Netscape DIRECTORY SERVER 6.02 - ADMINISTRATOR Administrator's Manual

Administrator's Guide
Netscape Directory Server
Version 6.02
May 2002

Summary of Contents for Netscape Directory Server 6.02 Administrator's Guide

  • Page 1 Administrator’s Guide Netscape Directory Server Version 6.02 May 2002...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents: List of Figures ... 15; List of Tables ...
  • Page 4 LDIF Update Statements ... 58; A Note on Renaming Entries ...
  • Page 5 Backing Up and Restoring Data ... 150; Backing Up All Databases ...
  • Page 6 Creating ACIs Manually ... 194; The ACI Syntax ...
  • Page 7 Chapter 7 User Account Management ... 259; Managing the Password Policy ...
  • Page 8 Initializing the Replicas for Single-Master Replication ... 296; Configuring Multi-Master Replication ...
  • Page 9 Managing Attributes ... 332; Managing Object Classes ...
  • Page 10 Chapter 11 Managing SSL ... 375; Introduction to SSL in the Directory Server ...
  • Page 11 Chapter 13 Monitoring Directory Server Using SNMP ... 413; About SNMP ... 414; SNMP Overview ...
  • Page 12 Country String Syntax Plug-In ... 440; Distinguished Name Syntax Plug-In ...
  • Page 13 Configuring Attribute Uniqueness Plug-Ins From the Directory Server Console ... 475; Attribute Uniqueness Plug-In Syntax Examples ... 479; Replication and the Attribute Uniqueness Plug-In ...
  • Page 14 Search Filter Syntax ... 511; Using Attributes in Search Filters ...
  • Page 15: List Of Figures

    List of Figures: Figure 1-1 Viewing the Bind DN ... 31; Figure 3-1 A Sample Directory Tree with One Root Suffix ...
  • Page 16 Netscape Directory Server Administrator’s Guide • May 2002...
  • Page 17: List Of Tables

    List of Tables: Table 2-1 Entry Templates and Corresponding Object Classes ... 43; Table 2-2 Description of ldapmodify Parameters Used for Adding Entries ...
  • Page 18 Table 10-2 System indexes ... 344; Table 10-3 Attribute Name Quick Reference Table ...
  • Page 19 Table 15-26 Details of Referential Integrity Postoperation Plug-In ... 449; Table 15-27 Details of Retro Change Log Plug-In ... 450; Table 15-28 Details of Roles Plug-In ...
  • Page 21: Introduction

    Introduction Netscape Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 22: Prerequisite Reading

    Prerequisite Reading • Multiple databases—Provides a simple way of breaking down your directory data to simplify the implementation of replication and chaining in your directory service. • Password Policy and Account Lockout—Allows you to define a set of rules that govern how passwords and user accounts are managed in the Directory Server.
  • Page 23: Conventions Used In This Book

    Conventions Used in This Book This section explains the conventions used in this book. Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It is also used for filenames, functions, and examples.
  • Page 24 Related Information • Netscape Directory Server Configuration, Command, and File Reference. Provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server. • Netscape Directory Server Schema Reference. Provides reference information about the Netscape Directory Server schema. •...
  • Page 25: Part 1 Administering Netscape Directory Server

    Part 1 Administering Netscape Directory Server Chapter 1, “Introduction to Netscape Directory Server” Chapter 2, “Creating Directory Entries” Chapter 3, “Configuring Directory Databases” Chapter 4, “Populating Directory Databases” Chapter 5, “Advanced Entry Management” Chapter 6, “Managing Access Control” Chapter 7, “User Account Management” Chapter 8, “Managing Replication”...
  • Page 26 Chapter 11, “Managing SSL” Chapter 12, “Monitoring Server and Database Activity” Chapter 13, “Monitoring Directory Server Using SNMP” Chapter 14, “Tuning Directory Server Performance”
  • Page 27: Chapter 1 Introduction To Netscape Directory Server

    Chapter 1 Introduction to Netscape Directory Server The Netscape Directory Server (Directory Server) product includes a Directory Server, an Administration Server to manage multiple server instances, and Netscape Console to manage server instances through a graphical interface. This chapter provides overview information about the Directory Server and the most basic tasks you need to start administering a directory service.
  • Page 28: Overview Of Directory Server Management

    Overview of Directory Server Management The Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources. It is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server runs as the process or service on your machine.
  • Page 29: Copying Entry Dns To The Clipboard

    Using the Directory Server Console Start Netscape Console by entering the following command: # /usr/netscape/servers/startconsole The Console login window is displayed. Or, if your configuration directory (the directory that contains the o=NetscapeRoot suffix) is stored in a separate instance of Directory Server, a window is displayed requesting the administrator user id, password, and the URL of the Netscape Administration Server for that Directory Server.
  • Page 30: Configuring The Directory Manager

    Configuring the Directory Manager The Directory Manager is the privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the entry you define as Directory Manager. You initially defined this entry during installation. The default is cn=Directory Manager. The password for this user is defined in the attribute.
  • Page 31: Starting And Stopping The Directory Server

    Starting and Stopping the Directory Server Changing Login Identity You can log in with the Directory Manager DN when you first start the Netscape Console. At any time, you can choose to log in as a different user, without having to stop and restart the Console.
  • Page 32 Starting and Stopping the Directory Server NOTE On UNIX systems, rebooting the system does not automatically start the slapd process. This is because the directory does not automatically create startup or run command scripts. Check your operating system documentation for details on adding these scripts.
  • Page 33: Configuring Ldap Parameters

    Configuring LDAP Parameters Starting/Stopping the Server From the Command Line Use one of the following scripts: /usr/netscape/servers/slapd-serverID/start-slapd /usr/netscape/servers/slapd-serverID/stop-slapd where serverID is the identifier you specified for the server when you installed it. On UNIX, both of these scripts must run with the same UID and GID as the Directory Server.
  • Page 34 Configuring LDAP Parameters • You need to change the configuration or user directory port or secure port number configured for Netscape Administration Server. See Managing Servers with Netscape Console for information. • If you have other Netscape servers installed that point to the configuration or user directory, you need to update those servers to point to the new port number.
  • Page 35: Tracking Modifications To Directory Entries

    Configuring LDAP Parameters Click Save and then restart the server. NOTE This operation also makes the Directory Server configuration read-only; therefore, you cannot update the server configuration, enable or disable plug-ins, or even restart the Directory Server while it is in read-only mode. For information on placing a single database in read-only mode, refer to “Enabling Read-Only Mode,”...
  • Page 36: Starting The Server With Ssl Enabled

    Starting the Server with SSL Enabled Select the Track Entry Modification Times checkbox. The server adds the creatorsName, createTimestamp, modifiersName, and modifyTimestamp attributes to every newly created or modified entry. Click Save and then restart the server. See “Starting and Stopping the Directory Server,” on page 31 for more information.
  • Page 37: Cloning A Directory Server

    Cloning a Directory Server To create certificate databases, you must use the administration server and the Certificate Setup Wizard. For information on certificate databases, certificate aliases, SSL, and obtaining a server certificate, see Managing Servers with Netscape Console. For information on using SSL with your Directory Server, see Chapter 11, “Managing SSL.”...
  • Page 38: Starting The Server In Referral Mode

    Starting the Server in Referral Mode Enter the password for this user in the Password for Root DN field, and confirm it by entering it again in the Confirm Password field. If running the server on a UNIX host, enter the user ID for the Directory Server daemon, in the Server Runtime User ID field.
  • Page 39: Using The Refer Command

    Starting the Server in Referral Mode Using the refer Command On a UNIX machine, to start the Directory Server in referral mode follow these steps: Go to the /bin/slapd/server directory under your installation directory: prompt% cd /usr/netscape/servers/slapd-serverID/bin/slapd/server Run the refer command as follows: # ./ns-slapd refer -D instance_dir [-p port] -r ldapurl where instance_dir is the directory instance for which queries will be referred...
  • Page 41: Chapter 2 Creating Directory Entries

    Chapter 2 Creating Directory Entries This chapter discusses how to use the Directory Server Console and the ldapmodify and ldapdelete command-line utilities to modify the contents of your directory. During the planning phase of your directory deployment, you should characterize the types of data that your directory will contain. You should read Netscape Directory Server Deployment Guide before creating entries and modifying the default schema.
  • Page 42: Creating A Root Entry

    Managing Entries From the Directory Console • Deleting Directory Entries This section assumes some basic knowledge of object classes and attributes. For an introduction to object classes and attributes, refer to Netscape Directory Server Deployment Guide. For information on the definition and use of all schema provided with Netscape server products, refer to the Netscape Directory Server Schema Reference.
  • Page 43: Table 2-1 Entry Templates And Corresponding Object Classes

    Managing Entries From the Directory Console In the New Object window, select the object class corresponding to the new entry. The object class you select must contain the attribute you used to name the suffix. For example, if you are creating the entry corresponding to the suffix ou=people,dc=example,dc=com, then you can choose the object class (or another object class that allows the...
  • Page 44: Creating An Entry Using A Predefined Template

    Managing Entries From the Directory Console These templates contain fields representing all the mandatory attributes, and some of the commonly used optional attributes. To create an entry using one of these templates, refer to “Creating an Entry Using a Predefined Template,” on page 44. To create any other type of entry, refer to “Creating Other Types of Entries,”...
  • Page 45: Modifying Directory Entries

    Managing Entries From the Directory Console Click OK. If you selected an object class related to a type of entry for which a predefined template is available, the corresponding Create window is displayed. (See “Creating an Entry Using a Predefined Template,” on page 44). In all other cases, the Property Editor is displayed.
  • Page 46: Displaying The Property Editor

    Managing Entries From the Directory Console Displaying the Property Editor You can start the Property Editor in several ways: • From the Directory tab, by right-clicking an entry in the left or right pane, and selecting Properties from the pop-up menu. •...
  • Page 47: Adding An Attribute To An Entry

    Managing Entries From the Directory Console Click OK in the Property Editor when you have finished editing the entry. The Property Editor is dismissed. Adding an Attribute to an Entry Before you can add an attribute to an entry, the entry must contain an object class that either requires or allows the attribute.
  • Page 48: Removing An Attribute Value

    Managing Entries From the Directory Console Type in the name of the new attribute value. Click OK in the Property Editor when you have finished editing the entry. The Property Editor is dismissed. Removing an Attribute Value To remove an attribute value from an entry: On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Properties from the pop-up menu.
  • Page 49 Managing Entries From the Directory Console You can assign only one language subtype per attribute instance in an entry. To assign multiple language subtypes, add another attribute instance to the entry and then assign the new language subtype. For example, the following is illegal: cn;lang-ja;lang-en-GB:Smith Instead, use: cn;lang-ja: ja_value...
  • Page 50: Deleting Directory Entries

    Managing Entries From the Command Line From the Subtype drop-down list you can also assign one of two other subtypes: binary, or pronunciation. Click OK. The Add Attribute window is dismissed. When you have finished defining the information for the entry, click OK in the Property Editor.
  • Page 51: Providing Input From The Command Line

    Managing Entries From the Command Line • Adding and Modifying Entries Using ldapmodify • Deleting Entries Using ldapdelete • Using Special Characters NOTE You cannot modify your directory unless the appropriate access control rules have been set. For information on creating access control rules for your directory, see Chapter 6, “Managing Access Control.”...
  • Page 52: Creating A Root Entry From The Command Line

    Managing Entries From the Command Line For example: dn: dc=example,dc=com dn: ou=People, dc=example,dc=com (People subtree entries) dn: ou=Group, dc=example,dc=com (Group subtree entries) Creating a Root Entry From the Command Line You can use the ldapmodify command-line utility to create a new root entry in a database.
  • Page 53: Adding And Modifying Entries Using Ldapmodify

    Managing Entries From the Command Line Adding Entries Using LDIF You can use an LDIF file to add multiple entries or to import an entire database. To add entries using an LDIF file and the Directory Server Console: Define the entries in an LDIF file. LDIF is described in Appendix A, “LDAP Data Interchange Format.”...
  • Page 54: Table 2-2 Description Of Ldapmodify Parameters Used For Adding Entries

    Managing Entries From the Command Line To create a database suffix (such as dc=example,dc=com) using ldapmodify, you must bind to the directory as the Directory Manager. Adding Entries Using ldapmodify Here is a typical example of how to use the ldapmodify utility to add entries to the directory.
  • Page 55: Table 2-3 Description Of Ldapmodify Parameters Used For Modifying Entries

    Managing Entries From the Command Line Table 2-2 Description of ldapmodify Parameters Used for Adding Entries (Continued) Parameter Name / Description: Optional parameter that specifies the file containing the LDIF update statements used to define the modifications. If you do not supply this parameter, the update statements are read from stdin.
  • Page 56: Deleting Entries Using Ldapdelete

    Managing Entries From the Command Line Table 2-3 Description of ldapmodify Parameters Used for Modifying Entries (Continued) Parameter Name / Description: Specifies the password associated with the distinguished name specified in the -D parameter. Specifies the name of the host on which the server is running. Specifies the port number that the server uses.
  • Page 57: Table 2-4 Description Of Ldapdelete Parameters Used For Deleting Entries

    Managing Entries From the Command Line • You have created a database administrator that has the authority to modify the entries, and whose distinguished name is cn=Directory Manager, dc=example,dc=com • The database administrator’s password is King-Pin • The server is located on cyclops •...
  • Page 58: Ldif Update Statements

    LDIF Update Statements -D "cn=Barbara Jensen,ou=Product Development,dc=example,dc=com" Depending on the command-line utility you use, you should use either single or double quotation marks for this purpose. Refer to your operating system documentation for more information. In addition, if you are using DNs that contain commas, you must escape the commas with a backslash (\).
  • Page 59: Adding An Entry Using Ldif

    LDIF Update Statements change_operation_identifier list_of_attributes A dash (-) must be used to denote the end of a change operation if subsequent change operations are specified. For example, the following statement adds the telephone number and manager attributes to the entry: dn: cn=Lisa Jangles,ou=People,dc=example,dc=com changetype: modify add: telephonenumber...
  • Page 60 LDIF Update Statements
    dn: ou=People, dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: organizationalUnit
    ou: People
    ou: Marketing

    dn: cn=Pete Minsky,ou=People,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: Pete Minsky
    givenName: Pete
    sn: Minsky
    ou: People
    ou: Marketing
    uid: pminsky

    dn: cn=Sue Jacobs,ou=People,dc=example,dc=com
    changetype: add...
  • Page 61: Renaming An Entry Using Ldif

    LDIF Update Statements
    objectclass: top
    objectclass: organizationalUnit
    ou: example.com Bolivia\, S.A.

    dn: cn=Carla Flores,ou=example.com Bolivia\, S.A.,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    cn: Carla Flores
    givenName: Carla
    sn: Flores
    ou: example.com Bolivia\, S.A.
    uid: cflores
    Renaming an Entry Using LDIF to change an entry’s relative distinguished name (RDN).
  • Page 62: A Note On Renaming Entries

    LDIF Update Statements The following example can be used to rename Sue Jacobs to Susan Jacobs:
    dn: cn=Sue Jacobs,ou=Marketing,dc=example,dc=com
    changetype: modrdn
    newrdn: cn=Susan Jacobs
    deleteoldrdn: 0
    Because deleteoldrdn is 0, this example retains the existing RDN as a value in the new entry.
  • Page 63: Adding Attributes To Existing Entries Using Ldif

    LDIF Update Statements Modifying an Entry Using LDIF Use changetype:modify to add, replace, or remove attributes and/or attribute values to the entry. When you specify changetype:modify, you must also provide a change operation to indicate how the entry is to be modified. Change operations can be as follows: •...
  • Page 64 LDIF Update Statements For example, the following LDIF update statement adds a telephone number to the entry:
    dn: cn=Barney Fife,ou=People,dc=example,dc=com
    changetype: modify
    add: telephonenumber
    telephonenumber: 555-1212
    The following example adds two telephone numbers to the entry:
    dn: cn=Barney Fife,ou=People,dc=example,dc=com
    changetype: modify
    add: telephonenumber
    telephonenumber: 555-1212
    telephonenumber: 555-6789...
  • Page 65: Changing An Attribute Value Using Ldif

    LDIF Update Statements For example, you could use the following ldapmodify command:
    prompt% ldapmodify -D userDN -w user_passwd
    >version: 1
    >dn: cn=Barney Fife,ou=People,dc=example,dc=com
    >changetype: modify
    >add: userCertificate
    >userCertificate;binary:< file: BarneysCert
    NOTE You can use the standard LDIF notation only with the ldapmodify command, not with other command-line utilities.
  • Page 66: Deleting All Values Of An Attribute Using Ldif

    LDIF Update Statements Barney’s entry is now as follows:
    cn=Barney Fife,ou=People,dc=example,dc=com
    objectClass: inetOrgPerson
    cn: Barney Fife
    sn: Fife
    telephonenumber: 555-5678
    telephonenumber: 555-4321
    Deleting All Values of an Attribute Using LDIF Use changetype:modify with the delete operation to delete an attribute from an entry.
  • Page 67: Deleting An Entry Using Ldif

    LDIF Update Statements Barney’s entry then becomes:
    cn=Barney Fife,ou=People,dc=example,dc=com
    objectClass: inetOrgPerson
    cn: Barney Fife
    sn: Fife
    telephonenumber: 555-5678
    Deleting an Entry Using LDIF Use changetype:delete to delete an entry from your directory. You can only delete leaf entries. Therefore, when you delete an entry, make sure that no other entries exist under that entry in the directory tree.
  • Page 68: Maintaining Referential Integrity

    Maintaining Referential Integrity Modifying an Entry in an Internationalized Directory If the attribute values in your directory are associated with one or more languages other than English, the attribute values are associated with language tags. When using the ldapmodify command-line utility to modify an attribute that has an associated language tag, you must match the value and language tag exactly or the modify operation will fail.
  • Page 69: Using Referential Integrity With Replication

    Maintaining Referential Integrity NOTE The referential integrity plug-in should only be enabled on one master replica in a multi-master replication environment, to avoid conflict resolution loops. When enabling the plug-in on servers issuing chaining requests, be sure to analyze your performance resource and time needs as well as your integrity needs.
  • Page 70: Configuring The Supplier Server

    Maintaining Referential Integrity • In the context of multi-master replication, you should enable it on just one master. Configuring the Supplier Server When your replication environment satisfies the conditions listed above, you can enable the referential integrity plug-in. Enable the referential integrity plug-in. This task is described in “Enabling/Disabling Referential Integrity,”...
  • Page 71: From The Directory Server Console

    Maintaining Referential Integrity Recording Updates in the Change Log You can decide to record updates in the replication change log instead of recording them in the default location, that is, in the referint file in the /usr/netscape/servers/slapd-serverID/logs directory. You must do this if you want referential integrity updates to be replicated to consumer servers in the context of replication.
  • Page 72: From The Directory Server Console

    Maintaining Referential Integrity • 86,400 seconds (updates occur once a day) • 604,800 seconds (updates occur once a week) You can modify the update interval from the Directory Server Console. From the Directory Server Console On the Directory Server Console, select the Configuration tab. For information on starting the Directory Server Console, refer to “Using the Directory Server Console,”...
  • Page 73 Maintaining Referential Integrity For your changes to be taken into account, go to the Tasks tab, and select Restart the Directory Server. NOTE For best performance, the attributes set for updating should also be indexed. For information on indexing, see Chapter 8, “Managing Indexes.”...
  • Page 75: Chapter 3 Configuring Directory Databases

    Chapter 3 Configuring Directory Databases Your directory is made up of databases over which you can distribute your directory tree. This chapter describes how to create suffixes, the branch points for your directory tree, and how to create the databases associated with each suffix. This chapter also describes how to create database links to reference databases on remote servers and how to use referrals to point clients to external sources of directory data.
  • Page 76: Creating Suffixes

    Creating and Maintaining Suffixes Figure 3-1 A Sample Directory Tree with One Root Suffix The ou=people suffix and all the entries and nodes below it might be stored in one database, the ou=groups suffix on another database, and the ou=contractors suffix on yet another database. This section describes creating suffixes on your Directory Server and associating them with databases.
  • Page 77: Figure 3-2 A Sample Directory Tree With Two Root Suffixes

    Creating and Maintaining Suffixes Figure 3-2 A Sample Directory Tree with Two Root Suffixes You can also create root suffixes to exclude portions of your directory tree from search operations. For example, example.com Corporation might want to exclude their European office from a search on the general example.com Corporation directory.
  • Page 78: Figure 3-4 A Sample Directory Tree With A Sub Suffix

    Creating and Maintaining Suffixes Figure 3-4 A Sample Directory Tree with a Sub Suffix This section describes creating root and sub suffixes for your directory using either the Directory Server Console or the command line. This section contains the following procedures: •...
  • Page 79: Creating A New Sub Suffix Using The Console

    Creating and Maintaining Suffixes If you selected the “Create associated database automatically” checkbox in step 4, enter a unique name for the new database in the “Database name” field. Use only ASCII (7-bit) characters for naming the database. This value cannot contain commas, tabs, an equals sign (=), asterisk (*), backslash (\), forward slash (/), plus sign (+), quote (‘), double quote (“), or a question mark (?).
  • Page 80 Creating and Maintaining Suffixes Click OK to create the new sub suffix. The suffix appears automatically under its root suffix in the Data tree in the left navigation pane. Creating Root and Sub Suffixes From the Command Line Use the ldapmodify command-line utility to add new suffixes to your directory configuration file.
  • Page 81: Table 3-1 Suffix Attributes

    Creating and Maintaining Suffixes To create a sub suffix for groups under this root suffix, you would do an ldapmodify operation to add the following entry:
    dn: cn="ou=groups,dc=example,dc=com",cn=mapping tree,cn=config
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsMappingTree
    nsslapd-state: backend
    nsslapd-backend: GroupData
    nsslapd-parent-suffix: "dc=example,dc=com"
    cn: ou=groups,dc=example,dc=com
    NOTE If you want to maintain your suffixes using the Directory Server...
  • Page 82 Creating and Maintaining Suffixes Table 3-1 Suffix Attributes (Continued) Attribute Name / Value: nsslapd-state Determines how the suffix handles operations. This attribute takes the following values: • backend: the backend (database) is used to process all operations. • disabled: the database is not available for processing operations.
  • Page 83: Maintaining Suffixes

    Creating and Maintaining Suffixes Table 3-1 Suffix Attributes (Continued) Attribute Name / Value: nsslapd-parent-suffix Provides the DN of the parent entry for a sub suffix. By default, this attribute is not present, which means that the suffix is regarded as a root suffix.
  • Page 84: Enabling Referrals Only During Update Operations

    Creating and Maintaining Suffixes Click Add to add the referral to the list. You can enter multiple referrals. The directory will return the entire list of referrals in response to requests from client applications. Click Save. Enabling Referrals Only During Update Operations You may want to configure your directory to redirect update and write requests made by client applications to a read-only database.
  • Page 85: Creating And Maintaining Databases

    Creating and Maintaining Databases To disable a suffix: On the Directory Server Console select the Configuration tab. Under Data in the left navigation pane, click the suffix you want to disable. Click the Suffix Setting tab. Deselect the “Enable this suffix” checkbox. A red dot appears on the Suffix Setting tab to alert you to changes that need to be saved.
  • Page 86: Creating Databases

    Creating and Maintaining Databases This section contains information about creating databases to contain your directory data, deleting databases, and making databases temporarily read-only. Creating Databases Directory Server supports the use of multiple databases over which you can distribute your directory tree. There are two ways you can distribute your data across multiple databases: •...
  • Page 87 Creating and Maintaining Databases Database one contains the data for ou=people plus the data for dc=example,dc=com, so that clients can conduct searches based at dc=example,dc=com. Database two contains the data for ou=groups, and database three contains the data for ou=contractors •...
  • Page 88: Creating A New Database For An Existing Suffix Using The Console

    Creating and Maintaining Databases Creating a New Database for an Existing Suffix Using the Console The following procedure describes adding a database to a suffix you have already created: In the Directory Server Console, select the Configuration tab. In the left pane, expand Data then click the suffix to which you want to add the new database.
  • Page 89: Adding Multiple Databases For A Single Suffix

    Creating and Maintaining Databases Add a new entry to the configuration file by performing an ldapmodify as follows: ldapmodify -a -h example1 -p 389 -D "cn=directory manager" -w secret The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file.
  • Page 90: Adding The Custom Distribution Function To A Suffix

    Creating and Maintaining Databases Once Netscape Professional Services has helped you create a custom distribution logic plug-in, you need to add it to your directory. The following procedures describe adding distribution logic to a suffix in your directory. Adding the Custom Distribution Function to a Suffix The distribution logic is a function declared in a suffix.
  • Page 91: Maintaining Directory Databases

    Creating and Maintaining Databases For more information about using the ldapmodify command-line utility, refer to “Adding and Modifying Entries Using ldapmodify,” on page 53. Maintaining Directory Databases This section describes jobs associated with maintaining your directory databases. It includes the following procedures: •...
  • Page 92: Deleting A Database

    Creating and Maintaining Database Links Making a Database Read-Only From the Command Line If you want to manually place a database into read-only mode, you must change the value of the read-only attribute, nsslapd-readonly. To do so, use the ldapmodify command-line utility.
  • Page 93: Configuring The Chaining Policy

    Creating and Maintaining Database Links You can create and configure a database link using Directory Server Console or the command line. The following sections describe the procedures for creating and maintaining a database link: • Configuring the Chaining Policy • Creating a New Database Link •...
  • Page 94: Table 3-2 Components Allowed To Chain

    Creating and Maintaining Database Links You must also create an ACI on the remote server to allow the plug-in you specify to perform its operations on the remote server. You create the ACI in the suffix assigned to the database link. The following table lists component names, the potential side-effects of allowing them to chain internal operations, and the permissions they need in the ACI you create on the remote server:...
  • Page 95 Creating and Maintaining Database Links Table 3-2 Components Allowed to Chain (Continued) Component Name: Referential integrity plug-in. Description: This plug-in ensures that updates made to attributes containing DNs are propagated to all entries that contain pointers to the attribute. Permissions: Read, write, search, and compare.
  • Page 96 Creating and Maintaining Database Links The following sections describe how to specify components you want to allow to chain using the console and from the command line. Chaining Component Operations Using the Console On the Directory Server Console, select the Configuration tab. Expand Data in the left pane and click Database Link Settings.
  • Page 97: Chaining Ldap Controls

    Creating and Maintaining Database Links After allowing the component to chain, you must create an ACI in the suffix on the remote server to which the operation will be chained. For example, you would create the following ACI for the referential integrity component: aci: (targetattr "*")(target="ldap:///ou=customers,l=us,dc=example,dc=com") (version 3.0;...
  • Page 98: Creating A New Database Link

    Creating and Maintaining Database Links Select the Settings tab in the right window. To add an LDAP control to the list, click Add. The “Select control OIDs to add” dialog box displays. Select the OID of a control you want to add to the list and click OK. To delete a control from the list, select it from the “LDAP controls forwarded to the remote server”...
  • Page 99: Creating A New Database Link Using The Console

    Creating and Maintaining Database Links Suffix information. You create a suffix in your directory tree that is managed by the database link, not a regular database. This suffix corresponds to the suffix on the remote server that contains the data. Bind credentials.
  • Page 100: Creating A Database Link From The Command Line

    Creating and Maintaining Database Links Enter the name of the new database link in the “Database link name” field. Use only ASCII (7-bit) characters for naming the database link. This value cannot contain commas, tabs, an equals sign (=), asterisk (*), backslash (\), forward slash (/), plus sign (+), quote (‘), double quote (“), or a question mark (?).
  • Page 101 Creating and Maintaining Database Links Your new instance must be located in the cn=chaining database,cn=plugins,cn=config entry. Default configuration attributes are contained in the cn=default config,cn=chaining database,cn=plugins,cn=config entry. These configuration attributes apply to all database links at creation time. Changes to the default configuration only affect new database links.
  • Page 102 Creating and Maintaining Database Links Providing Bind Credentials For a request from a client application to be chained to a remote server, you can provide special bind credentials for the client application. This gives the remote server the proxied authorization rights needed to chain operations. If you do not specify bind credentials, the database link binds to the remote server as anonymous.
  • Page 103 Creating and Maintaining Database Links The database link on server A binds to server B using a special user as defined in the nsMultiplexorBindDN attribute and a user password as defined in the nsMultiplexorCredentials attribute. In this example, server A uses the following bind credentials: nsMultiplexorBindDN: cn=proxy admin,cn=config...
  • Page 104 Creating and Maintaining Database Links For more information on ACIs, refer to “Managing Access Control,” on page 189. For more information about the proxy authentication control, refer to the C-SDK documentation at http://enterprise.netscape.com/docs NOTE When a database link is used by a client application to create or modify entries, the creatorsName and modifiersName attributes...
  • Page 105: Table 3-4 Database Link Configuration Attributes

    Creating and Maintaining Database Links In this sample LDAP URL, the database link first contacts the server example.com on the standard port to service an operation. If it does not respond, the database link then contacts the server us.example.com on port 389. If this server fails, it then contacts the next server in the URL on port 1000.
  • Page 106 Creating and Maintaining Database Links Database Link Configuration Attributes (Continued) Table 3-4 Attributes Value nsMultiplexorCredentials: Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file. Reserved for advanced use only.
  • Page 107 Creating and Maintaining Database Links First, use the ldapmodify command-line utility to add a database link to server A. Type the following to change to the directory containing the utility: cd /usr/netscape/servers/shared/bin Run the script as follows: ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com Then specify the configuration information for the database link: dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config...
  • Page 108 Creating and Maintaining Database Links nsslapd-state: backend nsslapd-backend: DBLink1 nsslapd-parent-suffix: "ou=people,dc=example,dc=com" cn: l=Zanzibar,ou=people,dc=example,dc=com In the first section, the nsslapd-suffix attribute contains the suffix on server B that you want to chain to from server A. The nsFarmServerURL attribute contains the LDAP URL of server B. The second section creates a new suffix, allowing the server to route requests made to the new database link.
  • Page 109: Chaining Using Ssl

    Creating and Maintaining Database Links NOTE When a user binds to a database link, the user’s identity is sent to the remote server. Access controls are always evaluated on the remote server. For the user to successfully modify or write data to the remote server, you need to set up the correct access controls on the remote server.
  • Page 110: Maintaining Database Links

    Creating and Maintaining Database Links Maintaining Database Links This section describes how to update and delete existing database links. It contains the following procedures: • Updating Remote Server Authentication Information • Deleting Database Links Updating Remote Server Authentication Information To update the bind DN and password used by the database link to connect to the remote server: On the Directory Server Console, select the Configuration tab.
  • Page 111: Database Links And Access Control Evaluation

    Creating and Maintaining Database Links From the Object menu, select Delete. You can also right-click the database link and select Delete from the pop-up menu. The Deleting Database Link confirmation dialog box is displayed. Click Yes to confirm that you want to delete the database link. A progress dialog box appears telling you the steps the Directory Server completes during the deletion.
  • Page 112: Advanced Feature: Tuning Database Link Performance

    Creating and Maintaining Database Links • ACIs that refer to values of a user’s entry (for example, userattr subject rules) will work if the user is remote. Though access controls are always evaluated on the remote server, you can also choose to have them evaluated on both the server containing the database link and the remote server.
  • Page 113: Managing Connections To The Remote Server

    Creating and Maintaining Database Links Managing Connections to the Remote Server Each database link maintains a pool of connections to a remote server. You can configure the connections to optimize resources for your directory. You can change the connection attributes using the Directory Server Console or through the command line.
  • Page 114: Table 3-5 Database Link Connection Management Attributes

    Creating and Maintaining Database Links Connection lifetime (sec). How long a connection made between the database link and remote server remains open. You can keep connections between the database link and the remote server open for an unspecified time, or you can close them after a specific period of time.
  • Page 115: Detecting Errors During Normal Processing

    Creating and Maintaining Database Links Database Link Connection Management Attributes (Continued) Table 3-5 Attribute Name Description nsBindRetryLimit: Number of times a database link attempts to bind to the remote server. A value of zero (0) indicates that the database link will try to bind only once. The default value is 3 attempts. Connection lifetime, in seconds.
  • Page 116: Managing Threaded Operations

    Creating and Maintaining Database Links If the remote server does not respond before the nsMaxResponseDelay period has passed, then an error is returned and the connection is flagged as down. All connections between the database link and remote server will be blocked for 30 seconds, protecting your server from a performance degradation.
  • Page 117: Advanced Feature: Configuring Cascading Chaining

    Creating and Maintaining Database Links While the database link waits for results from the remote server, it can process additional operations. By default, the number of threads used by the server is 20. However, when using database links, you can improve performance by increasing the number of threads available for processing operations.
  • Page 118 Creating and Maintaining Database Links The client application sends a modify request to server one. Server one contains a database link that forwards the operation to server two, which contains another database link. The database link on server two forwards the operations to server three, which contains the data the client wants to modify in a database.
  • Page 119 Creating and Maintaining Database Links The root suffix dc=example,dc=com and the sub suffixes ou=people and ou=groups are stored on Server A. The l=europe,dc=example,dc=com and ou=groups suffixes are stored on Server B, and the l=europe,dc=example,dc=com branch of the ou=people suffix is stored on Server C. With cascading configured on servers A, B, and C, a client request targeted at the entry would be routed by the...
  • Page 120: Configuring Cascading Chaining Defaults Using The Console

    Creating and Maintaining Database Links First the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the branch.
  • Page 121: Configuring Cascading Chaining Using The Console

    Creating and Maintaining Database Links Select the “Check local ACI” checkbox if you want to enable the evaluation of local ACIs on the intermediate database links involved in cascading chaining. If you select this checkbox, you will need to add the appropriate local ACIs to a database on the servers that contain intermediate database links.
  • Page 122: Configuring Cascading Chaining From The Command Line

    Creating and Maintaining Database Links Configuring Cascading Chaining From the Command Line Configuring a cascade of database links through the command line involves the following steps: • Pointing one database link to the URL of the server containing the intermediate database link.
  • Page 123 Creating and Maintaining Database Links Creating the Proxy Administrative User ACI You need to create an ACI on the server that contains the intermediate database link that checks the rights of the first database link before translating the request to another server.
  • Page 124 Creating and Maintaining Database Links Setting this attribute to on in the cn=default instance config,cn=chaining database,cn=plugins,cn=config entry means that all new database link instances will have the nsCheckLocalACI attribute set to on in their cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry. Creating Client ACIs Because you have enabled local ACI evaluation, you need to create the appropriate client application ACIs on all intermediate database links as well as the final destination database.
  • Page 125: Summary Of Cascading Chaining Configuration Attributes

    Creating and Maintaining Database Links Summary of Cascading Chaining Configuration Attributes The following table describes the attributes used to configure intermediate database links in a cascading chain: Table 3-7 Cascading Chaining Configuration Attributes Attribute Description nsFarmServerURL URL of the server containing the next database link in the cascading chain. nsTransmittedControls Enter the following OIDs to the database links involved in the cascading chain: nsTransmittedControls: 2.16.840.1.113730.3.4.12...
  • Page 126: Configuring Server One

    Creating and Maintaining Database Links Configuring Server One First, use the ldapmodify command-line utility to add a database link to server one. To use the utility, type the following to change to the directory containing the utility: cd /usr/netscape/servers/shared/bin Run the utility as follows: ldapmodify -a -D "cn=directory manager"...
  • Page 127 Creating and Maintaining Database Links Then specify the configuration information for the database link, DBLink1, on server one as follows: dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance nsslapd-suffix: l=Zanzibar,c=africa,ou=people,dc=example,dc=com nsfarmserverurl: ldap://africa.example.com:389/ nsmultiplexorbinddn: cn=server1 proxy admin,cn=config nsmultiplexorcredentials: secret cn: DBLink1 nsCheckLocalACI:off cn="l=Zanzibar,c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config...
  • Page 128: Configuring Server Two

    Creating and Maintaining Database Links Configuring Server Two Next, you create a proxy administrative user on server two. This administrative user will be used to allow server one to bind and authenticate to server two. Bear in mind that it is useful to choose a proxy administrative user name which is specific to server one as it is the proxy administrative user which will allow server one to bind to server two.
  • Page 129 Creating and Maintaining Database Links Since database link DBLink2 is the intermediate database link in your cascading chaining configuration, you need to set nsCheckLocalACI to on, to allow the server to check whether or not it should allow the client and proxy administrative user access to the database link.
  • Page 130: Configuring Server Three

    Creating and Maintaining Database Links NOTE To create these ACIs it is assumed that the database corresponding to the suffix c=africa,ou=people,dc=example,dc=com already exists to hold the entry. This database needs to be associated with a suffix above the suffix specified in the nsslapd-suffix attribute of each database link.
  • Page 131 Creating and Maintaining Database Links dn: cn=server2 proxy admin,cn=config objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: server2 proxy admin sn: server2 proxy admin userPassword: secret description: Entry for use by database links Then you need to add the same local proxy authorization ACI to server three as you did on server two.
  • Page 132: Using Referrals

    Using Referrals Using Referrals You can use referrals to tell client applications which server to contact for a specific piece of information. This redirection occurs when a client application requests a directory entry that does not exist on the local server or when a database has been taken offline for maintenance.
  • Page 133: Creating Smart Referrals

    Using Referrals Setting a Default Referral From the Command Line Use the ldapmodify command-line utility to add a default referral to the cn=config entry in your directory configuration file. For example, to add a new default referral from your Directory Server, example.com, to another server, add a new line to the...
  • Page 134: Creating Smart Referrals Using The Directory Server Console

    Using Referrals Creating Smart Referrals Using the Directory Server Console On the Directory Server Console, select the Directory tab. Browse through the tree in the left navigation pane and select the entry for which you want to add the referral. Double-click the entry.
  • Page 135: Creating Smart Referrals From The Command Line

    Using Referrals Creating Smart Referrals From the Command Line Use the ldapmodify command-line utility to create smart referrals from the command line. To create a smart referral, create the relevant directory entry and add the Referral object class. This object class allows a single attribute.
  • Page 136: Creating Suffix Referrals

    Using Referrals Creating Suffix Referrals The following procedure describes creating a referral in a suffix. This means that the suffix processes operations using a referral rather than a database or database link. For more information about referrals, refer to Netscape Directory Server Deployment Guide.
  • Page 137 Using Referrals For example, to add a new suffix referral to the ou=people,dc=example,dc=com root suffix, you do an ldapmodify. First, type the following to change to the directory containing the utility: cd /usr/netscape/servers/shared/bin Then, run ldapmodify as follows: ldapmodify -a -h example.com -p 389 -D "cn=directory manager" -w secret The ldapmodify utility binds to the server and prepares it to add information to...
  • Page 139: Chapter 4 Populating Directory Databases

    Chapter 4 Populating Directory Databases Databases contain the directory data managed by your Netscape Directory Server (Directory Server). This chapter describes the following procedures for populating your directory databases: • Importing Data (page 139) • Exporting Data (page 146) • Backing Up and Restoring Data (page 150) •...
  • Page 140: Table 4-1 Import Method Comparison

    Importing Data Table 4-1 Import Method Comparison (columns: Import, Initialize Database). Overwrites database: values not captured. LDAP operations: Import, add, modify, delete; Initialize Database, add only. Performance: Import, more time consuming; Initialize Database, fast. Partition speciality: Import, works on all partitions; Initialize Database, local partitions only. Response to server failure: Import, best effort (all changes made up to the point of the failure); Initialize Database, atomic (all changes are lost after a failure).
  • Page 141 Importing Data To import data from the Directory Server Console: On the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and select Import Database. You can also import by going to the Configuration tab and selecting “Import” from the Console menu.
  • Page 142: Initializing A Database From The Console

    Importing Data Initializing a Database From the Console You can overwrite the existing data in a database. The following section describes using the console to initialize databases. You must be logged in as the Directory Manager in order to initialize a database. This is because you cannot import an LDIF file that contains a root entry unless you bind to the directory as the Directory Manager (Root DN).
  • Page 143: Importing From The Command Line

    Importing Data Importing From the Command Line You can use three methods for importing data through the command line: • Using ldif2db—This import method overwrites the contents of your database and requires the server to be stopped. • Using ldif2db.pl—This import method overwrites the contents of your database while the server is still running.
  • Page 144 Importing Data Two examples of performing an import using ldif2db follow: Windows batch file: ldif2db.bat -n Database1 -i c:\netscape\servers\slapd-dirserver\ldif\demo.ldif -i c:\netscape\servers\slapd-dirserver\ldif\demo2.ldif UNIX shell script: ldif2db -n Database1 -i /usr/netscape/servers/slapd-dirserver/ldif/demo.ldif -i /usr/netscape/servers/slapd-dirserver/ldif/demo2.ldif The following table describes the ldif2db options used in the examples: Option Name Description...
  • Page 145 Importing Data Run the ldif2db.pl perl script. For more information about using this perl script, refer to Netscape Directory Server Configuration, Command, and File Reference. The following examples import an LDIF file using the ldif2db.pl script. You do not need root privileges to run the script, but you must authenticate as the directory manager.
  • Page 146: Exporting Data

    Exporting Data To import LDIF using ldif2ldap From the command line, change to the following directory: /usr/netscape/servers/slapd-serverID where serverID is the name of your Directory Server. Run the ldif2ldap command-line script. For more information about using this script, refer to Netscape Directory Server Configuration, Command, and File Reference.
  • Page 147: Figure 4-1 Splitting A Database Contents Into Two Databases

    Exporting Data Figure 4-1 Splitting a Database Contents into Two Databases To populate the new databases requires exporting the contents of database one and importing it into the new databases one and two. You can use the Directory Server Console or command-line utilities to export data. The following sections describe these methods in detail: •...
  • Page 148: Exporting A Single Database To Ldif Using The Console

    Exporting Data To export directory data to LDIF from the Directory Server Console while the server is running: On the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and click Export Database(s). To export all of your databases, you can also select the Configuration tab and select Export from the Console menu.
  • Page 149: Exporting To Ldif From The Command Line

    Exporting Data Expand the Data tree in the left navigation pane. Expand the suffix maintained by the database you want to export. Select the database under the suffix that you want to export. Right-click the database and select Export Database. You can also select Export Database from the Object menu.
  • Page 150: Backing Up And Restoring Data

    Backing Up and Restoring Data Option Name Description Specifies the name of the database from which the file is being exported. Defines the output file in which the server saves the exported LDIF. This file is stored by default in the directory where the command-line script resides.
  • Page 151: Backing Up All Databases From The Server Console

    Backing Up and Restoring Data Backing Up All Databases From the Server Console When you back up your databases from the Directory Server Console, the server copies all of the database contents and associated index files to a backup location. You can perform a backup while the server is running.
  • Page 152: Backing Up A Single Database

    Backing Up and Restoring Data Run the db2bak command-line script. For more information about using this script, refer to Netscape Directory Server Configuration, Command, and File Reference. Two examples of performing a backup using db2bak follow: Windows batch file: db2bak \usr\netscape\servers\slapd-dirserver\bak\bak_20010701103056 UNIX shell script: db2bak /usr/netscape/servers/slapd-dirserver/bak/bak_20010701103056 You can specify the backup directory and output file where the server saves the...
  • Page 153: Backing Up The Dse.ldif Configuration File

    Backing Up and Restoring Data Backing Up the dse.ldif Configuration File Directory Server automatically backs up the dse.ldif configuration file. When you start your Directory Server, the directory creates a backup of the dse.ldif file automatically in a file named dse.ldif.startOK in the serverID...
  • Page 154: Restoring Your Database From The Command Line

    Backing Up and Restoring Data where serverID is the name of your Directory Server and backup_name is the name of the backup file. Click OK to restore your databases. Restoring Your Database From the Command Line You can restore your databases from the command line by using the following scripts: •...
  • Page 155: Restoring A Single Database

    Backing Up and Restoring Data Using bak2db.pl Perl Script To restore your directory from the command line while the server is running: At the command prompt, change to the following directory: /usr/netscape/servers/slapd-serverID where serverID is the name of your Directory Server. Run the perl script.
  • Page 156: Restoring Databases That Include Replicated Entries

    Backing Up and Restoring Data If the server is running, type the following to shut it down: ./stop-slapd Change to the directory containing the backup you want to restore. Copy all of the files to the directory containing the database you want to overwrite with your backup.
  • Page 157: Restoring The Dse.ldif Configuration File

    Enabling and Disabling Read-Only Mode For information on managing replication, see “Managing Replication,” on page 275. Restoring the dse.ldif Configuration File To restore the dse.ldif configuration file, stop the server, then use the procedure outlined in “Restoring a Single Database,” on page 155 to copy the backup copy of the file into your directory.
  • Page 158 Enabling and Disabling Read-Only Mode Before performing an import or restore operation, you should ensure that the databases affected by the operation are not in read-only mode. If they are, use the following procedure to make them available for updates. Disabling Read-Only Mode On the Directory Server Console, select the Configuration tab, and expand the Data tree.
  • Page 159: Chapter 5 Advanced Entry Management

    Chapter 5 Advanced Entry Management You can group the entries contained by your directory to simplify the management of user accounts. Netscape Directory Server (Directory Server) supports a variety of methods for grouping entries and sharing attributes between entries. This chapter describes the following grouping mechanisms and their procedures: •...
  • Page 160: Managing Static Groups

    Using Groups Managing Static Groups Static groups allow you to group entries by specifying the same group value in the DN attribute of any number of users. This section includes the following procedures for creating and modifying static groups: • Adding a New Static Group •...
  • Page 161: Managing Dynamic Groups

    Using Groups Modifying a Static Group In the Directory Server Console, select the Directory tab. The directory contents appear in the left pane. Double-click the entry you want to modify or select Open from the Object menu. The Edit Group dialog box appears. Make your changes to the group information.
  • Page 162: Using Roles

    Using Roles Double-click the entry you want to modify or select Properties from the Object menu. The Edit Group dialog box appears. Make your changes to the group information. Click OK. To view your changes, go to the View menu and select Refresh. Using Roles Roles are a new entry grouping mechanism that unifies the static and dynamic groups described in the previous sections.
  • Page 163: Managing Roles Using The Console

    Using Roles • Remove a particular role from a given entry. You can do everything you would normally do with static groups with managed roles, and you can filter members using filtered roles as you used to do with dynamic groups. Roles are easier to use than groups, more flexible in their implementation, and reduce client complexity.
  • Page 164: Creating A Managed Role

    Using Roles • Deleting a Role When you create a role, you need to decide whether a user can add themselves or remove themselves from the role. Refer to “Using Roles Securely,” on page 171 for more information about roles and access control. Creating a Managed Role Managed roles allow you to create an explicit enumerated list of members.
  • Page 165: Creating A Filtered Role

    Using Roles Creating a Filtered Role You assign entries to a filtered role depending upon a particular attribute contained by each entry. You do this by specifying an LDAP filter. Entries that match the filter are said to possess the role. To create and add members to a filtered role: Follow steps 1-5 of “Creating a Managed Role,”...
  • Page 166 Using Roles To create and add members to a nested role: Follow steps 1-5 of “Creating a Managed Role,” on page 164. Click Members in the left pane. A search dialog box appears briefly. In the right pane, select Nested Role. Click Add to add roles to the list. The members of the nested role are members of other existing roles.
  • Page 167: Modifying A Role Entry

    Using Roles Click OK once you have finished modifying the roles to save your changes. Modifying a Role Entry To edit an existing role: On the Directory Server Console, select the Directory tab. Browse the navigation tree in the left pane to locate the base DN for your role. Roles appear in the right pane with other entries.
  • Page 168: Managing Roles Using The Command Line

    Using Roles Browse the navigation tree in the left pane to locate the base DN for your role. Roles appear in the right pane with other entries. Select the role. Select Activate from the Object menu. You can also right-click the role and select Activate from the menu. The role is reactivated.
  • Page 169: Examples: Managed Role Definition

    Using Roles • Members of a filtered role are entries that match the filter specified in the nsRoleFilter attribute. • Members of a nested role are members of the roles specified in the nsRoleDN attributes of the nested role definition entry. Table 5-1 lists the new object classes and attributes associated with each type of role.
  • Page 170: Example: Filtered Role Definition

    Using Roles Notice that the nsManagedRoleDefinition object class inherits from the LDAPsubentry, nsRoleDefinition, and nsSimpleRoleDefinition object classes. Assign the role to a marketing staff member named Bob by doing an ldapmodify as follows: ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389 dn: cn=Bob,ou=people,dc=example,dc=com changetype: modify add: nsRoleDN...
  • Page 171: Example: Nested Role Definition

    Using Roles Example: Nested Role Definition You want to create a role that contains both the marketing staff and sales managers contained by the roles you created in the previous examples. The nested role you create using ldapmodify appears as follows: dn: cn=MarketingSales,ou=people,dc=example,dc=com objectclass: top...
  • Page 172: Assigning Class Of Service

    Assigning Class of Service To prevent users from removing the nsRoleDN attribute, use the following ACIs depending upon the type of role being used. Managed roles. For entries that are members of a managed role, use the following ACI to prevent users from unlocking themselves by removing the appropriate nsRoleDN: aci: (targetattr=”nsRoleDN”) (targattrfilters=”...
  • Page 173: About Cos

    Assigning Class of Service • Managing CoS Using the Console • Managing CoS From the Command Line • Creating Role-Based Attributes • Access Control and CoS About CoS Clients of the Directory Server read the attributes on a user’s entry. With CoS, some attribute values may not be stored with the entry itself.
  • Page 174: About The Cos Template Entry

    Assigning Class of Service There are 3 types of CoS, defined using three types of CoS definition entries: • Pointer CoS—A pointer CoS identifies the template entry using the template DN only. • Indirect CoS—An indirect CoS identifies the template entry using the value of one of the target entry’s attributes.
  • Page 175: How A Pointer Cos Works

    Assigning Class of Service How a Pointer CoS Works You create a CoS that shares a common postal code with all of the entries stored under dc=example,dc=com. The three entries for this CoS appear as illustrated in Figure 5-1. Figure 5-1 Sample Pointer CoS In this example, the template entry is identified by its DN,...
  • Page 176: How A Classic Cos Works

    Assigning Class of Service Figure 5-2 Sample Indirect CoS In this example, the target entry for William Holiday contains the indirect specifier, the manager attribute. William’s manager is Carla Fuentes, so the manager attribute contains a pointer to the DN of the template entry, cn=Carla ...
  • Page 177: Managing Cos Using The Console

    Assigning Class of Service Figure 5-3 Sample Classic CoS In this example, the CoS definition entry’s cosSpecifier attribute specifies the employeeType attribute. This attribute, in combination with the template DN, identifies the template entry as cn=sales,cn=exampleUS,cn=data. The template entry then provides the attribute value to the target entry.
  • Page 178 Assigning Class of Service Go to the Object menu and select New > Class of Service. You can also right click the entry and select New > Class of Service. The Create New Class of Service dialog displays. Select General in the left pane. In the right pane, enter the name of your new class of service in the “Class Name”...
  • Page 179: Editing An Existing Cos

    Assigning Class of Service Using the value of one of the target entry’s attributes. If you choose to have the template entry identified by the value of one of the target entry’s attributes (an indirect CoS), enter the attribute name in the “Attribute Name” field. Be sure to select an attribute which contains DN values.
  • Page 180: Managing Cos From The Command Line

    Assigning Class of Service Right-click the CoS and select Delete. A dialog box appears asking you to confirm the deletion. Click Yes. The Deleted Entries dialog box appears to inform you that the CoS was successfully deleted. Click OK. Managing CoS From the Command Line Because all configuration information and template data is stored as entries in the directory, you can use standard LDAP tools for CoS configuration and management.
  • Page 181: Table 5-3 Cos Definition Entry Attributes

    Assigning Class of Service Table 5-3 lists attributes that you can use in your CoS definition entries. Table 5-3 CoS Definition Entry Attributes. Attribute: cosAttribute. Definition: Provides the name of the attribute for which you want to generate a value. You can specify more than one cosAttribute value.
  • Page 182: Table 5-4 Cos Definitions

    Assigning Class of Service For example, you might create a pointer CoS definition entry that contains an override qualifier as follows: dn: cn=pointerCoS,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: cosSuperDefinition objectclass: cosPointerDefinition cosTemplateDn: cn=exampleUS,cn=data cosAttribute: postalCode override This pointer CoS definition entry indicates that it is associated with a template entry, cn=exampleUS,cn=data, that generates the value of the...
  • Page 183: Creating The Cos Template Entry From The Command Line

    Assigning Class of Service Table 5-4 CoS Definitions (Continued) CoS Type: Classic CoS. CoS definition: objectclass: top objectclass: LDAPsubentry objectclass: cosSuperDefinition objectclass: cosClassicDefinition cosTemplateDn: DN_string cosSpecifier: attribute_name cosAttribute: list_of_attributes qualifier Creating the CoS Template Entry From the Command Line The CoS template entry also inherits from the object class.
  • Page 184: Example Of A Pointer Cos

    Assigning Class of Service Templates that contain no cosPriority attribute are considered the lowest priority. In the case where two or more templates are considered to supply an attribute value and they have the same (or no) priority, a value is chosen arbitrarily.
  • Page 185: Example Of An Indirect Cos

    Assigning Class of Service Next, you create the template entry as follows: dn: cn=exampleUS,cn=data,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: extensibleobject objectclass: cosTemplate postalCode: 44438 The CoS template entry (cn=exampleUS,cn=data,dc=example,dc=com) supplies the value stored in its postalCode attribute to any entries located under the suffix.
  • Page 186: Example Of A Classic Cos

    Assigning Class of Service You create a second template entry for the manager Sue Jacobs as follows: dn: cn=Sue Jacobs,cn=data,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: extensibleobject objectclass: cosTemplate departmentNumber: 71776 The definition entry looks in the target entries (the entries under dc=example,dc=com) for entries containing the attribute (because this...
  • Page 187: Creating Role-Based Attributes

    Assigning Class of Service Next, you create the template entries for the sales and marketing departments as follows: dn: cn=sales,cn=exampleUS,cn=data,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: extensibleobject objectclass: cosTemplate postalCode: 44438 dn: cn=marketing,cn=exampleUS,cn=data,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: extensibleobject objectclass: cosTemplate postalCode: 99111 The classic CoS definition entry applies to all entries under the suffix.
  • Page 188: Access Control And Cos

    Assigning Class of Service objectclass: nsFilteredRoleDefinition cn: ManagerRole nsRoleFilter: o=managers Description: filtered role for managers The classic CoS definition entry would look as follows: dn: cn=managerCOS,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: cosSuperDefinition objectclass: cosClassicDefinition cosTemplateDn: cn=managerCOS,dc=example,dc=com cosSpecifier: nsRole cosAttribute: mailboxquota override The attribute provides a value that, in combination with the cosTemplateDn attribute specified in the...
  • Page 189: Chapter 6 Managing Access Control

    Chapter 6 Managing Access Control Netscape Directory Server (Directory Server) provides you with the ability to control access to your directory. This chapter describes the access control mechanism. This section includes the following topics: • Access Control Principles (page 190) •...
  • Page 190: Access Control Principles

    Access Control Principles Access Control Principles The mechanism by which you define access is called access control. When the server receives a request, it uses the authentication information provided by the user in the bind operation, and the access control instructions (ACIs) defined in the server to allow or deny access to directory information.
  • Page 191: Aci Placement

    Access Control Principles ACI Placement If an entry containing an ACI does not have any child entries, the ACI applies to that entry only. If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a direct consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs for every entry between the one requested and the directory suffix, as well as the ACIs on the entry itself.
  • Page 192: Aci Limitations

    Access Control Principles For example, if you deny write permission at the directory’s root level, then none of the users can write to the directory regardless of the specific permissions you grant them. To grant a specific user write permissions to the directory, you have to restrict the scope of the original denial for write permission so that it does not include the user.
  • Page 193: Default Acis

    Default ACIs • Access control rules are always evaluated on the local server. Therefore, it is not necessary to specify the hostname or port number of the server in LDAP URLs used in ACI keywords. If you do, the LDAP URL will not be taken into account at all.
  • Page 194: Creating Acis Manually

    Creating ACIs Manually Creating ACIs Manually You can create access control instructions manually using LDIF statements, and add them to your directory tree using the ldapmodify utility. The following sections explain in detail how to create the LDIF statements. LDIF ACI statements can be very complex. However, if you are setting access control for a large number of directory entries, using LDIF is the preferred method over using the Console because of the time it can save.
  • Page 195: Example Aci

    Creating ACIs Manually You can have multiple permission-bind rule pairs for each target. This allows you to efficiently set multiple access controls for a given target. For example: target(permission bind_rule)(permission bind_rule)... If you have several ACRs in one ACI statement, the syntax is of the form: aci: (target)(version 3.0;acl "name";permission bind_rule;...
  • Page 196: Table 6-1 Ldif Target Keywords

    Creating ACIs Manually where: keyword indicates the type of target; equal (=) indicates that the target is the object specified in the expression, and not equal (!=) indicates the target is not the object specified in the expression; expression identifies the target. The quotation marks ("") around expression are required.
  • Page 197 Creating ACIs Manually This identifies the distinguished name of the entry to which the access control rule applies. For example: (target = "ldap:///uid=bjensen,dc=example,dc=com") NOTE If the DN of the entry to which the access control rule applies contains a comma, you must escape the comma with a single backslash (\).
  • Page 198: Targeting Attributes

    Creating ACIs Manually Some other valid examples follow: • (target="ldap:///uid=*,dc=example,dc=com") Matches every entry in the entire example.com tree that has the uid attribute in the entry’s RDN. • (target="ldap:///uid=*,ou=*,dc=example,dc=com") Matches every entry in the example.com tree whose distinguished name contains the uid and ou attributes.
  • Page 199: Targeting Both An Entry And Attributes

    Creating ACIs Manually You can target multiple attributes by using the targetattr keyword with the following syntax: (targetattr = "attribute1 || attribute2 ... || attributen") Where attribute is the name of the attribute you want to target. For example, to target the common name attribute you would use: (targetattr = "cn") To target an entry’s common name, surname, and uid attributes, you would use the following:...
  • Page 200: Targeting Attribute Values Using Ldap Filters

    Creating ACIs Manually where LDAP_filter is a standard LDAP search filter. For more information on the syntax of LDAP search filters, see Appendix B, “Finding Directory Entries.” For example, suppose that all entries in the accounting department include the attribute-value pair ou=accounting, and all entries in the engineering department include the attribute-value pair...
  • Page 201 Creating ACIs Manually For example, you might grant all users in your organization permission to modify the nsRoleDN attribute in their own entry. However, you would also want to ensure that they do not give themselves certain key roles such as “Top Level Administrator.”...
  • Page 202: Targeting A Single Directory Entry

    Creating ACIs Manually Targeting a Single Directory Entry Targeting a single directory entry is not straightforward because it goes against the design philosophy of the access control mechanism. However, it can be done: • By creating a bind rule that matches user input in the bind request with an attribute value stored in the targeted entry.
  • Page 203: Allowing Or Denying Access

    Creating ACIs Manually Allowing or Denying Access You can either explicitly allow or deny access permissions to your directory tree. For more guidelines on when to allow and when to deny access, refer to the Netscape Directory Server Deployment Guide. NOTE From the Server Console, you cannot explicitly deny access, but only grant permissions.
  • Page 204: Rights Required For Ldap Operations

    Creating ACIs Manually Rights are granted independently of one another. This means, for example, that a user who is granted add rights can create an entry but cannot delete it if delete rights have not been specifically granted. Therefore, when planning the access control policy for your directory, you must ensure that you grant rights in a way that makes sense for users.
  • Page 205: Permissions Syntax

    Creating ACIs Manually Comparing the value of an attribute: • Grant compare permission on the attribute type. Searching for entries: • Grant search permission on each attribute type used in the search filter. • Grant read permission on attribute types used in the entry. The permissions you need to set up to allow users to search the directory are more readily understood with an example.
  • Page 206: Bind Rules

    Bind Rules Bind Rules Depending on the ACIs defined for the directory, for certain operations, you need to bind to the directory. Binding means logging in or authenticating yourself to the directory by providing a bind DN and password, or, if using SSL, a certificate. The credentials provided in the bind operation, and the circumstances of the bind determine whether access to the directory is allowed or denied.
  • Page 207 Bind Rules NOTE The timeofday keyword also supports the inequality expressions (<, <=, >, >=). This is the only keyword that supports these expressions. The quotation marks ("") around expression and the delimiting semicolon (;) are required. The expressions you can use depend on the associated keyword. The following table lists each keyword and the associated expressions.
  • Page 208: Anonymous Access (Anyone Keyword)

    Bind Rules Table 6-2 LDIF Bind Rule Keywords (Continued): for the authmethod keyword, the valid expressions are none, simple, and sasl authentication_method (the table also records whether wildcards are allowed for each keyword). The sections that follow contain further detail on bind rule syntax for each keyword. Defining User Access - userdn Keyword User access is defined using the userdn keyword.
  • Page 209: General Access (All Keyword)

    Bind Rules From the Server Console, you define anonymous access through the Access Control Editor. See “Creating ACIs From the Console,” on page 224. General Access (all Keyword) You can use bind rules to indicate that a permission applies to anyone who has successfully bound to the directory;...
  • Page 210: Wildcards

    Bind Rules Wildcards You can also specify a set of users by using the wildcard character (*). For example, specifying a user DN of uid=u*,dc=example,dc=com indicates that only users with a bind DN beginning with the letter u will be allowed or denied access based on the permissions you set.
  • Page 211 Bind Rules The bind rule is evaluated to be true if the user is accessing the entry represented by the DN with which the user bound to the directory. That is, if the user has bound as uid=ssarette,dc=example,dc=com and the user is attempting an operation on the...
  • Page 212: Examples

    Bind Rules For example, if you want to grant write access to every user’s child entries, you would create the following ACI on the dc=example,dc=com node: aci:(version 3.0; acl "parent access"; allow (write) userdn="ldap:///parent";) userdn = "ldap:///dc=example,dc=com???(|(ou=engineering) (ou=sales))"; The bind rule is evaluated to be true if the user belongs to the engineering or sales subtree.
  • Page 213: Defining Access Based On Value Matching

    Bind Rules aci: (version 3.0; acl "Administrators-write"; allow (write) groupdn="ldap:///cn=Administrators,dc=example,dc=com";) Groupdn keyword containing logical OR of LDAP URLs: groupdn = "ldap:///cn=Administrators,dc=example,dc=com" || "ldap:///cn=Mail Administrators,dc=example,dc=com"; The bind rule is evaluated to be true if the bind DN belongs to either the Administrators or the Mail Administrators group.
  • Page 214: Using The Userattr Keyword

    Bind Rules This example is based on DN matching. However, you can match any attribute of the entry used in the bind with the targeted entry. For example, you could create an ACI that allowed any user whose favoriteDrink attribute is “beer” to read all the entries of other users that have the same value for favoriteDrink...
  • Page 215 Bind Rules The following example grants a manager full access to his or her employees’ entries: aci: (target="ldap:///dc=example,dc=com")(targetattr=*) (version 3.0; acl "manager-write"; allow (all) userattr = "manager#USERDN";) Example with GROUPDN Bind Type The following is an example of the userattr keyword associated with a bind based on a group DN: userattr = "owner#GROUPDN"...
  • Page 216 Bind Rules NOTE This example assumes that you have added the exampleEmployeeReportsTo attribute to the schema, and that all employee entries contain this attribute. It also assumes that the value of this attribute is the DN of a role entry. For information on designing your schema, refer to Netscape Directory Server Deployment Guide.
  • Page 217: Using The Userattr Keyword With Inheritance

    Bind Rules Using the userattr Keyword With Inheritance When you use the userattr keyword to associate the entry used to bind with the target entry, the ACI applies only to the target specified and not to the entries below it. In some circumstances, you might want to extend the application of the ACI several levels below the targeted entry.
  • Page 218: Figure 6-1 Using Inheritance With The Userattr Keyword

    Bind Rules Figure 6-1 Using Inheritance With the userattr Keyword In this example, if you did not use inheritance you would have to do one of the following to achieve the same result: • Explicitly set read and search access for user bjensen on the cn=Profiles...
  • Page 219: Defining Access From A Specific Ip Address

    Bind Rules This ACI grants managers all rights on the entries of employees that report to them. However, because access rights are evaluated on the entry being created, this type of ACI would also allow any employee to create an entry in which the manager attribute is set to their own DN.
  • Page 220: Defining Access From A Specific Domain

    Bind Rules The bind rule is evaluated to be true if the client accessing the directory is located at the named IP address. This can be useful for allowing certain kinds of directory access only from a specific subnet or machine. For example, you could use a wildcard IP address such as 12.3.45.* to specify a specific subnetwork or 123.45.6.*+255.255.255.115 to specify a subnetwork mask.
  • Page 221: Examples

    Bind Rules Defining Access at a Specific Time of Day or Day of Week You can use bind rules to specify that binding can only occur at a certain time of day or on a certain day of the week. For example, you can set a rule that will allow access only if it is between the hours of 8 am and 5 pm Monday through Friday.
  • Page 222: Defining Access Based On Authentication Method

    Bind Rules timeofday > "0800"; The bind rule is evaluated to be true if the client is accessing the directory at any time after 8 am. timeofday < "1800"; The bind rule is evaluated to be true if the client is accessing the directory at any time before 6 pm.
  • Page 223: Examples

    Bind Rules You cannot set up authentication-based bind rules through the Access Control Editor. The LDIF syntax for setting a bind rule based on an authentication method is as follows: authmethod = "authentication_method" where authentication_method is none, simple, or "sasl sasl_mechanism". Examples The following are examples of the...
  • Page 224: Creating Acis From The Console

    Creating ACIs From the Console (groupdn = "ldap:///cn=administrators,dc=example,dc=com" or groupdn = "ldap:///cn=mail administrators,dc=example,dc=com" and dns = "*.example.com";) The trailing semicolon (;) is a required delimiter that must appear after the final bind rule. Boolean expressions are evaluated in the following order: •...
  • Page 225: Displaying The Access Control Editor

    Creating ACIs From the Console See “Access Control Usage Examples,” on page 229 for a collection of access control rules commonly used in Directory Server security policies, along with step-by-step instructions for using the Directory Server Console to create them. The Access Control Editor does not enable you to construct some of the more complex ACIs when you are in Visual editing mode.
  • Page 226: Figure 6-2 Selecting An Object In The Navigation Tree To Set Access Control

    Creating ACIs From the Console Figure 6-2 Selecting an Object in the Navigation Tree to Set Access Control Click New. The Access Control Editor is displayed as shown in Figure 6-3. Figure 6-3 Access Control Editor Window Netscape Directory Server Administrator’s Guide • May 2002...
  • Page 227: Viewing Current Acis

    Creating ACIs From the Console For information on navigating through the Access Control dialog boxes, refer to the online help. Viewing Current ACIs If you want to see what ACIs apply to a particular subtree in your directory, follow these steps: On the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu.
  • Page 228 Creating ACIs From the Console Click OK to dismiss the Add Users and Groups window. The entries you selected are now listed on the Users/Groups tab in the ACI editor. In the Access Control Editor, click the Rights tab, and use the checkboxes to select the rights to grant.
  • Page 229: Access Control Usage Examples

    Access Control Usage Examples Editing an ACI To edit an ACI: On the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu. The Access Control Manager window is displayed. It contains the list of ACIs belonging to the entry.
  • Page 230 Access Control Usage Examples example.com’s business is to offer a web hosting service and internet access. Part of example.com’s web hosting service is to host the directories of client companies. example.com actually hosts and partially manages the directories of two medium-sized companies, HostedCompany1 and HostedCompany2.
  • Page 231: Granting Anonymous Access

    Access Control Usage Examples Granting Anonymous Access Most directories are run such that you can anonymously access at least one suffix for read, search, or compare. For example, you might want to set these permissions if you are running a corporate personnel directory that you want employees to be able to search, such as a phonebook.
  • Page 232 Access Control Usage Examples Click OK in the Access Control Editor window. The new ACI is added to the ones listed in the Access Control Manager window. ACI “Anonymous World” In LDIF, to grant read and search access of the individual subscribers subtree to the world, while denying access to information on unlisted subscribers, you could write the following statement: aci: (targetfilter= "(!(unlistedSubscriber=yes))")
  • Page 233: Granting Write Access To Personal Entries

    Access Control Usage Examples In the attribute table, tick the checkboxes for the homePhone, homePostalAddress, and mail attributes. All other checkboxes should be clear. This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones.
  • Page 234 Access Control Usage Examples From the Console, you can set this permission by doing the following: On the Directory tab, right click the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
  • Page 235 Access Control Usage Examples In LDIF, to grant example.com subscribers the right to update their password and home telephone number, you would write the following statement: aci: (targetattr="userPassword || homePhone") (version 3.0; acl "Write Subscribers"; allow (write) userdn= "ldap:///self" and authmethod="ssl";) This example assumes that the ACI is added to the...
  • Page 236: Restricting Access To Key Roles

    Access Control Usage Examples In the attribute table, tick the checkboxes for the homePhone, homePostalAddress, and mail attributes. All other checkboxes should be clear. This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones.
  • Page 237 Access Control Usage Examples This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com entry. From the Console, you can set this permission by doing the following: On the Directory tab, right click the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
  • Page 238: Granting A Group Full Access To A Suffix

    Access Control Usage Examples Granting a Group Full Access to a Suffix Most directories have a group that is used to identify certain corporate functions. These groups can be given full access to all or part of the directory. By applying the access rights to the group, you can avoid setting the access rights for each member individually.
  • Page 239: Granting Rights To Add And Delete Group Entries

    Access Control Usage Examples Click the Add button to list the HR group in the list of users who are granted access permission. Click OK to dismiss the Add Users and Groups dialog box. On the Rights tab, click the Check All button. All checkboxes are ticked, except for Proxy rights.
  • Page 240 Access Control Usage Examples From the Console, you can set this permission by doing the following: On the Directory tab, right click the Social Committee entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor.
  • Page 241: Granting Conditional Access To A Group Or Role

    Access Control Usage Examples ACI “Delete Group” In LDIF, to grant example.com employees the right to modify or delete a group entry which they own under the ou=Social Committee branch, you would write the following statement: aci: (target="ou=social committee,dc=example,dc=com") (targattrfilters="del=objectClass:(objectClass=groupOfNames)") (version 3.0;...
  • Page 242 Access Control Usage Examples aci: (target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com") (targetattr= "*") (version 3.0; acl "HostedCompany1"; allow (all) (roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1, ou=corporate-clients, dc=example,dc=com") and (authmethod="ssl") and (dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and timeofday <= "1800") and (ip="255.255.123.234"); ) This example assumes that the ACI is added to the ou=HostedCompany1, entry.
  • Page 243: Denying Access

    Access Control Usage Examples On the Times tab, select the block time corresponding to Monday through Thursday, and 8 am to 6 pm. A message appears below the table that specifies what time block you have selected. To enforce SSL authentication from HostedCompany1 administrators, switch to manual editing by clicking the Edit Manually button.
  • Page 244 Access Control Usage Examples From the Console, you can set this permission by doing the following: On the Directory tab, right click the subscribers entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
  • Page 245 Access Control Usage Examples aci: (targetattr="connectionTime || accountBalance") (version 3.0; acl "Billing Info Deny"; deny (write) userdn= "ldap:///self";) This example assumes that the relevant attributes have been created in the schema, and that the ACI is added to the ou=subscribers,dc=example,dc=com entry. From the Console, you can set this permission by doing the following: On the Directory tab, right click the subscribers entry under the...
  • Page 246: Setting A Target Using Filtering

    Access Control Usage Examples Click OK. The new ACI is added to the ones listed in the Access Control Manager window. Setting a Target Using Filtering If you want to set access controls that allow access to a number of entries that are spread across the directory, you may want to use a filter to set the target.
  • Page 247: Defining Permissions For Dns That Contain A Comma

    Access Control Usage Examples From the Console, you can set this permission by doing the following: On the Directory tab, right click the example-people entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager. Click New to display the Access Control Editor.
  • Page 248: Proxied Authorization Aci Example

    Access Control Usage Examples dn: dc=example.com Bolivia\, S.A.,dc=com objectClass: top objectClass: organization aci: (target="ldap:///dc=example.com Bolivia\, S.A.,dc=com")(targetattr=*) (version 3.0; acl "aci 2"; allow (all) groupdn = "ldap:///cn=Directory Administrators,dc=example.com Bolivia\, S.A.,dc=com";) Proxied Authorization ACI Example For this example, suppose: • The client application’s bind DN is "uid=MoneyWizAcctSoftware, ou=Applications,dc=example,dc=com"...
  • Page 249: Viewing The Acis For An Entry

    Viewing the ACIs for an Entry In the above example, if the client wanted to perform an ldapsearch command, the command would include the following controls: #ldapmodify -D "uid=MoneyWizAcctSoftware, ou=Applications,dc=example,dc=com" -w secretpwd -y "uid=AcctAdministrator,ou=Administrators,dc=example,dc=com" Note that the client binds as itself, but is granted the privileges of the proxy entry. The client does not need the password of the proxy entry.
  • Page 250: Macro Aci Example

    Advanced Access Control: Using Macro ACIs Macros are placeholders that are used to represent a DN, or a portion of a DN, in an ACI. You can use a macro to represent a DN in the target portion of the ACI, or in the bind rule portion, or both.
  • Page 251: Figure 6-4 Example Directory Tree For Macro Acis

    Advanced Access Control: Using Macro ACIs Figure 6-4 Example Directory Tree for Macro ACIs The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1, dc=example,dc=com";) Chapter 6 Managing Access Control...
  • Page 252: Macro Aci Syntax

    Advanced Access Control: Using Macro ACIs The following ACI is located on the dc=subdomain1,dc=hostedCompany1,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1, dc=hostedCompany1,dc=example,dc=com";) The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2, dc=example,dc=com";) The following ACI is located on the...
  • Page 253: Macro Matching For ($Dn)

    Advanced Access Control: Using Macro ACIs • [$dn] • ($attr.attrName), where attrName represents an attribute contained in the target entry To simplify the discussion in this section, the ACI keywords used to provide bind credentials, such as userdn, roledn, and groupdn, are collectively called...
  • Page 254: Macro Matching For [$Dn]

    Advanced Access Control: Using Macro ACIs aci: (target="ldap:///ou=*,($dn),dc=example,dc=com") (targetattr = "*") (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";) In this case, if the string matching ($dn) in the target is dc=subdomain1,dc=hostedCompany1, then the same string is used in the subject. The ACI above is expanded as follows: aci: (target="ldap:///ou=Groups,dc=subdomain1,dc=hostedCompany1,...
  • Page 255: Macro Matching For ($Attr.attrname)

    Advanced Access Control: Using Macro ACIs Replace [$dn] in the subject with dc=hostedCompany1. The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com". In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a member, the ACI is evaluated.
  • Page 256: Access Control And Replication

    Access Control and Replication In order to evaluate the roledn part of the ACI, the server looks at the attribute named in the macro, as stored in the targeted entry, and uses the value of that attribute to expand the macro. Therefore, in the example, the roledn is expanded as follows: roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,...
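    The three macro forms described on the preceding pages, ($dn), [$dn] and ($attr.attrName), can be exercised with a small stand-alone evaluator. The following is an added example, not code from this manual or from Directory Server: it models the expansion rules stated above, the entry DNs and group memberships are constructed, and the simplification that RDN values contain no escaped commas is an assumption. It also shows the practical difference between ($dn), which only matches the exact domain, and [$dn], which walks up to the parent domains so that a parent-domain administrator group also qualifies.

```python
"""Macro ACI expansion for ($dn), [$dn] and ($attr.attrName).

Added example modelling the rules described in the manual; not Directory
Server code. Entry data is constructed. Assumption: RDN values contain no
escaped commas, so a DN can be split on ','.
"""
import re
from typing import Dict, List, Optional

DN_MACRO = "($dn)"
SUFFIX_MACRO = "[$dn]"
ATTR_MACRO = re.compile(r"\(\$attr\.([A-Za-z][A-Za-z0-9-]*)\)", re.IGNORECASE)


def _strip_url(value: str) -> str:
    return value[len("ldap:///"):] if value.startswith("ldap:///") else value


def _target_regex(target: str):
    """Compile an ACI target into a regex.

    '*' stands for one RDN value, ($dn) captures one or more RDNs, and any
    number of leading RDNs may precede the pattern because a target covers
    the matched entry and everything beneath it.
    """
    parts: List[str] = []
    i = 0
    while i < len(target):
        if target.startswith(DN_MACRO, i):
            parts.append("(?P<dn>.+)")
            i += len(DN_MACRO)
        elif target[i] == "*":
            parts.append("[^,]*")
            i += 1
        else:
            parts.append(re.escape(target[i]))
            i += 1
    return re.compile("^(?:.+,)?" + "".join(parts) + "$", re.IGNORECASE)


def match_dn_macro(target: str, entry_dn: str) -> Optional[str]:
    """Return the DN fragment that ($dn) stands for when target covers entry_dn."""
    m = _target_regex(_strip_url(target)).match(entry_dn)
    return m.group("dn") if m else None


def suffixes(dn_fragment: str) -> List[str]:
    """[$dn] candidates: the whole fragment first, then each shorter suffix."""
    rdns = dn_fragment.split(",")
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def expand_subject(subject: str, dn_fragment: str, entry: Dict[str, str]) -> List[str]:
    """Expand the macros in a userdn/roledn/groupdn value.

    ($dn)     -> the exact fragment matched in the target
    [$dn]     -> one candidate per suffix of that fragment, most specific first
    ($attr.x) -> the value of attribute x in the *targeted* entry
    """
    lowered = {k.lower(): v for k, v in entry.items()}

    def attr_value(m) -> str:
        name = m.group(1)
        if name.lower() not in lowered:
            raise KeyError(f"targeted entry has no attribute {name}")
        return lowered[name.lower()]

    subject = ATTR_MACRO.sub(attr_value, _strip_url(subject))
    if SUFFIX_MACRO in subject:
        return [subject.replace(SUFFIX_MACRO, s) for s in suffixes(dn_fragment)]
    return [subject.replace(DN_MACRO, dn_fragment)]


def aci_grants(target: str, subject: str, entry_dn: str,
               entry: Dict[str, str], bind_memberships: List[str]) -> bool:
    """True when an expanded subject names a group or role the bind DN holds.

    If the target does not cover the entry, or the bind DN is in none of the
    candidate groups, the ACI does not apply and grants nothing.
    """
    fragment = match_dn_macro(target, entry_dn)
    if fragment is None:
        return False
    held = {m.lower() for m in bind_memberships}
    return any(c.lower() in held for c in expand_subject(subject, fragment, entry))


if __name__ == "__main__":
    target = "ldap:///ou=*,($dn),dc=example,dc=com"
    entry_dn = "cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
    subject = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"
    fragment = match_dn_macro(target, entry_dn)
    print("($dn) =", fragment)
    for candidate in expand_subject(subject, fragment, {}):
        print("candidate groupdn:", candidate)
```

    Running the block prints the matched fragment dc=subdomain1,dc=hostedCompany1 and the two candidate group DNs that [$dn] produces, most specific first; a bind DN that is a member of either group is granted the access the ACI allows.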
  • Page 257: Compatibility With Earlier Releases

    Compatibility with Earlier Releases To set the error log level from the Console: On the Console, click the Directory tab, right-click the config node, and choose Properties from the pop-up menu. This displays the Property Editor for the cn=config entry. Scroll down the list of attribute-value pairs to locate the attribute.
  • Page 258 Compatibility with Earlier Releases Netscape Directory Server Administrator’s Guide • May 2002...
  • Page 259: Chapter 7 User Account Management

    Chapter 7 User Account Management When a user connects to your Netscape Directory Server (Directory Server), first the user is authenticated. Then, the directory can grant access rights and resource limits to the user depending upon the identity established during authentication. This chapter describes tasks for user account management, including configuring the password and account lockout policy for your directory, denying groups of users access to the directory, and limiting system resources available to users...
  • Page 260: Configuring The Password Policy

    Managing the Password Policy This section provides information about configuring your password and account lockout policies. It includes the following procedures: • Configuring the Password Policy • Setting User Passwords • Configuring the Account Lockout Policy • Managing the Password Policy in a Replicated Environment Configuring the Password Policy The password policy you configure applies to all users within the directory except for the Directory Manager.
  • Page 261 Managing the Password Policy You can specify that users must change their password the first time they log on by selecting the “User must change password after reset” checkbox. If you select this checkbox, only the Directory Manager is authorized to reset the user’s password (using the field described in step 9).
  • Page 262: Configuring The Password Policy Using The Command-Line

    Managing the Password Policy Configuring the Password Policy Using the Command-Line This section describes the attributes you set to create a password policy for your server. Use ldapmodify to change these attributes in the cn=config entry. Table 7-1 describes the attributes you can use to configure your password policy: Table 7-1 Password Policy Attributes Attribute Name...
  • Page 263: Table 7-1 Password Policy Attributes

    Managing the Password Policy Table 7-1 Password Policy Attributes (Continued) passwordWarning: Indicates the number of seconds before a password expires at which a warning message is sent to users whose password is about to expire. Depending on the LDAP client application, users may be prompted to change their password when the warning is sent.
  • Page 264: Setting User Passwords

    Managing the Password Policy Table 7-1 Password Policy Attributes (Continued) passwordHistory: Indicates whether the directory stores a password history. When set to on, the directory stores the number of previous passwords you specify in the passwordInHistory attribute. If a user attempts to reuse one of those passwords, the new password is rejected.
  • Page 265: Configuring The Account Lockout Policy

    Managing the Password Policy For information on creating and modifying directory entries, see Chapter 2, “Creating Directory Entries.” For information on inactivating user accounts, refer to “Inactivating Users and Roles,” on page 268. You can also use the Users and Groups area of the Netscape Administration Server or the Directory Server Gateway to set or reset user passwords.
  • Page 266: Configuring The Account Lockout Policy Using The Command Line

    Managing the Password Policy Set the interval you want users to be locked out of the directory. Select the Lockout Forever radio button to lock users out until their passwords have been reset by the administrator. Set a specific lockout period by selecting the Lockout duration radio button and entering the time (in minutes) in the text box.
  • Page 267: Managing The Password Policy In A Replicated Environment

    Managing the Password Policy Table 7-2 Account Lockout Policy Attributes (Continued) passwordResetFailureCount: Specifies the time in seconds after which the password failure counter is reset. Each time an invalid password is sent from the user’s account, the password failure counter is incremented.
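    The password history rule from Table 7-1 and the lockout counters from Table 7-2 interact on a timeline, which is easiest to see in a simulation. The following is an added example, not code from this manual or from Directory Server: it keeps the per-account counters the server keeps and applies the cn=config policy attributes on a caller-supplied clock. Attribute names that do not appear in the excerpt above (passwordLockout, passwordMaxFailure, passwordLockoutDuration, passwordUnlock, where passwordUnlock set to off corresponds to the Lockout Forever setting) are the regular cn=config names for this policy but are assumptions here; the policy values are constructed, and salted SHA-1 is used only so that the history never holds plaintext.

```python
"""Account lockout and password history as a cn=config policy defines them.

Added example, not the manual's code. Per-account counters are kept in an
Account; PasswordPolicy applies the policy attributes on a supplied clock.
Attribute names not in the excerpt are assumptions; the policy is constructed.
"""
import base64
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy, as it would be written to cn=config with ldapmodify.
POLICY: Dict[str, str] = {
    "passwordHistory": "on",
    "passwordInHistory": "3",
    "passwordLockout": "on",
    "passwordMaxFailure": "3",
    "passwordResetFailureCount": "600",  # seconds until the failure counter resets
    "passwordLockoutDuration": "3600",   # seconds locked out when passwordUnlock is on
    "passwordUnlock": "on",              # "off" is the Lockout Forever setting
}


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


@dataclass
class Account:
    password: str                                     # current {SSHA} value
    history: List[str] = field(default_factory=list)  # previous hashes, oldest first
    retry_count: int = 0
    retry_reset_at: float = 0.0                       # when retry_count falls back to 0
    unlock_at: float = 0.0                            # 0.0 means no timed lock
    locked_forever: bool = False


class PasswordPolicy:
    def __init__(self, config: Dict[str, str]):
        self.cfg = config

    def _on(self, name: str) -> bool:
        return self.cfg.get(name, "off").lower() == "on"

    def _int(self, name: str) -> int:
        return int(self.cfg.get(name, "0"))

    def _recent(self, acct: Account) -> List[str]:
        n = self._int("passwordInHistory")
        return acct.history[-n:] if n > 0 else []

    def is_locked(self, acct: Account, now: float) -> bool:
        return acct.locked_forever or acct.unlock_at > now

    def bind(self, acct: Account, password: str, now: float) -> str:
        """Simulate a simple bind: returns 'ok', 'invalid' or 'locked'."""
        if self.is_locked(acct, now):
            return "locked"
        if ssha_verify(password, acct.password):
            acct.retry_count = 0
            return "ok"
        if not self._on("passwordLockout"):
            return "invalid"
        if acct.retry_count and now >= acct.retry_reset_at:
            acct.retry_count = 0                      # passwordResetFailureCount elapsed
        if acct.retry_count == 0:
            acct.retry_reset_at = now + self._int("passwordResetFailureCount")
        acct.retry_count += 1
        if acct.retry_count >= self._int("passwordMaxFailure"):
            if self._on("passwordUnlock"):
                acct.unlock_at = now + self._int("passwordLockoutDuration")
            else:
                acct.locked_forever = True            # only an administrator reset clears this
            return "locked"
        return "invalid"

    def change_password(self, acct: Account, new_password: str) -> bool:
        """Refuse the current password and the last passwordInHistory ones."""
        if self._on("passwordHistory"):
            if any(ssha_verify(new_password, h) for h in self._recent(acct) + [acct.password]):
                return False
            n = self._int("passwordInHistory")
            acct.history = (acct.history + [acct.password])[-n:] if n > 0 else []
        acct.password = ssha(new_password)
        return True

    def admin_reset(self, acct: Account, new_password: str) -> bool:
        """Administrator reset: clears the lock and counters, then sets the password."""
        acct.locked_forever = False
        acct.unlock_at = 0.0
        acct.retry_count = 0
        return self.change_password(acct, new_password)
```

    Two behaviours worth checking against the real server with a test account: a failure counter that has not reached passwordMaxFailure quietly returns to zero once passwordResetFailureCount seconds have passed since the first failure, so slow guessing below that rate never locks the account; and with Lockout Forever the correct password is still refused until an administrator resets it.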
  • Page 268: Inactivating Users And Roles

    Inactivating Users and Roles When configuring a password policy in a replicated environment, consider the following points: • Warnings from the server of an impending password expiration will be issued by all replicas. This information is kept locally on each server, so if a user binds to several replicas in turn, they will be issued the same warning several times.
  • Page 269: Inactivating User And Roles Using The Console

    Inactivating Users and Roles • Activating Users and Roles Using the Command Line CAUTION You cannot inactivate the root entry (the entry corresponding to the root or sub suffix) on a database. For more information on creating the entry for a root or sub suffix, refer to Chapter 2, “Creating Directory Entries”...
  • Page 270: Activating User And Roles Using The Console

    Inactivating Users and Roles The script options are: the DN of the directory administrator; the password of the directory administrator; the port used by the server; the name of the server on which the directory resides; and the DN of the user account or role you want to inactivate. For more information about running the ns-inactivate.pl script, refer to...
  • Page 271: Activating User And Roles Using The Command Line

    Setting Resource Limits Based on the Bind DN Activating Users and Roles Using the Command Line To activate a user account, use the ns-activate.pl script. The following example describes using the ns-activate.pl script to activate Joe Frasier’s user account: ns-activate.pl -D "Directory Manager" -w secretpwd -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com" Because the password is passed on the command line with -w, it is visible to other local users in the process list while the script runs.
  • Page 272: Setting Resource Limits Using The Console

    Setting Resource Limits Based on the Bind DN NOTE The Directory Manager receives unlimited resources by default. The resource limits you set for a client application take precedence over the default resource limits you set in the global server configuration. This section gives procedures for the following: •...
  • Page 273 Setting Resource Limits Based on the Bind DN nsSizeLimit: Specifies the maximum number of entries the server returns to a client application in response to a search operation. Giving this attribute a value of -1 indicates that there is no limit. nsTimeLimit: Specifies the maximum time the server spends processing a search operation.
  • Page 274 Setting Resource Limits Based on the Bind DN
  • Page 275: Chapter 8 Managing Replication

    Chapter 8 Managing Replication Replication is the mechanism by which directory data is automatically copied from one Netscape Directory Server (Directory Server) to another; it is an important mechanism for extending your directory service beyond a single server configuration. This chapter describes the tasks to be performed on the supplier servers and the consumer servers to set up single master replication, multi-master replication, and cascading replication.
  • Page 276: Replication Overview

    Replication Overview For conceptual information on how you can use replication in your directory deployment, see the Netscape Directory Server Deployment Guide. Replication Overview Replication is the mechanism by which directory data is automatically copied from one Directory Server to another. Updates of any kind—entry additions, modifications, or even deletions—are automatically mirrored to other Directory Servers using replication.
  • Page 277: Change Log

    Replication Overview • In the case of cascading replication, the hub supplier holds a read-only replica that it supplies to consumers. For more information, refer to “Cascading Replication,” on page 283. • In the case of multi-master replication, both masters are suppliers and consumers for the same read-write replica.
  • Page 278: Replication Identity

    Replication Overview The replication mechanism also requires that one database correspond to one suffix. This means that you cannot replicate a suffix (or namespace) that is distributed over two or more databases using custom distribution logic. For more information on this topic, refer to “Creating and Maintaining Databases,” on page Replication Identity When replication occurs between two servers, the replication process uses a special entry, often referred to as the Replication Manager entry, to identify replication...
  • Page 279: Replication Agreement

    Replication Overview Replication Agreement Directory Servers use replication agreements to define their replication configuration. A replication agreement describes replication between one supplier and one consumer only. The agreement is configured on the supplier server. It specifies: • The database to be replicated •...
  • Page 280: Replication Scenarios

    Replication Scenarios This section describes the most commonly used replication scenarios: • Single-Master Replication • Multi-Master Replication • Cascading Replication You can combine these basic scenarios to build the replication environment that best suits your needs. NOTE Whatever replication scenario you choose to implement, remember to consider schema replication.
  • Page 281: Multi-Master Replication

    Replication Scenarios Figure 8-1 Single-Master Replication. In this particular configuration the suffix ou=people,dc=example,dc=com receives a large number of search requests. Therefore, to distribute the load, this tree, which is mastered on Server A, is replicated to two read-only replicas located on Server B and Server C.
  • Page 282: Figure 8-2 Multi-Master Replication

    Replication Scenarios This type of configuration can work with any number of consumer servers. Each consumer server holds a read-only replica. The consumers can receive updates from both suppliers. The consumers also have referrals defined for both suppliers which are used to forward any update requests that they receive. Such scenarios are called multi-master configurations.
  • Page 283: Cascading Replication

    Replication Scenarios For information on setting up multi-master replication with two supplier servers and two consumer servers, refer to “Configuring Multi-Master Replication,” on page 296. Cascading Replication In a cascading replication scenario, one server, often called a hub supplier, acts both as a consumer and a supplier for a particular replica.
  • Page 284: Figure 8-3 Cascading Replication

    Replication Scenarios Figure 8-3 Cascading Replication. For information on setting up cascading replication, refer to “Configuring Cascading Replication,” on page 301. NOTE You can combine multi-master and cascading replication. For example, in the multi-master scenario illustrated in Figure 8-2 on page 282, Server C and Server D could be hub suppliers that replicate to any number of consumer servers.
  • Page 285: Summary Of Steps For Complex Replication Configurations

    Summary of Steps for Complex Replication Configurations Summary of Steps for Complex Replication Configurations If you are configuring replication for a large number of servers, and your configuration is relatively complex, for reasons of efficiency you should proceed in the following order: On all consumer servers: Create the replica databases Create the Replication Manager or supplier bind DN entry...
  • Page 286: Detailed Replication Tasks

    Detailed Replication Tasks NOTE It is very important to create and configure all replicas before you attempt to create a replication agreement. This also means that when you create the replication agreement, you can choose to initialize consumers immediately. Detailed Replication Tasks This section contains a description of the tasks you need to perform to configure replication.
  • Page 287: Configuring Supplier Settings

    Detailed Replication Tasks For example, you could create an entry cn=Replication Manager,cn=config under the cn=config tree on the consumer server. This would be the supplier bind DN that all suppliers would use to bind to the consumer to perform replication operations.
  • Page 288: Configuring A Read-Write Replica

    Detailed Replication Tasks To configure supplier settings: In the Directory Server Console, click the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,” on page 28. In the left navigation tree, highlight the Replication node. In the right navigation window, click the Supplier Settings tab.
  • Page 289: Configuring A Read-Only Replica

    Detailed Replication Tasks In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). The replica ID must be unique for a given suffix. Make sure you specify an ID that is different from the IDs used for read-write replicas on this server and on other servers.
  • Page 290: Configuring A Hub Supplier

    Detailed Replication Tasks Click Add. Your supplier bind DN will appear in the Current Supplier DNs or entry DNs to which the supplier’s certificate is mapped field directly above. Repeat the operation for every supplier bind DN you want to include in the list.
  • Page 291: Creating A Replication Agreement

    Detailed Replication Tasks In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). You must specify the same replica ID as for the read-write replica that supplies updates to this replica. The replica ID must be unique for a given suffix. In the Common Settings section specify a purge delay in the Purge delay field.
  • Page 292: Configuring Single-Master Replication

    Configuring Single-Master Replication To create a replication agreement: On the Directory Server Console, click the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,” on page 28. In the navigation tree, expand the Replication folder, right-click the database to replicate, and select New Replication Agreement.
  • Page 293 Configuring Single-Master Replication Create the entry corresponding to the supplier bind DN on the consumer server, if it does not exist. This is the special entry that the supplier will use to bind. In the Directory Server Console, click the Directory tab, and create an entry.
  • Page 294: Configuring The Read-Write Replica On The Supplier Server

    Configuring Single-Master Replication Click Add. Your supplier bind DN will appear in the Current Supplier DNs or entry DNs to which the supplier’s certificate is mapped field directly above. Repeat the operation for every supplier bind DN you want to include in the list.
  • Page 295 Configuring Single-Master Replication Set the change log parameters (number and age). You must clear the unlimited checkboxes if you want to specify different values. Click Save to save the supplier settings. Specify the replication settings required for a read-write replica. In the navigation tree on the Configuration tab, expand the Replication node and highlight the database to replicate.
  • Page 296: Initializing The Replicas For Single-Master Replication

    Configuring Multi-Master Replication Initializing the Replicas for Single-Master Replication You can initialize the read-only replicas from the Replication Agreement Wizard, or at anytime afterwards. For information on initializing read-only replicas, refer to “Initializing Consumers,” on page 309. When you have finished, the replication agreement is set up. Configuring Multi-Master Replication This section provides information on configuring multi-master replication.
  • Page 297 Configuring Multi-Master Replication Specify a userPassword attribute-value pair. If you have enabled the password expiration policy, or intend to do so in the future, you must remember to disable it for this entry to prevent replication from failing due to the password expiring. To disable the password expiration policy on the userPassword attribute, add the...
  • Page 298: Configuring The Read-Write Replicas On The Supplier Servers

    Configuring Multi-Master Replication Repeat the operation for every supplier bind DN you want to include in the list. Click Save when you have finished. This supplier bind DN should correspond to the entry created in Step 2. Note that the supplier bind DN corresponds to a privileged user, because it is not subject to access control.
  • Page 299 Configuring Multi-Master Replication Set the change log parameters (number and age). You must clear the unlimited checkboxes if you want to specify different values. Click Save to save the supplier settings. Create the entry corresponding to the supplier bind DN, if it does not exist. For multi-master replication, it is necessary to create this supplier bind DN on the supplier servers (as well as the consumers), because they act as both consumer and supplier to the other supplier servers.
  • Page 300 Configuring Multi-Master Replication In the Common Settings section specify a purge delay in the Purge delay field. This option indicates how often the state information stored in the replicated entries is purged. In the Replica Update Settings section, specify the supplier bind DN or entry DN that the supplier will use to bind to the replica.
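    The summary of steps on page 285 and the detailed tasks that follow it impose a number of constraints that are cheap to check before any agreement is created and expensive to discover afterwards. The following is an added example, not code from this manual or from Directory Server: it represents a planned topology in plain data and reports violations of the rules stated above: replica IDs are integers from 1 to 254 and read-write replicas of one suffix carry distinct IDs; a suffix is served by one database; a read-write replica or hub supplier has a change log; each agreement runs from a supplier holding a read-write or hub replica to a consumer holding the suffix; and the supplier bind DN exists on the consumer (on every master too, in multi-master) with a password that cannot expire. The topology, bind DN and password value are constructed; the passwordExpirationTime value is the customary far-future timestamp and is an assumption, not a value from this page.

```python
"""Pre-flight checks for a replication topology.

Added example, not the manual's code. Models the constraints stated on the
preceding pages; the topology and the passwordExpirationTime value are
constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    replicas: Dict[str, dict]                 # suffix -> {"id": int, "role": "rw"|"hub"|"ro", "database": str}
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)  # dn -> attributes
    changelog: bool = False


@dataclass
class Agreement:
    supplier: str
    consumer: str
    suffix: str
    bind_dn: str


def _password_cannot_expire(entry: Dict[str, str], now: datetime) -> bool:
    """True when passwordExpirationTime (GeneralizedTime, UTC) is still in the future."""
    try:
        return datetime.strptime(entry["passwordExpirationTime"], "%Y%m%d%H%M%SZ") > now
    except (KeyError, ValueError):
        return False


def check_topology(servers: Dict[str, Server], agreements: List[Agreement],
                   now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the topology can be configured."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems: List[str] = []
    rw_owner: Dict[str, Dict[int, str]] = {}  # suffix -> replica ID -> server name

    for s in servers.values():
        per_db: Dict[str, List[str]] = {}
        for suffix, rep in s.replicas.items():
            rid = rep["id"]
            if not isinstance(rid, int) or not 1 <= rid <= 254:
                problems.append(f"{s.name}: replica ID {rid!r} for {suffix} must be an integer 1..254")
            per_db.setdefault(rep["database"], []).append(suffix)
            if rep["role"] in ("rw", "hub") and not s.changelog:
                problems.append(f"{s.name}: {rep['role']} replica for {suffix} supplies updates but has no change log")
            if rep["role"] == "rw":
                other = rw_owner.setdefault(suffix, {}).get(rid)
                if other and other != s.name:
                    problems.append(f"replica ID {rid} for {suffix} is used by both {other} and {s.name}")
                rw_owner[suffix][rid] = s.name
        for db, sufs in per_db.items():
            if len(sufs) > 1:
                problems.append(f"{s.name}: database {db} holds {len(sufs)} suffixes; one database per suffix is required")

    for a in agreements:
        sup, con = servers.get(a.supplier), servers.get(a.consumer)
        if sup is None or con is None:
            problems.append(f"agreement {a.supplier}->{a.consumer}: unknown server")
            continue
        if a.suffix not in sup.replicas or sup.replicas[a.suffix]["role"] == "ro":
            problems.append(f"{a.supplier} has no read-write or hub replica of {a.suffix} to supply")
        if a.suffix not in con.replicas:
            problems.append(f"{a.consumer} holds no replica of {a.suffix}")
        entry = con.entries.get(a.bind_dn)
        if entry is None:
            problems.append(f"{a.consumer}: supplier bind DN {a.bind_dn} does not exist; create it before the agreement")
            continue
        # The bind entry is privileged (not subject to access control), so keep it out of
        # the replicated tree; the manual's example places it under cn=config.
        if a.bind_dn.lower().endswith("," + a.suffix.lower()):
            problems.append(f"{a.consumer}: supplier bind DN {a.bind_dn} lies inside the replicated suffix")
        if not _password_cannot_expire(entry, now):
            problems.append(f"{a.consumer}: password of {a.bind_dn} can expire and would break replication")
    return problems


def sample_topology():
    """Two masters (A, B) replicating to each other and to read-only consumer C. Constructed."""
    manager_dn = "cn=Replication Manager,cn=config"
    manager = {"userPassword": "{SSHA}constructed", "passwordExpirationTime": "20380119031407Z"}

    def replica(rid, role):
        return {"id": rid, "role": role, "database": "userRoot"}

    servers = {
        "A": Server("A", {"dc=example,dc=com": replica(1, "rw")}, {manager_dn: dict(manager)}, changelog=True),
        "B": Server("B", {"dc=example,dc=com": replica(2, "rw")}, {manager_dn: dict(manager)}, changelog=True),
        "C": Server("C", {"dc=example,dc=com": replica(1, "ro")}, {manager_dn: dict(manager)}),
    }
    agreements = [Agreement(s, c, "dc=example,dc=com", manager_dn)
                  for s, c in (("A", "B"), ("B", "A"), ("A", "C"), ("B", "C"))]
    return servers, agreements


def broken_topology():
    """The same topology with two faults: B reuses master ID 1 and C lacks the bind DN entry."""
    servers, agreements = sample_topology()
    servers["B"].replicas["dc=example,dc=com"]["id"] = 1
    servers["C"].entries.clear()
    return servers, agreements
```

    The checks are deliberately ordered the way the summary of steps is: replicas and bind DN entries first, agreements last, so that a report of no problems means the consumers can be initialized as soon as the agreements are created.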
  • Page 301: Initializing The Replicas For Multi-Master Replication

    Configuring Cascading Replication One with supplier Server A, where A is declared as a consumer for the replica. During this operation, do not initialize Server A from Server B if you have already initialized Server B from Server A in Step 4. One for each consumer, Server C and Server D.
  • Page 302: Configuring The Read-Only Replica On The Consumer Server

    Configuring Cascading Replication To set up cascading replication such as the configuration shown in Figure 8-3 on page 284, between the supplier on Server A that holds a read-write replica, the consumer/supplier on Hub Server B that holds a read-only replica, and the consumer on Server C that holds a read-only replica, you need to perform the following procedures: •...
  • Page 303 Configuring Cascading Replication In the Replica Update Settings section, specify the bind DN or entry DN that the supplier will use to bind to the replica. You can now specify multiple supplier bind DNs per replica but only one supplier DN per replication agreement.
  • Page 304: Configuring The Read-Only Replica On The Hub Supplier

    Configuring Cascading Replication When you have configured the replicas on each server, and the necessary replication agreements between servers, you can initialize the read-only replicas on the hub supplier, and on the consumer. You can perform this task from the replication agreement wizard while you are configuring the supplier server and the hub supplier server, or at any time afterwards.
  • Page 305 Configuring Cascading Replication In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). You must specify the same replica ID as for the read-write replica that supplies updates to this replica. The replica ID must be unique for a given suffix.
  • Page 306: Configuring The Read-Write Replica On The Supplier Server

    Configuring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Perform these steps on the supplier server that holds the original copy of the database: Specify the supplier settings for the server. In the Directory Server Console, click the Configuration tab. In the navigation tree, highlight the Replication node.
  • Page 307: Initializing The Replicas For Cascading Replication

    Making a Replica Updatable In the Common Settings section specify a purge delay in the Purge delay field. This option indicates how often the state information stored in the replicated entries is purged. Click Save to save the replication settings for the database. Initializing the Replicas for Cascading Replication In the case of cascading replication, you should initialize replicas in the following...
  • Page 308: Deleting The Change Log

    Deleting the Change Log Deleting the Change Log The change log is a record of all modifications on a given replica that the supplier uses to replay these modifications to replicas on consumer servers (or masters in the case of multi-master replication). In the event of a supplier server going offline, it is important to be able to delete the changelog because it no longer holds a true record of all modifications, and, as a result, should not be used as a basis for replication.
  • Page 309: Moving The Change Log To A New Location

    Initializing Consumers Moving the Change Log to a New Location To delete the change log while the server is still running and continuing to log changes, you simply move the change log to a new location. By moving the change log, a new change log is created in the directory you specify, and the old change log is deleted.
  • Page 310: Online Consumer Initialization Using The Console

    Initializing Consumers Manual consumer initialization using the command line, is a more effective method of initializing a large number of consumers from a single LDIF file. Online Consumer Initialization Using the Console Online consumer initialization using the console is the easiest way to initialize or reinitialize a consumer.
  • Page 311: Manual Consumer Initialization Using The Command Line

    Initializing Consumers To update this window, right-click the replicated database icon in the navigation tree, and choose Refresh Replication Agreements. When online consumer initialization finishes, the status changes to reflect this. For more information about monitoring replication and initialization status, see “Monitoring Replication Status,”...
  • Page 312: Exporting A Replica To Ldif

    Forcing Replication Updates Exporting a Replica to LDIF You can convert the replica to LDIF using one of the following three procedures: When you create a replication agreement by selecting “Create consumer initialization file” in the Initialize Consumer dialog box of the Replication Wizard.
  • Page 313: Forcing Replication Updates From The Console

    Forcing Replication Updates Note that if you have configured replication agreements to always keep the supplier server and the consumer server in sync, this is not sufficient to bring back up-to-date a server that has been offline for over five minutes. The reason is that with the “Always Keep in Sync”...
  • Page 314 Forcing Replication Updates You can copy this example and give it a meaningful name, for example, replicate_now.sh. You must provide actual values for the variables listed in Code Example 8-1. NOTE You must run this script manually, as it cannot be configured to run automatically as soon as the server which was offline comes back online again.
  • Page 315: Table 8-1 Replicate_Now Variables

    Forcing Replication Updates Replicate_Now Script Example (Continued) Code Example 8-1 /^nsds5ReplicaUpdateSchedule: / { s = 1; print $0; } /^$/ { if ( $s == 1 ) { print "-" ; print ""; } else { print "nsds5ReplicaUpdateSchedule: 0000-2359 0123456"; print "-"...
  • Page 316: Replication Over Ssl

    Replication Over SSL If you want the update operation to occur over an SSL connection, you must modify the ldapmodify command in the script with the appropriate parameters and values. For more information on the ldapmodify command, refer to “Managing Entries From the Command Line,” on page 50 and Netscape Directory Server Configuration, Command, and File Reference.
  • Page 317: Configuring Replication Over Ssl Using The Replication Wizard

    Replication Over SSL Configuring Replication Over SSL Using the Replication Wizard On the Directory Server Console of the supplier server, click the Configuration tab, expand the Replication folder and select the database that you want to replicate. Right-click the database, and choose New Replication Agreement from the drop-down menu.
  • Page 318: Replication With Earlier Releases

    Replication with Earlier Releases Select “SSL Client Authentication” or “Simple Authentication.” If you select SSL Client Authentication, the supplier and consumer servers will use certificates to authenticate to each other. If you select Simple Authentication, the supplier and consumer servers will use a bind DN and password to authenticate to each other.
  • Page 319: Configuring Directory Server As A Consumer Of A Legacy Directory Server

    Replication with Earlier Releases Configuring Directory Server as a Consumer of a Legacy Directory Server If you intend to use your Directory Server as a consumer of an earlier release of Directory Server, you must configure it as follows: On the Directory Server Console, click the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,”...
  • Page 320: Using The Retro Change Log Plug-In

    Using the Retro Change Log Plug-In NOTE The Directory Server Console will not prevent you from configuring a database as a read-write replica and enabling legacy consumer settings. This makes migration easier because you can configure your Directory Server as you want it to be after the migration, and activate legacy consumer settings just for the duration of the transition.
  • Page 321: Enabling The Retro Change Log Plug-In

    Using the Retro Change Log Plug-In Table 8-2 Attributes of a Retro Change Log Entry (Continued) changes: For add and modify operations, contains the changes made to the entry, in LDIF format. newRDN: In the case of modrdn operations, specifies the new RDN of the entry.
  • Page 322: Trimming The Retro Change Log

    Using the Retro Change Log Plug-In Restart the server. For information on restarting the server, refer to “Starting and Stopping the Directory Server,” on page 31. The retro change log is created in the directory tree under a special suffix, cn=changelog. The procedure for enabling the retro change log plug-in from the Directory Server Console is the same as for all Directory Server plug-ins.
  • Page 323: Retro Change Log And The Access Control Policy

    Monitoring Replication Status As a general rule, you should not perform add or modify operations on the retro change log entries, although you can delete entries to trim the size of the change log. The only time you will need to perform a modify operation on the retro change log is to modify the default access control policy.
  • Page 324: Solving Common Replication Conflicts

    Solving Common Replication Conflicts Table 8-3 Directory Server Console - Replication Status Table Header Description Agreement Contains the name you provided when you set up the replication agreement. Replica suffix Contains the suffix that is replicated Supplier Specifies the supplier server in the agreement. Consumer Specifies the consumer server in the agreement.
  • Page 325: Solving Naming Conflicts

    Solving Common Replication Conflicts prompt% ldapsearch -D adminDN -w passwd -b "dc=example,dc=com" "nsds5ReplConflict=*" For performance reasons, if you find that you have many conflicting entries every day, you may want to index the nsds5ReplConflict attribute. For information on indexing, refer to Chapter 10, “Managing Indexes.” This section contains the following conflict resolution procedures: •...
  • Page 326 Solving Common Replication Conflicts Renaming an Entry with a Multi-Valued Naming Attribute To rename an entry that has a multi-valued naming attribute: Rename the entry using a new value for the naming attribute, and keep the old RDN. For example: prompt% ldapmodify -D adminDN -w passwd >dn: nsuniqueid=66446001-1dd211b2+uid=adamss,dc=example,dc=com >changetype: modrdn...
  • Page 327: Solving Orphan Entry Conflicts

    Solving Common Replication Conflicts Remove the old RDN value of the naming attribute, and the conflict marker attribute. For example: prompt% ldapmodify -D adminDN -w passwd >dn: cn=TempValue,dc=example,dc=com >changetype: modify >delete: dc >dc: pubs >- >delete: nsds5ReplConflict >- NOTE You cannot delete the unique identifier attribute nsuniqueid. Rename the entry with the intended attribute-value pair.
  • Page 328: Solving Potential Interoperability Problems

    Solving Common Replication Conflicts • If the conflict resolution procedure finds a deleted entry with a matching unique identifier, the glue entry is a resurrection of that entry, with the addition of the glue object class and the nsds5ReplConflict attribute. In such cases, you can either modify the glue entry to remove the glue object...
  • Page 329 Solving Common Replication Conflicts For more information on the ldapmodify command, refer to “Managing Entries From the Command Line,” on page 50 and Netscape Directory Server Configuration, Command, and File Reference.
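    The naming-conflict procedure on pages 325 through 327 is a fixed sequence of three change records per conflict entry, which makes it a good candidate for generation rather than hand typing. The following is an added example, not code from this manual or from Directory Server: it reads the LDIF that the ldapsearch for nsds5ReplConflict=* returns, finds the conflict entries, and writes the ldapmodify input that renames each one to a temporary RDN while keeping the old RDN, deletes the old naming value and the conflict marker, and then renames it to the RDN you intend. The LDIF sample is constructed; the nsds5ReplConflict value format namingConflict followed by the original DN, and the absence of base64-encoded attributes, are assumptions of the reader. The intended RDN must not collide with the entry that won the conflict: delete or rename that entry first, or pick a different value, and the generator refuses to proceed otherwise.

```python
"""Finding naming-conflict entries and generating their resolution LDIF.

Added example, not the manual's code. The SAMPLE LDIF is constructed; the
'namingConflict <dn>' value format and the absence of base64 attributes
are assumptions of the minimal parser.
"""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated records, folded lines joined."""
    entries: List[Entry] = []
    current: Entry = {}
    last_key = None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last_key:          # continuation line
            current[last_key][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        key, _, value = raw.partition(":")
        current.setdefault(key, []).append(value.strip())
        last_key = key
    return entries


def find_conflicts(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if "nsds5ReplConflict" in e]


def conflict_rdn(entry: Entry) -> Tuple[str, str, str]:
    """Split 'nsuniqueid=...+attr=value,base' into (attr, value, base)."""
    rdn, _, base = entry["dn"][0].partition(",")
    parts = dict(p.split("=", 1) for p in rdn.split("+"))
    naming = [(k, v) for k, v in parts.items() if k.lower() != "nsuniqueid"]
    if len(naming) != 1:
        raise ValueError(f"unexpected conflict RDN: {rdn}")
    return naming[0][0], naming[0][1], base


def resolution_ldif(entry: Entry, intended_rdn: str, existing_dns: Set[str],
                    naming_attr_single_valued: bool = False) -> str:
    """Produce the ldapmodify input that moves the conflict entry to intended_rdn."""
    attr, value, base = conflict_rdn(entry)
    dn = entry["dn"][0]
    target_dn = f"{intended_rdn},{base}"
    if target_dn.lower() in {d.lower() for d in existing_dns}:
        raise ValueError(f"{target_dn} already exists; resolve the winning entry first")
    # A single-valued naming attribute cannot hold a second, temporary value, so the
    # temporary RDN must use another attribute (the manual's example uses cn=TempValue).
    temp_rdn = "cn=TempValue" if naming_attr_single_valued else f"{attr}=TempValue"
    temp_dn = f"{temp_rdn},{base}"
    steps = [
        f"dn: {dn}\nchangetype: modrdn\nnewrdn: {temp_rdn}\ndeleteoldrdn: 0\n",
        f"dn: {temp_dn}\nchangetype: modify\ndelete: {attr}\n{attr}: {value}\n-\n"
        f"delete: nsds5ReplConflict\n-\n",
        f"dn: {temp_dn}\nchangetype: modrdn\nnewrdn: {intended_rdn}\ndeleteoldrdn: 1\n",
    ]
    return "\n".join(steps)


# Constructed output of: ldapsearch -b "dc=example,dc=com" "nsds5ReplConflict=*"
SAMPLE = """dn: nsuniqueid=66446001-1dd211b2+uid=adamss,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: adamss
cn: Adam Smith
sn: Smith
nsuniqueid: 66446001-1dd211b2
nsds5ReplConflict: namingConflict uid=adamss,dc=example,dc=com

"""

if __name__ == "__main__":
    for conflict in find_conflicts(parse_ldif(SAMPLE)):
        print(resolution_ldif(conflict, "uid=adamss2",
                              existing_dns={"uid=adamss,dc=example,dc=com"}))
```

    The generated records are fed to ldapmodify in order; the first uses deleteoldrdn: 0 so that the old naming value survives for the second record to delete explicitly, and the last uses deleteoldrdn: 1 so that the temporary value does not linger on the entry.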
  • Page 330 Solving Common Replication Conflicts
  • Page 331: Chapter 9 Extending The Directory Schema

    Chapter 9 Extending the Directory Schema Netscape Directory Server (Directory Server) comes with a standard schema that includes hundreds of object classes and attributes. While the standard object classes and attributes should meet most of your requirements, you may need to extend your schema by creating new object classes and attributes.
  • Page 332: Managing Attributes

    Managing Attributes To extend the directory schema you should proceed in the following order: Create new attributes. See “Creating Attributes,” on page 333 for information. Create an object class to contain the new attributes and add the attributes to the object class.
  • Page 333: Creating Attributes

    Managing Attributes Attributes Tab Reference (Continued) Table 9-1 Field or Pane Description The object identifier of the attribute. An OID is a string, usually of dotted decimal numbers, that uniquely identifies an object, such as an object class or an attribute. If you do not specify an OID, the Directory Server automatically uses attribute_name-oid.
  • Page 334: Editing Attributes

    Managing Attributes Click Create. The Create Attribute dialog box is displayed. Enter a unique name for the attribute in the Attribute Name text box. Enter an object identifier for the attribute in the Attribute OID (Optional) text box. OIDs are described in Table 9-1 on page 332. Select a syntax that describes the data to be held by the attribute from the Syntax drop-down menu.
  • Page 335: Managing Object Classes

    Managing Object Classes To make the attribute multivalued, select the Multi-Valued checkbox. The Directory Server allows more than one instance of a multivalued attribute per entry. When you have finished editing the attribute, click OK. Deleting Attributes You can delete only attributes that you have created. You cannot delete standard attributes.
  • Page 336: Table 9-2 Object Classes Tab Reference

    Managing Object Classes Viewing Object Classes To view information about all object classes that currently exist in your directory schema: On the Directory Server Console, select the Configuration tab. In the navigation tree, select the Schema folder and then select the Object Classes tab in the right pane.
  • Page 337: Creating Object Classes

    Managing Object Classes Object Classes Tab Reference (Continued) Table 9-2 Field or Pane Description Allowed Attributes Contains a list of attributes that may be present in entries that use this object class. Includes inherited attributes. Creating Object Classes You create an object class by giving it a unique name, selecting a parent object for the new object class, and adding required and optional attributes.
  • Page 338: Editing Object Classes

    Managing Object Classes To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list and then click the corresponding Remove button. You cannot remove either allowed or required attributes that are inherited from the parent object classes.
  • Page 339: Turning Schema Checking On And Off

    Turning Schema Checking On and Off To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list and then click the corresponding Remove button. You cannot remove either allowed or required inherited attributes. When you are satisfied with the object class definition, click OK to dismiss the dialog box.
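    The procedure above builds schema through the Console. The following Python script is an added example for this chapter, not code from the Netscape manual or the Directory Server: it emits the equivalent attributeTypes and objectClasses definitions in the standard LDAP schema form, applies the page's OID default (attribute_name-oid, assumed here to apply to object classes as well), validates names, rejects an attribute listed as both required and allowed, and orders the LDIF the way the page requires (attributes first, then the object class). The syntax OIDs are the standard LDAP ones; that schema can be applied over LDAP to cn=schema is an assumption of the example.

```python
"""Emit LDAP schema definitions for a custom attribute and object class.

Added example for the schema chapter; not code from the Netscape manual.
Assumptions: standard attributeTypes/objectClasses form, the page's OID
default (name-oid) applied to object classes too, standard LDAP syntax OIDs,
and schema applied over LDAP to cn=schema.
"""
import re

# Standard LDAP syntax OIDs (RFC 4517); keys are the syntax names as the Console lists them.
SYNTAX_OIDS = {
    "DirectoryString": "1.3.6.1.4.1.1466.115.121.1.15",
    "IA5String": "1.3.6.1.4.1.1466.115.121.1.26",
    "Integer": "1.3.6.1.4.1.1466.115.121.1.27",
    "Boolean": "1.3.6.1.4.1.1466.115.121.1.7",
    "DN": "1.3.6.1.4.1.1466.115.121.1.12",
    "Binary": "1.3.6.1.4.1.1466.115.121.1.5",
}

# Schema names: letters, digits and hyphens, starting with a letter.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def _check_name(name):
    if not NAME_RE.match(name):
        raise ValueError(f"invalid schema name: {name!r}")
    return name


def attribute_type(name, syntax, oid=None, multi_valued=True, desc=None):
    """Return an attributeTypes definition for a new attribute.

    The Console's Multi-Valued checkbox maps to the *absence* of SINGLE-VALUE
    in the definition; clearing the checkbox adds SINGLE-VALUE.
    """
    _check_name(name)
    if syntax not in SYNTAX_OIDS:
        raise ValueError(f"unknown syntax {syntax!r}")
    parts = [oid or f"{name}-oid", f"NAME '{name}'"]   # page default: attribute_name-oid
    if desc:
        parts.append(f"DESC '{desc}'")
    parts.append(f"SYNTAX {SYNTAX_OIDS[syntax]}")
    if not multi_valued:
        parts.append("SINGLE-VALUE")
    return "( " + " ".join(parts) + " )"


def object_class(name, parent, required=(), allowed=(), oid=None, desc=None):
    """Return an objectClasses definition that inherits from `parent`."""
    _check_name(name)
    _check_name(parent)
    required = [_check_name(a) for a in required]
    allowed = [_check_name(a) for a in allowed]
    dup = set(required) & set(allowed)
    if dup:
        raise ValueError(f"attributes listed as both required and allowed: {sorted(dup)}")
    parts = [oid or f"{name}-oid", f"NAME '{name}'"]   # assumption: same default as attributes
    if desc:
        parts.append(f"DESC '{desc}'")
    parts += [f"SUP {parent}", "STRUCTURAL"]
    if required:
        parts.append("MUST ( " + " $ ".join(required) + " )")
    if allowed:
        parts.append("MAY ( " + " $ ".join(allowed) + " )")
    return "( " + " ".join(parts) + " )"


def schema_ldif(attribute_defs, object_class_defs):
    """LDIF adding the definitions to cn=schema in the page's order:
    attributes first, then the object class that uses them."""
    lines = ["dn: cn=schema", "changetype: modify"]
    if attribute_defs:
        lines.append("add: attributeTypes")
        lines += [f"attributeTypes: {d}" for d in attribute_defs]
        lines.append("-")
    if object_class_defs:
        lines.append("add: objectClasses")
        lines += [f"objectClasses: {d}" for d in object_class_defs]
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    badge = attribute_type("exampleBadgeNumber", "DirectoryString", multi_valued=False)
    building = attribute_type("exampleBuilding", "DirectoryString")
    person = object_class("examplePerson", "inetOrgPerson",
                          required=["exampleBadgeNumber"], allowed=["exampleBuilding"])
    print(schema_ldif([badge, building], [person]))
```

    Because the new object class names its parent with SUP, the inherited required and allowed attributes are not repeated in the definition, which matches the Console's refusal to let you remove inherited attributes.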
  • Page 340 Turning Schema Checking On and Off Highlight the server icon at the top of the navigation tree, then select the Settings tab in the right pane. To enable schema checking, check the “Enable Schema Checking” checkbox; clear it to turn off schema checking. Click Save.
  • Page 341: Chapter 10 Managing Indexes

    Chapter 10 Managing Indexes The Netscape Directory Server Deployment Guide introduced the concept of indexing, the costs and benefits, and the different types of index shipped with Netscape Directory Server (Directory Server). This chapter begins with a description of the searching algorithm itself, so as to place the indexing mechanism in context, and then describes how to create, delete and manage indexes.
  • Page 342: About Index Types

    About Indexes About Index Types Indexes are stored in files in the directory’s databases. The names of the files are based on the indexed attribute, not the type of index contained in the file. Each index file may contain multiple types of indexes if multiple indexes are maintained for the specific attribute.
  • Page 343: About Default, System, And Standard Indexes

    About Indexes NOTE Substring indexes are limited to a minimum of three characters for each entry. • International index—The international index speeds up searches for information in international directories. The process for creating an international index is similar to the process for creating regular indexes, except that you apply a matching rule by associating a locale (OID) with the attributes to be indexed.
  • Page 344: Overview Of System Indexes

    About Indexes Default indexes (Continued) Table 10-1 (columns: Attribute, Pres, Purpose)
    mail: Improves the performance of the most common types of user directory searches.
    mailHost: Used by the Netscape Messaging Server.
    member: Improves Netscape server performance. This index is also used by the referential integrity plug-in.
  • Page 345: Overview Of Standard Indexes

    About Indexes System indexes (Continued) Table 10-2 (columns: Attribute, Pres, Purpose)
    dnComp: Used to help accelerate subtree searches in the directory.
    objectClass: Used to help accelerate subtree searches in the directory.
    entryDN: Speeds up entry retrieval based on DN searches.
    parentID: Enhances directory performance during one-level searches.
  • Page 346 About Indexes The directory examines the incoming request to make sure that the specified base DN matches a suffix contained by one or more of its databases or database links. If they do match, the directory processes the request. If they do not match, the directory returns an error to the client indicating that the suffix does not match.
  • Page 347 About Indexes See Netscape Directory Server Configuration, Command, and File Reference for further information about these attributes. In addition, the directory uses a variation of the metaphone phonetic algorithm to perform searches on an approximate index. Each value is treated as a sequence of words, and a phonetic code is generated for each word.
  • Page 348: Balancing The Benefits Of Indexing

    About Indexes Balancing the Benefits of Indexing Before you create new indexes, balance the benefits of maintaining indexes against the costs. Keep in mind that: • Approximate indexes are not efficient for attributes commonly containing numbers, such as telephone numbers. •...
  • Page 349 About Indexes
    ou: Manufacturing
    ou: people
    telephonenumber: 408 555 8834
    description: Manufacturing lead for the Z238 line.
    Further suppose that the Directory Server is maintaining the following indexes: • Equality, approximate, and substring indexes for common name and surname attributes •...
  • Page 350: Creating Indexes

    Creating Indexes Creating Indexes This section describes how to create presence, equality, approximate, substring and international indexes for specific attributes using the Directory Server Console and the command line. NOTE Given that this version of Directory Server can operate in either a single or multi-database environment, you need to remember to create your new indexes in every database instance, since newly created indexes are not automatically created in the other...
  • Page 351: Creating Indexes From The Command Line

    Creating Indexes Expand the Data node, then expand the suffix of the database you want to index and select the database. Select the Indexes tab in the right pane. NOTE Do not click on the Database Settings node because this will take you to the Default Index Settings window and not the window for configuring indexes per database.
  • Page 352: Adding An Index Entry

    Creating Indexes Creating indexes from the command line involves two steps: • Using the ldapmodify command-line utility to add a new index entry or edit an existing index entry. • Running the db2index.pl perl script to generate the new set of indexes to be maintained by the server.
  • Page 353 Creating Indexes First, type the following to change to the directory containing the utility: cd /usr/netscape/servers/shared/bin Run the ldapmodify command-line utility as follows: ldapmodify -a -h server -p 389 -D "cn=directory manager" -w password The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file.
  • Page 354: Running The Db2Index.pl Script

    Creating Indexes You can use the none keyword in the nsIndexType attribute to specify that no indexes are to be maintained for the attribute. For example, suppose you want to temporarily disable the sn indexes you just created on the database.
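    The two-step procedure above (ldapmodify the index entry, then run db2index.pl) has to be repeated for every database instance, and the nsIndexType values must be either one or more of pres, eq, approx and sub, or the none keyword alone. The following Python script is an added example, not code from the Netscape manual or the server: it generates the per-database LDIF for adding an index, the LDIF that disables it with none, and the db2index.pl commands for the second step. The objectClass nsIndex, the nsSystemIndex: false attribute and the nsMatchingRule attribute used for international indexes are assumptions about the entry format (the page shows only nsIndexType); database and attribute names are the caller's. Note that -w password, as on the page, places the password in the process list and shell history of the host, so run these commands only on hosts where other local users are trusted.

```python
"""Generate LDIF for per-database attribute index entries and the db2index.pl step.

Added example for this section; not code from the Netscape manual.
Assumptions: objectClass nsIndex, nsSystemIndex: false and nsMatchingRule are
part of the index entry (the page shows only nsIndexType).
"""
import shlex

INDEX_TYPES = ("pres", "eq", "approx", "sub")   # the attribute index types on the page


def index_dn(attr, database):
    """DN of the index entry for `attr` in one ldbm database instance."""
    return f"cn={attr},cn=index,cn={database},cn=ldbm database,cn=plugins,cn=config"


def _normalize_types(index_types):
    types = list(dict.fromkeys(index_types))   # de-duplicate, keep order
    if types == ["none"]:
        return types
    if not types or "none" in types:
        raise ValueError("nsIndexType must be 'none' alone, or one or more of pres/eq/approx/sub")
    unknown = [t for t in types if t not in INDEX_TYPES]
    if unknown:
        raise ValueError(f"unknown index type(s): {unknown}")
    return types


def index_add_ldif(attr, index_types, databases, matching_rules=()):
    """One 'changetype: add' record per database (the page's multi-database note)."""
    types = _normalize_types(index_types)
    records = []
    for db in databases:
        lines = [
            f"dn: {index_dn(attr, db)}",
            "changetype: add",
            "objectClass: top",
            "objectClass: nsIndex",        # assumption: object class of index entries
            f"cn: {attr}",
            "nsSystemIndex: false",        # assumption: marks a user-created index
        ]
        lines += [f"nsIndexType: {t}" for t in types]
        lines += [f"nsMatchingRule: {oid}" for oid in matching_rules]   # assumption: locale OID attr
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def index_disable_ldif(attr, databases):
    """Replace nsIndexType with the 'none' keyword so the index is no longer maintained."""
    records = []
    for db in databases:
        records.append("\n".join([
            f"dn: {index_dn(attr, db)}",
            "changetype: modify",
            "replace: nsIndexType",
            "nsIndexType: none",
        ]))
    return "\n\n".join(records) + "\n"


def db2index_commands(attr, databases, bind_dn="cn=Directory Manager"):
    """Second step, once per database, in the page's UNIX form.
    'password' is a placeholder: on the command line it is visible to other local users."""
    return [
        f"db2index.pl -D {shlex.quote(bind_dn)} -w password -n {shlex.quote(db)} -t {shlex.quote(attr)}"
        for db in databases
    ]


if __name__ == "__main__":
    print(index_add_ldif("sn", ["eq", "sub", "approx"], ["Example1", "Example2"]))
    print(index_disable_ldif("sn", ["Example1"]))
    print("\n".join(db2index_commands("sn", ["Example1", "Example2"])))
```

    Pipe the generated LDIF into ldapmodify as the page shows, then run the printed db2index.pl commands; until that second step runs, the entry exists but the index files have not been built.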
  • Page 355: Creating Browsing Indexes From The Server Console

    Creating Indexes Two examples of generating indexes using db2index.pl follow. Windows batch file (you need to run the script from the . directory as shown in the example): ..\bin\slapd\admin\bin\perl db2index.pl -D "cn=Directory Manager" -w password -n ExampleServer -t sn UNIX shell script: db2index.pl -D "cn=Directory Manager"...
  • Page 356: Creating Browsing Indexes From The Command Line

    Creating Indexes The Create Browsing Index dialog box appears displaying the status of the index creation. You can click on the Status Logs box to view the status of the indexes created. Click Close to close the Create Browsing Index dialog box. The new index is immediately active for any new data that you add to your directory.
  • Page 357 Creating Indexes NOTE You can only create browsing indexes in ldbm databases. For example, suppose you want to create a browsing index to accelerate an ldapsearch of the entry held in the Example1 database, where the search base is "dc=example,dc=com", the search filter is...
  • Page 358: Running The Vlvindex Script

    Creating Indexes The second entry you add specifies the sorting order you want for the returned attributes:
    dn: cn=sort_cn_givenname_o_ou_sn,cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
    objectClass: top
    objectClass: vlvIndex
    cn: cn=sort_cn_givenname_o_ou_sn
    vlvsort: cn givenname o ou sn
    cn contains the browsing index sort identifier. We recommend you use a sort identifier which clearly identifies the search sorting order for the browsing index you create, such as the explicit sort identifier cn=sort_cn_givenname_o_ou_sn...
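    A browsing index is defined by two entries: the search entry, named after the quoted search base and holding the base, scope and filter, and the sort entry beneath it holding the sort order. The following Python script is an added example, not code from the Netscape manual or the server: it builds both entries and the vlvindex command for one search, and derives the explicit sort identifier the page recommends (sort_cn_givenname_o_ou_sn) from the sort attributes. The vlvIndex entry follows the page (the script emits the bare identifier as the cn value); the attribute names of the search entry (vlvBase, vlvScope, vlvFilter) and the numeric scope codes are assumptions about this server family.

```python
"""Build the search and sort entries for a browsing (VLV) index.

Added example; not code from the Netscape manual. The vlvIndex entry mirrors
the page; vlvBase/vlvScope/vlvFilter and the scope codes are assumptions.
"""
SCOPES = {"base": 0, "onelevel": 1, "subtree": 2}   # assumption: numeric vlvScope values


def sort_identifier(sort_attrs):
    """Explicit identifier naming the sort order, e.g. sort_cn_givenname_o_ou_sn."""
    if not sort_attrs:
        raise ValueError("at least one sort attribute is required")
    return "sort_" + "_".join(a.lower() for a in sort_attrs)


def vlv_entries(database, base, scope, filter_, sort_attrs):
    """Return (search_entry, index_entry) as LDIF text for one browsing index."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}")
    if not (filter_.startswith("(") and filter_.endswith(")")):
        raise ValueError("filter must be a parenthesised LDAP filter")
    search_cn = f'"{base}"'   # the page names the search entry after the quoted base DN
    search_dn = f"cn={search_cn},cn={database},cn=ldbm database,cn=plugins,cn=config"
    sort_id = sort_identifier(sort_attrs)
    search_entry = "\n".join([
        f"dn: {search_dn}",
        "objectClass: top",
        "objectClass: vlvSearch",      # assumption: object class of the search entry
        f"cn: {search_cn}",
        f"vlvBase: {base}",
        f"vlvScope: {SCOPES[scope]}",
        f"vlvFilter: {filter_}",
    ])
    index_entry = "\n".join([
        f"dn: cn={sort_id},{search_dn}",
        "objectClass: top",
        "objectClass: vlvIndex",
        f"cn: {sort_id}",
        "vlvsort: " + " ".join(sort_attrs),
    ])
    return search_entry + "\n", index_entry + "\n"


def vlvindex_command(database, base):
    """The page's UNIX invocation that builds the browsing index after the entries exist."""
    return f'vlvindex -n {database} -T "{base}"'


if __name__ == "__main__":
    search, index = vlv_entries("Example1", "dc=example,dc=com", "subtree",
                                "(objectclass=*)", ["cn", "givenname", "o", "ou", "sn"])
    print(search)
    print(index)
    print(vlvindex_command("Example1", "dc=example,dc=com"))
```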
  • Page 359: Deleting Indexes

    Deleting Indexes Windows batch file (you need to run the script from the . directory as shown in the example): ..\bin\slapd\admin\bin\perl vlvindex -n Example1 -T "dc=example,dc=com" UNIX shell script: vlvindex -n Example1 -T "dc=example,dc=com" The following table describes the options used in the vlvindex examples: Option Name...
  • Page 360: Deleting Indexes From The Server Console

    Deleting Indexes CAUTION You must not delete system indexes as deleting them can significantly affect Directory Server performance. System indexes are located in the cn=index,cn=instance,cn=ldbm database,cn=plugins,cn=config entry and the cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config entry. Take care when deleting default indexes as this can also affect how Directory Server works.
  • Page 361: Deleting Indexes From The Command Line

    Deleting Indexes Deleting Indexes From the Command Line You can delete indexes, browsing indexes, or virtual list view (VLV) indexes from the command line as follows: • Delete an entire index entry or delete unwanted index types from an existing index entry using the ldapdelete command-line utility.
  • Page 362: Running The Db2Index.pl Script

    Deleting Indexes Perform the ldapdelete as follows: ldapdelete -D "cn=Directory Manager" -w password -h ExampleServer -p 845 "cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config" The following table describes the options used in the ldapdelete example: Option Name / Description: -D Specifies the distinguished name with which to authenticate to the server.
  • Page 363: Deleting Browsing Indexes From The Server Console

    Deleting Indexes Two examples of generating the new set of indexes to be maintained by the server using db2index.pl follow. Windows batch file (you need to run the script from the . directory as shown in the example): ..\bin\slapd\admin\bin\perl db2index.pl -D "cn=Directory Manager" -w password -n Example1 UNIX shell script: db2index.pl -D "cn=Directory Manager"...
  • Page 364: Deleting Browsing Indexes From The Command Line

    Deleting Indexes The Delete Browsing Index dialog box appears displaying the status of the index deletion. Deleting Browsing Indexes From the Command Line Deleting a browsing index, or virtual list view (VLV) index from the command line involves two steps: •...
  • Page 365 Deleting Indexes
    dn: cn=sort_cn_givenname_o_ou_sn,cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
    objectClass: top
    objectClass: vlvIndex
    cn: cn=sort_cn_givenname_o_ou_sn
    vlvsort: cn givenname o ou sn
    To run the ldapdelete command-line utility, type the following to change to the directory containing the utility: cd /usr/netscape/servers/shared/bin Perform the ldapdelete as follows: ldapdelete -D "cn=Directory Manager" -w password -h ExampleServer -p 845 "cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config"...
  • Page 366: Running The Vlvindex Script

    Deleting Indexes Running the vlvindex Script Once you have deleted browsing indexing entries or deleted unwanted attribute types from existing browsing indexing entries, run the vlvindex script to generate the new set of browsing indexes to be maintained by the Directory Server. Once you run the script, the new set of browsing indexes is active for any new data you add to your directory and any existing data in your directory.
  • Page 367: Managing Indexes

    Managing Indexes Managing Indexes Each index that the directory uses is composed of a table of index keys and matching entry ID lists. This entry ID list is used by the directory to build a list of candidate entries that may match a client application’s search request (see “About Indexes,”...
  • Page 368: When All Ids Threshold Is Too Low

    Managing Indexes When All IDs Threshold is Too Low When you set the All IDs Threshold too low, too many index keys will contain the All IDs token. This can result in too many directory searches examining every entry in your directory. The performance hit on searches can be considerable. For example, suppose you are managing an equality index on the common name (cn) attribute.
  • Page 369 Managing Indexes If your directory size is stable, set the All IDs Threshold to about 5 percent of the total number of entries stored in your directory. That is, if you have 50,000 entries in your directory, set the All IDs Threshold to 2,500. If you plan to add large numbers of entries to your directory in the near future, you should carefully consider your All IDs Threshold value.
  • Page 370: All Ids Threshold Tuning Advice For Service Providers And Extranets

    Managing Indexes The strategy you should choose depends on your directory deployment needs. Consider the cost of rebuilding your databases (and all associated consumer servers) versus the potential effects on performance as your All IDs Threshold value moves away from the ideal setting of 5 percent. NOTE It may make sense for you to have a different All IDs Threshold on a consumer server, as it can be tuned to service different searches.
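    The effect of the threshold is easier to see on a concrete index. The following Python script is an added example, not code from the Netscape manual and not the server's implementation: it models what the pages above describe (an equality index maps each key to an entry ID list; a list that reaches the threshold is replaced by the All IDs token; a candidate list that is All IDs makes the server examine every entry) on a constructed 1,000-entry directory, and compares a threshold of 20 with the page's 5 percent rule of thumb (50). The AND rule, where an All IDs term contributes nothing to the intersection, is the example's own generalization of the page's description.

```python
"""Simulate All IDs Threshold behaviour for equality indexes.

Added example; not code from the Netscape manual or the server. The directory
data below is constructed: 100 entries with sn=smith, 30 with sn=jones, the
rest unique, and ou split evenly between engineering and sales.
"""
ALLIDS = "ALLIDS"   # the All IDs token


def make_entries(n=1000):
    entries = {}
    for eid in range(1, n + 1):
        sn = "smith" if eid <= 100 else "jones" if eid <= 130 else f"user{eid:04d}"
        entries[eid] = {"sn": sn, "ou": "engineering" if eid % 2 == 0 else "sales"}
    return entries


def recommended_threshold(n_entries):
    """The page's rule of thumb for a stable directory: about 5 percent of entries."""
    return max(1, n_entries * 5 // 100)


def build_eq_index(entries, attr, threshold):
    """Equality index: key -> entry ID list, or the All IDs token once the list
    reaches the threshold."""
    lists = {}
    for eid, entry in entries.items():
        lists.setdefault(entry[attr].lower(), set()).add(eid)
    return {key: ALLIDS if len(ids) >= threshold else frozenset(ids)
            for key, ids in lists.items()}


def candidate_list(index, value):
    """Candidates for (attr=value): a set of IDs, the All IDs token, or nothing."""
    return index.get(value.lower(), frozenset())


def and_candidates(cands):
    """AND of candidate lists: intersect the real lists; an All IDs list adds no
    restriction, and if every term is All IDs the whole search is All IDs."""
    real = [c for c in cands if c is not ALLIDS]
    if not real:
        return ALLIDS
    result = real[0]
    for c in real[1:]:
        result &= c
    return result


def entries_examined(entries, indexes, terms):
    """How many entries the server must read for an AND of equality terms."""
    cands = and_candidates([candidate_list(indexes[attr], value) for attr, value in terms])
    return len(entries) if cands is ALLIDS else len(cands)


def allids_keys(index):
    """Keys that have degraded to the All IDs token (what a too-low threshold produces)."""
    return sorted(key for key, ids in index.items() if ids is ALLIDS)


if __name__ == "__main__":
    entries = make_entries()
    for threshold in (20, recommended_threshold(len(entries))):
        idx = {a: build_eq_index(entries, a, threshold) for a in ("sn", "ou")}
        print(f"threshold={threshold}: All IDs keys in sn index: {allids_keys(idx['sn'])}")
        for terms in ([("sn", "jones")], [("sn", "smith")], [("sn", "jones"), ("ou", "engineering")]):
            print(f"  {terms}: examines {entries_examined(entries, idx, terms)} entries")
```

    With the threshold at 20, sn=jones (30 entries) is already All IDs and a search for it reads all 1,000 entries; at the 5 percent setting the same search reads 30. sn=smith is All IDs at both settings, which is the trade-off the page describes: a key that really does match a large share of the directory is cheaper to scan than to keep as a list.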
  • Page 371: Changing The All Ids Threshold Value

    Managing Indexes • Your database cache size and entry cache size may be set incorrectly. See Chapter 14, “Tuning Directory Server Performance” for more information. Carefully examine these possibilities first before changing your All IDs Threshold value. If you think that your server is suffering from an All IDs Threshold that is too low, look in your access log.
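    To act on the advice above, the access log must be scanned for searches the server could not answer from an index. The following Python script is an added detection example, not code from the Netscape manual: it works on constructed log lines in the format this server family writes (an assumption), where each search produces a SRCH line and a RESULT line with the same conn and op, and the RESULT line carries notes=U when the search was unindexed. It correlates the two, attaches the bind DN from the connection's BIND line so that unindexed searches from anonymous clients stand out (an anonymous client that can force full scans is a cheap way to load the server), and tallies the filter attributes so you can see which index to add or which threshold to revisit.

```python
"""Find unindexed searches (notes=U) in a Directory Server access log.

Added example; not code from the Netscape manual. SAMPLE_LOG is constructed
in the access-log format used by this server family (assumption).
"""
import re
from collections import Counter

SAMPLE_LOG = """\
[21/May/2002:10:22:50 -0700] conn=11 op=0 BIND dn="" method=128 version=3
[21/May/2002:10:22:50 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/May/2002:10:22:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(description=*lead*)" attrs=ALL
[21/May/2002:10:22:55 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=3 etime=4 notes=U
[21/May/2002:10:23:01 -0700] conn=12 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[21/May/2002:10:23:01 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/May/2002:10:23:02 -0700] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(sn=jones)" attrs="cn mail"
[21/May/2002:10:23:02 -0700] conn=12 op=1 RESULT err=0 tag=101 nentries=30 etime=0
[21/May/2002:10:23:09 -0700] conn=12 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(telephonenumber=*8834)" attrs=ALL
[21/May/2002:10:23:12 -0700] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
# Attribute names at the start of each filter component, e.g. "(sn=" or "(cn~=".
ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)[~<>]?=")


def _field(rest, name):
    m = re.search(rf'{name}="([^"]*)"', rest)
    return m.group(1) if m else None


def _int_field(rest, name):
    m = re.search(rf"\b{name}=(\d+)", rest)
    return int(m.group(1)) if m else None


def unindexed_searches(log_text):
    """Return one record per search whose RESULT line carries notes=U."""
    bind_dn = {}     # conn -> DN from the most recent BIND on that connection
    searches = {}    # (conn, op) -> details from the SRCH line
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if rest.startswith("BIND "):
            bind_dn[conn] = _field(rest, "dn") or ""      # "" is an anonymous bind
        elif rest.startswith("SRCH "):
            searches[(conn, op)] = {"ts": m["ts"], "base": _field(rest, "base"),
                                    "filter": _field(rest, "filter")}
        elif rest.startswith("RESULT ") and re.search(r"\bnotes=U\b", rest):
            search = searches.get((conn, op))
            if search is None:
                continue   # RESULT without a SRCH (log rotated mid-connection)
            dn = bind_dn.get(conn, "")
            findings.append({**search, "conn": conn, "op": op, "bind_dn": dn,
                             "anonymous": dn == "", "etime": _int_field(rest, "etime"),
                             "nentries": _int_field(rest, "nentries")})
    return findings


def index_candidates(findings):
    """Attributes that appear in unindexed filters, most frequent first."""
    return Counter(a.lower() for f in findings
                   for a in ATTR_RE.findall(f["filter"] or "")).most_common()


if __name__ == "__main__":
    found = unindexed_searches(SAMPLE_LOG)
    for f in found:
        who = "anonymous" if f["anonymous"] else f["bind_dn"]
        print(f"{f['ts']} conn={f['conn']} {who}: {f['filter']} etime={f['etime']}")
    print("attributes to index:", index_candidates(found))
```

    A flagged search whose filter attribute is already indexed, as opposed to one on an unindexed attribute or an unsupported substring form, is the signature of a key that has degraded to the All IDs token.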
  • Page 372: Attribute Name Quick Reference Table

    Attribute Name Quick Reference Table Initialize all your databases using ldif2db. See Chapter 4, “Populating Directory Databases.” Restart your Directory Server. After you increase your All IDs Threshold value, examine your database cache size. Increasing your All IDs Threshold can result in larger memory requirements caused by larger entry ID lists.
  • Page 373 Attribute Name Quick Reference Table (Continued) Table 10-3, attribute name / alternate name:
    stateOrProvinceName
    street / streetAddress
    organization
    organizationalUnitName
    facsimileTelephoneNumber
    userId
    mail / rfc822mailbox
    mobile / mobileTelephoneNumber
    pager / pagerTelephoneNumber
    friendlyCountryName
    labeledUri / labeledUri
    timeToLive
    domainComponent
    authorCn / documentAuthorCommonName
    authorSn / documentAuthorSurname
    drink / favoriteDrink
    Chapter 10 Managing Indexes...
  • Page 374 Attribute Name Quick Reference Table Netscape Directory Server Administrator’s Guide • May 2002...
  • Page 375: Chapter 11 Managing Ssl

    Chapter 11 Managing SSL To provide secure communications over the network, Netscape Directory Server (Directory Server) includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of Secure Sockets Layer (SSL). This chapter describes how to use SSL with your Directory Server in the following sections: •...
  • Page 376 Introduction to SSL in the Directory Server Using SSL with simple authentication ensures confidentiality and data integrity. The benefits of using a certificate to authenticate to the Directory Server, instead of a bind DN and password, include: • Improved efficiency—When you are using applications that prompt you once for your certificate database password, and then use that certificate for all subsequent bind or authentication operations, it is more efficient than continuously providing a bind DN and password.
  • Page 377: Obtaining And Installing Server Certificates

    Obtaining and Installing Server Certificates For a complete description of SSL, internet security, and certificates, see Managing Servers with Netscape Console. Obtaining and Installing Server Certificates This section describes the process of creating a certificate database, obtaining and installing a certificate for use with your Directory Server, and configuring Directory Server to trust the certification authority’s (CA) certificate.
  • Page 378 Obtaining and Installing Server Certificates Enter the Requestor Information in the blank text fields, then click Next. Enter the following information: Server Name. Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups, for example, dir.example.com Organization.
  • Page 379 Obtaining and Installing Server Certificates -----BEGIN NEW CERTIFICATE REQUEST----- MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1JOSUEx LDAqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF0aW9uMRwwG gYDVQQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNA DCBiQKBgQCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7ug0EfgSLR0f+K41eNqqR ftGR83emqPLDOf0ZLTLjVGJaH4Jn4l1gG+JDf/n/zMyahxtV7+mT8GOFFigFfuxa xMjr2j7IvELlxQ4IfZgWwqCm4qQecv3G+N9YdbjveMVXW0v4XwIDAQABoAAwDQYK -----END NEW CERTIFICATE REQUEST----- Send the email message to the CA. Once you have emailed your request, you must wait for the CA to respond with your certificate.
  • Page 380 Obtaining and Installing Server Certificates -----BEGIN CERTIFICATE----- MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMx IzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP MQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Ymxp Y2F0aW9uczEWMBQGA1UEAxMNZHVgh49dq2itLmNvbTBaMA0GCSqGSIb3 -----END CERTIFICATE----- Check that the certificate information displayed is correct, and click Next. Specify a name for the certificate, and click Next. Verify the certificate by providing the password that protects the private key. This password is the same as the one you provided in “Step 1: Generate a Certificate Request,”...
  • Page 381: Activating Ssl

    Activating SSL Specify a name for the certificate, and click Next. Select the purpose of trusting this Certificate Authority (you can select both): Accepting connections from clients (Client Authentication). The server checks that the client’s certificate has been issued by a trusted Certificate Authority.
  • Page 382 Activating SSL To activate SSL communications: Set the secure port you want the server to use for SSL communications. See “Changing Directory Server Port Numbers,” on page 33 for information. The encrypted port number that you specify must not be the same port number you use for normal LDAP communications.
  • Page 383: Setting Security Preferences

    Setting Security Preferences If you want Netscape Console to use SSL during communications with Directory Server, select Use SSL in Netscape Console. Click Save. Restart the Directory Server. See “Starting the Server with SSL Enabled,” on page 36 for more information. Setting Security Preferences You can choose the type of ciphers you want to use for SSL communications.
  • Page 384 Setting Security Preferences To select the ciphers you want the server to use: Make sure SSL is enabled for your server. For information, see “Activating SSL,” on page 381. On the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane.
  • Page 385: Using Certificate-Based Authentication

    Using Certificate-Based Authentication Using Certificate-Based Authentication Directory Server allows you to use certificate-based authentication for the command-line tools (which are LDAP clients) and for replication communications. Certificate-based authentication can occur between: • An LDAP client connecting to the Directory Server •...
  • Page 386: Configuring Ldap Clients To Use Ssl

    Configuring LDAP Clients to Use SSL Allowing/Requiring Client Authentication If you have configured Netscape Console to connect to your Directory Server using SSL and your Directory Server requires client authentication, you can no longer use Netscape Console to manage any of your Netscape servers. You will have to use the appropriate command-line utilities instead.
  • Page 387 Configuring LDAP Clients to Use SSL The following procedure describes how to use Netscape Communicator 4.7 to perform these tasks. To create a certificate, it is sufficient to start Netscape Communicator 4.7. If it does not already exist, the certificate database will be created. Use Communicator to connect to your Certificate Authority.
  • Page 388 Configuring LDAP Clients to Use SSL You must convert the client certificate into binary format using the certutil utility. To do this: Download the certutil utility from http://www.mozilla.org/projects/security/pki/nss/tools/ and run it as follows: certutil -L -d cert7.db_path -n user_cert_name -r > user_cert.bin where cert7.db_path is the location of your certificate database, user_cert_name is the name you gave to your certificate when you installed it, and user_cert.bin is the name you must specify for the output file that will contain the binary certificate.
  • Page 389 Configuring LDAP Clients to Use SSL Click Set Value. A file selector is displayed. Use it to select the binary file you created in Step 6. For information on using the Directory Server Console to edit entries, refer to “Modifying Directory Entries,” on page 45. You can now use SSL with your LDAP clients.
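    The binary (DER) certificate you store in the user's entry is exactly the bytes inside the PEM block, base64-decoded. The following Python script is an added example, not code from the Netscape manual or the NSS tools: it performs that conversion without certutil, checks that the result is a DER SEQUENCE whose declared length matches the bytes actually present (so a truncated or mangled paste, which an LDAP client would later fail to match against, is rejected here), and wraps the result as an LDIF modify using the base64 (::) value form. The attribute name userCertificate;binary and the entry DN are assumptions; the sample PEM is a constructed five-byte SEQUENCE, not a real certificate.

```python
"""Convert a PEM certificate to DER, sanity-check it, and emit LDIF for the user entry.

Added example; not code from the Netscape manual. userCertificate;binary and the
DN are assumptions. SAMPLE_PEM is constructed: the base64 of the DER bytes
30 03 02 01 05 (SEQUENCE { INTEGER 5 }), a structural stand-in, not a certificate.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""


def der_length(der):
    """Total length (header plus contents) declared by the outermost DER element."""
    if len(der) < 2:
        raise ValueError("DER too short")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem_text):
    """Extract and decode the CERTIFICATE block; reject anything that is not a
    complete DER SEQUENCE (a certificate is always an outer SEQUENCE)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    declared = der_length(der)
    if declared != len(der):
        raise ValueError(f"declared length {declared} != actual {len(der)} (truncated?)")
    return der


def fold_ldif(line, width=76):
    """LDIF line folding: continuation lines begin with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def certificate_ldif(entry_dn, der, attr="userCertificate;binary"):
    """LDIF modify that adds the binary certificate as a base64 (::) value."""
    value = base64.b64encode(der).decode("ascii")
    return "\n".join([f"dn: {entry_dn}", "changetype: modify",
                      f"add: {attr}", fold_ldif(f"{attr}:: {value}"), "-"]) + "\n"


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(certificate_ldif("uid=jdoe,ou=People,dc=example,dc=com", der))
```

    Feed the output to ldapmodify the same way as an index entry; the Console's "Set Value" file selector on the next page does the same thing from a file instead of from LDIF.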
  • Page 391: Chapter 12 Monitoring Server And Database Activity

    Chapter 12 Monitoring Server and Database Activity This chapter describes monitoring database and Netscape Directory Server (Directory Server) logs. This chapter contains the following sections: • Viewing and Configuring Log Files (page 391) • Manual Log File Rotation (page 397) •...
  • Page 392: Defining A Log File Rotation Policy

    Viewing and Configuring Log Files The following sections describe how to define your log file creation and deletion policy, and how to view and configure each type of log. Defining a Log File Rotation Policy If you want the directory to periodically archive the current log and start a new one, you can define a log file rotation policy from Directory Server Console.
  • Page 393: Access Log

    Viewing and Configuring Log Files • The minimum amount of free disk space. When the free disk space reaches this minimum value, the oldest archived log is automatically deleted. The default is MB. This parameter is ignored if the number of log files is set to •...
  • Page 394: Error Log

    Viewing and Configuring Log Files To configure the access log for your directory: In the Directory Server Console, select the Configuration tab. Then, in the navigation tree, expand the Logs folder and select the Access Log icon. The access log configuration attributes are displayed in the right pane. To enable access logging, select the Enable Logging checkbox.
  • Page 395: Configuring The Error Log

    Viewing and Configuring Log Files To refresh the current display, click Refresh. Select the Continuous checkbox if you want the display to refresh automatically every ten seconds. To view an archived error log, select it from the Select Log pull-down menu. To specify a different number of messages, enter the number you want to view in the “Lines to show”...
  • Page 396: Audit Log

    Viewing and Configuring Log Files If you want to set the log level, Ctrl+click the options you want the directory to include in the Log Level list box. For more information about log level options, see “Log Level” in the Netscape Directory Server Configuration, Command, and File Reference.
  • Page 397: Manual Log File Rotation

    Manual Log File Rotation To configure audit logging: On the Directory Server Console, select the Configuration tab. Then, in the navigation tree, expand the Logs folder and select the Audit Log icon. The audit log configuration attributes are displayed in the right pane. To enable audit logging, select the Enable Logging checkbox.
  • Page 398: Monitoring Server Activity

    Monitoring Server Activity Restart the server. See “Starting and Stopping the Directory Server,” on page 31 for instructions. Monitoring Server Activity You can monitor your Directory Server’s current activities from either the Directory Server Console or the command line. You can also monitor the activity of the caches for all of your databases.
  • Page 399: General Information (Server)

    Monitoring Server Activity • Current Resource Usage • Connection Status • Global Database Cache Information General Information (Server) The server provides the following general information: • Server version—Identifies the current server version. • Configuration DN—Identifies the distinguished name that you must use as a search base to obtain these results using the command-line utility.
  • Page 400: Current Resource Usage

    Monitoring Server Activity Server Performance Monitoring - Resource Summary (Continued) Table 12-1 (columns: Resource, Usage since startup, Average per minute)
    Operations Initiated. Usage since startup: Total number of operations initiated since server startup. Operations include any client requests for server action, such as searches, adds, and modifies. Average per minute: Average number of operations per minute since server startup.
  • Page 401: Connection Status

    Monitoring Server Activity Server Performance Monitoring - Current Resource Usage (Continued) Table 12-2 (columns: Resource, Current total)
    Threads Waiting to Write to Client: Total number of threads waiting to write to the client. Threads may not be immediately written when the server must pause while sending data to a client.
  • Page 402: Global Database Cache Information

    Monitoring Server Activity Global Database Cache Information The Global Database Cache Information table in the Directory Server Console contains the following information: Table 12-4 Server Performance Monitoring - Global Database Cache Table Header Description Hits Indicates the number of times the server could process a request by obtaining data from the cache rather than by going to the disk.
  • Page 403 Monitoring Server Activity For information on searching the Directory Server, see “Using ldapsearch,” on page 504. The monitoring attributes for your server are found in the cn=monitor,cn=config entry. When you monitor your server’s activities using ldapsearch, you see the following information: •...
  • Page 404: Monitoring Database Activity

    Monitoring Database Activity • readwaiters: Identifies the number of threads waiting to read data from a client. • opsinitiated: Identifies the number of operations the server has initiated since it started. • opscompleted: Identifies the number of operations the server has completed since it started.
  • Page 405: Viewing Database Performance Monitors

    Monitoring Database Activity Viewing Database Performance Monitors To monitor your database’s activities: On the Directory Server Console, select the Status tab. In the navigation tree, expand the Performance Counters folder and select the database that you want to monitor. The tab displays current information about database activity. If the server is currently not running, this tab will not provide performance monitoring information.
  • Page 406: Database Cache Information Table

    Monitoring Database Activity Database Performance Monitoring - Summary Information (Continued) Table 12-5 Performance Metric Current Total Entry cache hits Indicates the total number of successful entry cache lookups. That is, the total number of times the server could process a search request by obtaining data from the cache rather than by going to disk.
  • Page 407: Database File-Specific Table

    Monitoring Database Activity Table 12-6 Database Performance Monitoring - Database Cache Information Performance Metric Current Total Hits Indicates the number of times the database cache successfully supplied a requested page. A page is a buffer of the size 2K. Tries Indicates the number of times the database cache was asked for a page.
  • Page 408: Monitoring Databases From The Command Line

    Monitoring Database Activity Database Performance Monitoring - Database File-Specific table (Continued) Table 12-7 Performance Metric Current Total Cache misses Number of times that a search result failed to hit the cache on this specific file. That is, a search that required data from this file was performed and the required data could not be found in the cache.
  • Page 409 Monitoring Database Activity • currententrycachesize: Provides the same information as described in “Current entry cache size (in entries),” on page 406 in Table 12-5. • maxentrycachesize: Provides the same information as described in “Maximum entry cache size (in entries),” on page 406 in Table 12-5. •...
  • Page 410: Monitoring Database Link Activity

    Monitoring Database Link Activity Monitoring Database Link Activity You can monitor the activity of your database links from the command line using the monitoring attributes. Use the ldapsearch command-line utility to return the attribute values that interest you. The monitoring attributes are stored in the following entry: cn=monitor,cn=database_link_name,cn=chaining database,cn=plugins,cn=config...
  • Page 411 Monitoring Database Link Activity Database Link Monitoring Attributes (Continued) Table 12-8 (columns: Attribute Name, Description)
    nsOperationConnectionCount: Number of open connections for normal operations.
    nsBindConnectionCount: Number of open connections for bind operations.
    For more information about ldapsearch, see the Netscape Directory Server Configuration, Command, and File Reference.
  • Page 413: Chapter 13 Monitoring Directory Server Using Snmp

    Chapter 13 Monitoring Directory Server Using SNMP The server and database activity monitoring and log setup described in Chapter 12, “Monitoring Server and Database Activity” is specific to Netscape Directory Server (Directory Server). You can also monitor your Directory Server using the Simple Network Management Protocol (SNMP), a management protocol for monitoring network activity that can be used to monitor a wide range of devices in real time.
  • Page 414: About Snmp

    About SNMP About SNMP SNMP is a protocol used to exchange data about network activity. With SNMP, data travels between a managed device and a network management station (NMS) where users remotely manage the network. A managed device is anything that runs SNMP, such as hosts, routers, and your Directory Server.
  • Page 415: Nms-Initiated Communication

    About SNMP • Managed Device-Initiated Communication NMS-Initiated Communication NMS-initiated communication is the most common type of communication between an NMS and a managed device. In this type of communication, the NMS either requests information from the managed device or changes the value of a variable stored on the managed device.
  • Page 416: Overview Of The Directory Server Management Information Base

    Overview of the Directory Server Management Information Base Overview of the Directory Server Management Information Base Each Netscape server has its own MIB. The Directory Server’s MIB is a file called netscape-ldap.mib. This MIB contains definitions for variables pertaining to network management for the directory.
  • Page 417: Table 13-1 Operations Table Managed Objects And Descriptions

    Overview of the Directory Server Management Information Base Table 13-1 Operations Table Managed Objects and Descriptions (columns: Managed Object, Description)
    dsAnonymousBinds: The number of anonymous binds to the directory since server startup.
    dsUnauthBinds: The number of unauthenticated binds to the directory since server startup.
  • Page 418: The Entries Table

    Table 13-1 Operations Table Managed Objects and Descriptions (Continued)
      dsReferrals: The number of referrals returned by this directory in response to client requests since server startup.
      dsSecurityErrors: The number of operations forwarded to this directory that did not meet security requirements.
  • Page 419: Setting Up Snmp

    Setting Up SNMP The steps for configuring SNMP monitoring for your directory depend on whether you run your directory on Windows NT, UNIX or AIX. This section contains the following procedures: • Setting Up SNMP on Windows NT •...
  • Page 420: Configuring The Aix Snmp Daemon

    On AIX machines, configure the AIX SNMP Daemon. See “Configuring the AIX SNMP Daemon,” on page 420 for information. Enable the directory subagent. See “Configuring SNMP for the Directory Server,” on page 422 for information. Start the directory subagent. See “Starting and Stopping the SNMP Subagent on UNIX,”...
  • Page 421: Starting And Stopping The Snmp Subagent On Unix

    Starting and Stopping the SNMP Subagent on UNIX To start, stop, and restart the SNMP subagent for a directory running on UNIX: On the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane.
  • Page 422: Configuring Snmp For The Directory Server

    NOTE If you add another server instance and you want the instance to be part of the SNMP network, you must restart the subagent. Configuring SNMP for the Directory Server To configure SNMP settings from the Directory Server Console: Make sure the Directory Server is running.
  • Page 423: Chapter 14 Tuning Directory Server Performance

    Chapter 14 Tuning Directory Server Performance This chapter describes the tools provided with Netscape Directory Server (Directory Server) to help optimize performance. It also provides tips to improve the performance of your directory. This chapter contains the following sections: • Tuning Server Performance (page 423) •...
  • Page 424: Tuning Database Performance

    To configure Directory Server to optimize performance: On the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane. The tabs that are displayed in the right pane control server-wide configuration attributes.
  • Page 425: Optimizing Search Performance

    • Changing the Database Checkpoint Interval • Disabling Durable Transactions • Specifying Transaction Batching Optimizing Search Performance You can improve server performance on searches by tuning database settings. The database attributes that affect performance mainly define the amount of memory available to the server.
  • Page 426 • The attributes of each database that you use to store directory data, including the server configuration data in the NetscapeRoot database. On these databases, you can change the following attributes to improve performance: the maximum number of entries you want the server to keep in memory (maximum entries in cache attribute); the amount of memory you want to make available for cached entries (memory available for cache attribute)
  • Page 427: Tuning Transaction Logging

    Enter the amount of memory you want to make available for cached entries in the Memory Available for Cache field. If you are creating a very large database from LDIF, set this attribute as large as possible, depending on the memory available on your machine. The larger this parameter, the faster your database will be created.
  • Page 428: Changing The Location Of The Database Transaction Log

    Changing the Location of the Database Transaction Log By default, the database transaction log file is stored in the /usr/netscape/servers/slapd-serverID/db directory along with the database files themselves. Because the purpose of the transaction log is to aid in the recovery of a directory database that was shut down abnormally, it is a good idea to store the database transaction log on a different disk from the one containing the directory database.
  • Page 429: Disabling Durable Transactions

    databases after a disorderly shutdown and require more disk space due to large database transaction log files. Therefore, you should modify this attribute only if you are familiar with database optimization and can fully assess the effect of the change.
  • Page 430: Specifying Transaction Batching

    Use the ldapmodify command-line utility to add the nsslapd-db-durable-transactions attribute to the cn=config,cn=ldbm database,cn=plugins,cn=config entry, and set its value so that durable transactions are disabled. For information on the syntax of the nsslapd-db-durable-transactions attribute, see the Netscape Directory Server Configuration, Command, and File Reference.
  • Page 431: Avoid Creating Entries Under The Cn=Config Entry In The Dse.ldif File

    Avoid Creating Entries Under the cn=config Entry in the dse.ldif File The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, and particularly entries that are likely to be updated frequently, are stored under cn=config, performance will probably suffer.
  • Page 432 Miscellaneous Tuning Tips Netscape Directory Server Administrator’s Guide • May 2002...
  • Page 433: Part 2 Plug-Ins Reference

    Part 2 Plug-Ins Reference Chapter 15, “Administering Directory Server Plug-Ins” Chapter 16, “Using the Pass-Through Authentication Plug-In” Chapter 17, “Using the Attribute Uniqueness Plug-In” Chapter 18, “Configuring IM Presence Information”...
  • Page 435: Chapter 15 Administering Directory Server Plug-Ins

    Chapter 15 Administering Directory Server Plug-Ins Netscape Directory Server (Directory Server) plug-ins extend the functionality of the server. Directory Server ships with several plug-ins to help you manage your directory. This chapter contains general information on the types of plug-ins available, and how to enable or disable them.
  • Page 436: Acl Plug-In

    Table 15-1 Details of 7-Bit Check Plug-In (Continued)
      Plug-in Name: 7-bit check (NS7bitAtt)
      Description: Checks that certain attributes are 7-bit clean
      Configurable Options: on | off
      Configurable Arguments: Configurable list of attributes (uid mail userpassword) followed by "," and then the suffix(es) on which the check is to occur
      Dependencies: None...
  • Page 437: Acl Preoperation Plug-In

    ACL Preoperation Plug-In
    Table 15-3 Details of ACL Preoperation Plug-In
      Plug-in Name: ACL preoperation
      DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config
      Description: ACL access check plug-in
      Configurable Options: on | off
      Configurable Arguments: None
      Dependencies: database
      Performance Related Information: None...
  • Page 438: Boolean Syntax Plug-In

    Boolean Syntax Plug-In
    Table 15-5 Details of Boolean Syntax Plug-In
      Plug-in Name: Boolean Syntax
      DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config
      Description: Syntax for handling booleans
      Configurable Options: on | off
      Configurable Arguments: None
      Dependencies: None
      Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 439: Case Ignore String Syntax Plug-In

    Case Ignore String Syntax Plug-In
    Table 15-7 Details of Case Ignore String Syntax Plug-In
      Plug-in Name: Case Ignore String Syntax
      DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config
      Description: Syntax for handling case-insensitive strings
      Configurable Options: on | off
      Configurable...
  • Page 440: Class Of Service Plug-In

    Class of Service Plug-In
    Table 15-9 Details of Class of Service Plug-In
      Plug-in Name: Class of Service
      DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config
      Description: Allows for sharing of attributes between entries
      Configurable Options: on | off
      Configurable...
  • Page 441: Distinguished Name Syntax Plug-In

    Distinguished Name Syntax Plug-In
    Table 15-11 Details of Distinguished Name Syntax Plug-In
      Plug-in Name: Distinguished Name Syntax
      DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config
      Description: Syntax for handling DNs
      Configurable Options: on | off
      Configurable Arguments: None...
  • Page 442: Integer Syntax Plug-In

    Table 15-12 Details of Generalized Time Syntax Plug-In (Continued)
      Plug-in Name: Generalized Time Syntax
      Further Information: The Generalized Time String consists of the following: four-digit year, two-digit month (for example, 01 for January), two-digit day, two-digit hour, two-digit minute, two-digit second, an optional decimal part of a second, and a time zone indication.
  • Page 443: Ldbm Database Plug-In

    Table 15-14 Details of Internationalization Plug-In (Continued)
      Plug-in Name: Internationalization Plugin
      Configurable Options: on | off
      Configurable Arguments: The Internationalization plug-in has one argument, which must not be modified: /usr/netscape/servers/slapd-serverID/config/slapd-collations.conf. This directory stores the collation orders and locales used by the internationalization plug-in.
  • Page 444: Legacy Replication Plug-In

    Legacy Replication Plug-In
    Table 15-16 Details of Legacy Replication Plug-In
      Plug-in Name: Legacy Replication plug-in
      DN of Configuration Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config
      Description: Enables Netscape Directory Server 6.02 to be a consumer of a 4.1 supplier
      Configurable Options: on | off...
  • Page 445: Octet String Syntax Plug-In

    Table 15-17 Details of Multimaster Replication Plug-In (Continued)
      Plug-in Name: Multimaster Replication Plugin
      Further Information: You can turn this plug-in off if you only have one server which will never replicate. See also Chapter 8, “Managing Replication.”
    Octet String Syntax Plug-in
    Table 15-18 Details of Octet String Syntax Plug-In
      Plug-in Name...
  • Page 446: Crypt Password Storage Plug-In

    Table 15-19 Details of CLEAR Password Storage Plug-In (Continued)
      Plug-in Name: CLEAR
      Configurable Arguments: None
      Dependencies: None
      Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
      Chapter 7, “User Account Management.”...
  • Page 447: Sha Password Storage Plug-In

    Table 15-21 Details of NS-MTA-MD5 Password Storage Plug-In (Continued)
      Plug-in Name: NS-MTA-MD5
      Description: NS-MTA-MD5 password storage scheme for password encryption
      Configurable Options: on | off
      Configurable Arguments: None
      Dependencies: None
      Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
  • Page 448: Ssha Password Storage Plug-In

    SSHA Password Storage Plug-In
    Table 15-23 Details of SSHA Password Storage Plug-In
      Plug-in Name: SSHA
      DN of Configuration Entry: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
      Description: SSHA password storage scheme for password encryption
      Configurable Options: on | off
      Configurable Arguments: None...
  • Page 449: Pta Plug-In

    PTA Plug-In
    Table 15-25 Details of PTA Plug-In
      Plug-in Name: Pass-Through Authentication Plugin
      DN of Configuration Entry: cn=Pass Through Authentication,cn=plugins,cn=config
      Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. This plug-in is not listed in Directory Server Console if you use the same server for your user directory and configuration directory.
  • Page 450: Retro Change Log Plug-In

    Table 15-26 Details of Referential Integrity Postoperation Plug-In (Continued)
      Plug-in Name: Referential Integrity Postoperation
      Configurable Arguments: When enabled, the post-operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation.
  • Page 451: Roles Plug-In

    Table 15-27 Details of Retro Change Log Plug-In (Continued)
      Plug-in Name: Retro Changelog Plugin
      Description: Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.
  • Page 452: Telephone Syntax Plug-In

    Telephone Syntax Plug-In
    Table 15-29 Details of Telephone Syntax Plug-In
      Plug-in Name: Telephone Syntax
      DN of Configuration Entry: cn=Telephone Syntax,cn=plugins,cn=config
      Description: Syntax for handling telephone numbers
      Configurable Options: on | off
      Configurable Arguments: None
      Dependencies: None
      Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 453 Table 15-30 Details of UID Uniqueness Plug-In (Continued)
      Plug-in Name: UID Uniqueness plug-in
      Configurable Arguments: Enter the following arguments: "DN" "DN"... if you want to check for uid attribute uniqueness in all listed subtrees. However, enter the following arguments: attribute="uid"...
  • Page 454: Uri Plug-In

    URI Plug-in
    Table 15-31 Details of URI Plug-In
      Plug-in Name: URI Syntax
      DN of Configuration Entry: cn=URI Syntax,cn=plugins,cn=config
      Description: Syntax for handling URIs (Unique Resource Identifiers) including URLs (Unique Resource Locators)
      Configurable Options: on | off
      Default Setting...
  • Page 455: Chapter 16 Using The Pass-Through Authentication Plug-In

    Chapter 16 Using the Pass-Through Authentication Plug-In Pass-through authentication (PTA) is a mechanism by which one directory server consults another to authenticate bind requests. The PTA plug-in provides this functionality, allowing a directory server to accept simple bind operations (password based) for entries not stored in its local database. Netscape Directory Server (Directory Server) uses PTA to allow you to administer your user and configuration directories on separate instances of Directory Server.
  • Page 456 How Directory Server Uses PTA The user directory in this example acts as the PTA directory, that is, the server that passes through bind requests to another directory server. The configuration directory acts as the authenticating directory, that is, the server that contains the entry and verifies the bind credentials of the requesting client.
  • Page 457: Pta Plug-In Syntax

    PTA Plug-In Syntax
      nsslapd-pluginarg0: ldap://config.example.com/ou=NetscapeRoot
      nsslapd-plugin-depends-on-type: database
      nsslapd-pluginId: passthruauth
      nsslapd-pluginVersion: 6.02
      nsslapd-pluginVendor: Netscape Communications Corporation
      nsslapd-pluginDescription: pass through authentication plugin
    The user directory is now configured to send all bind requests for entries whose DN contains o=NetscapeRoot to the configuration directory configdir.example.com. When installation is complete, the...
  • Page 458: Table 16-1 Pta Plug-In Parameters

    PTA Plug-In Syntax Notes: • The LDAP URL (ldap|ldaps://authDS/subtree) must be separated from the optional parameters (maxconns, maxops, timeout, ldver, connlifetime) by a single space. • If you explicitly define any of the optional parameters, you must define all of them, even if you specify only the default values.
  • Page 459: Configuring The Pta Plug-In

    Table 16-1 PTA Plug-In Parameters (Continued)
      maxconns: Optional. The maximum number of connections the PTA directory can simultaneously open to the authenticating directory. The default is 3. See “Configuring the Optional Parameters,” on page 463 for more information.
      maxops: Optional.
  • Page 460 Restart Directory Server. Before you configure any of the parameters discussed in this section, the PTA plug-in entry must be present in the dse.ldif file. If this entry does not exist, you must create it with the appropriate syntax, as described in “PTA Plug-In Syntax,” on page 457.
  • Page 461: Configuring The Servers To Use A Secure Connection

    When you enable the plug-in, you must also check that the plug-in initialization function is properly defined. The entry cn=Pass Through Authentication,cn=plugins,cn=config should contain the following attribute-value pairs:
      nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.extension
      nsslapd-pluginInitfunc: passthruauth_init
    where extension is always on HP-UX, on all other UNIX platforms, and on Windows.
  • Page 462: Specifying The Authenticating Directory Server

    Restart the server. For information on restarting the server, refer to “Starting and Stopping the Directory Server,” on page 31. Specifying the Authenticating Directory Server The authenticating directory contains the bind credentials for the entry with which the client is attempting to bind.
  • Page 463: Configuring The Optional Parameters

    Specifying the Pass-Through Subtree The PTA directory passes through bind requests to the authenticating directory from all clients whose DN is defined in the pass-through subtree. You specify the subtree by replacing the subtree parameter in the LDAP URL of the PTA directory. The pass-through subtree must not exist in the PTA directory.
  • Page 464 • The time limit you want the PTA directory server to wait for a response from the authenticating directory server. In the PTA syntax, this parameter is represented as timeout. The default value, in seconds, is five minutes. •...
  • Page 465: Pta Plug-In Syntax Examples

    PTA Plug-In Syntax Examples This section contains the following examples of PTA plug-in syntax in the dse.ldif file: • Specifying One Authenticating Directory Server and One Subtree • Specifying Multiple Authenticating Directory Servers • Specifying One Authenticating Directory Server and Multiple Subtrees •...
  • Page 466: Specifying One Authenticating Directory Server And Multiple Subtrees

      dn: cn=Pass Through Authentication,cn=plugins,cn=config
      objectClass: top
      objectClass: nsSlapdPlugin
      objectClass: extensibleObject
      cn: Pass Through Authentication
      nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.so
      nsslapd-pluginInitfunc: passthruauth_init
      nsslapd-pluginType: preoperation
      nsslapd-pluginEnabled: on
      nsslapd-pluginarg0: ldap://config-dir.example.com/ou=NetscapeRoot
      nsslapd-pluginarg1: ldap://config2-dir.example.com/ou=NetscapeRoot
      nsslapd-plugin-depends-on-type: database
      nsslapd-pluginId: passthruauth
      nsslapd-pluginVersion: 6.02
      nsslapd-pluginVendor: Netscape Communications Corporation
      nsslapd-pluginDescription: pass through authentication plugin
    Specifying One Authenticating Directory Server and Multiple Subtrees...
  • Page 467: Specifyingdifferentoptionalparametersandsubtreesfordifferentauthenticatingdirectoryservers

      dn: cn=Pass Through Authentication,cn=plugins,cn=config
      objectClass: top
      objectClass: nsSlapdPlugin
      objectClass: extensibleObject
      cn: Pass Through Authentication
      nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.so
      nsslapd-pluginInitfunc: passthruauth_init
      nsslapd-pluginType: preoperation
      nsslapd-pluginEnabled: on
      nsslapd-pluginarg0: ldap://config-dir.example.com/ou=NetscapeRoot 10,5,300,3,300
      nsslapd-plugin-depends-on-type: database
      nsslapd-pluginId: passthruauth
      nsslapd-pluginVersion: 6.02
      nsslapd-pluginVendor: Netscape Communications Corporation
      nsslapd-pluginDescription: pass through authentication plugin
    Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers If you want to specify a different pass-through subtree and optional parameter...
  • Page 469: Chapter 17 Using The Attribute Uniqueness Plug-In

    Chapter 17 Using the Attribute Uniqueness Plug-In The attribute uniqueness plug-in can be used to ensure that the attributes you specify always have unique values in the directory. You must create a new instance of the plug-in for every attribute for which you want to ensure unique values. Netscape Directory Server (Directory Server) provides a uid uniqueness plug-in that can be used to manage the uniqueness of the uid attribute.
  • Page 470 If an update operation applies to an attribute and suffix monitored by the plug-in, and it would cause two entries to have the same attribute value, then the server terminates the operation and returns an LDAP_CONSTRAINT_VIOLATION error to the client.
  • Page 471: Overview Of The Uid Uniqueness Plug-In

    Overview of the UID Uniqueness Plug-in Directory Server provides an instance of the attribute uniqueness plug-in, the Uid Uniqueness plug-in. By default, the plug-in ensures that values given to the uid attribute are unique in the suffix you configured when installing the directory (the suffix corresponding to the database).
  • Page 472 Attribute Uniqueness Plug-In Syntax
      nsslapd-pluginId: NSUniqueAttr
      nsslapd-pluginVersion: 6.02
      nsslapd-pluginVendor: Netscape Communications Corporation
      nsslapd-pluginDescription: Enforce unique attribute values
    Notes: • You can specify any name you like in the attribute to name the plug-in. The name should be descriptive. This attribute does not contain the name of the attribute which is checked for uniqueness.
  • Page 473: Table 17-1 Attribute Uniqueness Plug-In Variables

    • You can specify only one attribute on which the uniqueness check will be performed. • If the nsslapd-pluginarg0 attribute begins with attribute=attribute_name, then the server expects that the nsslapd-pluginarg1 attribute will include a markerObjectClass keyword. The variable components of the attribute uniqueness plug-in syntax are described in Table 17-1.
  • Page 474: Creating An Instance Of The Attribute Uniqueness Plug-In

    Creating an Instance of the Attribute Uniqueness Plug-In If you want to ensure that a particular attribute in your directory always has unique values, you must create an instance of the attribute uniqueness plug-in for the attribute you want to check.
  • Page 475: Configuring Attribute Uniqueness Plug-Ins

    Configuring Attribute Uniqueness Plug-Ins This section explains how to use Directory Server Console to view the plug-ins configured for your directory, and how to modify the configuration of the attribute uniqueness plug-ins. Viewing Plug-In Configuration Information From the Directory Server Console, you can display the configuration entry for attribute uniqueness plug-ins as follows: On the Directory Server Console, click the Directory tab.
  • Page 476 To modify an attribute uniqueness plug-in configuration from the Directory Server Console Configuration tab: On the Directory Server Console, select the Configuration tab, then in the navigation tree, expand the Plugins folder, and select the attribute uniqueness plug-in that you want to modify.
  • Page 477: Specifying A Suffix Or Subtree

    Turning the Plug-in On or Off To turn the plug-in on from the command line, you must create an LDIF file that contains the following LDIF update statements:
      dn: cn=descriptive_plugin_name,cn=plugins,cn=config
      changetype: modify
      replace: nsslapd-pluginenabled
      nsslapd-pluginenabled: on
    Use the command to import the LDIF file into the directory.
  • Page 478: Using The Markerobjectclass And Requiredobjectclass Keywords

    Using the markerObjectClass and requiredObjectClass Keywords Instead of specifying a suffix or subtree in the configuration of an attribute uniqueness plug-in, you can specify to perform the check under the entry belonging to the DN of the updated entry that has the object class specified in the keyword.
  • Page 479: Attribute Uniqueness Plug-In Syntax Examples

      nsslapd-pluginarg1: markerObjectClass=ou
      nsslapd-pluginarg2: requiredObjectClass=person
      nsslapd-plugin-depends-on-type: database
      nsslapd-pluginId: NSUniqueAttr
      nsslapd-pluginVersion: 6.02
      nsslapd-pluginVendor: Netscape Communications Corporation
      nsslapd-pluginDescription: Enforce unique attribute values
    You cannot repeat the markerObjectClass and requiredObjectClass keywords by incrementing the counter in the nsslapd-pluginarg attribute suffix. NOTE The nsslapd-pluginarg0 attribute always contains the name of...
  • Page 480: Specifying One Attribute And Multiple Subtrees

    Specifying One Attribute and Multiple Subtrees This example configures the plug-in to ensure the uniqueness of the mail attribute under the l=Chicago,dc=example,dc=com and l=Boston,dc=example,dc=com subtrees.
      dn: cn=mail uniqueness,cn=plugins,cn=config
      objectClass: top
      objectClass: nsSlapdPlugin
      objectClass: extensibleObject
      cn: mail uniqueness
      nsslapd-pluginPath: /usr/netscape/servers/lib/uid-plugin.so
      nsslapd-pluginInitfunc: NSUniqueAttr_Init
      nsslapd-pluginType: preoperation...
  • Page 481: Replication And The Attribute Uniqueness Plug-In

    Replication and the Attribute Uniqueness Plug-In When you use the attribute uniqueness plug-ins on Directory Servers involved in a replication agreement, you must think carefully about how to configure the plug-in on each server. Consider the following cases: •...
  • Page 482 When these conditions are met, attribute uniqueness conflicts are reported as naming conflicts at replication time. Naming conflicts require manual resolution. For information on how to resolve replication conflicts, refer to “Solving Common Replication Conflicts,” on page 324.
  • Page 483: Chapter 18 Configuring Im Presence Information

    Chapter 18 Configuring IM Presence Information Netscape Directory Server (Directory Server) 6.0 includes a preview release of a new feature called Instant Messenger (IM) Presence Information. This chapter provides an overview of this feature and information that will help you configure Directory Server to provide an IM user’s online-status information as a part of the user-profile information stored in the directory.
  • Page 484: Schema For The Presence Plug-In

    Schema For the Presence Plug-In Making the presence information available via a directory provides an easy, efficient, and unified way of looking at a user’s online status. In organizations where directory is generally deployed to store user-profile information, presence information can be added to the directory schema and the online status of users becomes available to everyone within the organization without having to worry about the details of how this information is queried or obtained.
  • Page 485: Performance-Related Information

    The file lists the default object classes with the allowed attributes that must be added to a user’s entry in order for presence information to be available for that user:
      objectclass: nsAIMpresence
      attributeTypes: nsAIMid syntax DirectoryString
      attributeTypes: nsAIMStatusGraphic syntax Binary NO-USER-MODIFICATION USAGE directoryOperation
      attributeTypes: nsAIMStatusText syntax DirectoryString NO-USER-MODIFICATION USAGE directoryOperation...
  • Page 486: Setting Resource Limits Based On Bind Dn

    Setting Resource Limits Based on Bind DN You can control or set limits on search operations for directory data using special operational attribute values on the client application binding to the directory. Table 18-1 lists attributes that you can use to set search-operation limits. Table 18-1 Attributes for Setting Limits On Search Operations Parameter...
  • Page 487: Part 3

    Part 3 Appendixes Appendix A, “LDAP Data Interchange Format” Appendix B, “Finding Directory Entries” Appendix C, “LDAP URLs” Appendix D, “Internationalization”...
  • Page 489: Appendix A Ldap Data Interchange Format

    Appendix A LDAP Data Interchange Format Netscape Directory Server (Directory Server) uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text format. LDIF is commonly used to build the initial directory database or to add large numbers of entries to the directory all at once.
  • Page 490 LDIF File Format The basic form of a directory entry represented in LDIF is as follows:
      dn: distinguished_name
      objectClass: object_class
      objectClass: object_class
      attribute_type[;subtype]:attribute_value
      attribute_type[;subtype]:attribute_value
    You must supply the DN and at least one object class definition. In addition, you must include any attributes required by the object classes that you define for the entry.
  • Page 491: Continuing Lines In Ldif

    Table A-1 LDIF Fields (Continued)
      [subtype]: Optional. Specifies a subtype, either language, binary, or pronunciation. Use this tag to identify the language in which the corresponding attribute value is expressed, or whether the attribute value is binary or a pronunciation of an attribute value.
  • Page 492 If you use this standard notation, you do not need to specify the ldapmodify -b parameter. However, you must add the following line to the beginning of your LDIF file, or your LDIF update statements: version:1 For example, you could use the following ldapmodify command: prompt% ldapmodify -D userDN -w user_passwd...
  • Page 493: Specifying Directory Entries Using Ldif

    Specifying Directory Entries Using LDIF You can store many types of entries in your directory. This section concentrates on three of the most common types of entries used in a directory: organization, organizational unit, and organizational person entries. The object classes defined for an entry are what indicate whether the entry represents an organization, an organizational unit, an organizational person, or some other type of entry.
  • Page 494: Table A-2 Ldif Elements In Organization Entries

    The organization name in the following example uses a comma:
      dn: o="example.com Chile\\, S.A."
      objectclass: top
      objectclass: organization
      o: "example.com Chile\\, S.A."
      description: Fictional company for example purposes
      telephonenumber: 555-5556
    Each element of the LDIF-formatted organization entry is defined in Table A-2. Table A-2 LDIF Elements in Organization Entries LDIF Element...
  • Page 495: Table A-3 Ldif Elements In Organizational Unit Entries

    Specifying Directory Entries Using LDIF Specifying Organizational Unit Entries Organizational unit entries are often used to represent major branch points, or subdirectories, in your directory tree. They correspond to major, reasonably static entities within your enterprise, such as a subtree that contains people, or a subtree that contains groups.
  • Page 496: Specifying Organizational Person Entries

    Specifying Directory Entries Using LDIF Table A-3 LDIF Elements in Organizational Unit Entries (Continued)
    ou: organizational_unit_name (attribute that specifies the organizational unit's name)
    list_of_attributes (the list of optional attributes that you want to maintain for the entry; see the Netscape Directory Server Schema Reference for a list of the attributes you can use with this object class)
  • Page 497: Defining Directories Using Ldif

    Defining Directories Using LDIF Table A-4 LDIF Elements in Person Entries
    dn: distinguished_name (specifies the distinguished name for the entry; a DN is required). If there is a comma in the DN, the comma must be escaped with a backslash (\). For example:
    dn: uid=bjensen,ou=people,o=example.com Bolivia\,S.A.
  • Page 498 Defining Directories Using LDIF To create a directory using LDIF, follow these steps: Create an ASCII file containing the entries you want to add in LDIF format. Make sure each entry is separated from the next by an empty line. You should use just one line, and the first line of the file must not be blank or else the utility will exit.
  • Page 499: Ldif File Example

    Defining Directories Using LDIF LDIF File Example The following example shows an LDIF file that contains one organization, two organizational units, and three organizational person entries:
    dn: o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organization
    o: example.com Corp
    description: Fictional organization for example purposes

    dn: ou=People,o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organizationalUnit...
  • Page 500: Storing Information In Multiple Languages

    Storing Information in Multiple Languages
    dn: cn=Robert Wong,ou=People,example.com Corp,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: Robert Wong
    cn: Bob Wong
    sn: Wong
    givenName: Robert
    givenName: Bob
    mail: bwong@example.com
    userPassword: {sha}nn2msx761
    telephoneNumber: 2881
    roomNumber: 211
    ou: Manufacturing
    ou: people

    dn: ou=Groups,o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organizationalUnit...
  • Page 501 Storing Information in Multiple Languages For example, suppose example.com Corporation has offices in the United States and France and wants employees to be able to view directory information in their native language. When adding directory entries, the directory administrator chooses to provide attribute values in both English and French. When adding a directory entry for a new employee, Babs Jensen, the administrator creates the following LDIF entry:
    dn: uid=bjensen,ou=people,dc=example,dc=com...
  • Page 502 Storing Information in Multiple Languages Netscape Directory Server Administrator’s Guide • May 2002...
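The LDIF rules collected in this appendix (the version line, continued lines, ;subtype options, base64 values marked with ::, and escaped commas inside a DN) in one added Python parser; this is example code written for this page, not the manual's or the product's, and the sample LDIF it reads is constructed here.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample LDIF modelled on the appendix's examples (not the manual's own file).
# It uses a version: 1 header, a continued line (leading space), a language subtype
# (title;lang-fr), a base64 value marked with :: and an escaped comma inside a DN.
SAMPLE_LDIF = """\
version: 1
dn: uid=bjensen,ou=people,o=example.com Bolivia\\,S.A.
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs Jensen
description: Fictional person whose description is long enough
  to be continued on a second line
title;lang-fr: Directrice
jpegPhoto:: /9j/4AAQ
userPassword: {SSHA}constructed-placeholder-hash

dn: ou=Groups,o=example.com Corp,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Groups
"""

@dataclass
class Entry:
    dn: str
    # attribute description (e.g. "title;lang-fr") -> values; bytes for base64 (::) values
    attrs: dict = field(default_factory=dict)

    def values(self, attr_type):
        """All values of an attribute type, ignoring case and any ;subtype options."""
        return [v for desc, vals in self.attrs.items()
                if split_attr_desc(desc)[0].lower() == attr_type.lower() for v in vals]

def split_attr_desc(desc):
    """'title;lang-fr' -> ('title', ['lang-fr']); 'cn' -> ('cn', [])."""
    base, *options = desc.split(";")
    return base, options

def split_dn(dn):
    """Split a DN into RDNs on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)

def unfold(text):
    """Join continued lines: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Parse LDIF content records (dn plus attributes, separated by blank lines)."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():                  # blank line ends the current entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):              # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip())
        else:                                 # attr: value (attr:< URL form not handled here)
            value = rest.lstrip(" ")
        if name.lower() == "dn":
            if current is not None:
                raise ValueError("dn inside an entry; separate entries with a blank line")
            current = Entry(dn=value.decode("utf-8") if isinstance(value, bytes) else value)
        elif current is None:
            raise ValueError(f"attribute {name!r} appears before any dn line")
        else:
            current.attrs.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries

def validate(entry):
    """Report what the appendix requires: a DN of attribute=value RDNs and an object class."""
    problems = []
    if not all("=" in rdn for rdn in split_dn(entry.dn)):
        problems.append("dn is not a sequence of attribute=value RDNs")
    if not entry.values("objectClass"):
        problems.append("entry has no objectClass value")
    return problems
```

Files like this carry userPassword hashes, so an exported LDIF deserves the same file permissions as the database it came from.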
  • Page 503: Appendix B Finding Directory Entries

    Appendix B Finding Directory Entries You can find entries in your directory using any LDAP client. Most clients provide some form of a search interface that allows you to easily search the directory and retrieve entry information. NOTE You cannot search the directory unless the appropriate access control has been set in your directory.
  • Page 504: Using Ldapsearch

    Using ldapsearch On Directory Server Console, select the Directory tab. Depending on the DN you used to authenticate to the directory, this tab displays the contents of the directory that you have access permissions to view. You can browse through the contents of the tree or right-click an entry and select Search from the pop-up menu.
  • Page 505: Ldapsearch Command-Line Format

    Using ldapsearch ldapsearch Command-Line Format When you use ldapsearch, you must enter the command using the following format:
    ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes]
    where • optional_options represents a series of command-line options. These must be specified before the search filter, if any. •...
  • Page 506 Using ldapsearch Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks.
  • Page 507: Ldapsearch Examples

    Using ldapsearch Specifies the scope of the search. The scope can be one of the following:
    • base—Search only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable.
    • one—Search only the immediate children of the entry specified in the -b option.
  • Page 508: Returning All Entries

    Using ldapsearch • You have configured your directory to support anonymous access for search and read. You do not have to specify any bind information in order to perform the search. For more information on anonymous access, see “Defining User Access - userdn Keyword,”...
  • Page 509: Using Ldap_Basedn

    Using ldapsearch Using LDAP_BASEDN To make searching easier, you can set your search base using the LDAP_BASEDN environment variable. Doing this allows you to skip specifying the search base with the -b option (for information on how to set environment variables, see the documentation for your operating system).
  • Page 510: Specifying Dns That Contain Commas In Search Filters

    LDAP Search Filters ldapsearch then first finds all the entries with the surname Francis, and then all the entries with the givenname Richard. If an entry is found that matches both search criteria, then the entry is returned twice. For example, suppose you specified the previous search filters in a file named , and you set your search base using LDAP_BASEDN.
  • Page 511: Search Filter Syntax

    LDAP Search Filters For example, the following filter specifies a search for the common name Babs Jensen: cn=babs jensen This search filter returns all entries that contain the common name Babs Jensen. Searches for common name values are not case sensitive. When the common name attribute has values associated with a language tag, all of the values are returned.
  • Page 512: Using Operators In Search Filters

    LDAP Search Filters
    • cn (the person's common name)
    • sn (the person's surname, or last name, or family name)
    • telephoneNumber (the person's telephone number)
    • buildingName (the name of the building in which the person resides)
    • l (the locality where you can find the person)
    For a listing of the attributes associated with types of entries, see the Netscape Directory Server Schema Reference.
  • Page 513: Using Compound Search Filters

    LDAP Search Filters Table B-1 Search Filter Operators (Continued)
    Presence: Returns entries containing one or more values for the specified attribute. For example, cn=*, telephonenumber=*, manager=*.
    Approximate: Returns entries containing the specified attribute with a value that is approximately equal to the value specified in the search filter.
  • Page 514: Search Filter Examples

    LDAP Search Filters Table B-2 Search Filter Boolean Operators
    & (AND): All specified filters must be true for the statement to be true. For example, (&(filter)(filter)(filter)...)
    | (OR): At least one specified filter must be true for the statement to be true. For example, (|(filter)(filter)(filter)...)
    ! (NOT): The specified statement must not be true for the statement to be true.
  • Page 515: Searching An Internationalized Directory

    Searching an Internationalized Directory The following filter returns all entries whose organizational unit is Marketing and that have Julie Fulmer or Cindy Zwaska as a manager:
    (&(ou=Marketing)(|(manager=cn=Julie Fulmer,ou=Marketing,dc=example,dc=com)(manager=cn=Cindy Zwaska,ou=Marketing,dc=example,dc=com)))
    The following filter returns all entries that do not represent a person:
    (!(objectClass=person))
    The following filter returns all entries that do not represent a person and whose common name is similar to...
  • Page 516: Matching Rule Filter Syntax

    Searching an Internationalized Directory Matching Rule Filter Syntax A matching rule provides special guidelines for how the directory compares strings during a search operation. In an international search, the matching rule tells the system what collation order and operator to use when performing the search operation.
  • Page 517 Searching an Internationalized Directory • Using a Language Tag and Suffix for the Matching Rule
    Using an OID for the Matching Rule Each locale supported by the directory server has an associated collation order OID. For a list of locales supported by the directory server and their associated OIDs, see Table D-1 on page 531.
  • Page 518: Using Wildcards In Matching Rule Filters

    Searching an Internationalized Directory For a list of locales supported by the directory server and their associated OIDs, see Table D-1 on page 531. For a list of relational operators and their equivalent suffixes, see Table B-3 on page 519. Using a Language Tag and Suffix for the Matching Rule As an alternative to using a relational operator-value pair, you can append a suffix that represents a specific operator to the language tag in the matching rule portion...
  • Page 519: International Search Examples

    Searching an Internationalized Directory • greater than or equal to (>=) • less than (<) • less than or equal to (<=) Approximate, or phonetic, and presence searches are supported only in English. As with a regular search operation, an international search uses ldapsearch operators to define the type of search.
  • Page 520: Less Than Or Equal To Example

    Searching an Internationalized Directory For example, to search for all surnames that come before the surname Marquez in the Spanish collation order, you could use any of the following matching rule filters:
    sn:2.16.840.1.113730.3.3.2.15.1:=< Marquez
    sn:es:=< Marquez
    sn:2.16.840.1.113730.3.3.2.15.1.1:=Marquez
    sn:es.1:=Marquez
    Less Than or Equal to Example When you perform a locale-specific search using the less than or equal to operator (<=) or suffix (.2), you search for all attribute values that come at or before the given attribute in a specific collation order.
  • Page 521: Greater Than Example

    Searching an Internationalized Directory For example, to search for all localities that come at or after Québec in the French collation order, you could use any of the following matching rule filters:
    locality:2.16.840.1.113730.3.3.2.18.1:=>= Québec
    locality:fr:=>= Québec
    locality:2.16.840.1.113730.3.3.2.18.1.4:=Québec
    locality:fr.4:=Québec
    Greater Than Example When you perform a locale-specific search using the greater than operator (>) or suffix (.5), you search for all attribute values that come at or before the given attribute in a specific collation order.
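The filter syntax of Tables B-1 and B-2 and the four equivalent matching-rule forms shown in the international examples above, as an added Python helper that is not code from the manual or the product. It assumes the tag-to-OID pairs of Table D-1 (the tag column is missing from this excerpt, so the standard ISO 639 tags are paired with the locales here), takes the .3 equality suffix from Table B-3, and adds escaping of the characters that are special in a filter value, which the text itself does not cover.

```python
# Collation-order OIDs from Table D-1, keyed by ISO 639 language tag (the tag column
# did not survive in this excerpt; the pairing of tag and locale here is the standard one).
COLLATION_OID = {
    "de": "2.16.840.1.113730.3.3.2.7.1",   # German
    "el": "2.16.840.1.113730.3.3.2.10.1",  # Greek
    "es": "2.16.840.1.113730.3.3.2.15.1",  # Spanish
    "fr": "2.16.840.1.113730.3.3.2.18.1",  # French
    "ja": "2.16.840.1.113730.3.3.2.28.1",  # Japanese
    "pl": "2.16.840.1.113730.3.3.2.38.1",  # Polish
}

# Relational operator -> matching-rule suffix (Table B-3). .1, .2, .4 and .5 appear in the
# examples above; .3 is the equality entry of that table.
OPERATOR_SUFFIX = {"<": ".1", "<=": ".2", "=": ".3", ">=": ".4", ">": ".5"}

# Characters with special meaning inside a filter assertion value (RFC 4515 escaping).
# Escaping them keeps an externally supplied value from changing the filter's structure.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr, value):
    return f"({attr}={escape_filter_value(value)})"


def approx(attr, value):
    return f"({attr}~={escape_filter_value(value)})"


def present(attr):
    return f"({attr}=*)"


def and_(*filters):
    return "(&" + "".join(filters) + ")"


def or_(*filters):
    return "(|" + "".join(filters) + ")"


def not_(f):
    return f"(!{f})"


def matching_rule_variants(attr, lang, operator, value):
    """Return the four equivalent international filters the appendix lists for one search:
    OID with operator, language tag with operator, OID with suffix, language tag with suffix."""
    if operator not in OPERATOR_SUFFIX:
        # Approximate (~=) and presence (=*) searches are supported only in English.
        raise ValueError(f"operator {operator!r} has no locale-specific matching rule")
    oid, suffix, v = COLLATION_OID[lang], OPERATOR_SUFFIX[operator], escape_filter_value(value)
    return [
        f"{attr}:{oid}:={operator} {v}",
        f"{attr}:{lang}:={operator} {v}",
        f"{attr}:{oid}{suffix}:={v}",
        f"{attr}:{lang}{suffix}:={v}",
    ]
```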
  • Page 523: Appendix C Ldap Urls

    Appendix C LDAP URLs When you access the Netscape Directory Server (Directory Server) using a web-based client such as Directory Server Gateway, you must provide an LDAP URL identifying the Directory Server you wish to access. You also use LDAP URLs when managing Directory Server referrals or access control instructions.
  • Page 524 Components of an LDAP URL Table C-1 LDAP URL Components (Continued)
    base_dn: Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search. If no base DN is specified, the search starts at the root of the directory tree.
    attributes: The attributes to be returned.
  • Page 525: Escaping Unsafe Characters

    Escaping Unsafe Characters Escaping Unsafe Characters Any "unsafe" characters in the URL need to be represented by a special sequence of characters. This is called escaping unsafe characters. For example, a space is an unsafe character that must be represented as %20 within the URL.
  • Page 526: Examples Of Ldap Urls

    Examples of LDAP URLs Examples of LDAP URLs Example 1: The following LDAP URL specifies a base search for the entry with the distinguished name dc=example,dc=com:
    ldap://ldap.example.com/dc=example,dc=com
    Because no port number is specified, the standard LDAP port number (389) is used. Because no attributes are specified, the search returns all attributes.
  • Page 527 Examples of LDAP URLs Example 4: The following LDAP URL specifies a search for entries that have the surname Jensen and are at any level under dc=example,dc=com:
    ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen)
    Because no attributes are specified, the search returns all attributes. Because the search scope is sub, the search encompasses the base entry and entries at all levels under the base entry.
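The LDAP URL components of Table C-1, their defaults (port 389, scope base, all attributes, filter (objectClass=*)) and the escaping of unsafe characters, as an added Python parser and builder written for this page rather than taken from the manual or the product. The ldaps scheme with default port 636 and the one scope are standard LDAP URL values assumed here, not taken from this excerpt.

```python
from dataclasses import dataclass, field
from urllib.parse import quote, unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str                                      # "" means the root of the directory tree
    attributes: list = field(default_factory=list)    # [] means return all attributes
    scope: str = "base"
    filter: str = "(objectClass=*)"


def parse_ldap_url(url):
    """Split an LDAP URL into its components, applying the defaults Table C-1 describes."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")           # IPv6 literals are not handled here
    if not host:
        raise ValueError("LDAP URL has no host")
    port = int(port) if port else DEFAULT_PORT[scheme]
    # Components are separated by "?", so a literal "?" inside a component must already be
    # escaped as %3F; that is why the split happens before unescaping.
    parts = path.split("?")
    if len(parts) > 4:
        raise ValueError("too many '?' components; escape '?' inside the filter as %3F")
    parts += [""] * (4 - len(parts))
    base_dn, attrs, scope, filt = (unquote(p) for p in parts)
    scope = scope.lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"invalid scope {scope!r}; expected one of {SCOPES}")
    return LdapUrl(scheme, host, port, base_dn,
                   [a for a in attrs.split(",") if a], scope, filt or "(objectClass=*)")


def build_ldap_url(host, base_dn="", attributes=(), scope="base", filter_="", port=None,
                   scheme="ldap"):
    """Assemble an LDAP URL, escaping unsafe characters and leaving defaults implicit."""
    if scope not in SCOPES:
        raise ValueError(f"invalid scope {scope!r}; expected one of {SCOPES}")
    hostport = host if port in (None, DEFAULT_PORT[scheme]) else f"{host}:{port}"
    dn = quote(base_dn, safe="=,")                    # "o=a b" -> "o=a%20b"
    filt = quote(filter_, safe="()=*&|!~<>:")         # keeps filter syntax, escapes space and "?"
    tail = [",".join(attributes), "" if scope == "base" else scope, filt]
    while tail and not tail[-1]:                      # drop trailing empty components
        tail.pop()
    return f"{scheme}://{hostport}/{dn}" + "".join("?" + t for t in tail)
```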
  • Page 529: Appendix D Internationalization

    Appendix D Internationalization Netscape Directory Server (Directory Server) allows you to store, manage, and search for entries and their associated attributes in a number of different languages. An internationalized directory can be an invaluable corporate resource, providing employees and business partners with immediate access to the information they need in the languages they can understand.
  • Page 530: Identifying Supported Locales

    Identifying Supported Locales More specifically, a locale specifies: • Collation order—The collation order provides language and cultural-specific information about how the characters of a given language are to be sorted. It identifies things like the sequence of the letters in the alphabet, how to compare letters with accents with letters without accents, and if there are any characters that can be ignored when comparing strings.
  • Page 531 Identifying Supported Locales A language tag is a string that begins with the two-character lowercase language code that identifies the language (as defined in ISO standard 639). If necessary to distinguish regional differences in language, the language tag may also contain a country code, which is a two-character string (as defined in ISO standard 3166).
  • Page 532: Supported Language Subtypes

    Supported Language Subtypes Table D-1 Supported Locales (Continued): locale and collation order object identifier (OID)
    German 2.16.840.1.113730.3.3.2.7.1
    Greek 2.16.840.1.113730.3.3.2.10.1
    Hebrew 2.16.840.1.113730.3.3.2.27.1
    Hungarian 2.16.840.1.113730.3.3.2.23.1
    Icelandic 2.16.840.1.113730.3.3.2.24.1
    Japanese 2.16.840.1.113730.3.3.2.28.1
    Korean 2.16.840.1.113730.3.3.2.29.1
    Latvian, Lettish 2.16.840.1.113730.3.3.2.31.1
    Lithuanian 2.16.840.1.113730.3.3.2.30.1
    Macedonian 2.16.840.1.113730.3.3.2.32.1
    Norwegian 2.16.840.1.113730.3.3.2.35.1
    Polish 2.16.840.1.113730.3.3.2.38.1
    Romanian 2.16.840.1.113730.3.3.2.39.1...
  • Page 533: Table D-2 Supported Language Subtypes

    Supported Language Subtypes Table D-2 Supported Language Subtypes Language tag Language Afrikaans Byelorussian Bulgarian Catalan Czechoslovakian Danish German Greek English Spanish Basque Finnish Faroese French Irish Galician Croatian Hungarian Indonesian Icelandic Italian Japanese Korean Dutch Norwegian Polish Portuguese Romanian Appendix D Internationalization...
  • Page 534 Supported Language Subtypes Table D-2 Supported Language Subtypes (Continued) Languages: Russian, Slovakian, Slovenian, Albanian, Serbian, Swedish, Turkish, Ukrainian, Chinese
  • Page 535: Glossary

    Glossary access control instruction See ACI. ACI Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list See ACL. ACL Access control list. The mechanism for controlling access to your directory. access rights In the context of access control, specify the level of access granted or denied.
  • Page 536 attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list A list of required and optional attributes for a given entry type or object class.
  • Page 537 browser Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. browsing index Otherwise known as the virtual view index, speeds up the display of entries in the Directory Server Console.
  • Page 538 CIR See consumer-initiated replication. class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory. class of service See CoS. classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry’s attributes.
  • Page 539 DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory. data master The server that is the master source of a particular piece of data. database link An implementation of chaining. The database link behaves like a database but has no persistent storage.
  • Page 540 DNS alias A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as might point to a real machine called www.[yourdomain].[domain] where the server currently exists.
  • Page 541 HTML Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Netscape Navigator how to display text, position graphics and form items, and display links to other pages. HTTP Hypertext Transfer Protocol.
  • Page 542 LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format. LDAP client Software used to request and view LDAP entries from an LDAP Directory Server. See also browser. LDAP Data Interchange Format See LDIF. LDAP URL Provides the means of locating directory servers using DNS and then completing the query via LDAP.
  • Page 543 matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. MD5 A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability, and for which it is mathematically extremely hard to produce a different piece of data that yields the same message digest.
  • Page 544 network management station See NMS. NIS Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, file systems, and network parameters throughout a network of computers. NMS Network Management Station.
  • Page 545 permission In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied. See access rights. PDU Protocol Data Unit. Encoded messages which form the basis of data exchanges between SNMP devices.
  • Page 546 RDN Relative distinguished name. The name of the actual entry itself, before the entry's ancestors have been appended to the string to form the full distinguished name. referential integrity Mechanism that ensures that relationships between related entries are maintained within the directory. referral (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request.
  • Page 547 root The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine. root suffix The parent of one or more sub suffixes. A directory tree can contain more than one root suffix. schema Definitions describing what types of information can be stored as entries in the directory.
  • Page 548 single-master replication The most basic replication scenario, in which a single supplier server copies its read-write replica to one or more consumer servers. In a single-master replication scenario, the supplier server maintains a change log. SIR See supplier-initiated replication. slapd LDAP Directory Server daemon or service that is responsible for most functions of a directory except replication.
  • Page 549 supplier server In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication Replication configuration where supplier servers replicate directory data to consumer servers. symmetric encryption Encryption that uses the same key for both encrypting and decrypting.
  • Page 550 virtual list view index Otherwise known as a browsing index, speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance. X.500 standard The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementations.
  • Page 551: Index

