier of the attribute. An OID is a string, usually of dotted decimal numbers, that uniquely identifies an object, such as an object class or an attribute. If you do not specify an OID, the Directory Server automatically uses attribute_name-oid.

Click Create. The Create Attribute dialog box is displayed. Enter a unique name for the attribute in the Attribute Name text box. Enter an object identifier for the attribute in the Attribute OID (Optional) text box. OIDs are described in Table 9-1 on page 330. Select a syntax that describes the data to be held by the attribute from the Syntax drop-down menu.

To make the attribute multivalued, select the Multi-Valued checkbox. The Directory Server allows more than one instance of a multivalued attribute per entry. When you have finished editing the attribute, click OK.

Deleting Attributes
You can delete only attributes that you have created. You cannot delete standard attributes.

Managing Object Classes

Viewing Object Classes
To view information about all object classes that currently exist in your directory schema: On the Directory Server Console, select the Configuration tab. In the navigation tree, select the Schema folder and then select the Object Classes tab in the right pane.

Table 9-2 Object Classes Tab Reference (Continued)
Field or Pane        Description
Allowed Attributes   Contains a list of attributes that may be present in entries that use this object class. Includes inherited attributes.

Creating Object Classes
You create an object class by giving it a unique name, selecting a parent object for the new object class, and adding required and optional attributes.

To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list and then click the corresponding Remove button. You cannot remove either allowed or required attributes that are inherited from the parent object classes.

To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list and then click the corresponding Remove button. You cannot remove either allowed or required inherited attributes. When you are satisfied with the object class definition, click OK to dismiss the dialog box.

Turning Schema Checking On and Off
Highlight the server icon at the top of the navigation tree, then select the Settings tab in the right pane. To enable schema checking, check the “Enable Schema Checking” checkbox; clear it to turn off schema checking. Click Save.
Chapter 10 Managing Indexes
The Netscape Directory Server Deployment Guide introduced the concept of indexing, its costs and benefits, and the different types of index shipped with Netscape Directory Server (Directory Server). This chapter begins with a description of the searching algorithm itself, so as to place the indexing mechanism in context, and then describes how to create, delete, and manage indexes.

About Indexes

About Index Types
Indexes are stored in files in the directory’s databases. The names of the files are based on the indexed attribute, not the type of index contained in the file. Each index file may contain multiple types of indexes if multiple indexes are maintained for the specific attribute.

NOTE Substring indexes are limited to a minimum of three characters for each entry.
• International index—The international index speeds up searches for information in international directories. The process for creating an international index is similar to the process for creating regular indexes, except that you apply a matching rule by associating a locale (OID) with the attributes to be indexed.

Table 10-1 Default indexes (Continued)
Attribute   Purpose
mail        Improves the performance of the most common types of user directory searches.
mailHost    Used by the Netscape Messaging Server.
member      Improves Netscape server performance. This index is also used by the referential integrity plug-in.

Table 10-2 System indexes (Continued)
Attribute     Purpose
dnComp        Used to help accelerate subtree searches in the directory.
objectClass   Used to help accelerate subtree searches in the directory.
entryDN       Speeds up entry retrieval based on DN searches.
parentID      Enhances directory performance during one-level searches.

The directory examines the incoming request to make sure that the specified base DN matches a suffix contained by one or more of its databases or database links. If they match, the directory processes the request. If they do not match, the directory returns an error to the client indicating that the suffix does not match.

See the Netscape Directory Server Configuration, Command, and File Reference for further information about these attributes. In addition, the directory uses a variation of the metaphone phonetic algorithm to perform searches on an approximate index. Each value is treated as a sequence of words, and a phonetic code is generated for each word.

Balancing the Benefits of Indexing
Before you create new indexes, balance the benefits of maintaining indexes against the costs. Keep in mind that:
• Approximate indexes are not efficient for attributes commonly containing numbers, such as telephone numbers.
•...

ou: Manufacturing
ou: people
telephonenumber: 408 555 8834
description: Manufacturing lead for the Z238 line.
Further suppose that the directory server is maintaining the following indexes:
• Equality, approximate, and substring indexes for common name and surname attributes
•...
Creating Indexes
This section describes how to create presence, equality, approximate, substring, and international indexes for specific attributes using the Directory Server Console and the command line.

NOTE Given that this version of Directory Server can operate in either a single- or multi-database environment, you need to remember to create your new indexes in every database instance, since newly created indexes are not automatically created in the other...

Expand the Data node, then expand the suffix of the database you want to index and select the database. Select the Indexes tab in the right pane.

NOTE Do not click on the Database Settings node, because this will take you to the Default Index Settings window and not the window for configuring indexes per database.

Creating indexes from the command line involves two steps:
• Using the ldapmodify command-line utility to add a new index entry or edit an existing index entry.
• Running the db2index.pl perl script to generate the new set of indexes to be maintained by the server.

First, type the following to change to the directory containing the ldapmodify utility:
cd /usr/netscape/servers/shared/bin
Run the ldapmodify command-line utility as follows:
ldapmodify -a -h server -p 389 -D "cn=directory manager" -w password
The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file.

dn: cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: sn
nsSystemIndex: false
nsIndexType: none
For a complete list of collation orders and their OIDs, refer to Appendix D, “Internationalization.” For more information about the index configuration attributes, see the Netscape Directory Server Configuration, Command, and File Reference. For more information about the ldapmodify command-line utility, refer to the...

CAUTION You need to run the script from the following directory on NT machines: ..\bin\slapd\admin\bin\perl. This path appears in the example.
UNIX shell script:
db2index.pl -D "cn=Directory Manager" -w password -n ExampleServer -t sn
The following table describes the db2index.pl options used in the examples:
Option Name...

The Create Browsing Index dialog box appears, displaying the status of the index creation. You can click on the Status Logs box to view the status of the indexes created. Click Close to close the Create Browsing Index dialog box. The new index is immediately active for any new data that you add to your directory.

NOTE You can only create browsing indexes in ldbm databases.
For example, you want to create a browsing index to accelerate an ldapsearch on the entry "dc=example,dc=com" held in the database Example1, where the search base is "dc=example,dc=com", the search filter is...

The second entry you add specifies the sorting order you want for the returned attributes:
dn: cn=sort_cn_givenname_o_ou_sn,cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvIndex
cn: cn=sort_cn_givenname_o_ou_sn
vlvsort: cn givenname o ou sn
The cn contains the browsing index sort identifier. We recommend you use a sort identifier which clearly identifies the search sorting order for the browsing index you create, such as the explicit sort identifier cn=sort_cn_givenname_o_ou_sn...
Windows NT batch file:
..\bin\slapd\admin\bin\perl vlvindex -n Example1 -T "dc=example,dc=com"
CAUTION You need to run the script from the following directory on NT machines: ..\bin\slapd\admin\bin\perl. This path appears in the example.
UNIX shell script:
vlvindex -n Example1 -T "dc=example,dc=com"
The following table describes the vlvindex options used in the examples:...

Deleting Indexes
• Deleting Indexes From the Command Line
• Deleting Browsing Indexes From the Server Console
• Deleting Browsing Indexes From the Command Line

CAUTION You must not delete system indexes, as deleting them can significantly affect Directory Server performance. System indexes are located in the cn=index,cn=instance,cn=ldbm entry and the...

The Delete Browsing Index dialog box appears, displaying the status of the index deletion. You can click on the Status Logs button to view the status of the indexes deleted. Once the indexing is complete, click on Close to close the Delete Browsing Index box.

To run the ldapdelete command-line utility, type the following to change to the directory containing the utility:
cd /usr/netscape/servers/shared/bin
Perform the ldapdelete as follows:
ldapdelete -D "cn=Directory Manager" -w password -h ExampleServer -p 845 "cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config"
The following table describes the ldapdelete options used in the example:
Option Name...

Run the db2index.pl perl script. For more information about using the db2index.pl perl script, refer to the Netscape Directory Server Configuration, Command, and File Reference. Two examples of generating the new set of indexes to be maintained by the server using db2index.pl follow:...

Select the entry from which you want to delete the index in the navigation tree, for example, People, and select Delete Browsing Index from the Object menu. You can also select and right-click the entry for which you want to delete the index in the navigation tree and choose Delete Browsing Index from the pop-up menu.

To delete this browsing index, you need to delete the two corresponding browsing index entries, which follow:
dn: cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
cn: "dc=example,dc=com"
vlvbase: "dc=example,dc=com"
vlvscope: one
vlvfilter: (|(objectclass=*)(objectclass=ldapsubentry))

dn: cn=sort_cn_givenname_o_ou_sn,cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvIndex
cn: cn=sort_cn_givenname_o_ou_sn
vlvsort: cn givenname o ou sn
To run the ldapdelete command-line utility, type the following to change to the directory containing the utility:...

For full information on ldapdelete options, refer to the Netscape Directory Server Configuration, Command, and File Reference. Once you have deleted these two browsing index entries, the browsing index for accelerating ldapsearch operations on the entry "dc=example,dc=com" held in the...
Option Name   Description
-n            Name of the database containing the entries to index.
-T            Browsing index identifier to use to create browsing indexes.
For more information about the vlvindex script, see the Netscape Directory Server Configuration, Command, and File Reference.

Managing Indexes
Each index that the directory uses is composed of a table of index keys and matching entry ID lists.

• Does not have to load unnecessarily large entry ID lists into memory in response to search requests that result in all directory entries anyway, thus increasing search performance by reducing large disk reads
• Does not require large amounts of RAM to hold in memory unnecessarily large entry ID lists

Drawbacks of the All IDs Mechanism
Performance problems can occur if the All IDs threshold is set either too low (this is...

When the All IDs Threshold is Too High
Setting the All IDs Threshold too high can also cause performance problems. An excessively high All IDs Threshold results in large entry ID lists that must be maintained and loaded into memory when servicing search requests. An excessively high All IDs Threshold can eliminate all of the benefits of the All IDs mechanism (see “Benefits of the All IDs Mechanism,”...

If you expect your directory to grow considerably in the future, you can do one of the following:
• Set the All IDs Threshold to the current best value (2,500), and plan on rebuilding your database when your directory becomes large enough to warrant it.

Default All IDs Threshold Value
By default, the directory server is set to an All IDs Threshold of 4000. This value is suitable for a database of up to 80,000 entries. If you expect your databases to be larger than 80,000 entries, we recommend that you change your All IDs Threshold to a large value before populating your databases.

The presence of the notes=U flag indicates that the All IDs Threshold has been reached for the attribute index.

Changing the All IDs Threshold Value
To change the All IDs Threshold value for your server: Shut down your Directory Server. Export all of your directory databases to LDIF using the command line.
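To make the trade-off concrete, here is an added toy model (not Directory Server code; the entries are constructed) of an equality index with an All IDs threshold: it shows a key collapsing to the All IDs marker, the full scan that results and that the server would report with notes=U, and the size of the ID list a higher threshold keeps in memory instead.

```python
"""Toy model of the All IDs mechanism described above. An equality index maps
each key to an entry ID list; once a list grows past the All IDs threshold the
key is replaced by an ALLIDS marker, and a search on that key has to evaluate
the filter against every entry (what the access log reports as notes=U).
Added illustration, not Directory Server code; the entries are constructed."""

from typing import Dict, Optional, Set, Tuple

ALLIDS = None  # marker: "every entry may match, consult the entries themselves"


class EqualityIndex:
    """Index keys -> entry ID sets, collapsing to ALLIDS past the threshold."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.keys: Dict[str, Optional[Set[int]]] = {}

    def add(self, key: str, entry_id: int) -> None:
        key = key.lower()                       # case-insensitive equality match
        if key in self.keys and self.keys[key] is ALLIDS:
            return                              # nothing left to maintain
        ids = self.keys.setdefault(key, set())
        ids.add(entry_id)
        if len(ids) > self.threshold:
            self.keys[key] = ALLIDS             # drop the list, keep the marker

    def lookup(self, key: str) -> Optional[Set[int]]:
        """Candidate IDs for the key; empty set if unseen, ALLIDS if collapsed."""
        return self.keys.get(key.lower(), set())

    def largest_list(self) -> int:
        """Memory-cost proxy: the longest ID list still being maintained."""
        return max((len(v) for v in self.keys.values() if v is not ALLIDS),
                   default=0)


class Directory:
    """Entries plus one equality index per attribute."""

    def __init__(self, threshold: int) -> None:
        self.entries: Dict[int, Dict[str, str]] = {}
        self.indexes: Dict[str, EqualityIndex] = {}
        self.threshold = threshold

    def add_entry(self, entry_id: int, attrs: Dict[str, str]) -> None:
        self.entries[entry_id] = attrs
        for attr, value in attrs.items():
            index = self.indexes.setdefault(attr, EqualityIndex(self.threshold))
            index.add(value, entry_id)

    def search(self, attr: str, value: str) -> Tuple[Set[int], int, bool]:
        """Return (matching IDs, entries examined, unindexed). unindexed=True
        is the situation the server flags with notes=U."""
        candidates = (self.indexes[attr].lookup(value)
                      if attr in self.indexes else set())
        unindexed = candidates is ALLIDS
        if unindexed:
            candidates = set(self.entries)      # fall back to a full scan
        matches = {i for i in candidates
                   if self.entries[i].get(attr, "").lower() == value.lower()}
        return matches, len(candidates), unindexed


def build_sample(threshold: int) -> Directory:
    """Constructed data: 8 people in ou=People, 2 in ou=Manufacturing."""
    d = Directory(threshold)
    for i in range(1, 9):
        d.add_entry(i, {"uid": f"user{i}", "ou": "People"})
    for i in (9, 10):
        d.add_entry(i, {"uid": f"user{i}", "ou": "Manufacturing"})
    return d


if __name__ == "__main__":
    for t in (5, 100):                          # threshold too low vs. generous
        d = build_sample(t)
        for key in ("People", "Manufacturing"):
            m, examined, u = d.search("ou", key)
            print(f"threshold={t:<3} ou={key:<13} hits={len(m)} "
                  f"examined={examined} notes={'U' if u else '-'}")
        print(f"threshold={t:<3} largest id list kept="
              f"{d.indexes['ou'].largest_list()}")
```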
Set your database cache size using the nsslapd-dbcachesize attribute. For more information, see the nsslapd-dbcachesize attribute in the Netscape Directory Server Configuration, Command, and File Reference.

Attribute Name Quick Reference Table
The following table lists all attributes which have a primary or real name as well as an alias.
Chapter 11 Managing SSL
To provide secure communications over the network, Netscape Directory Server (Directory Server) includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of the Secure Sockets Layer (SSL). This chapter describes how to use SSL with your Directory Server in the following sections:
•...

Introduction to SSL in the Directory Server
Using SSL with simple authentication guarantees confidentiality and data integrity. The benefits of using a certificate to authenticate to the Directory Server instead of a bind DN and password include:
• Improved efficiency—When you are using applications that prompt you once for your certificate database password, and then use that certificate for all subsequent bind or authentication operations, it is more efficient than continuously providing a bind DN and password.

For a complete description of SSL, internet security, and certificates, see Managing Servers with Netscape Console.

Obtaining and Installing Server Certificates
This section describes the process of creating a certificate database, obtaining and installing a certificate for use with your Directory Server, and configuring Directory Server to trust the certification authority’s (CA) certificate.

Enter the Requestor Information in the blank text fields, then click Next. Enter the following information: Server Name. Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups, for example, dir.example.com. Organization.
Send the email message to the CA. Once you have emailed your request, you must wait for the CA to respond with your certificate.
Check that the certificate information displayed is correct, and click Next. Specify a name for the certificate, and click Next. Verify the certificate by providing the password that protects the private key. This password is the same as the one you provided in “Step 1: Generate a Certificate Request,”...
Activating SSL Check that the certificate information that is displayed is correct, and click Next. Specify a name for the certificate, and click Next. Select the purpose of trusting this Certificate Authority (you can select both): Accepting connections from clients (Client Authentication). The server checks that the client’s certificate has been issued by a trusted Certificate Authority.
Activating SSL Before you can activate SSL, you must create a certificate database, obtain and install a server certificate and trust the CA’s certificate as described in “Obtaining and Installing Server Certificates,” on page 375. To activate SSL communications: Set the secure port you want the server to use for SSL communications. See “Changing Directory Server Port Numbers,”...
Setting Security Preferences NOTE If you are using certificate-based authentication with replication, then you must configure the consumer server to either allow or require client authentication. If you want Netscape Console to use SSL during communications with Directory Server, select Use SSL in Netscape Console. Click Save.
Setting Security Preferences • FIPS Triple DES with 168-bit encryption and SHA message authentication. This cipher meets the FIPS 140-1 US government standard for implementations of cryptographic modules. To select the ciphers you want the server to use: Make sure SSL is enabled for your server. For information, see “Activating SSL,”...
Using Certificate-Based Authentication Using Certificate-Based Authentication Directory Server allows you to use certificate-based authentication for the command-line tools (which are LDAP clients) and for replication communications. Certificate-based authentication can occur between: • An LDAP client connecting to the Directory Server •...
Configuring LDAP Clients to Use SSL Allowing/Requiring Client Authentication If you have configured Netscape Console to connect to your Directory Server using SSL and your Directory Server requires client authentication, you can no longer use Netscape Console to manage any of your Netscape servers. You will have to use the appropriate command-line utilities instead.
Configuring LDAP Clients to Use SSL The following procedure describes how to use Netscape Communicator 4.7 to perform these tasks. To create a certificate, it is sufficient to start Netscape Communicator 4.7. If it does not already exist, the certificate database will be created. Use Communicator to connect to your Certificate Authority.
Configuring LDAP Clients to Use SSL
MQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Ymxp Y2F0aW9uczEWMBQGA1UEAxMNZHVgh49dq2itLmNvbTBaMA0GCSqGSIb3DQEBAQUA A0kAMEYCQQCksMR/aLGdfp4m0OiGcgijG5KgOsyRNvwGYW7kfW+8m -----END CERTIFICATE-----
You must convert the client certificate into binary format using the certutil utility. To do this: Download the certutil utility from http://www.mozilla.org/projects/security/pki/nss/tools/. Run it as follows:
certutil -L -d cert7.db_path -n user_cert_name -r > user_cert.bin
Configuring LDAP Clients to Use SSL Click Set Value. A file selector is displayed. Use it to select the binary file you created in Step 6. For information on using the Directory Server Console to edit entries, refer to “Modifying Directory Entries,” on page 45. You can now use SSL with your LDAP clients.
Chapter 12 Monitoring Server and Database Activity This chapter describes monitoring database and Netscape Directory Server (Directory Server) logs. This chapter contains the following sections: • Viewing and Configuring Log Files (page 389) • Manual Log File Rotation (page 396) •...
Viewing and Configuring Log Files The following sections describe how to define your log file creation and deletion policy, and how to view and configure each type of log. Defining a Log File Rotation Policy If you want the directory to periodically archive the current log and start a new one, you can define a log file rotation policy from Directory Server Console.
Viewing and Configuring Log Files You can configure the following parameters: • The maximum size of the combined archived logs. When the maximum size is reached, the oldest archived log is automatically deleted. If you don’t want to in this field. The default is MB.
Viewing and Configuring Log Files Configuring the Access Log You can configure a number of settings to customize the access log, including where the directory stores the access log and the creation and deletion policies. You can also disable access logging for the directory. You may do this because the access log can grow very quickly (every 2,000 accesses to your directory will increase your access log by approximately 1 MB).
Viewing and Configuring Log Files This section contains the following procedures: • Viewing the Error Log • Configuring the Error Log Viewing the Error Log To view the error log: On the Directory Server Console, select the Status tab, then in the navigation tree, expand the Logs folder and select the Error Log icon.
Viewing and Configuring Log Files Set the maximum number of logs, log size, and periodicity of archiving. For information on these parameters, see “Defining a Log File Rotation Policy,” on page 390. Set the maximum size of combined archived logs, minimum amount of free disk space, and maximum age for a log file.
Viewing and Configuring Log Files To view an archived audit log, select it from the Select Log pull-down menu. To display a different number of messages, enter the number you want to view in the “Lines to show” text box and click Refresh. You can display messages containing a string you specify.
Manual Log File Rotation Manual Log File Rotation The directory server supports automatic log file rotation for all three logs. However, you can manually rotate log files if you have not set automatic log file creation or deletion policies. By default, access, error, and audit log files can be found in the following location: /usr/netscape/servers/slapd-serverID/logs/ To manually rotate log files:...
Monitoring Server Activity Viewing the Server Performance Monitor To monitor your server’s activities using Directory Server Console: On the Directory Server Console, select the Status tab. In the navigation tree, select Performance Counters. The Status tab in the right pane displays current information about server activity.
Monitoring Server Activity Database generation number. Possibly obsolete: A unique identifier that is created only when you create your directory database without a machine data entry in the LDIF file. Current change log number. This is the number corresponding to the last change made to your directory.
Monitoring Server Activity Table 12-2 Server Performance Monitoring - Current Resource Usage Table Resource Current total Active Threads Current number of active threads used for handling requests. Additional threads may be created by internal server tasks, such as replication or chaining.
Monitoring Server Activity Server Performance Monitoring - Connection Status Table (Continued) Table 12-3 Table Header Description Started Indicates the number of operations initiated by this connection. Completed Indicates the number of operations completed by the server for this connection. Bound as Indicates the distinguished name used by the client to bind to the server.
Monitoring Server Activity Server Performance Monitoring - Global Database Cache Table (Continued) Table 12-4 Table Header Description Read-write page evicts Indicates the number of read-write pages discarded from the cache to make room for new pages. This value differs from Pages Written Out in that these are discarded read-write pages that have not been modified.
Monitoring Server Activity
• opsinitiated—The number of operations initiated by this connection.
• opscompleted—The number of operations completed.
• binddn—The distinguished name used by this connection to connect to the directory.
• A final field that is shown only if the connection is blocked for read or write.
By default, this information is available to you only if you bind to the directory as the Directory Manager.
Monitoring Database Activity
• concurrency: Solaris 2.x only. Indicates the current level of thread concurrency.
• backendmonitordn: Identifies the DN of each directory database.
Monitoring Database Activity
You can monitor your database’s current activities from Directory Server Console or from the command line.
Monitoring Database Activity • Summary Information Table • Database Cache Information Table • Database File-Specific Table General Information (Database) The directory provides the following general database information: • Database—Identifies the type of database that you are monitoring. • Configuration DN—Identifies the distinguished name that you must use as a search base to obtain these results using the command-line utility.
Monitoring Database Activity Database Performance Monitoring - Summary Information (Continued) Table 12-5 Performance Metric Current Total Maximum entry cache Indicates the size of the entry cache maintained by the directory. This value is size (in bytes) managed by the “Maximum Cache Size” attribute. See “Tuning Database Performance,”...
Monitoring Database Activity Database Performance Monitoring - Database Cache Information (Continued) Table 12-6 Performance Metric Current Total Read-only page evicts Indicates the number of read-only pages discarded from the cache to make room for new pages. Read-write page evicts Indicates the number of read-write pages discarded from the cache to make room for new pages.
Monitoring Database Activity
ldapsearch -h directory.example.com -s base -b "cn=monitor,cn=Example,cn=ldbm database,cn=plugins,cn=config" "objectclass=*"
In this example, the ldapsearch operation looks for the Example database. For information on searching the directory, see “Using ldapsearch,” on page 502. When you monitor your server’s activities, you see the following information: •...
Monitoring Database Link Activity
Next the following information for each file that makes up your database is displayed:
• dbfilename-number: Indicates the name of the file. number provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier.
Monitoring Database Link Activity
Table 12-8 Database Link Monitoring Attributes
Attribute Name: Description
nsAddCount: Number of add operations received.
nsDeleteCount: Number of delete operations received.
nsModifyCount: Number of modify operations received.
nsRenameCount: Number of rename operations received.
nsSearchBaseCount: Number of base level searches received.
Number of one-level searches received.
Chapter 13 Monitoring Directory Server Using SNMP
The server and database activity monitoring described in Chapter 12, “Monitoring Server and Database Activity,” is specific to Netscape Directory Server (Directory Server). You can also monitor your Directory Server using the Simple Network Management Protocol (SNMP), a management protocol for monitoring network activity that can be used to monitor a wide range of devices in real time.
About SNMP About SNMP SNMP is a protocol used to exchange data about network activity. With SNMP, data travels between a managed device and a network management station (NMS) where users remotely manage the network. A managed device is anything that runs SNMP, such as hosts, routers, and your Directory Server.
About SNMP • Managed Device-Initiated Communication NMS-Initiated Communication NMS-initiated communication is the most common type of communication between an NMS and a managed device. In this type of communication, the NMS either requests information from the managed device or changes the value of a variable stored on the managed device.
Overview of the Directory Server Management Information Base
Each Netscape server has its own MIB. The Directory Server’s MIB is a file called netscape-ldap.mib. This MIB contains definitions for variables pertaining to network management for the directory.
Overview of the Directory Server Management Information Base Table 13-1 Operations Table Managed Objects and Descriptions Managed Object Description dsAnonymousBinds The number of anonymous binds to the directory since server startup. dsUnauthBinds The number of unauthenticated binds to the directory since server startup. dsSimpleAuthBinds The number of binds to the directory that were established using a simple authentication method (such as password protection) since server startup.
Overview of the Directory Server Management Information Base Operations Table Managed Objects and Descriptions (Continued) Table 13-1 Managed Object Description dsReferrals The number of referrals returned by this directory in response to client requests since server startup. dsSecurityErrors The number of operations forwarded to this directory that did not meet security requirements.
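The managed objects in Table 13-1 are cumulative counts since server startup, so a monitor that polls them has to reason about differences between polls and has to notice a restart (all counters drop). The following is an added example of that logic, not code from the Administrator's Guide or the Netscape SNMP subagent; the poll values are constructed, and the thresholds are illustrative.

```python
"""Interval analysis of Directory Server SNMP operations-table counters.

Added example, not code from the Administrator's Guide. The managed objects
in Table 13-1 are cumulative counts since server startup, so a monitor must
work on the difference between two polls and must notice when the counters
go backwards (the server restarted and the interval cannot be trusted).
The polls below are constructed sample data, not output from a real NMS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

COUNTERS = ("dsAnonymousBinds", "dsUnauthBinds", "dsSimpleAuthBinds",
            "dsReferrals", "dsSecurityErrors")


@dataclass
class Poll:
    t: int                   # poll time, seconds since epoch
    values: Dict[str, int]   # managed object name -> value read from the agent


def delta(prev: Poll, curr: Poll) -> Optional[Dict[str, int]]:
    """Per-counter increments between two polls, or None when any counter
    decreased, which means the server restarted between the polls."""
    if any(curr.values[c] < prev.values[c] for c in COUNTERS):
        return None
    return {c: curr.values[c] - prev.values[c] for c in COUNTERS}


def find_alerts(polls: List[Poll], max_security_errors: int = 50,
                max_anon_fraction: float = 0.5) -> List[str]:
    """Walk consecutive polls; report intervals with too many security
    errors or where anonymous binds dominate all binds."""
    alerts: List[str] = []
    for prev, curr in zip(polls, polls[1:]):
        d = delta(prev, curr)
        if d is None:
            alerts.append(f"{curr.t}: counters reset (server restarted), interval skipped")
            continue
        secs = curr.t - prev.t
        if d["dsSecurityErrors"] >= max_security_errors:
            alerts.append(f"{curr.t}: {d['dsSecurityErrors']} security errors in {secs}s")
        binds = d["dsAnonymousBinds"] + d["dsUnauthBinds"] + d["dsSimpleAuthBinds"]
        if binds and d["dsAnonymousBinds"] / binds > max_anon_fraction:
            alerts.append(f"{curr.t}: anonymous binds {d['dsAnonymousBinds']}/{binds} in {secs}s")
    return alerts


def _poll(t, anon, unauth, simple, ref, sec) -> Poll:
    return Poll(t, dict(zip(COUNTERS, (anon, unauth, simple, ref, sec))))


# Constructed polls, 60 s apart: a quiet minute, a burst of security errors,
# a restart (all counters drop), then a minute dominated by anonymous binds.
SAMPLE_POLLS = [
    _poll(0,   100, 10, 500, 5, 3),
    _poll(60,  110, 10, 520, 5, 4),
    _poll(120, 115, 10, 530, 5, 80),
    _poll(180, 2,   0,  4,   0, 0),
    _poll(240, 60,  0,  10,  0, 0),
]


def sample_alerts() -> List[str]:
    return find_alerts(SAMPLE_POLLS)


if __name__ == "__main__":
    for line in sample_alerts():
        print(line)
```

Feed `find_alerts()` the values an NMS reads from the subagent at each poll; the restart case matters because a naive subtraction would otherwise produce a large negative "rate" or, worse, silently mask a burst that happened just before the restart.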
Setting Up SNMP
The steps for configuring SNMP monitoring for your directory depend on whether you run your directory on Windows NT, UNIX or AIX. This section contains the following procedures: • Setting Up SNMP on Windows NT •...
Setting Up SNMP On AIX machines, configure the AIX SNMP Daemon. See “Configuring the AIX SNMP Daemon,” on page 418 for information. Enable the directory subagent. See “Configuring SNMP for the Directory Server,” on page 420 for information. Start the directory subagent. See “Starting and Stopping the SNMP Subagent on UNIX,”...
Starting and Stopping the SNMP Subagent on UNIX Starting and Stopping the SNMP Subagent on UNIX To start, stop, and restart the SNMP subagent for a directory running on UNIX: On the Directory Server Console, select the Configuration tab and then select the top most entry in the navigation tree in the left pane.
Configuring SNMP for the Directory Server NOTE If you add another server instance and you want the instance to be part of the SNMP network, you must restart the subagent. Configuring SNMP for the Directory Server To configure SNMP settings from the Directory Server Console: Make sure the Directory Server is running.
Chapter 14 Tuning Directory Server Performance This chapter describes the tools provided with Netscape Directory Server (Directory Server) to help optimize performance. It also provides tips to improve the performance of your directory. This chapter contains the following sections: • Tuning Server Performance (page 421) •...
Tuning Database Performance To configure Directory Server to optimize performance: On the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane. The tabs that are displayed in the right pane control server-wide configuration attributes.
Tuning Database Performance • Changing the Database Checkpoint Interval • Disabling Durable Transactions • Specifying Transaction Batching Optimizing Search Performance You can improve server performance on searches by tuning database settings. The database attributes that affect performance mainly define the amount of memory available to the server.
Tuning Database Performance
• The attributes of each database that you use to store directory data, including the NetscapeRoot database that holds the server configuration data. On these databases, you can change the following attributes to improve performance:
The maximum number of entries you want the server to keep in memory (maximum entries in cache attribute)
The amount of memory you want to make available for cached entries (memory available for cache attribute)
Tuning Database Performance Enter the amount of memory you want to make available for cached entries in the Memory Available for Cache field. If you are creating a very large database from LDIF, set this attribute as large as possible, depending on the memory available on your machine. The larger this parameter, the faster your database will be created.
Tuning Database Performance
Changing the Location of the Database Transaction Log
By default, the database transaction log file is stored in the /usr/netscape/servers/slapd-serverID/db directory along with the database files themselves. Because the purpose of the transaction log is to aid in the recovery of a directory database that was shut down abnormally, it is a good idea to store the database transaction log on a different disk from the one containing the directory database.
Tuning Database Performance databases after a disorderly shutdown and require more disk space due to large database transaction log files. Therefore, you should only modify only this attribute if you are familiar with database optimization and can fully assess the effect of the change.
Miscellaneous Tuning Tips
Use the ldapmodify command-line utility to add the nsslapd-db-durable-transactions attribute to the cn=config,cn=ldbm database,cn=plugins,cn=config entry, and set the value of this attribute to off. For information on the syntax of the nsslapd-db-durable-transactions attribute, see the Netscape Directory Server Configuration, Command, and File Reference.
Miscellaneous Tuning Tips
Avoid Creating Entries Under the cn=config Entry in the dse.ldif File
The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, and particularly entries that are likely to be updated frequently, are stored under cn=config, performance will probably suffer.
Chapter 15 Administering Directory Server Plug-Ins Netscape Directory Server (Directory Server) plug-ins extend the functionality of the server. Directory Server ships with several plug-ins to help you manage your directory. This chapter contains general information on the types of plug-ins available, and how to enable or disable them.
Server Plug-in Functionality Reference
Table 15-1 Details of 7-Bit Check Plug-In (Continued)
Plug-in Name: 7-bit check (NS7bitAtt)
Configurable Options: on | off
Configurable Arguments: list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur
Dependencies: None
Server Plug-in Functionality Reference
Boolean Syntax Plug-In
Table 15-5 Details of Boolean Syntax Plug-In
Plug-in Name: Boolean Syntax
DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config
Description: Syntax for handling booleans
Configurable Options: on | off
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in.
Server Plug-in Functionality Reference
Case Ignore String Syntax Plug-In
Table 15-7 Details of Case Ignore String Syntax Plug-In
Plug-in Name: Case Ignore String Syntax
DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config
Description: Syntax for handling case-insensitive strings
Configurable Options: on | off
Configurable Arguments: None...
Server Plug-in Functionality Reference
Class of Service Plug-In
Table 15-9 Details of Class of Service Plug-In
Plug-in Name: Class of Service
DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config
Description: Allows for sharing of attributes between entries
Configurable Options: on | off
Configurable Arguments: None...
Server Plug-in Functionality Reference
Distinguished Name Syntax Plug-In
Table 15-11 Details of Distinguished Name Syntax Plug-In
Plug-in Name: Distinguished Name Syntax
DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config
Description: Syntax for handling DNs
Configurable Options: on | off
Configurable Arguments: None...
Server Plug-in Functionality Reference
Table 15-12 Details of Generalized Time Syntax Plug-In (Continued)
Plug-in Name: Generalized Time Syntax
Further Information: The Generalized Time String consists of the following: four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication.
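A parser for the layout the table describes, as an added example (not code from the Administrator's Guide or the syntax plug-in itself). It takes the time zone indication to be either Z or a +hhmm/-hhmm offset, which is an assumption about the page's "time zone indication"; the sample values are constructed. Parsing the instant rather than comparing raw strings is what keeps expiry and lockout checks correct when values were written with different offsets.

```python
"""Parse the Generalized Time syntax described in Table 15-12.

Added example, not code from the Administrator's Guide. It accepts the
layout the table gives: four-digit year, two-digit month, day, hour, minute
and second, an optional decimal fraction of a second, and a time zone
indication, taken here as either Z (UTC) or a +hhmm/-hhmm offset (an
assumption). The sample values in the tests are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

_GENERALIZED_TIME = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})"
    r"(?P<hour>\d{2})(?P<minute>\d{2})(?P<second>\d{2})"
    r"(?:[.,](?P<frac>\d+))?"
    r"(?P<tz>Z|[+-]\d{4})$"
)


def parse_generalized_time(value: str) -> datetime:
    """Return an aware datetime, or raise ValueError for anything that does
    not match the syntax (including impossible dates such as month 13)."""
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"not a Generalized Time value: {value!r}")
    frac = m.group("frac") or ""
    micros = int((frac + "000000")[:6]) if frac else 0   # ".5" -> 500000
    tz = m.group("tz")
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    return datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                    int(m["hour"]), int(m["minute"]), int(m["second"]),
                    micros, tzinfo)


def is_generalized_time(value: str) -> bool:
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def to_utc(value: str) -> str:
    """Normalise a value to the Z form so values written with different
    offsets can be compared as strings."""
    return parse_generalized_time(value).astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def is_past(value: str, now: str) -> bool:
    """True when value is at or before now; both are Generalized Time strings.
    Comparing the parsed instants rather than the raw strings is what makes
    an expiry check correct across time zones."""
    return parse_generalized_time(value) <= parse_generalized_time(now)
```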
Server Plug-in Functionality Reference
Table 15-14 Details of Internationalization Plug-In (Continued)
Plug-in Name: Internationalization Plugin
Configurable Options: on | off
Configurable Arguments: The Internationalization plug-in has one argument, which must not be modified: /usr/netscape/servers/slapd-serverID/config/slapd-collations.conf. This file stores the collation orders and locales used by the internationalization plug-in.
Server Plug-in Functionality Reference
Legacy Replication Plug-In
Table 15-16 Details of Legacy Replication Plug-In
Plug-in Name: Legacy Replication plug-in
DN of Configuration Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config
Description: Enables Netscape Directory Server 6.0 to be a consumer of a 4.1 supplier
Configurable Options: on | off...
Server Plug-in Functionality Reference
Table 15-21 Details of NS-MTA-MD5 Password Storage Plug-In (Continued)
Plug-in Name: NS-MTA-MD5
Further Information: You cannot choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is present in Netscape Directory Server 6.0 but only for reasons of backward compatibility with earlier versions of Directory Server.
Server Plug-in Functionality Reference
Table 15-23 Details of SSHA Password Storage Plug-In (Continued)
Plug-in Name: SSHA
Configurable Options: on | off
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Server Plug-in Functionality Reference
PTA Plug-In
Table 15-25 Details of PTA Plug-In
Plug-in Name: Pass-Through Authentication Plugin
DN of Configuration Entry: cn=Pass Through Authentication,cn=plugins,cn=config
Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. This plug-in is not listed in Directory Server Console if you use the same server for your user directory and configuration directory.
Server Plug-in Functionality Reference
Table 15-26 Details of Referential Integrity Postoperation Plug-In (Continued)
Plug-in Name: Referential Integrity Postoperation
Configurable Arguments: When enabled, the post-operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation.
Server Plug-in Functionality Reference
Retro Change Log Plug-In
Table 15-27 Details of Retro Change Log Plug-In
Plug-in Name: Retro Changelog Plugin
DN of Configuration Entry: cn=Retro Changelog Plugin,cn=plugins,cn=config
Description: Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server.
Server Plug-in Functionality Reference
Table 15-28 Details of Roles Plug-In (Continued)
Plug-in Name: Roles Plugin
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: Chapter 5, “Advanced Entry Management.”
Telephone Syntax Plug-In
Table 15-29 Details of Telephone Syntax Plug-In
Plug-in Name: Telephone Syntax...
Server Plug-in Functionality Reference
Table 15-30 Details of UID Uniqueness Plug-In (Continued)
Plug-in Name: UID Uniqueness plug-in
Configurable Arguments: Enter the following arguments: "DN" "DN"... if you want to check for uid attribute uniqueness in all listed subtrees. However, enter the following arguments: attribute="uid"...
Enabling and Disabling Plug-Ins From the Server Console
URI Plug-in
Table 15-31 Details of URI Plug-In
Plug-in Name: URI Syntax
DN of Configuration Entry: cn=URI Syntax,cn=plugins,cn=config
Description: Syntax for handling URIs (Uniform Resource Identifiers), including URLs (Uniform Resource Locators)
Configurable Options: on | off...
Chapter 16 Using the Pass-Through Authentication Plug-In Pass-through authentication (PTA) is a mechanism by which one directory server consults another to authenticate bind requests. The PTA plug-in provides this functionality; allowing a directory server to accept simple bind operations (password based) for entries not stored in its local database. Netscape Directory Server (Directory Server) uses PTA to allow you to administer your user and configuration directories on separate instances of Directory Server.
How Directory Server Uses PTA The user directory in this example acts as the PTA directory, that is, the server that passes through bind requests to another directory server. The configuration directory acts as the authenticating directory, that is, the server that contains the entry and verifies the bind credentials of the requesting client.
PTA Plug-In Syntax
nsslapd-pluginarg0: ldap://config.example.com/ou=NetscapeRoot
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 6.0
nsslapd-pluginVendor: Netscape Communications Corporation
nsslapd-pluginDescription: pass through authentication plugin
The user directory is now configured to send all bind requests for entries whose DN contains ou=NetscapeRoot to the configuration directory config.example.com. When installation is complete, the...
PTA Plug-In Syntax Notes: • The LDAP URL (ldap|ldaps://authDS/subtree) must be separated from the optional parameters (maxconns, maxops, timeout, ldver, connlifetime) by a single space. • If you explicitly define any of the optional parameters, you must define all of them, even if you specify only the default values.
Configuring the PTA Plug-In PTA Plug-In Parameters (Continued) Table 16-1 Variable Definition maxconns Optional. The maximum number of connections the PTA directory can simultaneously open to the authenticating directory. The default is 3. See “Configuring the Optional Parameters,” on page 461 for more information. maxops Optional.
Configuring the PTA Plug-In
Restart Directory Server.
Before you configure any of the parameters discussed in this section, the PTA plug-in entry must be present in the dse.ldif file. If this entry does not exist, you must create it with the appropriate syntax, as described in “PTA Plug-In Syntax,” on page 455.
Configuring the PTA Plug-In
When you enable the plug-in, you must also check that the plug-in initialization function is properly defined. The entry cn=Pass Through Authentication,cn=plugins,cn=config should contain the following attribute-value pairs:
nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.extension
nsslapd-pluginInitfunc: passthruauth_init
where extension is the platform-specific shared library suffix, which differs between HP-UX, the other UNIX platforms, and Windows NT.
Configuring the PTA Plug-In Restart the server. For information on restarting the server, refer to “Starting and Stopping the Directory Server,” on page 31. Specifying the Authenticating Directory Server The authenticating directory contains the bind credentials for the entry with which the client is attempting to bind.
Configuring the PTA Plug-In Specifying the Pass-Through Subtree The PTA directory passes through bind requests to the authenticating directory from all clients whose DN is defined in the pass-through subtree. You specify the subtree by replacing the subtree parameter in the LDAP URL of the PTA directory. The pass-through subtree must not exist in the PTA directory.
Configuring the PTA Plug-In
• The time limit you want the PTA directory server to wait for a response from the authenticating directory server. In the PTA syntax, this parameter is represented as timeout. The default value is 300 seconds (five minutes).
•...
PTA Plug-In Syntax Examples
This section contains the following examples of PTA plug-in syntax in the dse.ldif file:
• Specifying One Authenticating Directory Server and One Subtree
• Specifying Multiple Authenticating Directory Servers
• Specifying One Authenticating Directory Server and Multiple Subtrees
•...
PTA Plug-In Syntax Examples
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.so
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://config-dir.example.com/ou=NetscapeRoot 10,5,300,3,300
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 6.0
nsslapd-pluginVendor: Netscape Communications Corporation
nsslapd-pluginDescription: pass through authentication plugin
Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers
If you want to specify a different pass-through subtree and optional parameter...
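The notes under "PTA Plug-In Syntax" and the example above define a small format: an ldap:// or ldaps:// URL naming the authenticating directory and the pass-through subtree, optionally followed by one space and all five optional parameters. The following added example (not the plug-in's own code) validates nsslapd-pluginargN values against those rules, decides which authenticating directory a given bind DN would be passed to, and lists the targets reached over plain ldap://, where the forwarded bind password travels unencrypted. The hostnames and DNs in SAMPLE_ARGS are constructed; the first copies the form of the example above.

```python
"""Parse Pass-Through Authentication plug-in arguments and route binds.

Added example, not the plug-in's own code. It applies the rules from
"PTA Plug-In Syntax": each nsslapd-pluginargN value is an ldap:// or
ldaps:// URL naming the authenticating directory and the pass-through
subtree, optionally followed by a single space and all five optional
parameters (maxconns,maxops,timeout,ldver,connlifetime). route_bind() then
decides, for a bind DN, which authenticating directory (if any) the PTA
directory would consult. Hostnames and DNs in SAMPLE_ARGS are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, unquote


@dataclass
class PtaTarget:
    scheme: str          # "ldap" or "ldaps"
    host: str            # authenticating directory
    subtree: str         # normalised pass-through subtree DN
    params: Optional[Tuple[int, ...]]   # (maxconns, maxops, timeout, ldver, connlifetime) or None


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower case, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_pta_arg(value: str) -> PtaTarget:
    parts = value.split(" ")
    if len(parts) not in (1, 2) or not all(parts):
        raise ValueError("URL and optional parameters must be separated by exactly one space")
    url = urlsplit(parts[0])
    if url.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"scheme must be ldap or ldaps: {parts[0]}")
    subtree = unquote(url.path.lstrip("/"))
    if not url.hostname or not subtree:
        raise ValueError(f"URL must name a host and a subtree: {parts[0]}")
    params = None
    if len(parts) == 2:
        fields = parts[1].split(",")
        if len(fields) != 5 or not all(f.isdigit() for f in fields):
            raise ValueError("give all five optional parameters or none")
        params = tuple(int(f) for f in fields)
    return PtaTarget(url.scheme, url.hostname, normalize_dn(subtree), params)


def check_args(values: List[str]) -> List[str]:
    """Validate a list of nsslapd-pluginargN values; one message per bad value."""
    errors = []
    for v in values:
        try:
            parse_pta_arg(v)
        except ValueError as e:
            errors.append(f"{v!r}: {e}")
    return errors


def dn_in_subtree(dn: str, subtree: str) -> bool:
    dn, subtree = normalize_dn(dn), normalize_dn(subtree)
    return dn == subtree or dn.endswith("," + subtree)


def route_bind(bind_dn: str, targets: List[PtaTarget]) -> Optional[PtaTarget]:
    """Target whose subtree contains bind_dn (most specific subtree wins),
    or None when the bind is handled by the PTA directory itself."""
    matches = [t for t in targets if dn_in_subtree(bind_dn, t.subtree)]
    return max(matches, key=lambda t: len(t.subtree), default=None)


def cleartext_hosts(targets: List[PtaTarget]) -> List[str]:
    """Authenticating directories reached over plain ldap://: the user's
    password is forwarded to them unencrypted, so prefer ldaps:// there."""
    return [t.host for t in targets if t.scheme == "ldap"]


SAMPLE_ARGS = [  # constructed
    "ldap://config-dir.example.com/ou=NetscapeRoot 10,5,300,3,300",
    "ldaps://partners.example.com/ou=Partners,dc=example,dc=com",
]
SAMPLE_TARGETS = [parse_pta_arg(a) for a in SAMPLE_ARGS]
```

Run `check_args()` over the nsslapd-pluginargN values before restarting the server: a double space or a partial parameter list is exactly the kind of mistake the syntax notes warn about, and the server will not route binds as intended if the line does not parse.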
Chapter 17 Using the Attribute Uniqueness Plug-In
The attribute uniqueness plug-in can be used to ensure that the attributes you specify always have unique values in the directory. You must create a new instance of the plug-in for every attribute for which you want to ensure unique values. Netscape Directory Server (Directory Server) provides a uid uniqueness plug-in that can be used to manage the uniqueness of the uid attribute.
Overview of the Attribute Uniqueness Plug-In
If an update operation applies to an attribute and suffix monitored by the plug-in, and it would cause two entries to have the same attribute value, then the server terminates the operation and returns an LDAP_CONSTRAINT_VIOLATION error to the client.
Overview of the UID Uniqueness Plug-in Overview of the UID Uniqueness Plug-in Directory Server provides an instance of the attribute uniqueness plug-in, the Uid Uniqueness plug-in. By default, the plug-in ensures that values given to the uid attribute are unique in the suffix you configured when installing the directory (the suffix corresponding to the database).
Attribute Uniqueness Plug-In Syntax
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 6.0
nsslapd-pluginVendor: Netscape Communications Corporation
nsslapd-pluginDescription: Enforce unique attribute values
Notes:
• You can specify any name you like in the cn attribute to name the plug-in. The name should be descriptive. This attribute does not contain the name of the attribute which is checked for uniqueness.
Attribute Uniqueness Plug-In Syntax
• You can specify only one attribute on which the uniqueness check will be performed.
• If the nsslapd-pluginarg0 attribute begins with attribute=attribute_name, then the server expects that the nsslapd-pluginarg1 attribute will include a markerObjectClass keyword.
The variable components of the attribute uniqueness plug-in syntax are described in Table 17-1.
Creating an Instance of the Attribute Uniqueness Plug-In Creating an Instance of the Attribute Uniqueness Plug-In If you want to ensure that a particular attribute in your directory always has unique values, you must create an instance of the attribute uniqueness plug-in for the attribute you want to check.
Configuring Attribute Uniqueness Plug-Ins Configuring Attribute Uniqueness Plug-Ins This section explains how to use Directory Server Console to view the plug-ins configured for your directory, and how to modify the configuration of the attribute uniqueness plug-ins. Viewing Plug-In Configuration Information From the Directory Server Console, you can display the configuration entry for attribute uniqueness plug-ins as follows: On the Directory Server Console, click the Directory tab.
Page 474
Configuring Attribute Uniqueness Plug-Ins On the Directory Server Console, select the Configuration tab, then in the navigation tree, expand the Plugins folder, and select the attribute uniqueness plug-in that you want to modify. The configuration parameters for the plug-in are displayed in the right pane. To turn the plug-in on or off, check or clear the Enable Plugin checkbox.
Configuring Attribute Uniqueness Plug-Ins Turning the Plug-in On or Off To turn the plug-in on from the command line, you must create an LDIF file that contains the following LDIF update statements:
dn: cn=descriptive_plugin_name,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginenabled
nsslapd-pluginenabled: on
Use the ldapmodify command to import the LDIF file into the directory.
Configuring Attribute Uniqueness Plug-Ins Using the markerObjectClass and requiredObjectClass Keywords Instead of specifying a suffix or subtree in the configuration of an attribute uniqueness plug-in, you can specify that the check be performed under the entry in the DN of the updated entry that has the object class named in the markerObjectClass keyword.
Attribute Uniqueness Plug-In Syntax Examples Specifying One Attribute and Multiple Subtrees This example configures the plug-in to ensure the uniqueness of the attribute mail under the l=Chicago,dc=example,dc=com and l=Boston,dc=example,dc=com subtrees.
dn: cn=mail uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: mail uniqueness
nsslapd-pluginPath: /usr/netscape/servers/lib/uid-plugin.so
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation...
Replication and the Attribute Uniqueness Plug-In When you use the attribute uniqueness plug-ins on Directory Servers involved in a replication agreement, you must think carefully about how to configure the plug-in on each server. Consider the following cases: •...
Page 480
Replication and the Attribute Uniqueness Plug-In When these conditions are met, attribute uniqueness conflicts are reported as naming conflicts at replication time. Naming conflicts require manual resolution. For information on how to resolve replication conflicts, refer to “Solving Common Replication Conflicts,” on page 323.
Chapter 18 Configuring IM Presence Information Netscape Directory Server (Directory Server) 6.0 includes a preview release of a new feature called Instant Messenger (IM) Presence Information. This chapter provides an overview of this feature and information that will help you configure Directory Server to provide an IM user’s online-status information as a part of the user-profile information stored in the directory.
Schema For the Presence Plug-In Making the presence information available via a directory provides an easy, efficient, and unified way of looking at a user’s online status. In organizations where a directory is generally deployed to store user-profile information, presence information can be added to the directory schema, and the online status of users becomes available to everyone within the organization without having to worry about the details of how this information is queried or obtained.
Performance-Related Information The file lists the default object classes with the allowed attributes that must be added to a user’s entry in order for presence information to be available for that user:
objectclass: nsAIMpresence
attributeTypes: nsAIMid syntax DirectoryString
attributeTypes: nsAIMStatusGraphic syntax Binary NO-USER-MODIFICATION USAGE directoryOperation
attributeTypes: nsAIMStatusText syntax DirectoryString NO-USER-MODIFICATION USAGE directoryOperation...
Troubleshooting Setting Resource Limits Based on Bind DN You can control or set limits on search operations for directory data using special operational attribute values on the client application binding to the directory. Table 18-1 lists attributes that you can use to set search-operation limits. Table 18-1 Attributes for Setting Limits On Search Operations Parameter...
Appendix A LDAP Data Interchange Format Netscape Directory Server (Directory Server) uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text format. LDIF is commonly used to build the initial directory database or to add large numbers of entries to the directory all at once.
Page 488
LDIF File Format The basic form of a directory entry represented in LDIF is as follows:
dn: distinguished_name
objectClass: object_class
objectClass: object_class
attribute_type[;subtype]:attribute_value
attribute_type[;subtype]:attribute_value
You must supply the DN and at least one object class definition. In addition, you must include any attributes required by the object classes that you define for the entry.
LDIF File Format Table A-1 LDIF Fields (Continued). Field [subtype]. Definition: Optional. Specifies a subtype, either language, binary, or pronunciation. Use this tag to identify the language in which the corresponding attribute value is expressed, or whether the attribute value is binary or a pronunciation of an attribute value.
Page 490
LDIF File Format If you use this standard notation, you do not need to specify the ldapmodify -b parameter. However, you must add the following line to the beginning of your LDIF file, or your LDIF update statements: version:1 For example, you could use the following ldapmodify command:
prompt% ldapmodify -D userDN -w user_passwd...
Specifying Directory Entries Using LDIF You can store many types of entries in your directory. This section concentrates on three of the most common types of entries used in a directory: organization, organizational unit, and organizational person entries. The object classes defined for an entry are what indicate whether the entry represents an organization, an organizational unit, an organizational person, or some other type of entry.
Specifying Directory Entries Using LDIF
dn: o="example.com Chile\\, S.A."
objectclass: top
objectclass: organization
o: "example.com Chile\\, S.A."
description: Fictional company for example purposes
telephonenumber: 555-5556
Each element of the LDIF-formatted organization entry is defined in Table A-2. Table A-2 LDIF Elements in Organization Entries. LDIF element dn: distinguished_name...
Specifying Directory Entries Using LDIF Specifying Organizational Unit Entries Organizational unit entries are often used to represent major branch points, or subdirectories, in your directory tree. They correspond to major, reasonably static entities within your enterprise, such as a subtree that contains people, or a subtree that contains groups.
Specifying Directory Entries Using LDIF Table A-3 LDIF Elements in Organizational Unit Entries (Continued). LDIF element ou: organizational_unit_name. Description: Attribute that specifies the organizational unit’s name. LDIF element list_of_attributes. Description: Specifies the list of optional attributes that you want to maintain for the entry. See the Netscape Directory Server Schema Reference for a list of the attributes you can use with this object class.
Defining Directories Using LDIF Table A-4 LDIF Elements in Person Entries. LDIF element dn: distinguished_name. Description: Specifies the distinguished name for the entry. A DN is required. If there is a comma in the DN, the comma must be escaped with a backslash (\). For example, dn:uid=bjensen,ou=people,o=example.com Bolivia\,S.A.
Page 496
Defining Directories Using LDIF To create a directory using LDIF, follow these steps: Create an ASCII file containing the entries you want to add in LDIF format. Make sure each entry is separated from the next by an empty line. Use just one blank line between entries, and the first line of the file must not be blank or else the utility will exit.
Defining Directories Using LDIF LDIF File Example The following example shows an LDIF file that contains one organization, two organizational units, and three organizational person entries:
dn: o=example.com Corp,dc=example,dc=com
objectclass: top
objectclass: organization
o: example.com Corp
description: Fictional organization for example purposes

dn: ou=People,o=example.com Corp,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit...
Storing Information in Multiple Languages
dn: cn=Robert Wong,ou=People,o=example.com Corp,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Robert Wong
cn: Bob Wong
sn: Wong
givenName: Robert
givenName: Bob
mail: bwong@example.com
userPassword: {sha}nn2msx761
telephoneNumber: 2881
roomNumber: 211
ou: Manufacturing
ou: people

dn: ou=Groups,o=example.com Corp,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit...
Page 499
Storing Information in Multiple Languages For example, suppose example.com Corporation has offices in the United States and France and wants employees to be able to view directory information in their native language. When adding directory entries, the directory administrator chooses to provide attribute values in both English and French. When adding a directory entry for a new employee, Babs Jensen, the administrator creates the following LDIF entry:
dn: uid=bjensen,ou=people,dc=example,dc=com...
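The entry form described in this appendix (a dn line, objectClass lines, then attribute_type[;subtype]: value lines, with a comma inside a DN value escaped by a backslash) is simple enough to read with a few lines of code. The following Python is an added example, not code from the Netscape guide: it skips the version line and comments, joins continuation lines, decodes base64 values written with a double colon, keeps language subtypes such as cn;lang-fr as part of the attribute description, splits a DN into its RDNs without breaking on an escaped comma, and checks the two requirements stated above (a dn and at least one objectClass). The LDIF text and all function names are this example's own.

```python
"""Minimal LDIF entry reader and DN splitter.

Added example; not code from the Netscape guide.  It reads the entry form
of Appendix A (dn line, objectClass lines, attribute_type[;subtype]: value),
skips the optional version line and comments, joins continuation lines,
decodes base64 values written with "::", and splits a DN into RDNs while
honouring a backslash-escaped comma.  SAMPLE_LDIF is constructed data.
"""
import base64
from typing import Dict, List, Tuple, Union

Value = Union[str, bytes]
Record = Dict[str, List[Value]]

SAMPLE_LDIF = """version: 1
# constructed sample entry (not from the guide)
dn: uid=bjensen,ou=people,o=example.com Bolivia\\,S.A.
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: bjensen
cn: Babs Jensen
cn;lang-fr: Babs Jensen
sn: Jensen
description: A long description that
  continues on the next line
jpegPhoto:: AAECAw==
"""


def unfold(text: str) -> List[str]:
    """Join continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Record]:
    """Parse LDIF entries; records are separated by one or more blank lines."""
    records: List[Record] = []
    current: Record = {}
    for line in unfold(text) + [""]:          # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if name == "version" and not current:
            continue                            # "version: 1" file header
        if rest.startswith(":"):                # "attr:: base64value"
            value: Value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.lstrip(" ")
        current.setdefault(name, []).append(value)
    return records


def split_attr(description: str) -> Tuple[str, List[str]]:
    """'cn;lang-fr' -> ('cn', ['lang-fr']); subtypes follow the attribute type."""
    parts = description.split(";")
    return parts[0], parts[1:]


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs; a backslash-escaped comma is literal."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip(), value))
    return pairs


def validate_entry(record: Record) -> List[str]:
    """Appendix A: an entry needs a dn and at least one objectClass."""
    problems = []
    if "dn" not in record:
        problems.append("missing dn")
    if not any(k.lower() == "objectclass" for k in record):
        problems.append("missing objectClass")
    return problems
```

Running parse_ldif on SAMPLE_LDIF yields one record whose dn still carries the escaped comma; split_dn on that dn returns three RDNs, the last with the literal value "example.com Bolivia,S.A.". A naive split on commas would have produced four.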
Page 500
Appendix B Finding Directory Entries You can find entries in your directory using any LDAP client. Most clients provide some form of a search interface that allows you to easily search the directory and retrieve entry information. NOTE You cannot search the directory unless the appropriate access control has been set in your directory.
Using ldapsearch On Directory Server Console, select the Directory tab. Depending on the DN you used to authenticate to the directory, this tab displays the contents of the directory that you have access permissions to view. You can browse through the contents of the tree or right-click an entry and select Search from the pop-up menu.
Using ldapsearch ldapsearch Command-Line Format When you use ldapsearch, you must enter the command using the following format: ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes] where • optional_options represents a series of command-line options. These must be specified before the search filter, if any. •...
Page 504
Using ldapsearch -b base_dn Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks.
Using ldapsearch Specifies the scope of the search. The scope can be one of the following: • base—Search only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable. • one—Search only the immediate children of the entry specified in the -b option.
Using ldapsearch • You have configured your directory to support anonymous access for search and read. You do not have to specify any bind information in order to perform the search. For more information on anonymous access, see “Defining User Access - userdn Keyword,”...
Using ldapsearch Using LDAP_BASEDN To make searching easier, you can set your search base using the LDAP_BASEDN environment variable. Doing this allows you to skip specifying the search base with the -b option (for information on how to set environment variables, see the documentation for your operating system).
LDAP Search Filters ldapsearch then first finds all the entries with the surname Francis, and then all the entries with the givenname Richard. If an entry is found that matches both search criteria, then the entry is returned twice. For example, suppose you specified the previous search filters in a file, and you set your search base using LDAP_BASEDN.
LDAP Search Filters For example, the following filter specifies a search for the common name Babs Jensen: cn=babs jensen This search filter returns all entries that contain the common name Babs Jensen. Searches for common name values are not case sensitive. When the common name attribute has values associated with a language tag, all of the values are returned.
LDAP Search Filters Examples of attributes that people entries might include: • cn (the person’s common name) • sn (the person’s surname, or last name, or family name) • telephoneNumber (the person’s telephone number) • buildingName (the name of the building in which the person resides) •...
LDAP Search Filters Table B-1 Search Filter Operators (Continued). Search type Presence, operator =*: Returns entries containing one or more values for the specified attribute. For example, cn=* telephonenumber=* manager=* Search type Approximate, operator ~=: Returns entries containing the specified attribute with a value that is approximately equal to the value specified in the search filter.
LDAP Search Filters Table B-2 Search Filter Boolean Operators. AND, symbol &: All specified filters must be true for the statement to be true. For example, (&(filter)(filter)(filter)...) OR, symbol |: At least one specified filter must be true for the statement to be true. For example, (|(filter)(filter)(filter)...) NOT, symbol !: The specified statement must not be true for the statement to be true.
Searching an Internationalized Directory The following filter returns all entries whose organizational unit is Marketing and that have Julie Fulmer or Cindy Zwaska as a manager: (&(ou=Marketing)(|(manager=cn=Julie Fulmer,ou=Marketing,dc=example,dc=com)(manager=cn=Cindy Zwaska,ou=Marketing,dc=example,dc=com))) The following filter returns all entries that do not represent a person: (!(objectClass=person)) The following filter returns all entries that do not represent a person and whose common name is similar to...
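The compound filters above are easy to get wrong when assembled by string concatenation, particularly when a value comes from outside the program. The following Python is an added example, not code from the Netscape guide: it builds the Boolean combinations of Table B-2 and escapes assertion values as RFC 4515 requires, so a value containing *, (, ) or a backslash is matched literally rather than changing the structure of the filter. The function names (escape_value, equals, and_, managed_by and so on) are the example's own; the DNs are the ones used above.

```python
"""Build LDAP search filters (RFC 4515) with escaped assertion values.

Added example; not code from the Netscape guide.  The helper names
(escape_value, equals, and_, ...) are this example's own.
"""
from typing import Sequence

# RFC 4515: these characters inside an assertion value must be written as a
# backslash followed by the two hex digits of the character code.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape a literal value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    """Equality component, e.g. (cn=Babs Jensen)."""
    return f"({attr}={escape_value(value)})"


def approx(attr: str, value: str) -> str:
    """Approximate (phonetic) component, e.g. (cn~=Babs)."""
    return f"({attr}~={escape_value(value)})"


def present(attr: str) -> str:
    """Presence component, e.g. (telephoneNumber=*); this '*' is deliberate."""
    return f"({attr}=*)"


def substring(attr: str, initial: str = "", final: str = "") -> str:
    """Substring component such as (cn=Ba*en); the wildcard is added here, not by the caller."""
    return f"({attr}={escape_value(initial)}*{escape_value(final)})"


def and_(*filters: str) -> str:
    """Table B-2 AND: every component must match."""
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    """Table B-2 OR: at least one component must match."""
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    """Table B-2 NOT: the component must not match."""
    return f"(!{filt})"


def managed_by(ou: str, managers: Sequence[str]) -> str:
    """The Appendix B example: entries in an ou that have one of several managers."""
    return and_(equals("ou", ou), or_(*(equals("manager", m) for m in managers)))


def non_person() -> str:
    """The Appendix B example: every entry that is not a person."""
    return not_(equals("objectClass", "person"))


if __name__ == "__main__":
    print(managed_by("Marketing", ["cn=Julie Fulmer,ou=Marketing,dc=example,dc=com",
                                   "cn=Cindy Zwaska,ou=Marketing,dc=example,dc=com"]))
    # A value that contains filter metacharacters is matched literally:
    print(equals("cn", "*"))      # (cn=\2a)
```

Commas and equals signs inside the manager DNs need no escaping, which is why the generated filter is byte-for-byte the one shown above; only the five characters in the escape table have meaning inside an assertion value.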
Searching an Internationalized Directory Matching Rule Filter Syntax A matching rule provides special guidelines for how the directory compares strings during a search operation. In an international search, the matching rule tells the system what collation order and operator to use when performing the search operation.
Page 515
Searching an Internationalized Directory • Using a Language Tag and Suffix for the Matching Rule. Using an OID for the Matching Rule: Each locale supported by the directory server has an associated collation order OID. For a list of locales supported by the directory server and their associated OIDs, see Table D-1 on page 529.
Searching an Internationalized Directory For a list of relational operators and their equivalent suffixes, see Table B-3 on page 517. Using a Language Tag and Suffix for the Matching Rule As an alternative to using a relational operator-value pair, you can append a suffix that represents a specific operator to the language tag in the matching rule portion...
Searching an Internationalized Directory • greater than or equal to (>=) • less than (<) • less than or equal to (<=) Approximate, or phonetic, and presence searches are supported only in English. As with a regular search operation, an international search uses ldapsearch operators to define the type of search.
Searching an Internationalized Directory
sn:2.16.840.1.113730.3.3.2.15.1:=< Marquez
sn:es:=< Marquez
sn:2.16.840.1.113730.3.3.2.15.1.1:=Marquez
sn:es.1:=Marquez
Less Than or Equal to Example When you perform a locale-specific search using the less than or equal to operator (<=) or suffix (.2), you search for all attribute values that come at or before the given attribute in a specific collation order.
Searching an Internationalized Directory Greater Than Example When you perform a locale-specific search using the greater than operator (>) or suffix (.5), you search for all attribute values that come after the given attribute in a specific collation order. For example, to search for all mail hosts that come after host schranka4 in the...
Page 520
Appendix C LDAP URLs When you access the Netscape Directory Server (Directory Server) using a web-based client such as Directory Server Gateway, you must provide an LDAP URL identifying the Directory Server you wish to access. You also use LDAP URLs when managing Directory Server referrals or access control instructions.
Page 522
Components of an LDAP URL Table C-1 LDAP URL Components (Continued). Component port: Port number of the LDAP server (for example, 696). If no port is specified, the standard LDAP port (389) or LDAPS port (636) is used. Component base_dn: Distinguished name (DN) of an entry in the directory.
Escaping Unsafe Characters The two consecutive question marks indicate that no attributes have been specified. Since no specific attributes are identified in the URL, all attributes are returned in the search. Escaping Unsafe Characters Any “unsafe” characters in the URL need to be represented by a special sequence of characters.
Examples of LDAP URLs • The following LDAP URL specifies a base search for the entry with the distinguished name dc=example,dc=com:
ldap://ldap.example.com/dc=example,dc=com
Because no port number is specified, the standard LDAP port number (389) is used. Because no attributes are specified, the search returns all attributes.
Page 525
Examples of LDAP URLs • The following LDAP URL specifies a search for the object class for all entries one level under dc=example,dc=com:
ldap://ldap.example.com/dc=example,dc=com?objectClass?one
Because the search scope is one, the search encompasses all entries one level under the base entry dc=example,dc=com.
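The defaults this appendix describes (port 389 or 636 by scheme, base scope, all attributes when the attribute list is empty, two consecutive question marks for an empty attribute list) and the %XX escaping of unsafe characters can be checked with a small parser. The following Python is an added example, not code from the Netscape guide: parse_ldap_url splits a URL into its components and applies those defaults, and build_search_url assembles one while escaping spaces and other unsafe characters in each component. Function names, hosts and DNs are the example's own, built on the URLs shown above.

```python
"""Parse and build LDAP URLs of the form ldap://host:port/base_dn?attrs?scope?filter.

Added example; not code from the Netscape guide.  It applies the defaults
from Appendix C (port 389 for ldap:// and 636 for ldaps://, scope base,
all attributes when none are listed) and the %XX escaping of unsafe
characters.  Host names and DNs are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence
from urllib.parse import quote, unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attributes: List[str]      # empty list: all attributes are returned
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into its components, filling in the documented defaults."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL scheme: {parts.scheme!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    base_dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""
    # After the first '?' the components are attributes?scope?filter?extensions;
    # "??one" therefore means: no attribute list, scope one.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attributes = [unquote(a) for a in fields[0].split(",") if a]
    scope = unquote(fields[1]).lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    filt = unquote(fields[2]) or "(objectClass=*)"
    return LdapUrl(scheme, parts.hostname or "", port, base_dn, attributes, scope, filt)


def build_search_url(host: str, base_dn: str, attributes: Sequence[str] = (),
                     scope: str = "base", filt: str = "",
                     port: Optional[int] = None, scheme: str = "ldap") -> str:
    """Assemble an LDAP URL, percent-escaping unsafe characters in each component."""
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    # quote() leaves letters, digits, "_.-~" and the listed safe characters
    # alone; spaces, quotes, '?' and the other unsafe characters become %XX.
    components = [
        ",".join(quote(a, safe="") for a in attributes),
        scope,
        quote(filt, safe="()=&!*"),
    ]
    # Trailing components that only restate a default are omitted.
    if not components[2]:
        components.pop()
        if components[1] == "base":
            components.pop()
            if not components[0]:
                components.pop()
    return f"{scheme}://{netloc}/{quote(base_dn, safe='=,')}" + "".join(
        "?" + c for c in components)
```

A URL built from a DN containing a space round-trips: the space is written as %20 and decoded again on parsing, while the commas and equals signs of the DN are left alone because they are meaningful in that position.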
Page 526
Appendix D Internationalization Netscape Directory Server (Directory Server) allows you to store, manage, and search for entries and their associated attributes in a number of different languages. An internationalized directory can be an invaluable corporate resource, providing employees and business partners with immediate access to the information they need in the languages they can understand.
Identifying Supported Locales More specifically, a locale specifies: • Collation order—The collation order provides language and cultural-specific information about how the characters of a given language are to be sorted. It identifies things like the sequence of the letters in the alphabet, how to compare letters with accents with letters without accents, and if there are any characters that can be ignored when comparing strings.
Page 529
Identifying Supported Locales A language tag is a string that begins with the two-character lowercase language code that identifies the language (as defined in ISO standard 639). If necessary to distinguish regional differences in language, the language tag may also contain a country code, which is a two-character string (as defined in ISO standard 3166).
Supported Language Subtypes Table D-2 Supported Language Subtypes. Languages: Afrikaans, Byelorussian, Bulgarian, Catalan, Czechoslovakian, Danish, German, Greek, English, Spanish, Basque, Finnish, Faroese, French, Irish, Galician, Croatian, Hungarian, Indonesian, Icelandic, Italian, Japanese, Korean, Dutch, Norwegian, Polish, Portuguese, Romanian.
Page 532
Supported Language Subtypes Table D-2 Supported Language Subtypes (Continued). Languages: Russian, Slovakian, Slovenian, Albanian, Serbian, Swedish, Turkish, Ukrainian, Chinese.
Glossary access control instruction See ACI. ACI Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list See ACL. ACL Access control list. The mechanism for controlling access to your directory. access rights In the context of access control, specify the level of access granted or denied.
Page 534
attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list A list of required and optional attributes for a given entry type or object class.
Page 535
browser Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. browsing index Otherwise known as the virtual view index, speeds up the display of entries in the Directory Server Console.
Page 536
CIR See consumer-initiated replication. class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory. class of service See CoS. classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry’s attributes.
Page 537
DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory. data master The server that is the master source of a particular piece of data. database link An implementation of chaining. The database link behaves like a database but has no persistent storage.
Page 538
DNS alias A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as www.[yourdomain].[domain] might point to the real machine where the server currently exists.
Page 539
HTML Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Netscape Navigator how to display text, position graphics and form items, and display links to other pages. HTTP Hypertext Transfer Protocol.
Page 540
LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format. LDAP client Software used to request and view LDAP entries from an LDAP Directory Server. See also browser. LDAP Data Interchange Format See LDIF. LDAP URL Provides the means of locating directory servers using DNS and then completing the query via LDAP.
Page 541
matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. MD5 A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability, and from which it is mathematically extremely hard to produce a different piece of data that yields the same message digest.
Page 542
network management station See NMS. NIS Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, file systems, and network parameters throughout a network of computers. NMS Network Management Station.
Page 543
permission In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied. See access rights. PDU Protocol Data Unit. Encoded messages which form the basis of data exchanges between SNMP devices.
Page 544
RDN Relative distinguished name. The name of the actual entry itself, before the entry’s ancestors have been appended to the string to form the full distinguished name. referential integrity Mechanism that ensures that relationships between related entries are maintained within the directory. referral (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request.
Page 545
root The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine. root suffix The parent of one or more sub suffixes. A directory tree can contain more than one root suffix. schema Definitions describing what types of information can be stored as entries in the directory.
Page 546
single-master replication The most basic replication scenario, in which a single supplier server holds the read-write replica and copies it to consumer servers. In a single-master replication scenario, the supplier server maintains a change log. SIR See supplier-initiated replication. slapd LDAP Directory Server daemon or service that is responsible for most functions of a directory except replication.
Page 547
supplier server In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication Replication configuration where supplier servers replicate directory data to consumer servers. symmetric encryption Encryption that uses the same key for both encrypting and decrypting.
Page 548
virtual list view index Otherwise known as a browsing index, speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance. X.500 standard The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementations.
Index targeting attributes 196 targeting entries 194 access control targeting using filters 197 ACI attribute 188 using the Access Control Editor 222 ACI syntax 192 value matching 211 allowing or denying access 200 Access Control Editor and replication 254 displaying 223 and schema checking 196 viewing current ACIs 224 anonymous access 206, 219, 228...
Page 550
cascading chaining 121 adding directory entries 54 creating from console 224 Administration Server dayofweek keyword 218 master agents and 412 deleting from console 227 agents dns keyword 217 master agent 412 editing from console 226 Unix 412 evaluation 189 Windows NT 412 examples of use 227 subagent 412 groupdn keyword 209...
Page 551
passwordInHistory 262 passwordMustChange 260 backing up data 148 passwordStorageScheme 262 all 148 ref 133 db2bak 149 removing a value 48 dse.ldif 151 roles 167 bak2db script 152 searching for 509 standard 329, 330 bak2db.pl perl script 153 syntax 332 base 64 encoding 489 targeting 196 base DN, ldapsearch and 507 user-defined 330...
Page 552
self keyword 207 overview 90 timeofday keyword 218 using SSL 107 user access change log 275 LDIF example 208 deleting 306 parent 207 using with referential integrity 70 self 207 change operations 59 user access example 230 add 62 userattr keyword 211 delete 63 userdn keyword 206 replace 63...
Page 553
overview 174 online consumer creation 308 client consumer server 274 using to find entries 501 continued lines client authentication in LDIF 489 over SSL 384 in LDIF update statements 59 code page 527 CoS definition entry attributes 179 collation order object classes 178 international indexing 349 overview 528...
Page 554
export from console 145 date format 528 import 137 dayofweek keyword 218 ldif2db 141 db2bak script 149 ldif2db.pl 142 db2bak utility 149 ldif2ldap 143 db2ldif utility 147 initialization 140 default referrals making read-only 89 setting 130 monitoring from command-line 406 setting from console 130 monitoring from server console 403 settings from command line 131...
Page 555
binding to 30 dynamic groups 159 changing bind DN 30 creating 159 configuration 33 modifying 159 controlling access 187 creating a root entry 42, 52 creating content 137 creating entries 43, 54 data 137 databases 73 end of file marker 51 deleting entries 50, 56 entries importing data 137...
Page 556
configuring 393 greater than or equal to search manually rotating 396 international example 518, 519 turning off 393 overview 510 turning on 393 groupdn keyword 209 viewing 393 LDIF examples 210 example groupdnattr keyword 211 cascading chaining 123 groups exporting data 144 access control 206 db2ldif 147 access control example 235...
Page 557
creating dynamically 349 dynamic changes to 349 jpeg images 489 presence 342 indexing 340 creating indexes from console 348 system indexes 342 indirect CoS example 173 language code overview 173 in LDIF entries 498 initializing databases 140 list of supported 529 initializing replicas language subtype 48 cascading replication 305...
Page 558
attributes with language tags 67 organizations 491 creating a root entry 52 internationalization and 498 creating entries 54 LDIF files DNs with commas and 57 continued lines 489 example 54, 55 creating directory using 495 example of use 54, 55 creating multiple entries 53 modifying entries 53, 55 example 497...
Page 560
role in searching algorithm 344 parent access 207 parent keyword 207 parent object 335 pass-through authentication (PTA). See PTA plug-in object class password file adding to an entry 46 SSL certificate 36 creating 335 password policy deleting 337 account lockout 263 editing 336 attributes 260 name 335...
Page 561
ACL preoperation plug-in 435 presence search binary syntax plug-in 435 example 512 Boolean syntax plug-in 436 syntax 511 case exact string syntax plug-in 436 pronunciation subtype 49 case ignore string syntax plug-in 437 Property Editor chaining database plug-in 437 displaying 46 Class of Service plug-in 438 protocol data units.
Page 562
using replication change log 70 single-master 290 with replication 69, 70 solving conflicts 323 supplier server 274 referral object class 133 supplier-initiated 275 referrals unit of 275 creating smart referrals 131 replication agreement 277 creating suffix 134 creating 289 on update 82 setting default 130 replication manager 276 suffix 81...
Page 563
attributes 167 contained in file 507 editing 164 examples 509, 512 filtered matching rule 514 creating 163 operators in 510 example 168 specifying attributes 509 inactivating 266 syntax 509 inactivation 165 using compound 511 managed using multiple 511 creating 162 search right 201 example 167 search types, list of 510, 516...
Page 564
Simple Network Management Protocol. See SNMP configuring clients to use 384 enabling 379 Simple Sockets Layer. See SSL port number 33 single-master replication setting preferences 381 introduction 278 starting the server with 36 setting up 290 SSL authentication 379 smart referrals standard creating 131 attributes 329, 330...
Page 565
with multiple databases 87 template entry. See CoS template entry. suffix referrals thread creating 134 concurrency on Solaris 399 creating from command line 134 monitoring 399, 401 creating from console 134 time format 528 supplier server 274 timeofday keyword 218 symbols traps 413 -, in change operation 59...
Page 566
inactivating 266 UTF-8 527 value-based ACI 198 viewing attributes 330 wildcard in LDAP URL 207 in target 195 wildcards in international searches 516 in matching rule filters 516 Windows NT master agent 412 write right 201