Administrator's Guide
Netscape Directory Server
Version 6.1
August 2002

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR and is the answer not in the manual?

Questions and answers

Summary of Contents for Netscape NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR

  • Page 1 Administrator’s Guide Netscape Directory Server Version 6.1 August 2002...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law. Your right to copy this documentation is limited by copyright law.
  • Page 3: Table Of Contents

    Contents List of Figures ..............19 List of Tables .
  • Page 4 Cloning a Directory Server ............. . 41 Creating a New Directory Server Instance .
  • Page 5 Using Referential Integrity with Replication ..........73 Configuring the Supplier Server .
  • Page 6 Advanced Feature: Tuning Database Link Performance ........116 Managing Connections to the Remote Server .
  • Page 7 Restoring All Databases ............. 157 Restoring All Databases from the Console .
  • Page 8 Editing an Existing CoS ............183 Deleting a CoS .
  • Page 9 Defining Group Access - groupdn Keyword ......... . . 216 Examples .
  • Page 10 Chapter 7 User Account Management ......... . 263 Managing the Password Policy .
  • Page 11 Initializing the Replicas for Single-Master Replication ........300 Configuring Multi-Master Replication .
  • Page 12 Solving Potential Interoperability Problems ..........334 Troubleshooting Replication-Related Problems .
  • Page 13 Deleting Browsing Indexes From the Command Line ........371 Deleting a Browsing Index Entry .
  • Page 14 Viewing the Audit Log ............402 Configuring the Audit Log .
  • Page 15 Chapter 14 Tuning Directory Server Performance ....... . . 431 Tuning Server Performance .
  • Page 16 PTA Plug-In ............... 457 Referential Integrity Postoperation Plug-In .
  • Page 17 Simple Replication Scenario ............491 Multi-Master Replication Scenario .
  • Page 18 Search Filter Syntax ..............521 Using Attributes in Search Filters .
  • Page 19: List Of Figures

    List of Figures Figure 1-1 Viewing the Bind DN ........... . . 35 Figure 3-1 A Sample Directory Tree with One Root Suffix .
  • Page 21: List Of Tables

    List of Tables Table 2-1 Entry Templates and Corresponding Object Classes ......47 Table 2-2 Description of ldapmodify Parameters Used for Adding Entries .
  • Page 22 Table 10-2 System indexes ............350 Table 10-3 Attribute Name Quick Reference Table .
  • Page 23 Table 15-25 Details of Presence Plug-In ..........457 Table 15-26 Details of PTA Plug-In .
  • Page 25: Introduction

    Introduction Netscape Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 26: Prerequisite Reading

    Prerequisite Reading • Multiple databases—Provides a simple way of breaking down your directory data to simplify the implementation of replication and chaining in your directory service. • Password Policy and Account Lockout—Allows you to define a set of rules that govern how passwords and user accounts are managed in the Directory Server.
  • Page 27: Conventions Used In This Book

    Conventions Used in This Book This section explains the conventions used in this book. Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It is also used for filenames, functions, and examples.
  • Page 28: Related Information

    Related Information The document set for Directory Server also contains the following guides: • Netscape Directory Server Installation Guide. Contains procedures for installing your Directory Server as well as procedures for migrating from a previous installation of Directory Server. •...
  • Page 29: Part 1 Administering Netscape Directory Server

    Part 1 Administering Netscape Directory Server Chapter 1, “Introduction to Netscape Directory Server” Chapter 2, “Creating Directory Entries” Chapter 3, “Configuring Directory Databases” Chapter 4, “Populating Directory Databases” Chapter 5, “Advanced Entry Management” Chapter 6, “Managing Access Control” Chapter 7, “User Account Management” Chapter 8, “Managing Replication”...
  • Page 30 Chapter 11, “Managing SSL” Chapter 12, “Monitoring Server and Database Activity” Chapter 13, “Monitoring Directory Server Using SNMP” Chapter 14, “Tuning Directory Server Performance” Netscape Directory Server Administrator’s Guide • August 2002...
  • Page 31: Chapter 1 Introduction To Netscape Directory Server

    Chapter 1 Introduction to Netscape Directory Server Netscape Directory Server (Directory Server) product includes a Directory Server, an Administration Server to manage multiple server instances, and Netscape Console to manage server instances through a graphical interface. This chapter provides overview information about the Directory Server, and the most basic tasks you need to start administering a directory service.
  • Page 32: Overview Of Directory Server Management

    Overview of Directory Server Management The Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources. It is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server runs as the ns-slapd process or service on your machine.
  • Page 33: Copying Entry Dns To The Clipboard

    Using the Directory Server Console Start Netscape Console by entering the following command: # serverRoot/startconsole The Console login window is displayed. Or, if your configuration directory (the directory that contains the o=NetscapeRoot suffix) is stored in a separate instance of Directory Server, a window is displayed requesting the administrator user id, password, and the URL of the Netscape Administration Server for that Directory Server.
  • Page 34: Configuring The Directory Manager

    Configuring the Directory Manager The Directory Manager is the privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the entry you define as Directory Manager. You initially defined this entry during installation. The default DN is cn=Directory Manager. The password for this user is defined in the nsslapd-rootpw attribute.
  • Page 35: Changing Login Identity

    Starting and Stopping the Directory Server Changing Login Identity You can log in with the Directory Manager DN when you first start the Netscape Console. At any time, you can choose to log in as a different user, without having to stop and restart the Console.
  • Page 36: Starting/Stopping The Server From The Console

    Starting and Stopping the Directory Server NOTE On UNIX systems, rebooting the system does not automatically start the slapd process. This is because the directory does not automatically create startup or run command (rc) scripts. Check your operating system documentation for details on adding these scripts.
  • Page 37: Starting/Stopping The Server From The Command Line

    Configuring LDAP Parameters Starting/Stopping the Server From the Command Line Use one of the following scripts: serverRoot/slapd-serverID/start-slapd serverRoot/slapd-serverID/stop-slapd where serverID is the identifier you specified for the server when you installed it. On UNIX, both of these scripts must run with the same UID and GID as the Directory Server.
  • Page 38: Placing The Entire Directory Server In Read-Only Mode

    Configuring LDAP Parameters • You need to change the configuration or user directory port or secure port number configured for Netscape Administration Server. See Managing Servers with Netscape Console for information. • If you have other Netscape servers installed that point to the configuration or user directory, you need to update those servers to point to the new port number.
  • Page 39: Tracking Modifications To Directory Entries

    Configuring LDAP Parameters Click Save and then restart the server. NOTE This operation also makes the Directory Server configuration read-only; therefore, you cannot update the server configuration, enable or disable plug-ins, or even restart the Directory Server while it is in read-only mode. For information on placing a single database in read-only mode, refer to “Enabling Read-Only Mode,”...
  • Page 40: Starting The Server With Ssl Enabled

    Starting the Server with SSL Enabled Select the Track Entry Modification Times checkbox. The server adds the creatorsName, createTimestamp, modifiersName, and modifyTimestamp attributes to every newly created or modified entry. Click Save and then restart the server. See “Starting and Stopping the Directory Server,” on page 35 for more information.
  • Page 41: Cloning A Directory Server

    Cloning a Directory Server To create certificate databases, you must use the administration server and the Certificate Setup Wizard. For information on certificate databases, certificate aliases, SSL, and obtaining a server certificate, see Managing Servers with Netscape Console. For information on using SSL with your Directory Server, see Chapter 11, “Managing SSL.”...
  • Page 42: Cloning The Directory Configuration

    Starting the Server in Referral Mode Enter the password for this user in the Password for Root DN field, and confirm it by entering it again in the Confirm Password field. If running the server on a UNIX host, enter the user ID for the Directory Server daemon, in the Server Runtime User ID field.
  • Page 43: Using The Refer Command

    Starting the Server in Referral Mode Using the refer Command On a UNIX machine, to start the Directory Server in referral mode follow these steps: Go to the /bin/slapd/server directory under your installation directory: prompt% cd serverRoot/slapd-serverID/bin/slapd/server Run the refer command as follows: # ./ns-slapd refer -D instance_dir -r referral_url [-p port] where instance_dir is the directory instance for which queries will be...
  • Page 45: Chapter 2 Creating Directory Entries

    Chapter 2 Creating Directory Entries This chapter discusses how to use the Directory Server Console and the ldapmodify and ldapdelete command-line utilities to modify the contents of your directory. During the planning phase of your directory deployment, you should characterize the types of data that your directory will contain. You should read Netscape Directory Server Deployment Guide before creating entries and modifying the default schema.
  • Page 46: Creating A Root Entry

    Managing Entries From the Directory Console • Deleting Directory Entries This section assumes some basic knowledge of object classes and attributes. For an introduction to object classes and attributes, refer to Netscape Directory Server Deployment Guide. For information on the definition and use of all schema provided with Netscape server products, refer to the Netscape Directory Server Schema Reference.
  • Page 47: Creating Directory Entries

    Managing Entries From the Directory Console In the New Object window, select the object class corresponding to the new entry. The object class you select must contain the attribute you used to name the suffix. For example, if you are creating the entry corresponding to the suffix ou=people,dc=example,dc=com, then you can choose the organizationalUnit object class (or another object class that allows the...
  • Page 48: Creating An Entry Using A Predefined Template

    Managing Entries From the Directory Console These templates contain fields representing all the mandatory attributes, and some of the commonly used optional attributes. To create an entry using one of these templates, refer to “Creating an Entry Using a Predefined Template,” on page 48. To create any other type of entry, refer to “Creating Other Types of Entries,”...
  • Page 49: Modifying Directory Entries

    Managing Entries From the Directory Console Click OK. If you selected an object class related to a type of entry for which a predefined template is available, the corresponding Create window is displayed. (See “Creating an Entry Using a Predefined Template,” on page 48). In all other cases, the Property Editor is displayed.
  • Page 50: Displaying The Property Editor

    Managing Entries From the Directory Console Displaying the Property Editor You can start the Property Editor in several ways: • From the Directory tab, by right-clicking an entry in the left or right pane, and selecting Properties from the pop-up menu. •...
  • Page 51: Adding An Attribute To An Entry

    Managing Entries From the Directory Console Click OK in the Property Editor when you have finished editing the entry. The Property Editor is dismissed. Adding an Attribute to an Entry Before you can add an attribute to an entry, the entry must contain an object class that either requires or allows the attribute.
  • Page 52: Removing An Attribute Value

    Managing Entries From the Directory Console Type in the name of the new attribute value. Click OK in the Property Editor when you have finished editing the entry. The Property Editor is dismissed. Removing an Attribute Value To remove an attribute value from an entry: On the Directory tab of the Directory Server Console, right-click the entry you want to modify and select Properties from the pop-up menu.
  • Page 53 Managing Entries From the Directory Console You can assign only one language subtype per attribute instance in an entry. To assign multiple language subtypes, add another attribute instance to the entry and then assign the new language subtype. For example, the following is illegal: cn;lang-ja;lang-en-GB: Smith Instead, use: cn;lang-ja: ja_value...
  • Page 54: Deleting Directory Entries

    Managing Entries From the Command Line From the Subtype drop-down list you can also assign one of two other subtypes: binary, or pronunciation. Click OK. The Add Attribute window is dismissed. When you have finished defining the information for the entry, click OK in the Property Editor.
  • Page 55: Providing Input From The Command Line

    Managing Entries From the Command Line • Adding and Modifying Entries Using ldapmodify • Deleting Entries Using ldapdelete • Using Special Characters NOTE You cannot modify your directory unless the appropriate access control rules have been set. For information on creating access control rules for your directory, see Chapter 6, “Managing Access Control.”...
  • Page 56: Creating A Root Entry From The Command Line

    Managing Entries From the Command Line For example: dn: dc=example,dc=com dn: ou=People, dc=example,dc=com People subtree entries. dn: ou=Group, dc=example,dc=com Group subtree entries. Creating a Root Entry From the Command Line You can use the ldapmodify command-line utility to create a new root entry in a database.
  • Page 57: Adding Entries Using Ldif

    Managing Entries From the Command Line Adding Entries Using LDIF You can use an LDIF file to add multiple entries or to import an entire database. To add entries using an LDIF file and the Directory Server Console: Define the entries in an LDIF file. LDIF is described in Appendix A, “LDAP Data Interchange Format.”...
  • Page 58: Adding Entries Using Ldapmodify

    Managing Entries From the Command Line To create a database suffix (such as dc=example,dc=com) using ldapmodify, you must bind to the directory as the Directory Manager. Adding Entries Using ldapmodify Here is a typical example of how to use the ldapmodify utility to add entries to the directory.
  • Page 59: Modifying Entries Using Ldapmodify

    Managing Entries From the Command Line Description of ldapmodify Parameters Used for Adding Entries (Continued) Table 2-2 Parameter Name Description Optional parameter that specifies the file containing the LDIF update statements used to define the modifications. If you do not supply this parameter, the update statements are read from stdin.
  • Page 60: Deleting Entries Using Ldapdelete

    Managing Entries From the Command Line Description of ldapmodify Parameters Used for Modifying Entries (Continued) Table 2-3 Parameter Name Description Specifies the password associated with the distinguished name specified in the -D parameter. Specifies the name of the host on which the server is running. Specifies the port number that the server uses.
  • Page 61: Using Special Characters

    Managing Entries From the Command Line • You have created a database administrator that has the authority to modify the entries, and whose distinguished name is cn=Directory Manager, dc=example,dc=com • The database administrator’s password is King-Pin • The server is located on cyclops •...
  • Page 62: Ldif Update Statements

    LDIF Update Statements -D "cn=Barbara Jensen,ou=Product Development,dc=example,dc=com" Depending on the command-line utility you use, you should use either single or double quotation marks for this purpose. Refer to your operating system documentation for more information. In addition, if you are using DNs that contain commas, you must escape the commas with a backslash (\).
  • Page 63: Adding An Entry Using Ldif

    LDIF Update Statements change_operation_identifier list_of_attributes A dash (-) must be used to denote the end of a change operation if subsequent change operations are specified. For example, the following statement adds the telephone number and manager attributes to the entry: dn: cn=Lisa Jangles,ou=People,dc=example,dc=com changetype: modify add: telephonenumber...
  • Page 64 LDIF Update Statements dn: ou=People, dc=example,dc=com changetype: add objectclass: top objectclass: organizationalUnit ou: People ou: Marketing dn: cn=Pete Minsky,ou=People,dc=example,dc=com changetype: add objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: Pete Minsky givenName: Pete sn: Minsky ou: People ou: Marketing uid: pminsky dn: cn=Sue Jacobs,ou=People,dc=example,dc=com changetype: add...
  • Page 65: Renaming An Entry Using Ldif

    LDIF Update Statements objectclass: top objectclass: organizationalUnit ou: example.com Bolivia\, S.A. dn: cn=Carla Flores,ou=example.com Bolivia\, S.A.,dc=example,dc=com changetype: add objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: Carla Flores givenName: Carla sn: Flores ou: example.com Bolivia\, S.A. uid: cflores Renaming an Entry Using LDIF Use changetype:modrdn to change an entry’s relative distinguished name (RDN).
  • Page 66: A Note On Renaming Entries

    LDIF Update Statements The following example can be used to rename Sue Jacobs to Susan Jacobs: dn: cn=Sue Jacobs,ou=Marketing,dc=example,dc=com changetype: modrdn newrdn: cn=Susan Jacobs deleteoldrdn: 0 Because deleteoldrdn is 0, this example retains the existing RDN as a value in the new entry.
  • Page 67: Modifying An Entry Using Ldif

    LDIF Update Statements Modifying an Entry Using LDIF Use changetype:modify to add, replace, or remove attributes and/or attribute values to the entry. When you specify changetype:modify, you must also provide a change operation to indicate how the entry is to be modified. Change operations can be as follows: •...
  • Page 68 LDIF Update Statements For example, the following LDIF update statement adds a telephone number to the entry: dn: cn=Barney Fife,ou=People,dc=example,dc=com changetype: modify add: telephonenumber telephonenumber: 555-1212 The following example adds two telephone numbers to the entry: dn: cn=Barney Fife,ou=People,dc=example,dc=com changetype: modify add: telephonenumber telephonenumber: 555-1212 telephonenumber: 555-6789...
  • Page 69: Changing An Attribute Value Using Ldif

    LDIF Update Statements For example, you could use the following ldapmodify command: prompt% ldapmodify -D userDN -w user_passwd >version: 1 >dn: cn=Barney Fife,ou=People,dc=example,dc=com >changetype: modify >add: userCertificate >userCertificate;binary:< file: BarneysCert NOTE You can use the standard LDIF notation only with the ldapmodify command, not with other command-line utilities.
  • Page 70: Deleting All Values Of An Attribute Using Ldif

    LDIF Update Statements Barney’s entry is now as follows: cn=Barney Fife,ou=People,dc=example,dc=com objectClass: inetOrgPerson cn: Barney Fife sn: Fife telephonenumber: 555-5678 telephonenumber: 555-4321 Deleting All Values of an Attribute Using LDIF Use changetype:modify with the delete operation to delete an attribute from an entry.
  • Page 71: Deleting An Entry Using Ldif

    LDIF Update Statements Barney’s entry then becomes: cn=Barney Fife,ou=People,dc=example,dc=com objectClass: inetOrgPerson cn: Barney Fife sn: Fife telephonenumber: 555-5678 Deleting an Entry Using LDIF Use changetype:delete to delete an entry from your directory. You can only delete leaf entries. Therefore, when you delete an entry, make sure that no other entries exist under that entry in the directory tree.
  • Page 72: Modifying An Entry In An Internationalized Directory

    Maintaining Referential Integrity Modifying an Entry in an Internationalized Directory If the attribute values in your directory are associated with one or more languages other than English, the attribute values are associated with language tags. When using the ldapmodify command-line utility to modify an attribute that has an associated language tag, you must match the value and language tag exactly or the modify operation will fail.
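The rules laid out in this section (a dash separating the change operations of one modify, deleteoldrdn on a modrdn, delete being allowed only on leaf entries, language-tagged attribute descriptions having to match exactly, and backslash-escaped commas inside a DN) can be exercised offline with the following Python. It is an added example, not part of this guide or of Directory Server: it applies LDIF update statements to a small in-memory directory whose entries are constructed for the example. Base64 (::) and file (:<) values and folded lines are not handled, and its DN matching is a case-folding simplification of real LDAP matching rules.

```python
"""LDIF update statements (add/modify/modrdn/delete) applied to an in-memory directory. Added example; entries are constructed."""
import re


class LdifError(Exception):
    """An update the server would reject (no such entry, not a leaf, ...)."""


def split_dn(dn):
    """RDNs of a DN; a backslash-escaped comma (\\,) stays inside its value."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def norm_dn(dn):                      # lookup key; case folding is a simplification
    return ",".join(split_dn(dn)).lower()


def parse_ldif(text):
    """Records as ordered (name, value) pairs, '-' kept as ('-', ''); no folded/base64/file lines."""
    records = [[]]
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if not line.strip():
            records.append([])        # a blank line ends the record
        else:
            records[-1].append(("-", "") if line.strip() == "-" else (name.strip().lower(), value.strip()))
    return [r for r in records if r]


def apply_modify(entry, ops):
    """'-' separates change operations; the attribute description must match exactly ('cn' != 'cn;lang-ja')."""
    i = 0
    while i < len(ops):
        op, attr, vals, i = ops[i][0], ops[i][1].lower(), [], i + 1
        while i < len(ops) and ops[i][0] != "-":
            vals.append(ops[i][1])
            i += 1
        i += 1                        # past the '-' (absent after the last operation)
        have = entry.get(attr, [])
        if op == "add":
            if any(v in have for v in vals):
                raise LdifError(f"{attr}: value already exists")
            new = have + vals
        elif op == "replace":
            new = vals
        else:                         # delete
            if attr not in entry or any(v not in have for v in vals):
                raise LdifError(f"{attr}: no such attribute or value")
            new = [v for v in have if v not in vals] if vals else []
        if new:
            entry[attr] = new
        else:
            entry.pop(attr, None)     # no values left (or none listed on delete) drops the attribute


def apply_record(d, rec):
    pairs = [p for p in rec if p[0] != "version"]
    dn, rest = pairs[0][1], pairs[1:]
    key, ctype = norm_dn(dn), "add"   # add is the default when changetype: is absent
    if rest and rest[0][0] == "changetype":
        ctype, rest = rest[0][1].lower(), rest[1:]
    if ctype == "add":
        if key in d:
            raise LdifError(f"{dn}: already exists")
        d[key] = {n: [v for m, v in rest if m == n] for n, _ in rest}
        return f"added {dn}"
    if key not in d:
        raise LdifError(f"{dn}: no such entry")
    if ctype == "modify":
        apply_modify(d[key], rest)
        return f"modified {dn}"
    if any(",".join(split_dn(k)[1:]) == key for k in d):
        raise LdifError(f"{dn}: not a leaf entry")   # delete and modrdn need a leaf
    if ctype == "delete":
        del d[key]
        return f"deleted {dn}"
    f, entry = dict(rest), d.pop(key)                 # changetype: modrdn
    old_a, _, old_v = [s.strip() for s in split_dn(dn)[0].partition("=")]
    new_a, _, new_v = [s.strip() for s in f["newrdn"].partition("=")]
    if new_v not in entry.setdefault(new_a.lower(), []):
        entry[new_a.lower()].append(new_v)           # the new RDN value is always present
    if f.get("deleteoldrdn", "0") == "1":            # deleteoldrdn: 0 keeps the old value
        entry[old_a.lower()].remove(old_v)
    new_dn = f["newrdn"] + "," + ",".join(split_dn(dn)[1:])
    d[norm_dn(new_dn)] = entry
    return f"renamed {dn} to {new_dn}"


def apply_ldif(d, text):
    return [apply_record(d, r) for r in parse_ldif(text)]


def rejects(d, text):                 # True when a server-side rule refuses the statement
    try:
        apply_ldif(d, text)
        return False
    except LdifError:
        return True


def demo():
    """Seed a constructed tree, then add, modify (two change operations) and rename."""
    d = {}
    apply_ldif(d, "\n".join([
        "dn: ou=People,dc=example,dc=com", "objectclass: organizationalUnit", "ou: People", "",
        "dn: cn=Sue Jacobs,ou=People,dc=example,dc=com", "objectclass: person", "cn: Sue Jacobs", "sn: Jacobs", "",
        "version: 1", "dn: cn=Pete Minsky,ou=People,dc=example,dc=com", "changetype: add",
        "objectclass: inetOrgPerson", "cn: Pete Minsky", "cn;lang-en-GB: Pete", "sn: Minsky", "",
        "dn: cn=Pete Minsky,ou=People,dc=example,dc=com", "changetype: modify", "add: telephonenumber",
        "telephonenumber: 555-1212", "telephonenumber: 555-6789", "-", "delete: cn;lang-en-GB", "cn;lang-en-GB: Pete", "",
        "dn: cn=Sue Jacobs,ou=People,dc=example,dc=com", "changetype: modrdn", "newrdn: cn=Susan Jacobs", "deleteoldrdn: 0"]))
    return d
```

After demo() runs, Pete Minsky has both telephone numbers, his cn;lang-en-GB value is gone while his untagged cn is untouched, and Sue Jacobs has become cn=Susan Jacobs with "Sue Jacobs" still present as a second cn value because deleteoldrdn was 0. Feeding rejects() a delete of ou=People (which still has children) or a delete of cn: Pete against the untagged cn shows the two refusals the text warns about.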
  • Page 73: Using Referential Integrity With Replication

    Maintaining Referential Integrity NOTE The referential integrity plug-in should only be enabled on one master replica in a multi-master replication environment, to avoid conflict resolution loops. When enabling the plug-in on servers issuing chaining requests, be sure to analyze your performance resource and time needs as well as your integrity needs.
  • Page 74: Configuring The Supplier Server

    Maintaining Referential Integrity • In the context of multi-master replication, you should enable it on just one master. Configuring the Supplier Server When your replication environment satisfies the conditions listed above, you can enable the referential integrity plug-in. Enable the referential integrity plug-in. This task is described in “Enabling/Disabling Referential Integrity,”...
  • Page 75: Recording Updates In The Change Log

    Maintaining Referential Integrity Recording Updates in the Change Log You can decide to record updates in the replication change log instead of recording them in the default location, that is, in the referint file in the serverRoot/slapd-serverID/logs directory. You must do this if you want referential integrity updates to be replicated to consumer servers in the context of replication.
  • Page 76: From The Directory Server Console

    Maintaining Referential Integrity • 604,800 seconds (updates occur once a week) You can modify the update interval from the Directory Server Console. From the Directory Server Console On the Directory Server Console, select the Configuration tab. For information on starting the Directory Server Console, refer to “Using the Directory Server Console,”...
  • Page 77 Maintaining Referential Integrity For your changes to be taken into account, go to the Tasks tab, and select Restart the Directory Server. NOTE For best performance, the attributes set for updating should also be indexed. For information on indexing, see Chapter 8, “Managing Indexes.”...
  • Page 79: Chapter 3 Configuring Directory Databases

    Chapter 3 Configuring Directory Databases Your directory is made up of databases over which you can distribute your directory tree. This chapter describes how to create suffixes, the branch points for your directory tree, and how to create the databases associated with each suffix. This chapter also describes how to create database links to reference databases on remote servers and how to use referrals to point clients to external sources of directory data.
  • Page 80: Creating Suffixes

    Creating and Maintaining Suffixes Figure 3-1 A Sample Directory Tree with One Root Suffix The ou=people suffix and all the entries and nodes below it might be stored in one database, the ou=groups suffix on another database, and the ou=contractors suffix on yet another database. This section describes creating suffixes on your Directory Server and associating them with databases.
  • Page 81: Figure 3-2 A Sample Directory Tree With Two Root Suffixes

    Creating and Maintaining Suffixes Figure 3-2 A Sample Directory Tree with Two Root Suffixes You can also create root suffixes to exclude portions of your directory tree from search operations. For example, example.com Corporation might want to exclude their European office from a search on the general example.com Corporation directory.
  • Page 82: Creating A New Root Suffix Using The Console

    Creating and Maintaining Suffixes A Sample Directory Tree with a Sub Suffix Figure 3-4 This section describes creating root and sub suffixes for your directory using either the Directory Server Console or the command line. This section contains the following procedures: •...
  • Page 83: Creating A New Sub Suffix Using The Console

    Creating and Maintaining Suffixes If you selected the “Create associated database automatically” checkbox in step 4, enter a unique name for the new database in the “Database name” field. For the name, you can use a combination of alphanumeric, dash (-), and underscore (_) characters;...
  • Page 84: Creating Root And Sub Suffixes From The Command Line

    Creating and Maintaining Suffixes Click OK to create the new sub suffix. The suffix appears automatically under its root suffix in the Data tree in the left navigation pane. Creating Root and Sub Suffixes From the Command Line Use the ldapmodify command-line utility to add new suffixes to your directory configuration file.
  • Page 85: Table 3-1 Suffix Attributes

    Creating and Maintaining Suffixes To create a sub suffix for groups under this root suffix, you would do an ldapmodify operation to add the following entry:
    dn: cn="ou=groups,dc=example,dc=com",cn=mapping tree,cn=config
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsMappingTree
    nsslapd-state: backend
    nsslapd-backend: GroupData
    nsslapd-parent-suffix: "dc=example,dc=com"
    cn: ou=groups,dc=example,dc=com
    NOTE If you want to maintain your suffixes using the Directory Server...
  • Page 86 Creating and Maintaining Suffixes Table 3-1 Suffix Attributes (Continued) Attribute Name Value nsslapd-state Determines how the suffix handles operations. This attribute takes the following values: • backend: the backend (database) is used to process all operations. • disabled: the database is not available for processing operations.
  • Page 87: Maintaining Suffixes

    Creating and Maintaining Suffixes Suffix Attributes (Continued) Table 3-1 Attribute Name Value nsslapd-parent-suffix Provides the DN of the parent entry for a sub suffix. By default, this attribute is not present, which means that the suffix is regarded as a root suffix.
  • Page 88: Enabling Referrals Only During Update Operations

    Creating and Maintaining Suffixes Click Add to add the referral to the list. You can enter multiple referrals. The directory will return the entire list of referrals in response to requests from client applications. Click Save. Enabling Referrals Only During Update Operations You may want to configure your directory to redirect update and write requests made by client applications to a read-only database.
  • Page 89: Deleting A Suffix

    Creating and Maintaining Databases To disable a suffix: On the Directory Server Console select the Configuration tab. Under Data in the left navigation pane, click the suffix you want to disable. Click the Suffix Setting tab. Deselect the “Enable this suffix” checkbox. A red dot appears on the Suffix Setting tab to alert you to changes that need to be saved.
  • Page 90: Creating Databases

    Creating and Maintaining Databases This section contains information about creating databases to contain your directory data, deleting databases, and making databases temporarily read-only. Creating Databases Directory Server supports the use of multiple databases over which you can distribute your directory tree. There are two ways you can distribute your data across multiple databases: •...
  • Page 91 Creating and Maintaining Databases Database one contains the data for dc=example,dc=com plus the data for ou=people, so that clients can conduct searches based at dc=example,dc=com. Database two contains the data for ou=groups, and database three contains the data for ou=contractors. •...
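The following Python is an added example, not part of this guide or of Directory Server. It models two things from this chapter: the mapping tree entry that the command-line procedure creates for a root or sub suffix (the quoted cn, nsslapd-backend, nsslapd-state and nsslapd-parent-suffix attributes of Table 3-1) and how the target DN of an operation is routed to the database of the most specific enabled suffix, so that an ou=people entry lands in the root suffix's database while ou=groups entries go to the GroupData database. The backend name userRoot, the contractors referral URL, the nsslapd-referral attribute and the "referral" and "referral on update" states given to that suffix are assumptions made for the example; escaped commas in DNs are not handled.

```python
"""Mapping-tree model: the suffix entries under cn=mapping tree,cn=config and how an
operation's target DN is routed to a database. Added example, not Directory Server
code; suffixes, backend names, the referral states and the referral URL are constructed."""


def suffix_entry(suffix, backend="", state="backend", parent="", referrals=()):
    """One mapping tree node carrying the attributes of Table 3-1."""
    return {"suffix": suffix, "backend": backend, "state": state,
            "parent": parent, "referrals": list(referrals)}


def suffix_ldif(s):
    """The ldapmodify input that creates the node. The cn is the suffix DN; it
    contains commas, so it is quoted inside the entry's own DN."""
    lines = [f'dn: cn="{s["suffix"]}",cn=mapping tree,cn=config',
             "objectclass: top", "objectclass: extensibleObject",
             "objectclass: nsMappingTree", f'nsslapd-state: {s["state"]}']
    if s["backend"]:
        lines.append(f'nsslapd-backend: {s["backend"]}')
    if s["parent"]:                                  # only a sub suffix has a parent
        lines.append(f'nsslapd-parent-suffix: "{s["parent"]}"')
    lines += [f"nsslapd-referral: {r}" for r in s["referrals"]]   # assumed attribute name
    lines.append(f'cn: {s["suffix"]}')
    return "\n".join(lines) + "\n"


def _rdns(dn):
    """Whole RDN components, case folded; escaped commas are not handled here."""
    return [p.strip().lower() for p in dn.split(",")]


def route(tree, target_dn, update=False):
    """Find the most specific suffix containing target_dn and report where the
    operation goes: ('backend', name), ('referral', urls), ('disabled', suffix)
    or ('none', '') when the DN lies outside every configured suffix."""
    target, best, best_len = _rdns(target_dn), None, 0
    for s in tree:
        rdns = _rdns(s["suffix"])
        if len(rdns) <= len(target) and target[-len(rdns):] == rdns and len(rdns) > best_len:
            best, best_len = s, len(rdns)            # a sub suffix beats its root suffix
    if best is None:
        return ("none", "")
    if best["state"] == "disabled":
        return ("disabled", best["suffix"])
    if best["state"] == "referral" or (best["state"] == "referral on update" and update):
        return ("referral", " ".join(best["referrals"]))
    return ("backend", best["backend"])


def example_tree():
    """The three-database layout of this chapter (root suffix holding ou=people,
    sub suffixes for ou=groups and ou=contractors), with the contractors suffix
    set to refer updates elsewhere (an assumption made for the example)."""
    root = "dc=example,dc=com"
    return [
        suffix_entry(root, "userRoot"),
        suffix_entry("ou=groups," + root, "GroupData", parent=root),
        suffix_entry("ou=contractors," + root, "ContractorData", parent=root,
                     state="referral on update",
                     referrals=("ldap://contractors.example.com:389/",)),
    ]
```

Routing picks the deepest suffix whose RDNs are a suffix of the target DN's RDN list, so a DN under ou=groups is served by GroupData even though dc=example,dc=com also contains it, while a DN under ou=people stays with the root suffix's database because no sub suffix claims it. Comparing whole RDN components rather than string suffixes keeps dc=notexample,dc=com from matching dc=example,dc=com.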
  • Page 92: Creating A New Database For An Existing Suffix Using The Console

    Creating and Maintaining Databases Creating a New Database for an Existing Suffix Using the Console The following procedure describes adding a database to a suffix you have already created: In the Directory Server Console, select the Configuration tab. In the left pane, expand Data then click the suffix to which you want to add the new database.
  • Page 93: Adding Multiple Databases For A Single Suffix

    Creating and Maintaining Databases Add a new entry to the configuration file by performing an ldapmodify as follows: ldapmodify -a -h example1 -p 389 -D "cn=directory manager" -w secret The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file.
  • Page 94: Adding The Custom Distribution Function To A Suffix

    Creating and Maintaining Databases Once Netscape Professional Services has helped you create a custom distribution logic plug-in, you need to add it to your directory. The following procedures describe adding distribution logic to a suffix in your directory. Adding the Custom Distribution Function to a Suffix The distribution logic is a function declared in a suffix.
  • Page 95: Maintaining Directory Databases

    Creating and Maintaining Databases For more information about using the command-line utility, refer to ldapmodify “Adding and Modifying Entries Using ldapmodify,” on page 57. Maintaining Directory Databases This section describes jobs associated with maintaining your directory databases. It includes the following procedures: •...
  • Page 96: Deleting A Database

    Creating and Maintaining Database Links Making a Database Read-Only From the Command Line If you want to manually place a database into read-only mode, you must change the read-only attribute, nsslapd-readonly, to on. To do so, use the ldapmodify command-line utility.
  • Page 97: Configuring The Chaining Policy

    Creating and Maintaining Database Links You can create and configure a database link using Directory Server Console or the command line. The following sections describe the procedures for creating and maintaining a database link: • Configuring the Chaining Policy • Creating a New Database Link •...
  • Page 98: Table 3-2 Components Allowed To Chain

    Creating and Maintaining Database Links You must also create an ACI on the remote server to allow the plug-in you specify to perform its operations on the remote server. You create the ACI in the suffix assigned to the database link. The following table lists component names, the potential side-effects of allowing them to chain internal operations, and the permissions they need in the ACI you create on the remote server:...
  • Page 99 Creating and Maintaining Database Links Components Allowed to Chain (Continued) Table 3-2 Component Name Description Permissions Referential This plug-in ensures that updates made to attributes Read, write, search, and integrity plug-in containing DNs are propagated to all entries that contain compare pointers to the attribute.
  • Page 100 Creating and Maintaining Database Links The following sections describe how to specify components you want to allow to chain using the console and from the command line. Chaining Component Operations Using the Console On the Directory Server Console, select the Configuration tab. Expand Data in the left pane and click Database Link Settings.
  • Page 101: Chaining Ldap Controls

    After allowing the component to chain, you must create an ACI in the suffix on the remote server to which the operation will be chained. For example, you would create the following ACI for the referential integrity component:

        aci: (targetattr "*")(target="ldap:///ou=customers,l=us,dc=example,dc=com") (version 3.0;...
  • Page 102: Creating A New Database Link

    Select the Settings tab in the right window. To add an LDAP control to the list, click Add. The “Select control OIDs to add” dialog box displays. Select the OID of a control you want to add to the list and click OK. To delete a control from the list, select it from the “LDAP controls forwarded to the remote server”...
  • Page 103: Creating A New Database Link Using The Console

    Suffix information. You create a suffix in your directory tree that is managed by the database link, not a regular database. This suffix corresponds to the suffix on the remote server that contains the data. Bind credentials.
  • Page 104: Creating A Database Link From The Command Line

    Enter the name of the new database link in the “Database link name” field. Use only ASCII (7-bit) characters for naming the database link. This value cannot contain commas, tabs, an equals sign (=), asterisk (*), backslash (\), forward slash (/), plus sign (+), quote (‘), double quote (“), or a question mark (?).
  • Page 105

    Your new instance must be located in the cn=chaining database,cn=plugins,cn=config entry. Default configuration attributes are contained in the cn=default config,cn=chaining database,cn=plugins,cn=config entry. These configuration attributes apply to all database links at creation time. Changes to the default configuration only affect new database links.
  • Page 106

    Providing Bind Credentials For a request from a client application to be chained to a remote server, you can provide special bind credentials for the client application. This gives the remote server the proxied authorization rights needed to chain operations. If you do not specify bind credentials, the database link binds to the remote server as anonymous.
  • Page 107

    The database link on server A binds to server B using a special user as defined in the nsMultiplexorBindDN attribute and a user password as defined in the nsMultiplexorCredentials attribute. In this example, server A uses the following bind credentials:

        nsMultiplexorBindDN: cn=proxy admin,cn=config...
  • Page 108

    For more information on ACIs, refer to “Managing Access Control,” on page 193. For more information about the proxy authentication control, refer to the C-SDK documentation at http://enterprise.netscape.com/docs NOTE When a database link is used by a client application to create or modify entries, the creatorsName and modifiersName attributes...
  • Page 109: Table 3-4 Database Link Configuration Attributes

    In this sample LDAP URL, the database link first contacts the server example.com on the standard port to service an operation. If it does not respond, the database link then contacts the server us.example.com on port 389. If this server fails, it then contacts the third server listed in the URL on port 1000.
  • Page 110

    Table 3-4 Database Link Configuration Attributes (Continued)

        Attributes               | Value
        nsMultiplexorCredentials | Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file.
                                 | Reserved for advanced use only.
  • Page 111

    First, use the ldapmodify command-line utility to add a database link to server A. Type the following to change to the directory containing the utility:

        cd serverRoot/shared/bin

    Run the script as follows:

        ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com

    Then specify the configuration information for the database link:

        dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config...
  • Page 112

        nsslapd-state: backend
        nsslapd-backend: DBLink1
        nsslapd-parent-suffix: "ou=people,dc=example,dc=com"
        cn: l=Zanzibar,ou=people,dc=example,dc=com

    In the first section, the nsslapd-suffix attribute contains the suffix on server B that you want to chain to from server A. The nsFarmServerURL attribute contains the LDAP URL of server B. The second section creates a new suffix, allowing the server to route requests made to the new database link.
  • Page 113: Chaining Using Ssl

    NOTE When a user binds to a database link, the user’s identity is sent to the remote server. Access controls are always evaluated on the remote server. For the user to successfully modify or write data to the remote server, you need to set up the correct access controls on the remote server.
  • Page 114: Maintaining Database Links

    Maintaining Database Links This section describes how to update and delete existing database links. It contains the following procedures: • Updating Remote Server Authentication Information • Deleting Database Links Updating Remote Server Authentication Information To update the bind DN and password used by the database link to connect to the remote server: On the Directory Server Console, select the Configuration tab.
  • Page 115: Database Links And Access Control Evaluation

    From the Object menu, select Delete. You can also right-click the database link and select Delete from the pop-up menu. The Deleting Database Link confirmation dialog box is displayed. Click Yes to confirm that you want to delete the database link. A progress dialog box appears telling you the steps the Directory Server completes during the deletion.
  • Page 116: Advanced Feature: Tuning Database Link Performance

    • ACIs that refer to values of a user’s entry (for example, userattr subject rules) will work if the user is remote. Though access controls are always evaluated on the remote server, you can also choose to have them evaluated on both the server containing the database link and the remote server.
  • Page 117: Managing Connections To The Remote Server

    Managing Connections to the Remote Server Each database link maintains a pool of connections to a remote server. You can configure the connections to optimize resources for your directory. You can change the connection attributes using the Directory Server Console or through the command line.
  • Page 118: Table 3-5 Database Link Connection Management Attributes

    Connection lifetime (sec). How long a connection made between the database link and remote server remains open. You can keep connections between the database link and the remote server open for an unspecified time, or you can close them after a specific period of time.
  • Page 119: Detecting Errors During Normal Processing

    Table 3-5 Database Link Connection Management Attributes (Continued)

        Attribute Name   | Description
        nsBindRetryLimit | Number of times a database link attempts to bind to the remote server. A value of zero (0) indicates that the database link will try to bind only once. The default value is 3 attempts.
                         | Connection lifetime, in seconds.
  • Page 120: Managing Threaded Operations

    If the remote server does not respond before the nsMaxResponseDelay period has passed, then an error is returned and the connection is flagged as down. All connections between the database link and remote server will be blocked for 30 seconds, protecting your server from a performance degradation.
  • Page 121: Advanced Feature: Configuring Cascading Chaining

    While the database link waits for results from the remote server, it can process additional operations. By default, the number of threads used by the server is 20. However, when using database links, you can improve performance by increasing the number of threads available for processing operations.
  • Page 122

    The client application sends a modify request to server one. Server one contains a database link that forwards the operation to server two, which contains another database link. The database link on server two forwards the operations to server three, which contains the data the client wants to modify in a database.
  • Page 123

    The root suffix dc=example,dc=com and the sub suffixes ou=people and ou=groups are stored on Server A. The l=europe,dc=example,dc=com and ou=groups suffixes are stored on Server B, and the l=europe,dc=example,dc=com branch of the ou=people suffix is stored on Server C. With cascading configured on servers A, B, and C, a client request targeted at the entry would be routed by the...
  • Page 124: Configuring Cascading Chaining Defaults Using The Console

    First the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the branch.
  • Page 125: Configuring Cascading Chaining Using The Console

    Select the “Check local ACI” checkbox if you want to enable the evaluation of local ACIs on the intermediate database links involved in cascading chaining. If you select this checkbox, you will need to add the appropriate local ACIs to a database on the servers that contain intermediate database links.
  • Page 126: Configuring Cascading Chaining From The Command Line

    Configuring Cascading Chaining From the Command Line Configuring a cascade of database links through the command line involves the following steps: • Pointing one database link to the URL of the server containing the intermediate database link.
  • Page 127

    Creating the Proxy Administrative User ACI You need to create an ACI on the server that contains the intermediate database link that checks the rights of the first database link before translating the request to another server.
  • Page 128

    Setting this attribute to on in the cn=default instance config,cn=chaining database,cn=plugins,cn=config entry means that all new database link instances will have the nsCheckLocalACI attribute set to on in their database_link_name,cn=chaining database,cn=plugins,cn=config entry. Creating Client ACIs Because you have enabled local ACI evaluation, you need to create the appropriate client application ACIs on all intermediate database links as well as the final destination database.
  • Page 129: Summary Of Cascading Chaining Configuration Attributes

    Summary of Cascading Chaining Configuration Attributes The following table describes the attributes used to configure intermediate database links in a cascading chain:

    Table 3-7 Cascading Chaining Configuration Attributes

        Attribute             | Description
        nsFarmServerURL       | URL of the server containing the next database link in the cascading chain.
        nsTransmittedControls | Enter the following OIDs to the database links involved in the cascading chain: nsTransmittedControls: 2.16.840.1.113730.3.4.12...
  • Page 130: Configuring Server One

    Configuring Server One First, use the ldapmodify command-line utility to add a database link to server one. To use the utility, type the following to change to the directory containing the utility:

        cd serverRoot/shared/bin

    Run the utility as follows:

        ldapmodify -a -D "cn=directory manager"...
  • Page 131

    Then specify the configuration information for the database link, DBLink1, on server one as follows:

        dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config
        objectclass: top
        objectclass: extensibleObject
        objectclass: nsBackendInstance
        nsslapd-suffix: l=Zanzibar,c=africa,ou=people,dc=example,dc=com
        nsfarmserverurl: ldap://africa.example.com:389/
        nsmultiplexorbinddn: cn=server1 proxy admin,cn=config
        nsmultiplexorcredentials: secret
        cn: DBLink1
        nsCheckLocalACI:off

        cn="l=Zanzibar,c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config...
  • Page 132: Configuring Server Two

    Configuring Server Two Next, you create a proxy administrative user on server two. This administrative user will be used to allow server one to bind and authenticate to server two. Bear in mind that it is useful to choose a proxy administrative user name which is specific to server one as it is the proxy administrative user which will allow server one to bind to server two.
  • Page 133

    Since database link DBLink2 is the intermediate database link in your cascading chaining configuration, you need to set the nsCheckLocalACI attribute to on, to allow the server to check whether or not it should allow the client and proxy administrative user access to the database link.
  • Page 134: Configuring Server Three

    NOTE To create these ACIs it is assumed that the database corresponding to the suffix c=africa,ou=people,dc=example,dc=com already exists to hold the entry. This database needs to be associated with a suffix above the suffix specified in the nsslapd-suffix attribute of each database link.
  • Page 135

        dn: cn=server2 proxy admin,cn=config
        objectclass: person
        objectclass: organizationalPerson
        objectclass: inetOrgPerson
        cn: server2 proxy admin
        sn: server2 proxy admin
        userPassword: secret
        description: Entry for use by database links

    Then you need to add the same local proxy authorization ACI to server three as you did on server two.
  • Page 136: Using Referrals

    Using Referrals You can use referrals to tell client applications which server to contact for a specific piece of information. This redirection occurs when a client application requests a directory entry that does not exist on the local server or when a database has been taken offline for maintenance.
  • Page 137: Setting A Default Referral From The Command Line

    Setting a Default Referral From the Command Line Use the ldapmodify command-line utility to add a default referral to the cn=config entry in your directory configuration file. For example, to add a new default referral from your Directory Server, example.com, to another server, add a new line to the...
  • Page 138: Creating Smart Referrals Using The Directory Server Console

    Creating Smart Referrals Using the Directory Server Console On the Directory Server Console, select the Directory tab. Browse through the tree in the left navigation pane and select the entry for which you want to add the referral. Double-click the entry.
  • Page 139: Creating Smart Referrals From The Command Line

    Creating Smart Referrals From the Command Line Use the ldapmodify command-line utility to create smart referrals from the command line. To create a smart referral, create the relevant directory entry and add the Referral object class. This object class allows a single attribute.
  • Page 140: Creating Suffix Referrals

    Creating Suffix Referrals The following procedure describes creating a referral in a suffix. This means that the suffix processes operations using a referral rather than a database or database link. For more information about referrals, refer to Netscape Directory Server Deployment Guide.
  • Page 141

    For example, to add a new suffix referral to the ou=people,dc=example,dc=com root suffix, you do an ldapmodify. First, type the following to change to the directory containing the utility:

        cd serverRoot/shared/bin

    Then, run ldapmodify as follows:

        ldapmodify -a -h example.com -p 389 -D "cn=directory manager" -w secret

    The ldapmodify utility binds to the server and prepares it to add information to...
  • Page 142 Using Referrals Netscape Directory Server Administrator’s Guide • August 2002...
  • Page 143: Chapter 4 Populating Directory Databases

    Chapter 4 Populating Directory Databases Databases contain the directory data managed by your Netscape Directory Server (Directory Server). This chapter describes the following procedures for populating your directory databases: • Importing Data (page 143) • Exporting Data (page 150) • Backing Up and Restoring Data (page 154) •...
  • Page 144: Performing An Import From The Console

    Importing Data Table 4-1 Import Method Comparison

                                   | Import                                                         | Initialize Database
        Overwrites database        |                                                                |
        LDAP operations            | Add, modify, delete                                            | Add only
        Performance                | More time consuming                                            | Fast
        Partition speciality       | Works on all partitions                                        | Local partitions only
        Response to server failure | Best effort (all changes made up to the point of the failure) | Atomic (all changes are lost after a failure)
  • Page 145

    To import data from the Directory Server Console: On the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and select Import Database. You can also import by going to the Configuration tab and selecting “Import” from the Console menu.
  • Page 146: Initializing A Database From The Console

    Initializing a Database From the Console You can overwrite the existing data in a database. The following section describes using the console to initialize databases. You must be logged in as the Directory Manager in order to initialize a database. This is because you cannot import an LDIF file that contains a root entry unless you bind to the directory as the Directory Manager (Root DN).
  • Page 147: Importing From The Command Line

    Importing From the Command Line You can use three methods for importing data through the command line: • Using ldif2db—This import method overwrites the contents of your database and requires the server to be stopped. • Using ldif2db.pl—This import method overwrites the contents of your database while the server is still running.
  • Page 148: Importing Using The Ldif2Db.pl Perl Script

    Windows batch file:

        ldif2db.bat -n Database1 -i c:\netscape\servers\slapd-dirserver\ldif\demo.ldif -i c:\netscape\servers\slapd-dirserver\ldif\demo2.ldif

    UNIX shell script:

        ldif2db -n Database1 -i /usr/netscape/servers/slapd-dirserver/ldif/demo.ldif -i /usr/netscape/servers/slapd-dirserver/ldif/demo2.ldif

    The following table describes the ldif2db options used in the examples:

        Option | Description
        -i     | Specifies the full path name of the LDIF file(s) to be imported. This option is required.
  • Page 149: Importing Using The Ldif2Ldap Command-Line Script

    The following examples import an LDIF file using the ldif2db.pl script. You do not need root privileges to run the script, but you must authenticate as the directory manager. Windows batch file (as shown in the example, you need to run the script from the ..\bin\slapd\admin\bin\perl directory):

        ..\bin\slapd\admin\bin\perl ldif2db.pl -D "cn=Directory Manager"...
  • Page 150: Exporting Data

    Exporting Data Two examples of performing an import using ldif2ldap follow:

    Windows batch file:

        ldif2ldap "cn=Directory Manager" secret c:\netscape\servers\slapd-dirserver\ldif\demo.ldif

    UNIX shell script:

        ldif2ldap "cn=Directory Manager" secret /usr/netscape/servers/slapd-dirserver/ldif/demo.ldif

    The ldif2ldap script requires you to specify the DN of the administrative user, the password of the administrative user, and the absolute path and file name of the LDIF file(s) to be imported.
  • Page 151: Exporting Directory Data To Ldif Using The Console

    Figure 4-1 Splitting a Database’s Contents into Two Databases. To populate the new databases requires exporting the contents of database one and importing it into the new databases one and two. You can use the Directory Server Console or command-line utilities to export data. The following sections describe these methods in detail: •...
  • Page 152: Exporting A Single Database To Ldif Using The Console

    To export directory data to LDIF from the Directory Server Console while the server is running: On the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and click Export Database(s). To export all of your databases, you can also select the Configuration tab and select Export from the Console menu.
  • Page 153: Exporting To Ldif From The Command Line

    Expand the Data tree in the left navigation pane. Expand the suffix maintained by the database you want to export. Select the database under the suffix that you want to export. Right-click the database and select Export Database. You can also select Export Database from the Object menu.
  • Page 154: Backing Up And Restoring Data

    Backing Up and Restoring Data

        Option | Description
               | Specifies the name of the database from which the file is being exported.
               | Defines the output file in which the server saves the exported LDIF. This file is stored by default in the directory where the command-line script resides.
  • Page 155: Backing Up All Databases From The Server Console

    Backing Up All Databases From the Server Console When you back up your databases from the Directory Server Console, the server copies all of the database contents and associated index files to a backup location. You can perform a backup while the server is running.
  • Page 156: Backing Up A Single Database

    Two examples of performing an import using db2bak follow:

    Windows batch file:

        db2bak \usr\netscape\servers\slapd-dirserver\bak\bak_20010701103056

    UNIX shell script:

        db2bak /usr/netscape/servers/slapd-dirserver/bak/bak_20010701103056

    You can specify the backup directory and output file where the server saves the exported LDIF file. If you do not specify a directory and output file, the directory will store the file by default in the directory where the command-line script resides.
  • Page 157: Restoring All Databases

    When you make modifications to the dse.ldif file, the file is first backed up to a file called dse.ldif.bak in the serverRoot/slapd-serverID/config directory before the directory writes the modifications to the dse.ldif file. Restoring All Databases The following procedures describe restoring all of the databases in your directory using the Directory Server Console and from the command line.
  • Page 158: Restoring Your Database From The Command Line

    Restoring Your Database From the Command Line You can restore your databases from the command line by using the following scripts: • Using the bak2db command-line script. This script requires the server to be shut down. •...
  • Page 159: Restoring A Single Database

    Windows batch file:

        ..\bin\slapd\admin\bin\perl bak2db.pl -D "cn=Directory Manager" -w secret -a \usr\netscape\servers\slapd-dirserver\bak\mybak_20010701103056

    UNIX shell script:

        bak2db.pl -D "cn=Directory Manager" -w secret -a /usr/netscape/servers/slapd-dirserver/bak/mybak_20010701103056

    The following table describes the bak2db.pl options used in the examples:

        Option | Description
        -a     | Defines the full path and name of the input file.
  • Page 160: Restoring The Dse.ldif Configuration File

    database will be erased during the restore operation. A message will be logged to the supplier servers’ log files indicating that reinitialization is required. If you are restoring a database containing data received from a supplier server, then one of two situations can occur: •...
  • Page 161: Enabling And Disabling Read-Only Mode

    Enabling and Disabling Read-Only Mode Before performing certain operations of export or backup on your Directory Server, you can enable read-only mode on any of the databases to ensure you have a faithful image of the state of these databases at a given time. The Directory Server Console and the command-line utilities do not automatically put the directory in read-only mode before export or backup operations because this would make your directory unavailable for updates.
  • Page 162
  • Page 163: Chapter 5 Advanced Entry Management

    Chapter 5 Advanced Entry Management You can group the entries contained by your directory to simplify the management of user accounts. Netscape Directory Server (Directory Server) supports a variety of methods for grouping entries and sharing attributes between entries. This chapter describes the following grouping mechanisms and their procedures: •...
  • Page 164: Managing Static Groups

    Using Groups Managing Static Groups Static groups allow you to group entries by specifying the same group value in the DN attribute of any number of users. This section includes the following procedures for creating and modifying static groups: • Adding a New Static Group •...
  • Page 165: Modifying A Static Group

    Modifying a Static Group In the Directory Server Console, select the Directory tab. The directory contents appear in the left pane. Double-click the entry you want to modify or select Open from the Object menu. The Edit Group dialog box appears. Make your changes to the group information.
  • Page 166: Using Roles

    Using Roles Double-click the entry you want to modify or select Properties from the Object menu. The Edit Group dialog box appears. Make your changes to the group information. Click OK. To view your changes, go to the View menu and select Refresh. Using Roles Roles are a new entry grouping mechanism that unify the static and dynamic groups described in the previous sections.
  • Page 167: Managing Roles Using The Console

    • Remove a particular role from a given entry. You can do everything you would normally do with static groups with managed roles, and you can filter members using filtered roles as you used to do with dynamic groups. Roles are easier to use than groups, more flexible in their implementation, and reduce client complexity.
  • Page 168: Creating A Managed Role

    • Deleting a Role When you create a role, you need to decide whether a user can add themselves or remove themselves from the role. Refer to “Using Roles Securely,” on page 175 for more information about roles and access control. Creating a Managed Role Managed roles allow you to create an explicit enumerated list of members.
  • Page 169: Creating A Filtered Role

    Creating a Filtered Role You assign entries to a filtered role depending upon a particular attribute contained by each entry. You do this by specifying an LDAP filter. Entries that match the filter are said to possess the role. To create and add members to a filtered role: Follow steps 1-5 of “Creating a Managed Role,”...
  • Page 170: Viewing And Editing An Entry's Roles

    To create and add members to a nested role: Follow steps 1-5 of “Creating a Managed Role,” on page 168. Click Members in the left pane. A search dialog box appears briefly. In the right pane, select Nested Role. Click Add to add roles to the list. The members of the nested role are members of other existing roles.
  • Page 171: Modifying A Role Entry

    Click OK once you have finished modifying the roles to save your changes. Modifying a Role Entry To edit an existing role: On the Directory Server Console, select the Directory tab. Browse the navigation tree in the left pane to locate the base DN for your role. Roles appear in the right pane with other entries.
  • Page 172: Deleting A Role

    Browse the navigation tree in the left pane to locate the base DN for your role. Roles appear in the right pane with other entries. Select the role. Select Activate from the Object menu. You can also right-click the role and select Activate from the menu. The role is reactivated.
  • Page 173: Examples: Managed Role Definition

    • Members of a filtered role are entries that match the filter specified in the nsRoleFilter attribute. • Members of a nested role are members of the roles specified in the nsRoleDN attributes of the nested role definition entry. Table 5-1 lists the new object classes and attributes associated with each type of role.
  • Page 174: Example: Filtered Role Definition

    Notice that the nsManagedRoleDefinition object class inherits from the LDAPsubentry, nsRoleDefinition, and nsSimpleRoleDefinition object classes. Assign the role to a marketing staff member named Bob by doing an ldapmodify as follows:

        ldapmodify -D "cn=Directory Manager" -w secret -h host -p 389
        dn: cn=Bob,ou=people,dc=example,dc=com
        changetype: modify
        add: nsRoleDN...
  • Page 175: Example: Nested Role Definition

    Example: Nested Role Definition You want to create a role that contains both the marketing staff and sales managers contained by the roles you created in the previous examples. The nested role you create using ldapmodify appears as follows:

        dn: cn=MarketingSales,ou=people,dc=example,dc=com
        objectclass: top...
  • Page 176: Assigning Class Of Service

    Assigning Class of Service To prevent users from removing the attribute, use the following ACIs nsRoleDN depending upon the type of role being used. Managed roles. For entries that are members of a managed role, use the following ACI to prevent users from unlocking themselves by removing the appropriate nsRoleDN aci: (targetattr=”nsRoleDN”) (targattrfilters=”...
  • Page 177: About Cos

    Assigning Class of Service • Managing CoS Using the Console • Managing CoS From the Command Line • Creating Role-Based Attributes • Access Control and CoS About CoS Clients of the Directory Server read the attributes on a user’s entry. With CoS, some attribute values may not be stored with the entry itself.
  • Page 178: About The Cos Template Entry

    Assigning Class of Service There are 3 types of CoS, defined using three types of CoS definition entries: • Pointer CoS—A pointer CoS identifies the template entry using the template DN only. • Indirect CoS—An indirect CoS identifies the template entry using the value of one of the target entry’s attributes.
  • Page 179: How A Pointer Cos Works

    Assigning Class of Service How a Pointer CoS Works You create a CoS that shares a common postal code with all of the entries stored under dc=example,dc=com. The three entries for this CoS appear as illustrated in Figure 5-1. Figure 5-1 Sample Pointer CoS In this example, the template entry is identified by its DN,...
  • Page 180: How A Classic Cos Works

    Assigning Class of Service Figure 5-2 Sample Indirect CoS In this example, the target entry for William Holiday contains the indirect specifier, the manager attribute. William’s manager is Carla Fuentes, so the manager attribute contains a pointer to the DN of the template entry, cn=Carla...
  • Page 181: Managing Cos Using The Console

    Assigning Class of Service Figure 5-3 Sample Classic CoS In this example, the CoS definition entry’s cosSpecifier attribute specifies the employeeType attribute. This attribute, in combination with the template DN, identifies the template entry as cn=sales,cn=exampleUS,cn=data. The template entry then provides the value of the postalCode attribute to the target entry.
  • Page 182 Assigning Class of Service Go to the Object menu and select New > Class of Service. You can also right click the entry and select New > Class of Service. The Create New Class of Service dialog displays. Select General in the left pane. In the right pane, enter the name of your new class of service in the “Class Name”...
  • Page 183: Editing An Existing Cos

    Assigning Class of Service Using the value of one of the target entry’s attributes. If you choose to have the template entry identified by the value of one of the target entry’s attributes (an indirect CoS), enter the attribute name in the “Attribute Name” field. Be sure to select an attribute which contains DN values.
  • Page 184: Managing Cos From The Command Line

    Assigning Class of Service Right-click the CoS and select Delete. A dialog box appears asking you to confirm the deletion. Click Yes. The Deleted Entries dialog box appears to inform you that the CoS was successfully deleted. Click OK. Managing CoS From the Command Line Because all configuration information and template data is stored as entries in the directory, you can use standard LDAP tools for CoS configuration and management.
  • Page 185: Table 5-3 Cos Definition Entry Attributes

    Assigning Class of Service Table 5-3 lists attributes that you can use in your CoS definition entries. Table 5-3 CoS Definition Entry Attributes Attribute: cosAttribute; Definition: Provides the name of the attribute for which you want to generate a value. You can specify more than one cosAttribute value.
  • Page 186: Table 5-4 Cos Definitions

    Assigning Class of Service For example, you might create a pointer CoS definition entry that contains an override qualifier as follows: dn: cn=pointerCoS,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: cosSuperDefinition objectclass: cosPointerDefinition cosTemplateDn: cn=exampleUS,cn=data cosAttribute: postalCode override This pointer CoS definition entry indicates that it is associated with a template entry, cn=exampleUS,cn=data, that generates the value of the...
  • Page 187: Creating The Cos Template Entry From The Command Line

    Assigning Class of Service Table 5-4 CoS Definitions (Continued) CoS Type: Classic CoS; CoS definition: objectclass: top objectclass: LDAPsubentry objectclass: cosSuperDefinition objectclass: cosClassicDefinition cosTemplateDn: DN_string cosSpecifier: attribute_name cosAttribute: list_of_attributes qualifier Creating the CoS Template Entry From the Command Line The CoS template entry also inherits from the LDAPsubentry object class.
  • Page 188: Example Of A Pointer Cos

    Assigning Class of Service Templates that contain no cosPriority attribute are considered the lowest priority. In the case where two or more templates are considered to supply an attribute value and they have the same (or no) priority, a value is chosen arbitrarily.
  • Page 189: Example Of An Indirect Cos

    Assigning Class of Service Next, you create the template entry as follows: dn: cn=exampleUS,cn=data,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: extensibleobject objectclass: cosTemplate postalCode: 44438 The CoS template entry (cn=exampleUS,cn=data,dc=example,dc=com) supplies the value stored in its postalCode attribute to any entries located under the dc=example,dc=com suffix.
  • Page 190: Example Of A Classic Cos

    Assigning Class of Service You create a second template entry for the manager Sue Jacobs as follows: dn: cn=Sue Jacobs,cn=data,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: extensibleobject objectclass: cosTemplate departmentNumber: 71776 The definition entry looks in the target entries (the entries under dc=example,dc=com) for entries containing the manager attribute (because this...
  • Page 191: Creating Role-Based Attributes

    Assigning Class of Service Next, you create the template entries for the sales and marketing departments as follows: dn: cn=sales,cn=exampleUS,cn=data,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: extensibleobject objectclass: cosTemplate postalCode: 44438 dn: cn=marketing,cn=exampleUS,cn=data,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: extensibleobject objectclass: cosTemplate postalCode: 99111 The classic CoS definition entry applies to all entries under the dc=example,dc=com suffix.
  • Page 192: Access Control And Cos

    Assigning Class of Service objectclass: nsFilteredRoleDefinition cn: ManagerRole nsRoleFilter: o=managers Description: filtered role for managers The classic CoS definition entry would look as follows: dn: cn=managerCOS,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: cosSuperDefinition objectclass: cosClassicDefinition cosTemplateDn: cn=managerCOS,dc=example,dc=com cosSpecifier: nsRole cosAttribute: mailboxquota override The nsRole attribute, named by cosSpecifier, provides a value that, in combination with the cosTemplateDn attribute specified in the...
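The following Python model, added here as an example and not the server's code, resolves an attribute value the way the pointer, indirect, classic and role-based CoS descriptions above specify: a definition applies below its parent entry, the template is chosen by cosTemplateDn, cosIndirectSpecifier or cosSpecifier, a lower cosPriority wins (a template with none has the lowest priority, ties are arbitrary), and the default qualifier lets a real value on the entry win while override does not. Definitions, templates and target entries are constructed from the manual's examples; the template DN for the nsRole-based classic CoS is built by escaping the role DN into a single RDN, which is an assumption, since the template entry for that example is not shown on this page.

```python
"""Resolving CoS-generated attribute values for pointer, indirect and
classic CoS definitions.

Added example, not the server's code.  Definitions, templates and target
entries are constructed to follow the manual's examples.  The template DN
for a DN-valued cosSpecifier such as nsRole is built by escaping the value
into a single RDN (an assumption); DN handling is otherwise simplified.
"""
import re


def escape_rdn_value(value):
    """Escape DN-special characters (RFC 2253) so a DN can be used as an RDN value."""
    return re.sub(r'([,+"\\<>;])', r'\\\1', value)


def candidate_templates(definition, entry):
    """Template DNs a definition names for a given target entry."""
    kind = definition["kind"]
    if kind == "pointer":                       # template DN given directly
        return [definition["costemplatedn"]]
    if kind == "indirect":                      # entry attribute holds the template DN
        return list(entry.get(definition["cosindirectspecifier"].lower(), []))
    if kind == "classic":                       # cn=<specifier value>,<cosTemplateDn>
        return ["cn=%s,%s" % (escape_rdn_value(v), definition["costemplatedn"])
                for v in entry.get(definition["cosspecifier"].lower(), [])]
    raise ValueError(kind)


def priority(template):
    """Lower cosPriority wins; a template without cosPriority has the lowest priority."""
    p = template.get("cospriority")
    return int(p[0]) if p else float("inf")


def in_scope(entry_dn, definition_dn):
    parent = definition_dn.split(",", 1)[1].lower()
    return entry_dn.lower().endswith("," + parent)


def resolve(entry_dn, entry, attr, definitions, templates):
    """Values of attr on entry as a client would read them (real or CoS-generated)."""
    attr = attr.lower()
    real = entry.get(attr, [])
    best = best_qualifier = None
    best_prio = float("inf")
    for def_dn, definition in definitions.items():
        if not in_scope(entry_dn, def_dn):
            continue
        for name, qualifier in definition["cosattribute"]:
            if name.lower() != attr:
                continue
            for tdn in candidate_templates(definition, entry):
                template = templates.get(tdn)
                if template is None or attr not in template:
                    continue
                prio = priority(template)
                # Equal priority: the server picks arbitrarily; this model keeps the first.
                if best is None or prio < best_prio:
                    best, best_prio, best_qualifier = template[attr], prio, qualifier
    if best is None:
        return real
    if best_qualifier == "override" or not real:    # default: a real value wins
        return best
    return real


DEFINITIONS = {   # constructed CoS definition entries (attribute names lower-cased)
    "cn=pointerCoS,dc=example,dc=com": {
        "kind": "pointer", "costemplatedn": "cn=exampleUS,cn=data,dc=example,dc=com",
        "cosattribute": [("postalCode", "override")]},
    "cn=indirectCoS,dc=example,dc=com": {
        "kind": "indirect", "cosindirectspecifier": "manager",
        "cosattribute": [("departmentNumber", "default")]},
    "cn=managerCOS,dc=example,dc=com": {
        "kind": "classic", "costemplatedn": "cn=managerCOS,dc=example,dc=com",
        "cosspecifier": "nsRole", "cosattribute": [("mailboxquota", "override")]},
}
MANAGER_ROLE = "cn=ManagerRole,ou=people,dc=example,dc=com"
SALES_ROLE = "cn=MarketingSales,ou=people,dc=example,dc=com"
TEMPLATES = {     # constructed CoS template entries
    "cn=exampleUS,cn=data,dc=example,dc=com": {"postalcode": ["44438"]},
    "cn=Sue Jacobs,cn=data,dc=example,dc=com": {"departmentnumber": ["71776"]},
    "cn=%s,cn=managerCOS,dc=example,dc=com" % escape_rdn_value(MANAGER_ROLE):
        {"mailboxquota": ["1000000"], "cospriority": ["1"]},
    "cn=%s,cn=managerCOS,dc=example,dc=com" % escape_rdn_value(SALES_ROLE):
        {"mailboxquota": ["500000"], "cospriority": ["0"]},
}
ENTRIES = {       # constructed target entries
    "cn=William Holiday,ou=people,dc=example,dc=com": {
        "postalcode": ["12345"], "manager": ["cn=Sue Jacobs,cn=data,dc=example,dc=com"],
        "nsrole": [MANAGER_ROLE]},
    "cn=Carla Fuentes,ou=people,dc=example,dc=com": {
        "departmentnumber": ["99999"], "manager": ["cn=Sue Jacobs,cn=data,dc=example,dc=com"],
        "nsrole": [MANAGER_ROLE, SALES_ROLE]},
    "cn=Temp,ou=people,dc=other,dc=com": {"postalcode": ["00000"]},   # outside every definition's scope
}

if __name__ == "__main__":
    for dn, entry in ENTRIES.items():
        for attr in ("postalCode", "departmentNumber", "mailboxquota"):
            print(dn, attr, resolve(dn, entry, attr, DEFINITIONS, TEMPLATES))
```

William's own postalCode of 12345 is hidden by the override qualifier, whereas Carla's own departmentNumber survives because the indirect definition uses the default qualifier; this is the first thing to check when a CoS-generated value unexpectedly does or does not replace what is stored on the entry.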
  • Page 193: Chapter 6 Managing Access Control

    Chapter 6 Managing Access Control Netscape Directory Server (Directory Server) provides you with the ability to control access to your directory. This chapter describes the access control mechanism. This section includes the following topics: • Access Control Principles (page 194) •...
  • Page 194: Access Control Principles

    Access Control Principles Access Control Principles The mechanism by which you define access is called access control. When the server receives a request, it uses the authentication information provided by the user in the bind operation, and the access control instructions (ACIs) defined in the server to allow or deny access to directory information.
  • Page 195: Aci Placement

    Access Control Principles ACI Placement If an entry containing an ACI does not have any child entries, the ACI applies to that entry only. If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a direct consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs for every entry between the one requested and the directory suffix, as well as the ACIs on the entry itself.
  • Page 196: Aci Limitations

    Access Control Principles For example, if you deny write permission at the directory’s root level, then none of the users can write to the directory regardless of the specific permissions you grant them. To grant a specific user write permissions to the directory, you have to restrict the scope of the original denial for write permission so that it does not include the user.
  • Page 197: Default Acis

    Default ACIs • Access control rules are always evaluated on the local server. Therefore, it is not necessary to specify the hostname or port number of the server in LDAP URLs used in ACI keywords. If you do, the LDAP URL will not be taken into account at all.
  • Page 198: Creating Acis Manually

    Creating ACIs Manually Creating ACIs Manually You can create access control instructions manually using LDIF statements, and add them to your directory tree using the ldapmodify utility. The following sections explain in detail how to create the LDIF statements. LDIF ACI statements can be very complex. However, if you are setting access control for a large number of directory entries, using LDIF is the preferred method over using the console because of the time it can save.
  • Page 199: Example Aci

    Creating ACIs Manually You can have multiple permission-bind rule pairs for each target. This allows you to efficiently set multiple access controls for a given target. For example: target(permission bind_rule)(permission bind_rule)... If you have several ACRs in one ACI statement, the syntax is of the form: aci: (target)(version 3.0;acl "name";permission bind_rule;...
  • Page 200: Table 6-1 Ldif Target Keywords

    Creating ACIs Manually where: keyword indicates the type of target; equal (=) indicates that the target is the object specified in expression, and not equal (!=) indicates the target is not the object specified in expression; expression identifies the target. The quotation marks ("") around expression are required.
  • Page 201: Targeting A Directory Entry

    Creating ACIs Manually the result would be to allow all values of the target attribute. The first ACL (acl1) and the second ACL (acl2) each allow part of those values, and the result of these two ACLs will be the same as the one resulting from using an ACL of the form: acl3: ( targetattr="*"...
  • Page 202 Creating ACIs Manually • (target="ldap:///uid=*,dc=example,dc=com") Matches every entry in the entire example.com tree that has the uid attribute in the entry’s RDN. • (target="ldap:///uid=*Anderson,dc=example,dc=com") Matches every entry directly under the example.com node with a uid ending in Anderson. • (target="ldap:///uid=C*A,dc=example,dc=com") Matches every entry directly under the example.com node with a uid beginning with C and ending with A.
  • Page 203: Targeting Attributes

    Creating ACIs Manually NOTE You cannot use wildcards in the suffix part of a distinguished name. That is, if your directory uses the suffixes c=US and c=GB then you cannot use the following target to reference both suffixes: (target="ldap:///dc=example,c=*"). Neither can you use a target such as uid=bjensen,dc=*.com. Targeting Attributes In addition to targeting directory entries, you can also target one or more attributes...
  • Page 204: Targeting Both An Entry And Attributes

    Creating ACIs Manually If, however, you target the tree’s branch point ou=Marketing,dc=example,dc=com, then all the entries beneath the branch point that can contain a password attribute are affected by the ACI. Targeting Both an Entry and Attributes By default, the entry targeted by an ACI containing a targetattr keyword is the entry on which the ACI is placed.
  • Page 205: Targeting Attribute Values Using Ldap Filters

    Creating ACIs Manually dn: dc=example,dc=com objectClass: top objectClass: organization aci: (targetattr="departmentNumber || manager") (targetfilter="(businessCategory=Engineering)") (version 3.0; acl "eng-admins-write"; allow (write) groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";) Although using LDAP filters can be useful when you are targeting entries and attributes that are spread across the directory, the results are sometimes unpredictable because filters do not directly name the object for which you are managing access.
  • Page 206: Targeting A Single Directory Entry

    Creating ACIs Manually When creating an entry, if a filter applies to an attribute in the new entry, then each instance of that attribute must satisfy the filter. When deleting an entry, if a filter applies to an attribute in the entry, then each instance of that attribute must also satisfy the filter.
  • Page 207: Defining Permissions

    Creating ACIs Manually aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";) This ACI can apply only to the o=NetscapeRoot entry. The risk associated with these methods is that your directory tree might change in the future, and you would have to remember to modify this ACI. Defining Permissions Permissions specify the type of access you are allowing or denying.
  • Page 208 Creating ACIs Manually Delete. Indicates whether users can delete entries. This permission applies only to the delete operation. Search. Indicates whether users can search for the directory data. Users must have Search and Read rights in order to view the data returned as part of a search result. This permission applies only to the search operation.
  • Page 209: Rights Required For Ldap Operations

    Creating ACIs Manually Rights Required for LDAP Operations This section describes the rights you need to grant to users depending on the type of LDAP operation you want to authorize them to perform. Adding an entry: • Grant add permission on the entry being added. •...
  • Page 210: Permissions Syntax

    Bind Rules The permissions you need to set up to allow users to search the directory are more readily understood with an example. Consider the following ldapsearch operation: % ldapsearch -h host -s base -b "uid=bkolics,dc=example,dc=com" "objectclass=*" mail The following ACI is used to determine whether user bkolics can be granted...
  • Page 211: Bind Rule Syntax

    Bind Rules Bind rules can be simple. For example, a bind rule can simply state that the person accessing the directory must belong to a specific group. Bind rules can also be more complex. For example, a bind rule can state that a person must belong to a specific group and must log in from a machine with a specific IP address, between 8 am and 5 pm.
  • Page 212: Table 6-2 Ldif Bind Rule Keywords

    Bind Rules Table 6-2 LDIF Bind Rule Keywords, listing each keyword with its valid expressions: userdn: ldap:///distinguished_name, ldap:///all, ldap:///anyone, ldap:///self, ldap:///parent, ldap:///suffix??sub?(filter) (wildcard allowed: yes, in the DN only). groupdn: ldap:///DN || DN. roledn: ldap:///DN || DN. userattr: attribute#bindType or attribute#value. ip: IP_address. dns: DNS_host_name. timeofday: 0 - 2359. dayofweek: sun, mon, tue, wed, thu, fri, sat. authmethod: none...
  • Page 213: Defining User Access - Userdn Keyword

    Bind Rules Defining User Access - userdn Keyword User access is defined using the userdn keyword. The userdn keyword requires one or more valid distinguished names in the following format: userdn = "ldap:///dn [|| ldap:///dn]...[||ldap:///dn]" where dn can be a DN or one of the expressions anyone, self...
  • Page 214: Self Access (Self Keyword)

    Bind Rules Self Access (self Keyword) Specifies that users are granted or denied access to their own entries. In this case, access is granted or denied if the bind DN matches the DN of the targeted entry. From the Server Console, you set up self access on the Access Control Editor. For more information, see “Creating ACIs From the Console,”...
  • Page 215 Bind Rules Userdn keyword containing an LDAP URL: userdn = "ldap:///uid=*,dc=example,dc=com"; The bind rule is evaluated to be true if the user binds to the directory using any distinguished name of the specified pattern. For example, both of the following bind DNs would be evaluated to be true: uid=ssarette,dc=example,dc=com uid=tjaz,ou=Accounting,dc=example,dc=com...
  • Page 216: Defining Group Access - Groupdn Keyword

    Bind Rules The bind rule is evaluated to be true for any valid bind DN. To be true, a valid distinguished name and password must have been presented by the user during the bind operation. For example, if you want to grant read access to the entire tree to all authenticated users, you would create the following ACI on the dc=example,dc=com node:...
  • Page 217: Examples

    Bind Rules The groupdn keyword requires one or more valid distinguished names in the following format: groupdn="ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]" The bind rule is evaluated to be true if the bind DN belongs to the named group. NOTE If a DN contains a comma, the comma must be escaped by a backslash (\).
  • Page 218: Defining Access Based On Value Matching

    Bind Rules roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]" The bind rule is evaluated to be true if the bind DN belongs to the specified role. NOTE If a DN contains a comma, the comma must be escaped by a backslash (\).
  • Page 219 Bind Rules userattr = "attrName#attrValue" where: • attrName is the name of the attribute used for value matching • bindType is one of USERDN, GROUPDN, LDAPURL • attrValue is any string representing an attribute value The following sections provide examples of the userattr keyword with the various possible bind types.
  • Page 220 Bind Rules If you are using static groups that are under the same suffix as the targeted entry, you can use the following expression: userattr = "ldap:///dc=example,dc=com?owner#GROUPDN" In this example, the group entry is under the dc=example,dc=com suffix. The server can process this type of syntax more quickly than the previous example. (By default, owner is not an allowed attribute in a user’s entry.
  • Page 221: Using The Userattr Keyword With Inheritance

    Bind Rules Example With LDAPURL Bind Type The following is an example of the userattr keyword associated with a bind based on an LDAP filter: userattr = "myfilter#LDAPURL" The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter attribute of the targeted entry.
  • Page 222: Figure 6-1 Using Inheritance With The Userattr Keyword

    Bind Rules For example, userattr = "parent[0,1].manager#USERDN" This bind rule is evaluated to be true if the bind DN matches the manager attribute of the targeted entry. The permissions granted when the bind rule is evaluated to be true apply to the target entry and to all entries immediately below it. Example With userattr Inheritance The example in Figure 6-1 indicates that the user is allowed to read and...
  • Page 223: Granting Add Permission Using The Userattr Keyword

    Bind Rules Granting Add Permission Using the userattr Keyword If you use the userattr keyword in conjunction with add permissions, you might find that the behavior of the server is not what you expect. Typically, when a new entry is created in the directory, Directory Server evaluates access rights on the entry being created, and not on the parent entry.
  • Page 224: Defining Access From A Specific Ip Address

    Bind Rules Defining Access From a Specific IP Address Using bind rules, you can indicate that the bind operation must originate from a specific IP address. This is often used to force all directory updates to occur from a given machine or network domain. The LDIF syntax for setting a bind rule based on an IP address is as follows: ip = "IP_address"...
  • Page 225: Defining Access At A Specific Time Of Day Or Day Of Week

    Bind Rules The dns keyword requires a fully qualified DNS domain name. Granting access to a host without specifying the domain creates a potential security threat. For example, the following expression is allowed but not recommended: dns = "legend.eng"; You should use a fully qualified name such as: dns = "legend.eng.example.com";...
  • Page 226: Examples

    Bind Rules dayofweek = "day1, day2 ..." The possible values for the dayofweek keyword are the English three-letter abbreviations for the days of the week: sun, mon, tue, wed, thu, fri, sat. Examples The following are examples of the timeofday and dayofweek syntax: timeofday = "1200";...
  • Page 227: Defining Access Based On Authentication Method

    Bind Rules Defining Access Based on Authentication Method You can set bind rules that state that a client must bind to the directory using a specific authentication method. The authentication methods available are: • None—Authentication is not required. This is the default. It represents anonymous access.
  • Page 228: Using Boolean Bind Rules

    Bind Rules authmethod = "ssl"; The bind rule is evaluated to be true if the client authenticates to the directory using a certificate over LDAPS. This is not evaluated to be true if the client authenticates using simple authentication (bind DN and password) over LDAPS. authmethod = "sasl DIGEST-MD5";...
  • Page 229: Creating Acis From The Console

    Creating ACIs From the Console Because Boolean expressions are evaluated from left to right, in the first case, bind rule A is evaluated before bind rule B, and in the second case, bind rule B is evaluated before bind rule A. However, the two Boolean operators do not have equal precedence, and one is evaluated before the other...
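The target keywords, permissions, bind rules and evaluation order described from page 199 through page 229 can be exercised with the following Python model, which is an added example and not the server's code. It parses the aci syntax shown on those pages (target, targetattr, targetfilter with a single (attr=value) filter, allow and deny, and the userdn, groupdn, ip and authmethod bind keywords combined with and, or and not), applies the ACIs found on the entry and on every ancestor up to the suffix, and lets any matching deny win. Two modelling assumptions are made explicit in the code: an ACI with no targetattr is taken to apply to all attributes, and "and" is grouped before "or". The tree, aci values and requesters (ANON, TJAZ, HR, ENG) are constructed sample data.

```python
# ACI evaluation model (added example, not the server's code): target keywords,
# bind rules, ACI placement up the tree, and deny precedence.
import fnmatch
import re

def parse_aci(text):
    """Pull target, targetattr, targetfilter, rights and bind rule out of one aci value."""
    aci = {"target": None, "targetattr": None, "neg": False, "targetfilter": None}
    m = re.search(r'\(target\s*=\s*"(?:ldap:///)?([^"]*)"\)', text)
    if m:
        aci["target"] = m.group(1)
    m = re.search(r'\(targetattr\s*(!?)=\s*"([^"]*)"\)', text)
    if m:
        aci["neg"], aci["targetattr"] = m.group(1) == "!", [a.strip() for a in m.group(2).split("||")]
    m = re.search(r'\(targetfilter\s*=\s*"?(\([^()]*\))"?\)', text)   # single (attr=value) filters only
    if m:
        aci["targetfilter"] = m.group(1)
    m = re.search(r'\(version 3\.0;\s*acl\s*"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$', text, re.S)
    aci["effect"], aci["bind"] = m.group(2), m.group(4).strip()
    aci["rights"] = {r.strip().lower() for r in m.group(3).split(",")}
    return aci

def filter_matches(flt, attrs):
    attr, _, pattern = flt.strip("()").partition("=")
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in attrs.get(attr.strip().lower(), []))

def bind_term(term, req):
    """One keyword="value" (or !=) test against the requester's bind context."""
    kw, op, val = re.fullmatch(r'\s*\(?\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)?\s*', term).groups()
    if kw == "userdn":
        pats = [p.strip()[len("ldap:///"):].lower() for p in val.split("||")]
        me = req["dn"].lower()                          # "" for an anonymous bind
        ok = "anyone" in pats or bool(me) and any(
            p == "all" or (p == "self" and me == req["target_dn"].lower()) or fnmatch.fnmatchcase(me, p)
            for p in pats)
    elif kw == "groupdn":
        groups = [g.lower() for g in req["groups"]]
        ok = any(p.strip()[len("ldap:///"):].lower() in groups for p in val.split("||"))
    elif kw == "ip":
        ok = fnmatch.fnmatchcase(req["ip"], val)
    elif kw == "authmethod":
        ok = req["authmethod"].lower() == val.lower()
    else:
        raise ValueError("bind keyword not modelled: " + kw)
    return ok if op == "=" else not ok

def bind_rule(rule, req):
    """and/or/not, left to right, with and grouped before or (this model's choice)."""
    def term(t):
        t = t.strip()
        return not bind_term(t[4:], req) if t.startswith("not ") else bind_term(t, req)
    return any(all(term(t) for t in re.split(r"\s+and\s+", d)) for d in re.split(r"\s+or\s+", rule))

def applies(aci, aci_dn, target_dn, target_attrs, attr):
    """Does this ACI, stored on aci_dn, target attr (None = the entry) of target_dn?"""
    tgt, dn = (aci["target"] or aci_dn).lower(), target_dn.lower()   # default: own entry and subtree
    if not (fnmatch.fnmatchcase(dn, tgt) or fnmatch.fnmatchcase(dn, "*," + tgt)):
        return False
    if aci["targetfilter"] and not filter_matches(aci["targetfilter"], target_attrs):
        return False
    if attr is not None and aci["targetattr"] is not None:   # no targetattr: all attributes (assumed)
        listed = any(fnmatch.fnmatchcase(attr.lower(), a.lower()) for a in aci["targetattr"])
        if listed == aci["neg"]:                        # targetattr!= names the excluded attributes
            return False
    return True

def check(tree, acis, target_dn, attr, right, req):
    """Is right on attr of target_dn allowed for req?  The ACIs on the entry and on
    every ancestor up to the suffix are consulted; any matching deny wins."""
    req, parts, allowed = dict(req, target_dn=target_dn), target_dn.split(","), False
    for dn in (",".join(parts[i:]) for i in range(len(parts))):
        for text in acis.get(dn, []):
            aci = parse_aci(text)
            if not (aci["rights"] & {right, "all"}):
                continue
            if not applies(aci, dn, target_dn, tree[target_dn], attr) or not bind_rule(aci["bind"], req):
                continue
            if aci["effect"] == "deny":
                return False
            allowed = True
    return allowed

TREE = {  # constructed entries, attribute names lower-cased
    "dc=example,dc=com": {"objectclass": ["organization"]},
    "ou=people,dc=example,dc=com": {"objectclass": ["organizationalunit"]},
    "uid=bkolics,ou=people,dc=example,dc=com": {"objectclass": ["person"], "mail": ["bkolics@example.com"],
                                               "userpassword": ["{SSHA}x"], "businesscategory": ["Engineering"]},
    "uid=tjaz,ou=people,dc=example,dc=com": {"objectclass": ["person"], "mail": ["tjaz@example.com"], "userpassword": ["{SSHA}x"]},
}
ACIS = {  # constructed aci values keyed by the entry that carries them
    "dc=example,dc=com": [
        '(targetattr!="userPassword")(version 3.0; acl "Anonymous read"; allow (read, search) userdn="ldap:///anyone";)',
        '(targetattr="mail || userPassword")(version 3.0; acl "Self write over SSL"; allow (write) userdn="ldap:///self" and authmethod="ssl";)',
        '(targetattr="*")(version 3.0; acl "No writes from outside"; deny (write) ip!="192.168.*";)',
        '(targetattr="departmentNumber || manager")(targetfilter="(businessCategory=Engineering)")(version 3.0; acl "eng-admins-write"; allow (write) groupdn="ldap:///cn=Engineering Admins,dc=example,dc=com";)',
    ],
    "ou=people,dc=example,dc=com": ['(version 3.0; acl "HR"; allow (all) groupdn="ldap:///cn=HRgroup,ou=groups,dc=example,dc=com";)'],
}
ANON = {"dn": "", "groups": [], "ip": "203.0.113.9", "authmethod": "none"}
TJAZ = {"dn": "uid=tjaz,ou=people,dc=example,dc=com", "groups": [], "ip": "192.168.1.20", "authmethod": "ssl"}
HR = {"dn": "uid=hr1,ou=people,dc=example,dc=com", "groups": ["cn=HRgroup,ou=groups,dc=example,dc=com"], "ip": "192.168.1.7", "authmethod": "simple"}
ENG = {"dn": "uid=eng1,ou=people,dc=example,dc=com", "groups": ["cn=Engineering Admins,dc=example,dc=com"], "ip": "192.168.2.2", "authmethod": "simple"}
```

Because the ACIs on every entry from the suffix down to the target are consulted and any matching deny wins, the root-level deny on write from outside 192.168.* overrides the HR group's allow (all) placed on ou=people, which is the situation the ACI Limitations page warns about: to let one group write from elsewhere, the deny itself has to be narrowed, not the allow widened. The same check() answers the ldapsearch question from page 210: the requester needs search on the attribute used in the filter and read on each attribute returned, and for an anonymous bind that fails as soon as userPassword is requested.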
  • Page 230: Displaying The Access Control Editor

    Creating ACIs From the Console In the Access Control Editor, you can click on the Edit Manually button at any time to check the LDIF representation of the changes you make through the graphical interface. Displaying the Access Control Editor Start the Directory Server Console.
  • Page 231: Viewing Current Acis

    Creating ACIs From the Console Click New. The Access Control Editor is displayed as shown in Figure 6-3. Access Control Editor Window Figure 6-3 For information on navigating through the Access Control dialog boxes, refer to the online help. Viewing Current ACIs If you want to see what ACIs apply to a particular subtree in your directory, follow these steps: On the Directory tab, right-click the top entry in the subtree, and choose Set...
  • Page 232: Creating A New Aci

    Creating ACIs From the Console Creating a New ACI To create a new ACI: Display the Access Control Editor. This task is explained in “Displaying the Access Control Editor,” on page 230. If the view displayed is different from Figure 6-3 on page 231, click the Edit Visually button.
  • Page 233: Editing An Aci

    Creating ACIs From the Console Click the Hosts tab, then the Add button to display the Add Host Filter dialog box. You can specify a hostname or an IP address. If you specify an IP address, you can use the wildcard character (*). Click the Times tab to display the table showing at what times access is allowed.
  • Page 234: Deleting An Aci

    Access Control Usage Examples Deleting an ACI To delete an ACI: On the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu. The Access Control Manager window is displayed. It contains the list of ACIs belonging to the entry.
  • Page 235: Granting Anonymous Access

    Access Control Usage Examples • Grant all example.com employees the right to create group entries under the Social Committee branch of the directory, and to delete group entries that they own (see “Granting Rights to Add and Delete Group Entries,” on page 243). • Grant example.com employees the right to add themselves to group entries...
  • Page 236 Access Control Usage Examples This example assumes that the ACI is added to the dc=example,dc=com entry. Note that the userPassword attribute is excluded from the scope of the ACI. From the Console, you can set this permission by doing the following: On the Directory tab, right click the example.com node in the left navigation...
  • Page 237: Granting Write Access To Personal Entries

    Access Control Usage Examples This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com entry. It also assumes that every subscriber entry has an unlistedSubscriber attribute which is set to yes or no. The target definition filters out the unlisted subscribers based on the value of this attribute. For details on the filter definition, refer to “Setting a Target Using Filtering,”...
  • Page 238 Access Control Usage Examples It is also example.com’s policy to let their subscribers update their own personal information in the example.com tree provided that they establish an SSL connection to the directory. This is illustrated in the ACI “Write Subscribers” example.
  • Page 239 Access Control Usage Examples On the Targets tab, click This Entry to display the dc=example,dc=com suffix in the target directory entry field. In the attribute table, tick the checkboxes for the homePhone, homePostalAddress, and userPassword attributes. All other checkboxes should be clear. This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones.
  • Page 240 Access Control Usage Examples On the Users/Groups tab, in the ACI name field, type "Write Subscribers". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area to Special Rights, and select Self from the Search results list.
  • Page 241: Restricting Access To Key Roles

    Access Control Usage Examples Restricting Access to Key Roles You can use role definitions in the directory to identify functions that are critical to your business, the administration of your network and directory, or another purpose. For example, you might create a superAdmin role by identifying a subset of your system administrators that are available at a particular time of day and day of the...
  • Page 242: Granting A Group Full Access To A Suffix

    Access Control Usage Examples Click the Add button to list Self in the list of users who are granted access permission. Click OK to dismiss the Add Users and Groups dialog box. On the Rights tab, tick the checkbox for write. Make sure the other checkboxes are clear.
  • Page 243: Granting Rights To Add And Delete Group Entries

    Access Control Usage Examples aci: (version 3.0; acl "HR"; allow (all) userdn= "ldap:///cn=HRgroup,ou=example-people,dc=example,dc=com";) This example assumes that the ACI is added to the ou=example-people,dc=example,dc=com entry. From the Console, you can set this permission by doing the following: On the Directory tab, right click the example-people entry under the example.com node in the left navigation tree, and choose Set Access...
  • Page 244 Access Control Usage Examples At example.com, for example, there is an active social committee that is organized into various clubs: tennis, swimming, skiing, role-playing, etc. Any example.com employee can create a group entry representing a new club. This is illustrated in the ACI “Create Group”...
  • Page 245 Access Control Usage Examples Click OK to dismiss the Add Users and Groups dialog box. On the Rights tab, tick the checkbox for add. Make sure the other checkboxes are clear. On the Targets tab, click This Entry to display the ou=social committee, suffix in the target directory entry field.
  • Page 246: Granting Conditional Access To A Group Or Role

    Access Control Usage Examples Granting Conditional Access to a Group or Role In many cases, when you grant a group or role privileged access to the directory, you want to ensure that those privileges are protected from intruders trying to impersonate your privileged users.
  • Page 247 Access Control Usage Examples On the Users/Groups tab, in the ACI name field, type "HostedCompany1". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area to Users and Groups, and type DirectoryAdmin in the Search For field.
  • Page 248: Denying Access

    Access Control Usage Examples To enforce SSL authentication from HostedCompany1 administrators, switch to manual editing by clicking the Edit Manually button. Add the following to the end of the LDIF statement: and (authmethod="ssl") The LDIF statement should be similar to: aci: (targetattr = "*") (target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=co m") (version 3.0;...
  • Page 249 Access Control Usage Examples On the Users/Groups tab, in the ACI name field, type "Billing Info Read". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area in the Add Users and Groups dialog box to to Special Rights, and select Self from the Search results list.
  • Page 250 Access Control Usage Examples From the Console, you can set this permission by doing the following: On the Directory tab, right click the subscribers entry under the example.com node in the left navigation tree, and choose Set Access Permissions from the pop-up menu to display the Access Control Manager.
  • Page 251: Setting A Target Using Filtering

    Access Control Usage Examples Setting a Target Using Filtering If you want to set access controls that allow access to a number of entries that are spread across the directory, you may want to use a filter to set the target. Keep in mind that because search filters do not directly name the object for which you are managing access, it is easy to unintentionally allow or deny access to the wrong objects, especially as your directory becomes more complex.
  • Page 252: Defining Permissions For Dns That Contain A Comma

    Access Control Usage Examples On the Users/Groups tab, in the ACI name field, type "Group Members". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area in the Add Users and Groups dialog box to to Special Rights, and select All Authenticated Users from the Search results list.
  • Page 253: Proxied Authorization Aci Example

    Access Control Usage Examples Proxied Authorization ACI Example For this example, suppose: • The client application’s bind DN is "uid=MoneyWizAcctSoftware, ou=Applications,dc=example,dc=com" • The targeted subtree to which the client application is requesting access is ou=Accounting,dc=example,dc=com • An Accounting Administrator with access permissions to the subtree exists in the directory.
  • Page 254: Viewing The Acis For An Entry

    Viewing the ACIs for an Entry NOTE You cannot use the directory manager’s DN (Root DN) as a proxy DN. In addition, if Directory Server receives more than one proxied authentication control, an error is returned to the client application and the bind attempt is unsuccessful.
  • Page 255: Macro Aci Example

    Advanced Access Control: Using Macro ACIs Macro ACI Example The benefits of macro ACIs and how they work are best explained using an example. Figure 6-4 on page 256 shows a directory tree in which using macro ACIs is an effective way of reducing the overall number of ACIs. In this illustration, note the repeating pattern of subdomains with the same tree structure (ou=groups, ou=people).
  • Page 256: Figure 6-4 Example Directory Tree For Macro Acis

    Advanced Access Control: Using Macro ACIs Example directory tree for Macro ACIs Figure 6-4 The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1, dc=example,dc=com";) Netscape Directory Server Administrator’s Guide • August 2002...
  • Page 257: Macro Aci Syntax

    Advanced Access Control: Using Macro ACIs The following ACI is located on the dc=subdomain1,dc=hostedCompany1, node: dc=example,dc=com aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1, dc=hostedCompany1,dc=example,dc=com";) The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node: aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2, dc=example,dc=com";) The following ACI is located on the...
  • Page 258: Macro Matching For ($Dn)

    • [$dn] • ($attr.attrName), where attrName represents an attribute contained in the target entry. To simplify the discussion in this section, the ACI keywords used to provide bind credentials, such as userdn, roledn and groupdn, are collectively called...
  • Page 259: Macro Matching For [$Dn]

    aci: (target="ldap:///ou=*,($dn),dc=example,dc=com")(targetattr="*")(version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";) In this case, if the string matching ($dn) in the target is dc=subdomain1,dc=hostedCompany1, then the same string is used in the subject. The ACI above is expanded as follows: aci: (target="ldap:///ou=Groups,dc=subdomain1,dc=hostedCompany1,...
  • Page 260: Macro Matching For ($Attr.attrname)

    Replace [$dn] in the subject with dc=hostedCompany1. The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com". In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a member, the ACI is evaluated.
  • Page 261: Access Control And Replication

    In order to evaluate the roledn part of the ACI, the server looks at the attribute named by the macro (here ou) in the targeted entry, and uses the value of this attribute to expand the macro. Therefore, in the example, the roledn is expanded as follows: roledn = "ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,...
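The three macro substitutions above, implemented as an added example (not code from the guide) so the matching rules can be exercised against concrete DNs: ($dn) in the target captures the part of the entry DN between the wildcard prefix and the fixed suffix, [$dn] in the subject is tried with that string and then with its leftmost RDN removed one at a time, and ($attr.name) becomes name=value from the target entry. The group membership table, the user DNs and the rule that the first match walking up from the leaf is the one used are this example's assumptions.

```python
"""Macro ACI expansion: ($dn) in the target, [$dn] and ($attr.name) in the subject.
Added example, not code from the guide. Memberships below are constructed."""
import re


def split_dn(dn):
    """RDN components, leaf first; the ldap:/// prefix and spaces after commas are dropped."""
    return [c.strip() for c in dn.replace("ldap:///", "").split(",")]


def rdn_matches(pattern_rdn, rdn):
    """Match one RDN against a pattern RDN; a pattern value of '*' matches any value."""
    ptype, _, pval = pattern_rdn.partition("=")
    rtype, _, rval = rdn.partition("=")
    return ptype.lower() == rtype.lower() and (pval == "*" or pval.lower() == rval.lower())


def match_target(target, entry_dn):
    """String that ($dn) stands for when entry_dn lies under a target such as
    ou=*,($dn),dc=example,dc=com, or None when it does not.
    Assumption: the first match walking up from the leaf is used."""
    pat, ent = split_dn(target), split_dn(entry_dn)
    if "($dn)" not in pat:
        raise ValueError("target has no ($dn) macro")
    i = pat.index("($dn)")
    prefix, suffix = pat[:i], pat[i + 1:]
    if suffix and [c.lower() for c in ent[-len(suffix):]] != [c.lower() for c in suffix]:
        return None
    rest = ent[:len(ent) - len(suffix)]
    for start in range(len(rest) - len(prefix)):
        window, captured = rest[start:start + len(prefix)], rest[start + len(prefix):]
        if captured and all(rdn_matches(p, r) for p, r in zip(prefix, window)):
            return ",".join(captured)
    return None


def expand_subject(subject, captured, entry_attrs):
    """Candidate subjects to test, most specific first: ($dn) is replaced by the
    captured string, ($attr.name) by name=value from the target entry, and [$dn]
    is walked up one RDN at a time, as the guide describes."""
    subject = re.sub(r"\(\$attr\.(\w+)\)",
                     lambda m: "%s=%s" % (m.group(1), entry_attrs[m.group(1)]), subject)
    subject = subject.replace("($dn)", captured)
    if "[$dn]" not in subject:
        return [subject]
    parts = split_dn(captured)
    return [subject.replace("[$dn]", ",".join(parts[k:])) for k in range(len(parts))]


def evaluate(aci, entry_dn, entry_attrs, bind_dn, groups):
    """Rights the ACI grants bind_dn on entry_dn, or None. groups maps a group DN
    (written with the ldap:/// prefix, as in the ACI) to the set of member DNs."""
    captured = match_target(aci["target"], entry_dn)
    if captured is None:
        return None
    for group_dn in expand_subject(aci["groupdn"], captured, entry_attrs):
        if bind_dn in groups.get(group_dn, ()):
            return aci["rights"]
    return None


# The guide's macro ACI as a dict, plus constructed users and group memberships.
DOMAIN_ACI = {
    "target": "ldap:///ou=*,($dn),dc=example,dc=com",
    "rights": ("read", "search"),
    "groupdn": "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com",
}
ALICE = "uid=alice,ou=People,dc=hostedCompany1,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
GROUPS = {
    "ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com": {ALICE},
    "ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com": {BOB},
}
SUB_ENTRY = "cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
TOP_ENTRY = "uid=alice,ou=People,dc=hostedCompany1,dc=example,dc=com"

if __name__ == "__main__":
    print(match_target(DOMAIN_ACI["target"], SUB_ENTRY))       # dc=subdomain1,dc=hostedCompany1
    print(evaluate(DOMAIN_ACI, SUB_ENTRY, {}, ALICE, GROUPS))  # parent-domain admin reaches the subdomain
    print(evaluate(DOMAIN_ACI, TOP_ENTRY, {}, BOB, GROUPS))    # None: subdomain admin stays in its subdomain
    print(expand_subject("ldap:///cn=DomainAdmins,($attr.ou),dc=HostedCompany1,dc=example,dc=com",
                         "", {"ou": "Engineering"}))
```

The [$dn] walk is what makes a single ACI on the root grant each hosted company's DomainAdmins group access to its own subtree and every subtree beneath it, while a subdomain's DomainAdmins group never matches an entry above its subdomain.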
  • Page 262: Compatibility With Earlier Releases

    To set the error log level from the Console: On the Console, click the Directory tab, right-click the config node, and choose Properties from the pop-up menu. This displays the Property Editor for the cn=config entry. Scroll down the list of attribute-value pairs to locate the attribute.
  • Page 263: Chapter 7 User Account Management

    Chapter 7 User Account Management When a user connects to your Netscape Directory Server (Directory Server), first the user is authenticated. Then, the directory can grant access rights and resource limits to the user depending upon the identity established during authentication. This chapter describes tasks for user account management, including configuring the password and account lockout policy for your directory, denying groups of users access to the directory, and limiting system resources available to users...
  • Page 264: Configuring The Password Policy

    Managing the Password Policy: Once you have established a password policy for your directory, you can protect your user passwords from potential threats by configuring an account lockout policy. Account lockout protects against attackers who try to break into the directory by repeatedly guessing a user’s password.
  • Page 265 Managing the Password Policy Select the Passwords tab in the right pane. This tab contains the password policy for the Directory Server. You can specify that users must change their password the first time they log on by selecting the “User must change password after reset” checkbox. If you select this checkbox, only the Directory Manager is authorized to reset the user’s password (using the field described in step 9).
  • Page 266: Configuring The Password Policy Using The Command-Line

    When you have finished making changes to the password policy, click Save. Configuring the Password Policy Using the Command Line: This section describes the attributes you set to create a password policy for your server. Use ldapmodify to change these attributes in the cn=config entry.
  • Page 267: Table 7-1 Password Policy Attributes

    Table 7-1 Password Policy Attributes (Continued). passwordWarning: Indicates the number of seconds before expiry at which a warning message is sent to users whose password is about to expire. Depending on the LDAP client application, users may be prompted to change their password when the warning is sent.
  • Page 268: Setting User Passwords

    Table 7-1 Password Policy Attributes (Continued). passwordHistory: Indicates whether the directory stores a password history. When set to on, the directory stores the number of passwords you specify in the passwordInHistory attribute in a history. If a user attempts to reuse one of those passwords, the password is rejected.
  • Page 269: Configuring The Account Lockout Policy

    For information on creating and modifying directory entries, see Chapter 2, “Creating Directory Entries.” For information on inactivating user accounts, refer to “Inactivating Users and Roles,” on page 272. You can also use the Users and Groups area of the Netscape Administration Server or the Directory Server Gateway to set or reset user passwords.
  • Page 270: Configuring The Account Lockout Policy Using The Command Line

    Set the interval you want users to be locked out of the directory. Select the Lockout Forever radio button to lock users out until their passwords have been reset by the administrator. Set a specific lockout period by selecting the Lockout Duration radio button and entering the time (in minutes) in the text box.
  • Page 271: Managing The Password Policy In A Replicated Environment

    Table 7-2 Account Lockout Policy Attributes (Continued). passwordResetFailureCount: Specifies the time in seconds after which the password failure counter is reset. Each time an invalid password is sent from the user’s account, the password failure counter is incremented.
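The command-line password and lockout policy from Tables 7-1 and 7-2, as an added example (not code from the guide): it writes the ldapmodify change record for cn=config and models the failure counter so the interaction of passwordMaxFailure, passwordResetFailureCount and passwordLockoutDuration can be checked before the policy is deployed. The policy values are constructed; the attribute names beyond those quoted in the tables are assumed to be the Directory Server 6.x global policy attributes and should be confirmed against the Configuration, Command, and File Reference. The counter model reflects the table's description, not the server's code.

```python
"""Password and account lockout policy: ldapmodify input for cn=config and a
model of the lockout counter as Table 7-2 describes it. Added example, not code
from the guide; attribute names are assumed, values are constructed."""

INF = float("inf")

POLICY = {
    "passwordExp": "on",                # passwords expire ...
    "passwordMaxAge": 7776000,          # ... after 90 days (seconds)
    "passwordWarning": 604800,          # warn 7 days before expiry (Table 7-1)
    "passwordHistory": "on",            # keep a history (Table 7-1) ...
    "passwordInHistory": 6,             # ... of the last six passwords
    "passwordMinLength": 8,
    "passwordStorageScheme": "SSHA",    # salted SHA-1 rather than CLEAR or CRYPT
    "passwordLockout": "on",            # lock after repeated failures ...
    "passwordMaxFailure": 5,            # ... this many within the reset window
    "passwordResetFailureCount": 600,   # failure counter reset window (Table 7-2)
    "passwordUnlock": "on",             # off corresponds to "Lockout Forever"
    "passwordLockoutDuration": 1800,    # seconds locked when passwordUnlock is on
}


def policy_ldif(policy, entry_dn="cn=config"):
    """One ldapmodify change record that replaces each policy attribute."""
    lines = ["dn: %s" % entry_dn, "changetype: modify"]
    for i, (attr, value) in enumerate(policy.items()):
        if i:
            lines.append("-")
        lines += ["replace: %s" % attr, "%s: %s" % (attr, value)]
    return "\n".join(lines) + "\n"


class LockoutState:
    """Per-account failure counter and lock, driven by the policy values."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = 0
        self.window_start = None
        self.locked_until = None

    def attempt(self, password_ok, now):
        """Record a bind attempt at time `now` (seconds); returns 'ok', 'invalid' or 'locked'."""
        p = self.policy
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failures = None, 0    # lockout duration has elapsed
        if password_ok:
            self.failures = 0
            return "ok"
        if p["passwordLockout"] != "on":
            return "invalid"
        # Each invalid password increments the counter; the counter is reset once
        # passwordResetFailureCount seconds have passed since it started counting.
        if self.failures and now - self.window_start >= p["passwordResetFailureCount"]:
            self.failures = 0
        if self.failures == 0:
            self.window_start = now
        self.failures += 1
        if self.failures >= p["passwordMaxFailure"]:
            duration = p["passwordLockoutDuration"] if p["passwordUnlock"] == "on" else INF
            self.locked_until = now + duration
        return "invalid"


if __name__ == "__main__":
    print(policy_ldif(POLICY))
    s = LockoutState(POLICY)
    print([s.attempt(False, t) for t in range(5)], s.attempt(True, 5))   # locked after 5 failures
```

Run the model with your intended values before committing them: a short passwordResetFailureCount with a high passwordMaxFailure lets a slow guessing attack stay under the threshold indefinitely, while passwordUnlock off turns any guessing attempt into a denial of service against the targeted account.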
  • Page 272: Inactivating Users And Roles

    When configuring a password policy in a replicated environment, consider the following points: • Warnings from the server of an impending password expiration are issued by all replicas. This information is kept locally on each server, so if a user binds to several replicas in turn, they are issued the same warning several times.
  • Page 273: Inactivating User And Roles Using The Console

    • Activating User and Roles Using the Command Line. CAUTION: You cannot inactivate the root entry (the entry corresponding to the root or sub suffix) of a database. For more information on creating the entry for a root or sub suffix, refer to Chapter 2, “Creating Directory Entries”...
  • Page 274: Activating User And Roles Using The Console

    Options for ns-inactivate.pl (Option Name / Description): -D, the DN of the directory administrator; -w, the password of the directory administrator; -p, the port used by the server; -h, the name of the server on which the directory resides; -I, the DN of the user account or role you want to inactivate. For more information about running the ns-inactivate.pl script, refer to...
  • Page 275: Activating User And Roles Using The Command Line

    Activating Users and Roles Using the Command Line: To activate a user account, use the ns-activate.pl script. The following example describes using the ns-activate.pl script to activate Joe Frasier’s user account: ns-activate.pl -D "Directory Manager" -w secretpwd -p 389 -h example.com -I "uid=jfrasier,ou=people,dc=example,dc=com"...
  • Page 276: Setting Resource Limits Using The Console

    Setting Resource Limits Based on the Bind DN. NOTE: The Directory Manager receives unlimited resources by default. The resource limits you set for a client application’s bind DN take precedence over the default resource limits set in the global server configuration. This section gives procedures for the following: •...
  • Page 277 Setting Resource Limits Based on the Bind DN (Attribute / Description): nsSizeLimit specifies the maximum number of entries the server returns to a client application in response to a search operation; a value of -1 indicates that there is no limit. nsTimeLimit specifies the maximum time the server spends processing a search operation.
  • Page 278 Setting Resource Limits Based on the Bind DN
  • Page 279: Chapter 8 Managing Replication

    Chapter 8 Managing Replication Replication is the mechanism by which directory data is automatically copied from one Netscape Directory Server (Directory Server) to another; it is an important mechanism for extending your directory service beyond a single server configuration. This chapter describes the tasks to be performed on the supplier servers and the consumer servers to set up single master replication, multi-master replication, and cascading replication.
  • Page 280: Replication Overview

    Replication Overview • Troubleshooting Replication-Related Problems (page 330) For conceptual information on how you can use replication in your directory deployment, see the Netscape Directory Server Deployment Guide. Replication Overview Replication is the mechanism by which directory data is automatically copied from one Directory Server to another.
  • Page 281: Change Log

    Replication Overview • In the case of cascading replication, the hub supplier holds a read-only replica that it supplies to consumers. For more information, refer to “Cascading Replication,” on page 287. • In the case of multi-master replication, both masters are suppliers and consumers for the same read-write replica.
  • Page 282: Replication Identity

    The replication mechanism also requires that one database correspond to one suffix. This means that you cannot replicate a suffix (or namespace) that is distributed over two or more databases using custom distribution logic. For more information on this topic, refer to “Creating and Maintaining Databases.” Replication Identity: When replication occurs between two servers, the replication process uses a special entry, often referred to as the Replication Manager entry, to identify replication...
  • Page 283: Replication Agreement

    Replication Overview Replication Agreement Directory Servers use replication agreements to define their replication configuration. A replication agreement describes replication between one supplier and one consumer only. The agreement is configured on the supplier server. It specifies: • The database to be replicated •...
  • Page 284: Replication Scenarios

    Replication Scenarios: This section describes the most commonly used replication scenarios: • Single-Master Replication • Multi-Master Replication • Cascading Replication. You can combine these basic scenarios to build the replication environment that best suits your needs. NOTE: Whatever replication scenario you choose to implement, remember to consider schema replication.
  • Page 285: Multi-Master Replication

    Figure 8-1 Single-Master Replication. In this particular configuration the suffix ou=people,dc=example,dc=com receives a large number of search requests. Therefore, to distribute the load, this tree, which is mastered on Server A, is replicated to two read-only replicas located on Server B and Server C.
  • Page 286: Figure 8-2 Multi-Master Replication

    Replication Scenarios This type of configuration can work with any number of consumer servers. Each consumer server holds a read-only replica. The consumers can receive updates from both suppliers. The consumers also have referrals defined for both suppliers which are used to forward any update requests that they receive. Such scenarios are called multi-master configurations.
  • Page 287: Cascading Replication

    Replication Scenarios For information on setting up multi-master replication with two supplier servers and two consumer servers, refer to “Configuring Multi-Master Replication,” on page 300. Cascading Replication In a cascading replication scenario, one server, often called a hub supplier, acts both as a consumer and a supplier for a particular replica.
  • Page 288: Figure 8-3 Cascading Replication

    Figure 8-3 Cascading Replication. For information on setting up cascading replication, refer to “Configuring Cascading Replication,” on page 305. NOTE: You can combine multi-master and cascading replication. For example, in the multi-master scenario illustrated in Figure 8-2 on page 286, Server C and Server D could be hub suppliers that replicate to any number of consumer servers.
  • Page 289: Summary Of Steps For Complex Replication Configurations

    Summary of Steps for Complex Replication Configurations: If you are configuring replication for a large number of servers, and your configuration is relatively complex, for reasons of efficiency you should proceed in the following order. On all consumer servers: (1) create the replica databases; (2) create the Replication Manager or supplier bind DN entry...
  • Page 290: Detailed Replication Tasks

    Detailed Replication Tasks NOTE It is very important to create and configure all replicas before you attempt to create a replication agreement. This also means that when you create the replication agreement, you can choose to initialize consumers immediately. Detailed Replication Tasks This section contains a description of the tasks you need to perform to configure replication.
  • Page 291: Configuring Supplier Settings

    For example, you could create an entry cn=Replication Manager,cn=config under the cn=config tree on the consumer server. This would be the supplier bind DN that all suppliers would use to bind to the consumer to perform replication operations.
  • Page 292: Configuring A Read-Write Replica

    To configure supplier settings: In the Directory Server Console, click the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,” on page 32. In the left navigation tree, highlight the Replication node. In the right navigation window, click the Supplier Settings tab.
  • Page 293: Configuring A Read-Only Replica

    In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). The replica ID must be unique for a given suffix. Make sure you specify an ID that is different from the IDs used for read-write replicas on this server and on other servers.
  • Page 294: Configuring A Hub Supplier

    Click Add. Your supplier bind DN appears in the Current Supplier DNs or entry DNs to which the supplier’s certificate is mapped field directly above. Repeat the operation for every supplier bind DN you want to include in the list.
  • Page 295: Creating A Replication Agreement

    In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). You must specify the same replica ID as for the read-write replica that supplies updates to this replica. The replica ID must be unique for a given suffix. In the Common Settings section, specify a purge delay in the Purge delay field.
  • Page 296: Configuring Single-Master Replication

    Configuring Single-Master Replication. To create a replication agreement: On the Directory Server Console, click the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,” on page 32. In the navigation tree, expand the Replication folder, right-click the database to replicate, and select New Replication Agreement.
  • Page 297 Configuring Single-Master Replication Create the entry corresponding to the supplier bind DN on the consumer server, if it does not exist. This is the special entry that the supplier will use to bind. In the Directory Server Console, click the Directory tab, and create an entry.
  • Page 298: Configuring The Read-Write Replica On The Supplier Server

    Click Add. Your supplier bind DN appears in the Current Supplier DNs or entry DNs to which the supplier’s certificate is mapped field directly above. Repeat the operation for every supplier bind DN you want to include in the list.
  • Page 299 Configuring Single-Master Replication Set the change log parameters (number and age). You must clear the unlimited checkboxes if you want to specify different values. Click Save to save the supplier settings. Specify the replication settings required for a read-write replica. In the navigation tree on the Configuration tab, expand the Replication node and highlight the database to replicate.
  • Page 300: Initializing The Replicas For Single-Master Replication

    Initializing the Replicas for Single-Master Replication: You can initialize the read-only replicas from the Replication Agreement Wizard, or at any time afterwards. For information on initializing read-only replicas, refer to “Initializing Consumers,” on page 313. When you have finished, the replication agreement is set up. Configuring Multi-Master Replication: This section provides information on configuring multi-master replication.
  • Page 301 Configuring Multi-Master Replication Specify a userPassword attribute-value pair. If you have enabled the password expiration policy, or intend to do so in the future, you must remember to disable it for this entry to prevent replication from failing because its password has expired. To disable the password expiration policy on this entry’s userPassword attribute, add the...
  • Page 302: Configuring The Read-Write Replicas On The Supplier Servers

    Repeat the operation for every supplier bind DN you want to include in the list. Click Save when you have finished. This supplier bind DN should correspond to the entry created in Step 2. Note that the supplier bind DN corresponds to a privileged user, because it is not subject to access control; protect its password as you would the Directory Manager’s.
  • Page 303 Configuring Multi-Master Replication Set the change log parameters (number and age). You must clear the unlimited checkboxes if you want to specify different values. Click Save to save the supplier settings. Create the entry corresponding to the supplier bind DN, if it does not exist. For multi-master replication, it is necessary to create this supplier bind DN on the supplier servers (as well as the consumers), because they act as both consumer and supplier to the other supplier servers.
  • Page 304 Configuring Multi-Master Replication In the Common Settings section specify a purge delay in the Purge delay field. This option indicates how often the state information stored in the replicated entries is purged. In the Replica Update Settings section, specify the supplier bind DN or entry DN that the supplier will use to bind to the replica.
  • Page 305: Initializing The Replicas For Multi-Master Replication

    • One with supplier Server A, where A is declared as a consumer for the replica. During this operation, do not initialize Server A from Server B if you have already initialized Server B from Server A in Step 4. • One for each consumer, Server C and Server D.
  • Page 306: Configuring The Read-Only Replica On The Consumer Server

    Configuring Cascading Replication To set up cascading replication such as the configuration shown in Figure 8-3 on page 288, between the supplier on Server A that holds a read-write replica, the consumer/supplier on Hub Server B that holds a read-only replica, and the consumer on Server C that holds a read-only replica, you need to perform the following procedures: •...
  • Page 307 Configuring Cascading Replication In the Replica Update Settings section, specify the bind DN or entry DN that the supplier will use to bind to the replica. You can now specify multiple supplier bind DNs per replica, but only one supplier DN per replication agreement.
  • Page 308: Configuring The Read-Only Replica On The Hub Supplier

    When you have configured the replicas on each server, and the necessary replication agreements between servers, you can initialize the read-only replicas on the hub supplier and on the consumer. You can perform this task from the Replication Agreement Wizard while you are configuring the supplier server and the hub supplier server, or at any time afterwards.
  • Page 309 Configuring Cascading Replication In the Common Settings section, specify a Replica ID (an integer between 1 and 254 inclusive). You must specify the same replica ID as for the read-write replica that supplies updates to this replica. The replica ID must be unique for a given suffix.
  • Page 310: Configuring The Read-Write Replica On The Supplier Server

    Configuring the Read-Write Replica on the Supplier Server: Perform these steps on the supplier server that holds the original copy of the database: Specify the supplier settings for the server. In the Directory Server Console, click the Configuration tab. In the navigation tree, highlight the Replication node.
  • Page 311: Initializing The Replicas For Cascading Replication

    Making a Replica Updatable In the Common Settings section specify a purge delay in the Purge delay field. This option indicates how often the state information stored in the replicated entries is purged. Click Save to save the replication settings for the database. Initializing the Replicas for Cascading Replication In the case of cascading replication, you should initialize replicas in the following...
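The replica and agreement configuration from the single-master, multi-master and cascading procedures above, expressed as ldapmodify input by an added example (not code from the guide). It writes the Replication Manager entry that every supplier binds as, the replica entry for each role (read-write master, hub, consumer), one replication agreement, and checks the replica ID rules stated in the procedures before anything is sent to a server. The host names, agreement names and topology are constructed; the nsDS5* attribute names, the nsDS5ReplicaType and nsDS5Flags values, and passwordExpirationTime as the way to stop the Replication Manager password from expiring are this example's assumptions about the Directory Server 6.x configuration and should be confirmed against the Configuration, Command, and File Reference. The refusal to write a simple bind over a cleartext transport is this example's own rule.

```python
"""Replication configuration as ldapmodify input, with the replica ID checks from
the procedures. Added example, not code from the guide; attribute names assumed."""

SUFFIX = "dc=example,dc=com"
REPL_MGR = "cn=Replication Manager,cn=config"     # supplier bind DN suggested by the guide


def replication_manager_ldif(password):
    """Entry every supplier binds as. Assumption: passwordExpirationTime far in the
    future is what keeps this password from expiring under the password policy."""
    return "\n".join([
        "dn: %s" % REPL_MGR, "changetype: add",
        "objectclass: top", "objectclass: person",
        "cn: Replication Manager", "sn: Replication Manager",
        "userPassword: %s" % password,
        "passwordExpirationTime: 20380119031407Z",
    ]) + "\n"


def replica_ldif(role, replica_id, bind_dn=REPL_MGR, purge_delay=604800):
    """Replica entry for a master (read-write), hub or consumer (read-only)."""
    return "\n".join([
        'dn: cn=replica,cn="%s",cn=mapping tree,cn=config' % SUFFIX, "changetype: add",
        "objectclass: top", "objectclass: nsDS5Replica",
        "nsDS5ReplicaRoot: %s" % SUFFIX,
        "nsDS5ReplicaId: %d" % replica_id,
        "nsDS5ReplicaType: %d" % (3 if role == "master" else 2),   # 3 read-write, 2 read-only
        "nsDS5Flags: %d" % (0 if role == "consumer" else 1),       # 1 = keeps a change log
        "nsDS5ReplicaBindDN: %s" % bind_dn,
        "nsDS5ReplicaPurgeDelay: %d" % purge_delay,
    ]) + "\n"


def agreement_ldif(name, host, port, transport="SSL", bind_method="SSLCLIENTAUTH",
                   bind_dn=REPL_MGR, credentials=None):
    """Agreement on the supplier for one consumer. SIMPLE (DN and password) is
    only written over SSL, since the password travels in the bind."""
    if bind_method == "SIMPLE" and transport != "SSL":
        raise ValueError("SIMPLE bind over cleartext LDAP would expose the Replication Manager password")
    lines = [
        'dn: cn=%s,cn=replica,cn="%s",cn=mapping tree,cn=config' % (name, SUFFIX), "changetype: add",
        "objectclass: top", "objectclass: nsDS5ReplicationAgreement",
        "cn: %s" % name, "nsDS5ReplicaRoot: %s" % SUFFIX,
        "nsDS5ReplicaHost: %s" % host, "nsDS5ReplicaPort: %d" % port,
        "nsDS5ReplicaTransportInfo: %s" % transport,     # LDAP or SSL
        "nsDS5ReplicaBindMethod: %s" % bind_method,      # SIMPLE or SSLCLIENTAUTH
        "nsDS5ReplicaBindDN: %s" % bind_dn,
    ]
    if bind_method == "SIMPLE":
        lines.append("nsDS5ReplicaCredentials: %s" % credentials)
    return "\n".join(lines) + "\n"


# Constructed topology: two masters, a hub fed by serverA, a consumer fed by the hub.
TOPOLOGY = {
    "serverA":   {"role": "master",   "replica_id": 1, "feeds": ["serverB", "hubC"]},
    "serverB":   {"role": "master",   "replica_id": 2, "feeds": ["serverA"]},
    "hubC":      {"role": "hub",      "replica_id": 1, "feeds": ["consumerD"]},
    "consumerD": {"role": "consumer", "replica_id": 1, "feeds": []},
}


def supplying_masters(name, topo, seen=()):
    """Read-write replicas at the top of the chain that feeds `name`."""
    masters = set()
    for sup, s in topo.items():
        if name in s["feeds"] and sup not in seen:
            if s["role"] == "master":
                masters.add(sup)
            else:
                masters |= supplying_masters(sup, topo, seen + (sup,))
    return masters


def check_replica_ids(topo):
    """Violations of the rules in the procedures: IDs in 1..254, unique among the
    read-write replicas of the suffix, and each read-only replica carrying the ID
    of the read-write replica that supplies it."""
    problems = []
    rw_ids = [s["replica_id"] for s in topo.values() if s["role"] == "master"]
    if len(set(rw_ids)) != len(rw_ids):
        problems.append("read-write replica IDs are not unique for %s" % SUFFIX)
    for name, s in topo.items():
        rid = s["replica_id"]
        if not 1 <= rid <= 254:
            problems.append("%s: replica ID %d is outside 1..254" % (name, rid))
        elif s["role"] != "master":
            wanted = {topo[m]["replica_id"] for m in supplying_masters(name, topo)}
            if rid not in wanted:
                problems.append("%s: read-only replica ID %d, supplier uses %s" % (name, rid, sorted(wanted)))
    return problems


if __name__ == "__main__":
    print(check_replica_ids(TOPOLOGY))                      # [] when the IDs are consistent
    print(replication_manager_ldif("change-me"))
    print(replica_ldif("hub", 1))
    print(agreement_ldif("to consumerD", "consumerd.example.com", 636))
```

Create the Replication Manager entry on every server that accepts updates (consumers, hubs, and each master in a multi-master pair) before creating the agreements, in the order the summary of steps gives.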
  • Page 312: Deleting The Change Log

    Deleting the Change Log: The change log is a record of all modifications on a given replica that the supplier uses to replay these modifications to replicas on consumer servers (or on other masters in the case of multi-master replication). In the event of a supplier server going offline, it is important to be able to delete the change log, because it no longer holds a true record of all modifications and, as a result, should not be used as a basis for replication.
  • Page 313: Moving The Change Log To A New Location

    Initializing Consumers Moving the Change Log to a New Location To delete the change log while the server is still running and continuing to log changes, you simply move the change log to a new location. By moving the change log, a new change log is created in the directory you specify, and the old change log is deleted.
  • Page 314: Online Consumer Initialization Using The Console

    Manual consumer initialization using the command line is a more effective method of initializing a large number of consumers from a single LDIF file. Online Consumer Initialization Using the Console: Online consumer initialization using the Console is the easiest way to initialize or reinitialize a consumer.
  • Page 315: Manual Consumer Initialization Using The Command Line

    To update this window, right-click the replicated database icon in the navigation tree, and choose Refresh Replication Agreements. When online consumer initialization finishes, the status changes to reflect this. For more information about monitoring replication and initialization status, see “Monitoring Replication Status,”...
  • Page 316: Exporting A Replica To Ldif

    Forcing Replication Updates Exporting a Replica to LDIF You can convert the replica to LDIF using one of the following three procedures: When you create a replication agreement by selecting “Create consumer initialization file” in the Initialize Consumer dialog box of the Replication Wizard.
  • Page 317: Forcing Replication Updates From The Console

    Note that if you have configured replication agreements to always keep the supplier server and the consumer server in sync, this is not sufficient to bring a server that has been offline for over five minutes back up to date. The reason is that with the “Always Keep in Sync”...
  • Page 318 Forcing Replication Updates You can copy this example and give it a meaningful name, for example, replicate_now.sh. You must provide actual values for the variables listed in Code Example 8-1. NOTE: You must run this script manually, as it cannot be configured to run automatically as soon as the server that was offline comes back online.
  • Page 319: Table 8-1 Replicate_Now Variables

    Code Example 8-1 Replicate_Now Script Example (Continued): /^nsds5ReplicaUpdateSchedule: / { s = 1; print $0; } /^$/ { if ( s == 1 ) { print "-"; print ""; } else { print "nsds5ReplicaUpdateSchedule: 0000-2359 0123456"; print "-"...
  • Page 320: Replication Over Ssl

    If you want the update operation to occur over an SSL connection, you must modify the ldapmodify command in the script with the appropriate parameters and values. For more information on the ldapmodify command, refer to “Managing Entries From the Command Line,” on page 54 and the Netscape Directory Server Configuration, Command, and File Reference.
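The transformation that the replicate_now script performs with awk, as an added Python example (not the guide's shell script): it reads the ldapsearch output for one replication agreement, saves the current nsds5ReplicaUpdateSchedule, and produces two ldapmodify change records, one that sets the schedule to "always" (0000-2359 0123456) to trigger an immediate update and one that puts the saved schedule back afterwards. Like the awk in Code Example 8-1, it writes the "always" value when the agreement had no schedule. The sample search output is constructed and includes a folded line, which real ldapsearch output produces for long DNs.

```python
"""Forcing a replication update: build the two ldapmodify records the
replicate_now script derives from ldapsearch output. Added example, not the
guide's script; the sample search output is constructed."""

ALWAYS = "0000-2359 0123456"     # every minute (0000-2359) of every day (Sunday=0 .. Saturday=6)
SCHEDULE_ATTR = "nsds5ReplicaUpdateSchedule"


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_agreement(ldif_text):
    """(agreement DN, saved schedule values) from the search output for one agreement."""
    dn, schedule = None, []
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        if attr.lower() == "dn" and dn is None:
            dn = value
        elif attr.lower() == SCHEDULE_ATTR.lower():
            schedule.append(value)
    if dn is None:
        raise ValueError("no agreement entry found in the search output")
    return dn, schedule


def schedule_modify(dn, values):
    """Change record replacing the schedule; an agreement that had no schedule
    gets the "always" value written, as the awk in Code Example 8-1 does."""
    lines = ["dn: %s" % dn, "changetype: modify", "replace: %s" % SCHEDULE_ATTR]
    lines += ["%s: %s" % (SCHEDULE_ATTR, v) for v in (values or [ALWAYS])]
    return "\n".join(lines + ["-", ""]) + "\n"


def force_and_restore(ldif_text):
    """Two change records: apply the first to replicate now, the second afterwards."""
    dn, saved = parse_agreement(ldif_text)
    return schedule_modify(dn, [ALWAYS]), schedule_modify(dn, saved)


SAMPLE = """\
dn: cn=agreement to consumer1,cn=replica,cn="dc=example,dc=com",cn=mapping tree
 ,cn=config
nsds5ReplicaUpdateSchedule: 0000-0100 06
"""

if __name__ == "__main__":
    force, restore = force_and_restore(SAMPLE)
    print(force)
    print(restore)
```

Feed each record to ldapmodify against the supplier (with the SSL parameters if the agreement is managed over SSL); wait for the agreement status to show the consumer caught up before applying the restore record, otherwise the original schedule takes effect before the update has run.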
  • Page 321: Configuring Replication Over Ssl Using The Replication Wizard

    Configuring Replication Over SSL Using the Replication Wizard: On the Directory Server Console of the supplier server, click the Configuration tab, expand the Replication folder and select the database that you want to replicate. Right-click the database, and choose New Replication Agreement from the drop-down menu.
  • Page 322: Replication With Earlier Releases

    Select “SSL Client Authentication” or “Simple Authentication.” If you select SSL Client Authentication, the supplier and consumer servers use certificates to authenticate to each other. If you select Simple Authentication, the supplier and consumer servers use a bind DN and password to authenticate to each other; the supplier sends that password in its bind, so it is protected only by the SSL session.
  • Page 323: Configuring Directory Server As A Consumer Of A Legacy Directory Server

    Configuring Directory Server as a Consumer of a Legacy Directory Server: If you intend to use your Directory Server as a consumer of an earlier release of Directory Server, you must configure it as follows: On the Directory Server Console, click the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console,”...
  • Page 324: Using The Retro Change Log Plug-In

    Using the Retro Change Log Plug-In NOTE The Directory Server Console will not prevent you from configuring a database as a read-write replica and enabling legacy consumer settings. This makes migration easier because you can configure your Directory Server as you want it to be after the migration, and activate legacy consumer settings just for the duration of the transition.
  • Page 325: Enabling The Retro Change Log Plug-In

    Table 8-2 Attributes of a Retro Change Log Entry (Continued). changes: For add and modify operations, contains the changes made to the entry, in LDIF format. newRDN: In the case of modrdn operations, specifies the new RDN of the entry.
  • Page 326: Trimming The Retro Change Log

    Restart the server. For information on restarting the server, refer to “Starting and Stopping the Directory Server,” on page 35. The retro change log is created in the directory tree under a special suffix, cn=changelog. The procedure for enabling the retro change log plug-in from the Directory Server Console is the same as for all Directory Server plug-ins.
  • Page 327: Retro Change Log And The Access Control Policy

    As a general rule, you should not perform add or modify operations on the retro change log entries, although you can delete entries to trim the size of the change log. The only time you will need to perform a modify operation on the retro change log is to modify the default access control policy.
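Because the retro change log records every write with its target DN and the LDIF of the change, it doubles as an audit feed. The following added example (not code from the guide) reads entries under cn=changelog as ldapsearch returns them, using the attribute names of Table 8-2, flags changes that touch security-relevant attributes such as userPassword or aci, and produces the delete records that trim entries below a given change number, the one kind of modification the section allows. The sample entries, the object class name and the list of sensitive attributes are this example's constructions.

```python
"""Retro change log as an audit feed: parse cn=changelog entries, flag sensitive
changes, and emit delete records to trim old entries. Added example, not code from
the guide; the sample entries and the sensitive-attribute list are constructed."""
import base64

SENSITIVE = {"userpassword", "aci", "nsroledn", "uniquemember", "member", "nsds5replicabinddn"}


def parse_ldif_entries(text):
    """Entries as {attribute(lowercase): [values]}; handles folded lines and :: base64."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries, current = [], {}
    for line in folded + [""]:
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                          # base64 encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def touched_attributes(changes, changetype):
    """Attributes a change record touches: all of them for an add, otherwise the
    ones named by add:/replace:/delete: lines of the modify."""
    names = set()
    for line in changes.splitlines():
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if changetype == "add":
            names.add(attr.strip().lower())
        elif attr in ("add", "replace", "delete"):
            names.add(rest.strip().lower())
    return names


def audit(entries):
    """(changenumber, targetdn, changetype, sensitive attributes) per flagged change."""
    flagged = []
    for e in entries:
        if "changenumber" not in e:
            continue
        ctype = e["changetype"][0]
        touched = set()
        for changes in e.get("changes", []):
            touched |= touched_attributes(changes, ctype)
        hits = sorted(touched & SENSITIVE)
        if hits:
            flagged.append((int(e["changenumber"][0]), e["targetdn"][0], ctype, hits))
    return flagged


def trim_ldif(entries, keep_from):
    """Delete records for change log entries numbered below keep_from."""
    return "\n".join("dn: %s\nchangetype: delete\n" % e["dn"][0] for e in entries
                     if "changenumber" in e and int(e["changenumber"][0]) < keep_from)


def sample_changelog():
    """Three constructed entries, as ldapsearch -b cn=changelog would show them."""
    pw_change = base64.b64encode(b"replace: userPassword\nuserPassword: {SSHA}c29tZWhhc2g=\n-\n").decode()
    new_user = base64.b64encode(b"objectclass: inetorgperson\nuid: newuser\nuserPassword: {SSHA}aGFzaA==\n").decode()
    return (
        "dn: changenumber=42,cn=changelog\nobjectclass: top\nobjectclass: changelogentry\n"
        "changenumber: 42\ntargetdn: uid=jfrasier,ou=people,dc=example,dc=com\n"
        "changetype: modify\nchanges:: %s\nchangetime: 20020801120000Z\n\n" % pw_change +
        "dn: changenumber=43,cn=changelog\nobjectclass: top\nobjectclass: changelogentry\n"
        "changenumber: 43\ntargetdn: uid=jfrasier,ou=people,dc=example,dc=com\n"
        "changetype: modrdn\nnewrdn: uid=jfrazier\ndeleteoldrdn: 1\nchangetime: 20020801120500Z\n\n"
        "dn: changenumber=44,cn=changelog\nobjectclass: top\nobjectclass: changelogentry\n"
        "changenumber: 44\ntargetdn: uid=newuser,ou=people,dc=example,dc=com\n"
        "changetype: add\nchanges:: %s\nchangetime: 20020801121000Z\n" % new_user
    )


if __name__ == "__main__":
    entries = parse_ldif_entries(sample_changelog())
    for hit in audit(entries):
        print(hit)
    print(trim_ldif(entries, 44))
```

Whoever can read cn=changelog can read every password hash and ACI written since the log was enabled, which is why the default access control policy on it is the one modification worth making.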
  • Page 328: Monitoring Replication Status From Administration Express

    Select the Status tab, and then in the left navigation tree, select Replication Status. In the right pane, a table appears that contains information about each of the replication agreements configured for this server. Click Refresh to update the contents of the tab. The status information displayed is described in Table 8-3.
  • Page 329 Monitoring Replication Status The template-repl-monitor.pl script, which is explained in detail in the Netscape Directory Server Configuration, Command, and File Reference, enables you to monitor replication status to a greater extent by providing these functionalities: • Lists, for each master replica on each Directory Server discovered, the server URL or alias, replica ID, replica root, and maximum change sequence number (maxcsn) •...
  • Page 330: Solving Common Replication Conflicts

    In the “Configuration file” field, type the path to the configuration file you created in Step 1 and click OK. The replication-status page appears; by default, the page is refreshed every 300 seconds. Solving Common Replication Conflicts: Multi-master replication uses a loose consistency replication model.
  • Page 331: Solving Naming Conflicts

    Solving Naming Conflicts: When two entries are created with the same DN on different servers, during replication the automatic conflict resolution procedure renames the last entry created by including the entry’s unique identifier in the DN. Every directory entry includes a unique identifier given by the operational attribute nsuniqueid.
  • Page 332: Renaming An Entry With A Single-Valued Naming Attribute

    NOTE: You cannot delete the nsuniqueid unique identifier attribute. For more information on the ldapmodify command, refer to “Managing Entries From the Command Line,” on page 54 and the Netscape Directory Server Configuration, Command, and File Reference. Renaming an Entry with a Single-Valued Naming Attribute: To rename an entry that has a single-valued naming attribute: Rename the entry using a different naming attribute, and keep the old RDN.
  • Page 333: Solving Orphan Entry Conflicts

    Rename the entry with the intended attribute-value pair. For example: prompt% ldapmodify -D adminDN -w passwd >dn: cn=TempValue,dc=example,dc=com >changetype: modrdn >newrdn: dc=NewValue >deleteoldrdn: 1 By setting the value of deleteoldrdn to 1, you delete the temporary attribute-value pair cn=TempValue.
  • Page 334: Solving Potential Interoperability Problems

    Solving Potential Interoperability Problems: For reasons of interoperability with applications that rely on attribute uniqueness, such as a mail server, you might need to restrict access to the entries which contain the nsds5ReplConflict attribute. If you do not restrict access to these entries, then applications requiring one attribute value only will pick up both the original entry and the conflict resolution entry containing the...
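The naming-conflict handling from the preceding pages as an added example (not code from the guide): it recognises the renamed conflict entry in an ldapsearch dump, generates the three ldapmodify records for the single-valued rename (temporary RDN with deleteoldrdn 0, replace of the naming attribute, rename back with deleteoldrdn 1), and writes the ACI that hides entries carrying nsds5ReplConflict from an application that expects unique values. The sample dump, the nsuniqueid value and the application DN are constructed; the conflict RDN form nsuniqueid=<id>+<original RDN> is assumed from the guide's description of the renaming.

```python
"""Replication naming conflicts: find conflict entries, build the three-step
rename for a single-valued naming attribute, and hide conflict entries from an
application. Added example, not code from the guide; samples are constructed."""
import re

CONFLICT_RDN = re.compile(r"^nsuniqueid=([0-9a-fA-F-]+)\+(.+)$")   # assumed conflict RDN form


def parse_conflict_dn(dn):
    """(nsuniqueid, original RDN, parent DN) for a conflict entry, else None."""
    rdn, _, parent = dn.partition(",")
    m = CONFLICT_RDN.match(rdn)
    return (m.group(1), m.group(2), parent) if m else None


def change_record(dn, changetype, body):
    return "\n".join(["dn: %s" % dn, "changetype: %s" % changetype] + body) + "\n\n"


def rename_single_valued(conflict_dn, new_value, temp_rdn="cn=TempValue"):
    """The guide's steps for a single-valued naming attribute:
    1. move the entry to a temporary RDN and keep the old one (deleteoldrdn: 0),
    2. set the naming attribute to its intended, unique value,
    3. rename to that value and drop the temporary RDN (deleteoldrdn: 1)."""
    parsed = parse_conflict_dn(conflict_dn)
    if parsed is None:
        raise ValueError("%s is not a conflict entry" % conflict_dn)
    _, original_rdn, parent = parsed
    attr = original_rdn.partition("=")[0]
    temp_dn = "%s,%s" % (temp_rdn, parent)
    return (change_record(conflict_dn, "modrdn", ["newrdn: %s" % temp_rdn, "deleteoldrdn: 0"])
            + change_record(temp_dn, "modify", ["replace: %s" % attr, "%s: %s" % (attr, new_value)])
            + change_record(temp_dn, "modrdn", ["newrdn: %s=%s" % (attr, new_value), "deleteoldrdn: 1"]))


def hide_conflicts_aci(app_dn):
    """Deny read and search on entries carrying nsds5ReplConflict to one application,
    so it sees only the original entry (Solving Potential Interoperability Problems)."""
    return ('(targetfilter="(nsds5ReplConflict=*)")(targetattr="*")'
            '(version 3.0; acl "hide conflict entries"; deny (read,search) userdn="ldap:///%s";)'
            % app_dn)


def find_conflicts(ldif_text):
    """DNs of conflict entries in an ldapsearch dump."""
    return [line[4:] for line in ldif_text.splitlines()
            if line.startswith("dn: ") and parse_conflict_dn(line[4:])]


SAMPLE_DUMP = """\
dn: dc=pubs,dc=example,dc=com
objectclass: domain
dc: pubs

dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+dc=pubs,dc=example,dc=com
objectclass: domain
dc: pubs
nsds5ReplConflict: namingConflict dc=pubs,dc=example,dc=com
"""

if __name__ == "__main__":
    for dn in find_conflicts(SAMPLE_DUMP):
        print(rename_single_valued(dn, "pubs2"))
    print(hide_conflicts_aci("uid=mailserver,ou=Applications,dc=example,dc=com"))
```

Search with the filter (nsds5ReplConflict=*) on each master to find the conflicts to resolve; the deny ACI is a stop-gap for the application while that is done, not a substitute for resolving them.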
  • Page 335: Troubleshooting Replication-Related Problems

    Troubleshooting Replication-Related Problems: The template-cl-dump.pl script, which is explained in detail in the Netscape Directory Server Configuration, Command, and File Reference, enables you to troubleshoot replication-related problems. Depending on the usage options, the script can selectively dump a particular replica: •...
  • Page 336 Troubleshooting Replication-Related Problems
  • Page 337: Chapter 9 Extending The Directory Schema

    Chapter 9 Extending the Directory Schema Netscape Directory Server (Directory Server) comes with a standard schema that includes hundreds of object classes and attributes. While the standard object classes and attributes should meet most of your requirements, you may need to extend your schema by creating new object classes and attributes.
  • Page 338: Managing Attributes

    Managing Attributes: To extend the directory schema, proceed in the following order: (1) create the new attributes (see "Creating Attributes," on page 339); (2) create an object class to contain the new attributes, and add the attributes to the object class.
  • Page 339: Creating Attributes

    Table 9-1 Attributes Tab Reference (Continued), Field or Pane / Description: The object identifier of the attribute. An OID is a string, usually of dotted decimal numbers, that uniquely identifies an object, such as an object class or an attribute. If you do not specify an OID, the Directory Server automatically uses attribute_name-oid.
  • Page 340: Editing Attributes

    Click Create. The Create Attribute dialog box is displayed. Enter a unique name for the attribute in the Attribute Name text box. Enter an object identifier for the attribute in the Attribute OID (Optional) text box; OIDs are described in Table 9-1 on page 338. Select a syntax that describes the data to be held by the attribute from the Syntax drop-down menu.
  • Page 341: Deleting Attributes

    To make the attribute multivalued, select the Multi-Valued checkbox. The Directory Server allows more than one instance of a multivalued attribute per entry. When you have finished editing the attribute, click OK. Deleting Attributes: You can delete only attributes that you have created. You cannot delete standard attributes.
  • Page 342: Viewing Object Classes

    Managing Object Classes. Viewing Object Classes: To view information about all object classes that currently exist in your directory schema: On the Directory Server Console, select the Configuration tab. In the navigation tree, select the Schema folder, and then select the Object Classes tab in the right pane.
  • Page 343: Creating Object Classes

    Table 9-2 Object Classes Tab Reference (Continued), Field or Pane / Description. Allowed Attributes: Contains a list of attributes that may be present in entries that use this object class. Includes inherited attributes. Creating Object Classes: You create an object class by giving it a unique name, selecting a parent object class for the new object class, and adding required and allowed (optional) attributes.
  • Page 344: Editing Object Classes

    To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list, and then click the corresponding Remove button. You cannot remove allowed or required attributes that are inherited from the parent object classes.
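
The Console procedure on pages 338 to 344 has a command-line equivalent: generate the attribute and object class definitions in the RFC 2252 form the server stores them in, and add them to cn=schema with ldapmodify. The following is an added example, not part of the Netscape manual. The attribute names, the "exampleDevice" class, the OIDs under 1.3.6.1.4.1.99999, the syntax table and the list of standard attribute names are constructed for illustration; the name-oid fallback is the one Table 9-1 describes. The object class builder enforces the ordering rule at the start of the chapter by refusing to reference an attribute that has not been defined first.

```python
# Added example: build schema definitions in the order the chapter prescribes
# (attributes first, then the object class that uses them) and emit the
# ldapmodify input that adds them to cn=schema.

STANDARD_ATTRIBUTES = {"cn", "description", "seeAlso", "ou", "o", "l", "owner"}  # constructed subset

SYNTAX = {  # standard LDAP syntax OIDs (RFC 2252)
    "DirectoryString": "1.3.6.1.4.1.1466.115.121.1.15",
    "Integer": "1.3.6.1.4.1.1466.115.121.1.27",
    "Boolean": "1.3.6.1.4.1.1466.115.121.1.7",
    "IA5String": "1.3.6.1.4.1.1466.115.121.1.26",
    "DN": "1.3.6.1.4.1.1466.115.121.1.12",
}


def attribute_type(name, syntax, oid=None, desc=None, single_valued=False):
    """attributeTypes definition. With no OID, use the name-oid form that the
    Directory Server itself substitutes (Table 9-1)."""
    parts = ["(", oid or "%s-oid" % name, "NAME", "'%s'" % name]
    if desc:
        parts += ["DESC", "'%s'" % desc]
    parts += ["SYNTAX", SYNTAX[syntax]]
    if single_valued:
        parts.append("SINGLE-VALUE")
    parts += ["X-ORIGIN", "'user defined'", ")"]
    return " ".join(parts)


def object_class(name, must, may, defined_attributes, sup="top", oid=None, desc=None):
    """objectClasses definition. Every MUST/MAY attribute must already exist,
    either as a standard attribute or as one created in the previous step;
    referencing an undefined one is the ordering mistake the chapter warns
    about, so fail before anything reaches the server."""
    known = {a.lower() for a in defined_attributes} | {a.lower() for a in STANDARD_ATTRIBUTES}
    unknown = [a for a in list(must) + list(may) if a.lower() not in known]
    if unknown:
        raise ValueError("object class %s references undefined attributes: %s" % (name, ", ".join(unknown)))
    parts = ["(", oid or "%s-oid" % name, "NAME", "'%s'" % name]
    if desc:
        parts += ["DESC", "'%s'" % desc]
    parts += ["SUP", sup, "STRUCTURAL"]
    if must:
        parts += ["MUST", "( %s )" % " $ ".join(must)]
    if may:
        parts += ["MAY", "( %s )" % " $ ".join(may)]
    parts += ["X-ORIGIN", "'user defined'", ")"]
    return " ".join(parts)


def schema_ldif(attribute_defs, objectclass_defs):
    """ldapmodify input that adds the definitions to cn=schema, attributes first."""
    lines = ["dn: cn=schema", "changetype: modify", "add: attributeTypes"]
    lines += ["attributeTypes: %s" % d for d in attribute_defs]
    lines += ["-", "add: objectClasses"]
    lines += ["objectClasses: %s" % d for d in objectclass_defs]
    lines.append("-")
    return "\n".join(lines) + "\n"


def example_schema():
    """Worked example: two new attributes, then one object class that uses them."""
    new_attrs = {
        "exampleSerial": attribute_type("exampleSerial", "DirectoryString", oid="1.3.6.1.4.1.99999.1.1",
                                        desc="device serial number", single_valued=True),
        "exampleOwner": attribute_type("exampleOwner", "DN", oid="1.3.6.1.4.1.99999.1.2",
                                       desc="DN of the responsible person"),
    }
    oc = object_class("exampleDevice", must=["cn", "exampleSerial"], may=["exampleOwner", "description"],
                      defined_attributes=new_attrs, oid="1.3.6.1.4.1.99999.2.1", desc="inventory device")
    return schema_ldif(new_attrs.values(), [oc])


if __name__ == "__main__":
    # Pipe into: ldapmodify -h server -p 389 -D "cn=directory manager" -w password
    print(example_schema())
```

Because the definitions are added in one ldapmodify operation, a rejected object class leaves the new attributes in place and nothing half-applied in the class; re-running the same input after fixing the class definition then fails only on the duplicate attribute values, which is the safe failure.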
  • Page 345: Deleting Object Classes

    To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list, and then click the corresponding Remove button. You cannot remove inherited allowed or required attributes. When you are satisfied with the object class definition, click OK to dismiss the dialog box.
  • Page 346 Turning Schema Checking On and Off Highlight the server icon at the top of the navigation tree, then select the Settings tab in the right pane. To enable schema checking, check the “Enable Schema Checking” checkbox; clear it to turn off schema checking. Click Save.
  • Page 347: Chapter 10 Managing Indexes

    Chapter 10 Managing Indexes. The Netscape Directory Server Deployment Guide introduced the concept of indexing, its costs and benefits, and the different types of index shipped with Netscape Directory Server (Directory Server). This chapter begins with a description of the searching algorithm itself, so as to place the indexing mechanism in context, and then describes how to create, delete, and manage indexes.
  • Page 348: About Index Types

    About Indexes. About Index Types: Indexes are stored in files in the directory's databases. The names of the files are based on the indexed attribute, not on the type of index contained in the file. Each index file may contain multiple types of index if multiple indexes are maintained for the specific attribute.
  • Page 349: About Default, System, And Standard Indexes

    ... would return all the entries in your directory with telephone numbers that contain ... • International index: The international index speeds up searches for information in international directories. The process for creating an international index is similar to the process for creating regular indexes, except that you apply a matching rule by associating a locale (OID) with the attributes to be indexed.
  • Page 350: Overview Of System Indexes

    Table 10-1 Default indexes (Continued); columns: Attribute, Pres, Purpose.
        mail      Improves the performance of the most common types of user directory searches. Used by the Netscape Messaging Server.
        mailHost  Improves Netscape server performance.
        member    This index is also used by the referential integrity plug-in.
  • Page 351: Overview Of Standard Indexes

    Table 10-2 System indexes (Continued); columns: Attribute, Pres, Purpose.
        dnComp       Used to help accelerate subtree searches in the directory.
        objectClass  Used to help accelerate subtree searches in the directory.
        entryDN      Speeds up entry retrieval based on DN searches.
        parentID     Enhances directory performance during one-level searches.
  • Page 352 About Indexes The directory examines the incoming request to make sure that the specified base DN matches a suffix contained by one or more of its databases or database links. If they do match, the directory processes the request. If they do not match, the directory returns an error to the client indicating that the suffix does not match.
  • Page 353

    See the Netscape Directory Server Configuration, Command, and File Reference for further information about these attributes. In addition, the directory uses a variation of the metaphone phonetic algorithm to perform searches on an approximate index. Each value is treated as a sequence of words, and a phonetic code is generated for each word.
  • Page 354: Balancing The Benefits Of Indexing

    Balancing the Benefits of Indexing: Before you create new indexes, balance the benefits of maintaining indexes against the costs. Keep in mind that: • Approximate indexes are not efficient for attributes commonly containing numbers, such as telephone numbers. •...
  • Page 355

        ou: Manufacturing
        ou: people
        telephonenumber: 408 555 8834
        description: Manufacturing lead for the Z238 line.
    Further suppose that the Directory Server is maintaining the following indexes: • Equality, approximate, and substring indexes for the common name and surname attributes •...
  • Page 356: Creating Indexes

    Creating Indexes: This section describes how to create presence, equality, approximate, substring, and international indexes for specific attributes using the Directory Server Console and the command line. NOTE: Given that this version of Directory Server can operate in either a single- or multi-database environment, you need to remember to create your new indexes in every database instance, since newly created indexes are not automatically created in the other...
  • Page 357: Creating Indexes From The Command Line

    Expand the Data node, expand the suffix of the database you want to index, and select the database. Select the Indexes tab in the right pane. NOTE: Do not click on the Database Settings node, because this will take you to the Default Index Settings window and not to the window for configuring indexes per database.
  • Page 358: Adding An Index Entry

    Creating indexes from the command line involves two steps: • Using the ldapmodify command-line utility to add a new index entry or edit an existing index entry. • Running the db2index.pl Perl script to generate the new set of indexes to be maintained by the server.
  • Page 359

    First, type the following to change to the directory containing the ldapmodify utility: cd serverRoot/shared/bin. Then run the utility as follows: ldapmodify -a -h server -p 389 -D "cn=directory manager" -w password. The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file.
  • Page 360: Running The Db2Index.pl Script

    You can use the none keyword in the nsIndexType attribute to specify that no indexes are to be maintained for the attribute. For example, suppose you want to temporarily disable the sn indexes you just created on the database.
  • Page 361: Creating Browsing Indexes From The Server Console

    Two examples of generating indexes using db2index.pl follow. Windows batch file (you need to run the script from the ..\bin\slapd\admin\bin\perl directory, as shown in the example): ..\bin\slapd\admin\bin\perl db2index.pl -D "cn=Directory Manager" -w password -n ExampleServer -t sn. UNIX shell script: db2index.pl -D "cn=Directory Manager"...
  • Page 362: Creating Browsing Indexes From The Command Line

    Click Close to close the Create Browsing Index dialog box. The new index is immediately active for any new data that you add to your directory; you do not have to restart your server. Note that the default access control for VLV information is to allow it for anyone who has authenticated.
  • Page 363: Adding A Browsing Index Entry

    Adding a Browsing Index Entry: The type of browsing index entry you want to create depends on the type of ldapsearch attribute sorting you want to accelerate. It is important to take the following into account: • The scope of the search (base, one, sub). For more information on the ldapsearch -s option, which allows you to...
  • Page 364

    Next, you need to add two browsing index entries, which define your browsing index. The first entry you add specifies the base, scope, and filter of the browsing index:
        dn: cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
        objectClass: top
        objectClass: vlvSearch
        cn: "dc=example,dc=com"
        vlvbase: "dc=example,dc=com"
        vlvscope: one
        vlvfilter: (|(objectclass=*)(objectclass=ldapsubentry))
    The cn attribute contains the browsing index identifier, which specifies the entry on which you want to create the browsing index, in this example, the "dc=example,dc=com"...
  • Page 365: Running The Vlvindex Script

    NOTE: This first browsing index entry must be added under the cn=instanceName,cn=ldbm database,cn=plugins,cn=config directory tree node, and the second entry must be a child of the first entry. Running the vlvindex Script: Once you have created the two browsing index entries, or added additional attribute types to an existing browsing index entry, run the vlvindex script to...
  • Page 366: Setting Access Control For Vlv Information

    Setting Access Control for VLV Information: Note that the default access control for the VLV index information is to allow it for anyone who has authenticated. If a site requires anonymous users to use the VLV index information, modify the access control set for cn: VLV Request in the Directory Server's configuration.
  • Page 367: Deleting Indexes From The Server Console

    Deleting Indexes: • Deleting Browsing Indexes From the Server Console • Deleting Browsing Indexes From the Command Line. CAUTION: You must not delete system indexes, as deleting them can significantly affect Directory Server performance. System indexes are located in the cn=index,cn=instance,cn=ldbm database,cn=plugins,cn=config entry and the...
  • Page 368: Deleting Indexes From The Command Line

    The Delete Browsing Index dialog box appears, displaying the status of the index deletion. You can click the Status Logs button to view the status of the indexes deleted. Once the indexing is complete, click Close to close the Delete Browsing Index box.
  • Page 369: Running The Db2Index.pl Script

    To run the ldapdelete command-line utility, type the following to change to the directory containing the utility: cd serverRoot/shared/bin. Perform the ldapdelete as follows:
        ldapdelete -D "cn=Directory Manager" -w password -h ExampleServer -p 845 "cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config"
    The following table describes the ldapdelete options used in the example: Option...
  • Page 370: Deleting Browsing Indexes From The Server Console

    Run the db2index.pl Perl script. For more information about using the db2index.pl script, refer to the Netscape Directory Server Configuration, Command, and File Reference. Two examples of generating the new set of indexes to be maintained by the server using db2index.pl follow:...
  • Page 371: Deleting Browsing Indexes From The Command Line

    Select the entry from which you want to delete the index in the navigation tree, for example, People, and select Delete Browsing Index from the Object menu. You can also right-click the entry whose browsing index you want to delete in the navigation tree and choose Delete Browsing Index from the pop-up menu.
  • Page 372

    To delete this browsing index, you need to delete the two corresponding browsing index entries, which follow:
        dn: cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
        objectClass: top
        objectClass: vlvSearch
        cn: "dc=example,dc=com"
        vlvbase: "dc=example,dc=com"
        vlvscope: one
        vlvfilter: (|(objectclass=*)(objectclass=ldapsubentry))

        dn: cn=sort_cn_givenname_o_ou_sn,cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
        objectClass: top
        objectClass: vlvIndex
        cn: sort_cn_givenname_o_ou_sn
        vlvsort: cn givenname o ou sn
    To run the ldapdelete command-line utility, type the following to change to the directory containing the utility:...
  • Page 373: Running The Vlvindex Script

    For full information on ldapdelete options, refer to the Netscape Directory Server Configuration, Command, and File Reference. Once you have deleted these two browsing index entries, the browsing index accelerating ldapsearch operations on the "dc=example,dc=com" entry held in the...
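
The browsing index entries shown on pages 364 and 372, built from their parts, together with the order in which they have to be deleted again. This is an added example and not part of the Netscape manual; it only generates the ldapmodify and ldapdelete input, so it runs offline. "Example1", the base DN, the filter and the sort attributes are the manual's own sample values, the scope names base/one/sub come from page 363, and the DN quoting follows the entries above. The vlvIndex entry is placed as a child of the vlvSearch entry, as the NOTE on page 365 requires, which is also why it must be deleted first.

```python
# Added example: LDIF for a browsing (VLV) index and its removal.
DEFAULT_VLV_FILTER = "(|(objectclass=*)(objectclass=ldapsubentry))"
PLUGIN_SUFFIX = "cn=ldbm database,cn=plugins,cn=config"
VALID_SCOPES = ("base", "one", "sub")


def vlv_search_dn(instance, base):
    """DN of the vlvSearch entry; its cn is the quoted base DN."""
    return 'cn="%s",cn=%s,%s' % (base, instance, PLUGIN_SUFFIX)


def vlv_index_name(sort_attrs):
    """Naming convention used by the manual's sample: sort_<attr>_<attr>..."""
    return "sort_" + "_".join(sort_attrs)


def vlv_index_dn(instance, base, sort_attrs):
    """The vlvIndex entry must be a child of the vlvSearch entry."""
    return "cn=%s,%s" % (vlv_index_name(sort_attrs), vlv_search_dn(instance, base))


def browsing_index_entries(instance, base, scope, sort_attrs, vlv_filter=DEFAULT_VLV_FILTER):
    """Return the (vlvSearch, vlvIndex) LDIF records for 'ldapmodify -a'."""
    if scope not in VALID_SCOPES:
        raise ValueError("scope must be one of %s" % ", ".join(VALID_SCOPES))
    if not sort_attrs:
        raise ValueError("at least one sort attribute is required")
    search = "\n".join([
        "dn: %s" % vlv_search_dn(instance, base),
        "objectClass: top",
        "objectClass: vlvSearch",
        'cn: "%s"' % base,
        'vlvbase: "%s"' % base,
        "vlvscope: %s" % scope,
        "vlvfilter: %s" % vlv_filter,
    ])
    index = "\n".join([
        "dn: %s" % vlv_index_dn(instance, base, sort_attrs),
        "objectClass: top",
        "objectClass: vlvIndex",
        "cn: %s" % vlv_index_name(sort_attrs),
        "vlvsort: %s" % " ".join(sort_attrs),
    ])
    return search, index


def browsing_index_delete_order(instance, base, sort_attrs):
    """DNs in the order ldapdelete must remove them: the vlvIndex child first,
    then its vlvSearch parent, because a non-leaf entry cannot be deleted."""
    return [vlv_index_dn(instance, base, sort_attrs), vlv_search_dn(instance, base)]


if __name__ == "__main__":
    attrs = ["cn", "givenname", "o", "ou", "sn"]
    search, index = browsing_index_entries("Example1", "dc=example,dc=com", "one", attrs)
    print(search + "\n\n" + index)  # feed to ldapmodify -a, then run the vlvindex script
    for dn in browsing_index_delete_order("Example1", "dc=example,dc=com", attrs):
        print('ldapdelete -D "cn=Directory Manager" -w password \'%s\'' % dn)
```

The DNs contain double quotes and spaces, so when they are passed to ldapdelete on the command line they must be wrapped in single quotes, as the usage lines above do.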
  • Page 374: Managing Indexes

    For more information about the vlvindex script, see the Netscape Directory Server Configuration, Command, and File Reference. Managing Indexes: Each index that the directory uses is composed of a table of index keys and matching entry ID lists. The entry ID list is used by the directory to build a list of candidate entries that may match a client application's search request (see "About Indexes,"...
  • Page 375: Drawbacks Of The All Ids Mechanism

    Drawbacks of the All IDs Mechanism: Performance problems can occur if the All IDs threshold is set either too low (the most common problem) or too high for your directory's size. When the All IDs Threshold is Too Low: When you set the All IDs Threshold too low, too many index keys will contain the All IDs token.
  • Page 376: All Ids Threshold Tuning Advice For Single-Enterprise Directories

    All IDs Threshold Tuning Advice for Single-Enterprise Directories: Be careful when changing the default All IDs Threshold value for your server. If you change the threshold to an inappropriate value, you can compromise rather than improve your server performance. This tuning advice is intended primarily for single-enterprise directories of up to 80,000 entries.
  • Page 377: All Ids Threshold Tuning Advice For Service Providers And Extranets

    • Find a value that is a bit high for your current needs but that will work well for your future needs. For example, if your current directory contains 50,000 entries, try setting the All IDs Threshold to 20,000: that is 40 percent of 50,000 (which puts it within range of your current directory needs) and 2 percent of 1,000,000 (which puts it within range of your future directory needs).
  • Page 378: Symptoms Of An Inappropriate All Ids Threshold Value

    Symptoms of an Inappropriate All IDs Threshold Value: When your All IDs Threshold is set incorrectly, you will see poor search performance. However, poor search performance can also be caused by other factors. For example: • Your users are performing a lot of searches for which you are not maintaining an index.
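
The first of the other causes listed above, searches for which no index is maintained, can be confirmed from the access log rather than guessed at. The following is an added example, not part of the Netscape manual: it pairs each SRCH line with its RESULT line by connection and operation number and counts the attributes used in the filters of the unindexed searches. It assumes the access-log layout shown in the constructed sample (conn=, op=, SRCH ... fil
ter="...", RESULT ... etime=) and that the server marks the RESULT line of an unindexed search with notes=U. The attributes that rank highest are the first candidates for a new index; if they are already indexed, the same marker points at an All IDs Threshold that is too low for the directory's size.

```python
import re
from collections import Counter

# Constructed sample lines in the Directory Server access-log layout assumed above.
SAMPLE_ACCESS_LOG = """\
[21/Apr/2002:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[21/Apr/2002:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[21/Apr/2002:11:39:52 -0700] conn=11 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(employeeNumber=4711)" attrs=ALL
[21/Apr/2002:11:39:55 -0700] conn=11 op=2 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[21/Apr/2002:11:40:01 -0700] conn=12 op=0 SRCH base="ou=People,dc=example,dc=com" scope=1 filter="(&(objectClass=person)(employeeNumber=*))" attrs="cn mail"
[21/Apr/2002:11:40:04 -0700] conn=12 op=0 RESULT err=0 tag=101 nentries=2500 etime=3 notes=U
[21/Apr/2002:11:40:10 -0700] conn=13 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(sn=*son*)" attrs=ALL
[21/Apr/2002:11:40:11 -0700] conn=13 op=0 RESULT err=0 tag=101 nentries=40 etime=1 notes=U
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?etime=(\d+)(?P<notes> notes=\S+)?')
# attribute name followed by =, ~=, >= or <= inside a filter component
ATTR_RE = re.compile(r'\(([A-Za-z][\w;-]*)(=|~=|>=|<=)')


def filter_attributes(ldap_filter):
    """Attribute names used in a filter, in order of appearance."""
    return [m.group(1) for m in ATTR_RE.finditer(ldap_filter)]


def unindexed_searches(log_text):
    """Pair each SRCH with its RESULT by (conn, op); return (filter, etime)
    for every search whose RESULT carries the notes=U marker."""
    pending = {}
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            flt = pending.pop((m.group(1), m.group(2)), None)
            notes = m.group("notes")
            if flt is not None and notes and "U" in notes.split("=", 1)[1]:
                hits.append((flt, int(m.group(3))))
    return hits


def attribute_ranking(log_text):
    """How often each attribute occurs in the filter of an unindexed search."""
    counts = Counter()
    for flt, _ in unindexed_searches(log_text):
        counts.update(filter_attributes(flt))
    return counts


if __name__ == "__main__":
    for flt, etime in sorted(unindexed_searches(SAMPLE_ACCESS_LOG), key=lambda h: -h[1]):
        print("etime=%d  %s" % (etime, flt))
    for attr, n in attribute_ranking(SAMPLE_ACCESS_LOG).most_common():
        print("%-20s %d unindexed search(es)" % (attr, n))
```

Run it over a real access log with `python thisfile.py < serverRoot/slapd-serverID/logs/access` after replacing the sample text with `sys.stdin.read()`; the etime column tells you which unindexed searches are actually costing time, and the ranking tells you which attribute an index (or a higher All IDs Threshold) would help most.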
  • Page 379: Changing The All Ids Threshold Value

    Changing the All IDs Threshold Value: To change the All IDs Threshold value for your server: Shut down your Directory Server. Export all of your directory databases to LDIF using the command line; for more information, see Chapter 4, "Populating Directory Databases." Edit the serverRoot/slapd-serverID/config/dse.ldif file with the text editor of...
  • Page 380: Attribute Name Quick Reference Table

    Attribute Name Quick Reference Table: Table 10-3 lists all attributes that have a primary, or real, name as well as an alias. When creating indexes, be sure to use the primary name. Table 10-3 Attribute Name Quick Reference Table; columns: Attribute Primary Name, Attribute Alias...
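
An added example, not part of the Netscape manual, that serves both the command-line index creation on pages 358 to 360 and the primary-name rule of Table 10-3: it maps an alias to its primary name before building the index entry, emits the ldapmodify input for the entry (or the modify that sets nsIndexType to none, as page 360 describes), and prints the db2index.pl command from page 361 that builds the index files. The alias table is a constructed subset of common LDAP aliases, not the full Table 10-3. nsSystemIndex and nsMatchingRule are attributes of the nsIndex entry in the Directory Server configuration; they do not appear in the excerpt above, and nsMatchingRule is what carries the locale OID for an international index (page 349).

```python
# Added example: index configuration entries from the command line.
ALIASES = {  # alias (lowercase) -> primary name; constructed subset of Table 10-3
    "commonname": "cn",
    "surname": "sn",
    "userid": "uid",
    "organizationname": "o",
    "organizationalunitname": "ou",
    "domaincomponent": "dc",
    "localityname": "l",
    "streetaddress": "street",
}
INDEX_TYPES = ("pres", "eq", "approx", "sub")


def primary_name(attr):
    """Use the primary name, never the alias, when naming an index (Table 10-3)."""
    return ALIASES.get(attr.lower(), attr)


def index_dn(instance, attr):
    return "cn=%s,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config" % (primary_name(attr), instance)


def index_entry_ldif(instance, attr, index_types, matching_rules=()):
    """LDIF for 'ldapmodify -a' that creates the index entry for attr in the
    database named instance. index_types is drawn from INDEX_TYPES, or is
    ['none'] to keep the entry while maintaining no index at all."""
    name = primary_name(attr)
    types = [t.lower() for t in index_types]
    if "none" in types and len(types) > 1:
        raise ValueError("'none' cannot be combined with other index types")
    for t in types:
        if t != "none" and t not in INDEX_TYPES:
            raise ValueError("unknown index type %r" % t)
    lines = [
        "dn: %s" % index_dn(instance, name),
        "objectClass: top",
        "objectClass: nsIndex",
        "cn: %s" % name,
        "nsSystemIndex: false",  # a user index, unlike the protected system indexes
    ]
    lines += ["nsIndexType: %s" % t for t in types]
    lines += ["nsMatchingRule: %s" % oid for oid in matching_rules]  # locale OIDs for international indexes
    return "\n".join(lines) + "\n"


def disable_index_ldif(instance, attr):
    """Modify an existing entry so that nsIndexType is just 'none' (page 360)."""
    return "\n".join([
        "dn: %s" % index_dn(instance, attr),
        "changetype: modify",
        "replace: nsIndexType",
        "nsIndexType: none",
        "-",
    ]) + "\n"


def db2index_command(instance, attr, bind_dn="cn=Directory Manager"):
    """The second step: build the index files for the attribute (page 361)."""
    return 'db2index.pl -D "%s" -w password -n %s -t %s' % (bind_dn, instance, primary_name(attr))


if __name__ == "__main__":
    # 'surname' is an alias; the entry and the -t argument both use 'sn'
    print(index_entry_ldif("Example1", "surname", ["pres", "eq", "sub"]))
    print(db2index_command("Example1", "surname"))
    print(disable_index_ldif("Example1", "sn"))
```

Remember the NOTE on page 356: the entry has to be added to every database instance that should carry the index, so run this once per instance name rather than assuming one database.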
  • Page 381: Chapter 11 Managing Ssl

    Chapter 11 Managing SSL To provide secure communications over the network, Netscape Directory Server (Directory Server) includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of Secure Sockets Layer (SSL). This chapter describes how to use SSL with your Directory Server in the following sections: •...
  • Page 382: Enabling Ssl: Summary Of Steps

    Introduction to SSL in the Directory Server: Using SSL with simple authentication ensures confidentiality and data integrity. The benefits of using a certificate to authenticate to the Directory Server, instead of a bind DN and password, include: • Improved efficiency: When you are using applications that prompt you once for your certificate database password and then use that certificate for all subsequent bind or authentication operations, it is more efficient than continuously providing a bind DN and password.
  • Page 383: Obtaining And Installing Server Certificates

    For a complete description of SSL, internet security, and certificates, check the appendixes included in Managing Servers with Netscape Console. Obtaining and Installing Server Certificates: This section describes the process of creating a certificate database, obtaining and installing a certificate for use with your Directory Server, and configuring Directory Server to trust the certification authority's (CA) certificate.
  • Page 384: Step 2: Send The Certificate Request

    Enter the Requestor Information in the blank text fields, then click Next. Enter the following information: Server Name: Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups, for example, dir.example.com. Organization: ...
  • Page 385: Step 3: Install The Certificate

        -----BEGIN NEW CERTIFICATE REQUEST-----
        MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1JOSUEx
        LDAqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF0aW9uMRwwG
        gYDVQQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNA
        DCBiQKBgQCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7ug0EfgSLR0f+K41eNqqR
        ftGR83emqPLDOf0ZLTLjVGJaH4Jn4l1gG+JDf/n/zMyahxtV7+mT8GOFFigFfuxa
        xMjr2j7IvELlxQ4IfZgWwqCm4qQecv3G+N9YdbjveMVXW0v4XwIDAQABoAAwDQYK
        -----END NEW CERTIFICATE REQUEST-----
    Send the email message to the CA. Once you have emailed your request, you must wait for the CA to respond with your certificate.
  • Page 386: Step 4: Trust The Certificate Authority

        -----BEGIN CERTIFICATE-----
        MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMx
        IzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX
        aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz
        dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP
        MQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Ymxp
        Y2F0aW9uczEWMBQGA1UEAxMNZHVgh49dq2itLmNvbTBaMA0GCSqGSIb3
        -----END CERTIFICATE-----
    Check that the certificate information displayed is correct, and click Next. Specify a name for the certificate, and click Next. Verify the certificate by providing the password that protects the private key. This password is the same as the one you provided in "Step 1: Generate a Certificate Request,"...
  • Page 387: Step 5: Confirm That Your New Certificates Are Installed

    Specify a name for the certificate, and click Next. Select the purpose of trusting this Certificate Authority (you can select both): Accepting connections from clients (Client Authentication): the server checks that the client's certificate has been issued by a trusted Certificate Authority.
  • Page 388 Activating SSL To activate SSL communications: Set the secure port you want the server to use for SSL communications. See “Changing Directory Server Port Numbers,” on page 37 for information. The encrypted port number that you specify must not be the same port number you use for normal LDAP communications.
  • Page 389: Setting Security Preferences

    If you want Netscape Console to use SSL during communications with Directory Server, select Use SSL in Netscape Console. If you configured Directory Server for certificate-based client authentication, you can further configure the server to verify the authenticity of requests by selecting the "Check hostname against name in certificate for outbound SSL connections"...
  • Page 390 Setting Security Preferences When a client initiates an SSL connection with a server, the client tells the server what ciphers it prefers to use to encrypt information. In any two-way encryption process, both parties must use the same ciphers. There are a number of ciphers available.
  • Page 391: Using Certificate-Based Authentication

    CAUTION: Avoid selecting the none,MD5 cipher, because the server will use this option if no other ciphers are available on the client. It is not secure, because no encryption occurs (MD5 provides integrity only, and the data travels in clear text). In order to continue using Netscape Console with SSL, you must select at least one of the following ciphers: •...
  • Page 392: Allowing/Requiring Client Authentication

    Enable SSL on the server, or on both servers involved in replication. For information on enabling SSL, refer to "Activating SSL," on page 387. NOTE: If Netscape Console connects to Directory Server over SSL, selecting "Require client authentication" disables communication. This is because although Netscape Console supports SSL, it does not have a certificate to use for client authentication.
  • Page 393: Configuring Ldap Clients To Use Ssl

    Configuring LDAP Clients to Use SSL: If you want all the users of your Directory Server to use SSL or certificate-based authentication when they connect using LDAP client applications, you must make sure they perform the following tasks: •...
  • Page 394

    On the client system, obtain a client certificate from the CA. On your client system, install your client certificate. Regardless of how you receive your certificate (either in email or on a web page), there should be a link that you click to install the certificate. Click it and step through the dialog boxes that Communicator presents to you.
  • Page 395

    NOTE: Do not map your certificate-based-authentication certificate to a distinguished name under cn=config or cn=monitor. If you map your certificate to a DN under cn=config or cn=monitor, your bind will fail. Map your certificate to a target located elsewhere in the directory information tree.
  • Page 397: Chapter 12 Monitoring Server And Database Activity

    Chapter 12 Monitoring Server and Database Activity This chapter describes monitoring database and Netscape Directory Server (Directory Server) logs. This chapter contains the following sections: • Viewing and Configuring Log Files (page 397) • Manual Log File Rotation (page 404) •...
  • Page 398: Defining A Log File Rotation Policy

    Viewing and Configuring Log Files: The following sections describe how to define your log file creation and deletion policy, and how to view and configure each type of log. Defining a Log File Rotation Policy: If you want the directory to periodically archive the current log and start a new one, you can define a log file rotation policy from Directory Server Console.
  • Page 399: Access Log

    NOTE: The log deletion policy only makes sense if you have previously defined a log file rotation policy. Log file deletion will not work if you have just one log file. The server evaluates the log file deletion policy at the time of log rotation.
  • Page 400: Configuring The Access Log

    To display a different number of messages, enter the number you want to view in the "Lines to show" text box, and then click Refresh. You can display messages containing a string you specify. To do this, enter the string in the "Show only lines containing"...
  • Page 401: Error Log

    Error Log: The error log contains detailed messages of errors and events the directory experiences during normal operations. This section contains the following procedures: • Viewing the Error Log • Configuring the Error Log. Viewing the Error Log: To view the error log: On the Directory Server Console, select the Status tab; then, in the navigation tree, expand the Logs folder and select the Error Log icon.
  • Page 402: Audit Log

    Enter the full path and filename you want the directory to use for the error log in the Log File field. The default is serverRoot/slapd-serverID/logs/error. Set the maximum number of logs, log size, and periodicity of archiving. For information on these parameters, see "Defining a Log File Rotation Policy,"...
  • Page 403: Configuring The Audit Log

    To refresh the current display, click Refresh. Select the Continuous checkbox if you want the display to refresh automatically every ten seconds. To view an archived audit log, select it from the Select Log pull-down menu. To display a different number of messages, enter the number you want to view in the "Lines to show"...
  • Page 404: Manual Log File Rotation

    Manual Log File Rotation: The Directory Server supports automatic log file rotation for all three logs. However, you can manually rotate log files if you have not set automatic log file creation or deletion policies. By default, access, error, and audit log files can be found in the following location: serverRoot/slapd-serverID/logs/. To manually rotate log files:...
  • Page 405: Viewing The Server Performance Monitor

    Monitoring Server Activity. Viewing the Server Performance Monitor: To monitor your server's activities using Directory Server Console: On the Directory Server Console, select the Status tab. In the navigation tree, select Performance Counters. The Status tab in the right pane displays current information about server activity.
  • Page 406: Resource Summary

    Database generation number: Possibly obsolete. A unique identifier that is created only when you create your directory database without a machine data entry in the LDIF file. Current change log number: The number corresponding to the last change made to your directory.
  • Page 407: Connection Status

    Table 12-2 Server Performance Monitoring - Current Resource Usage; columns: Resource, Current total.
        Active Threads    Current number of active threads used for handling requests. Additional threads may be created by internal server tasks, such as replication or chaining.
        Open Connections  Total number of open connections.
  • Page 408: Global Database Cache Information

    Table 12-3 Server Performance Monitoring - Connection Status (Continued); columns: Table Header, Description.
        Started    Indicates the number of operations initiated by this connection.
        Completed  Indicates the number of operations completed by the server for this connection.
        Bound as   Indicates the distinguished name used by the client to bind to the server.
  • Page 409: Monitoring Your Server From The Command Line

    Table 12-4 Server Performance Monitoring - Global Database Cache (Continued); columns: Table Header, Description.
        Read-write page evicts  Indicates the number of read-write pages discarded from the cache to make room for new pages. This value differs from Pages Written Out in that these are discarded read-write pages that have not been modified.
  • Page 410

    • opsinitiated: The number of operations initiated by this connection. • opscompleted: The number of operations completed. • binddn: The distinguished name used by this connection to connect to the directory. • A field that is shown if the connection is blocked for read or write. By default, this information is available to you only if you bind to the directory as the Directory Manager.
  • Page 411: Monitoring Database Activity

    • concurrency: Solaris 2.x only. Indicates the current level of thread concurrency. • backendmonitordn: Identifies the DN of each directory database. Monitoring Database Activity: You can monitor your database's current activities from Directory Server Console or from the command line.
  • Page 412: General Information (Database)

    • Summary Information Table • Database Cache Information Table • Database File-Specific Table. General Information (Database): The directory provides the following general database information: • Database: Identifies the type of database that you are monitoring. • Configuration DN: Identifies the distinguished name that you must use as a search base to obtain these results using the command-line utility.
  • Page 413: Database Cache Information Table

    Table 12-5 Database Performance Monitoring - Summary Information (Continued); columns: Performance Metric, Current Total.
        Maximum entry cache size (in bytes)  Indicates the size of the entry cache maintained by the directory. This value is managed by the "Maximum Cache Size" attribute. See "Tuning Database Performance,"...
  • Page 414: Database File-Specific Table

    Table 12-6 Database Performance Monitoring - Database Cache Information (Continued); columns: Performance Metric, Current Total.
        Read-only page evicts   Indicates the number of read-only pages discarded from the cache to make room for new pages.
        Read-write page evicts  Indicates the number of read-write pages discarded from the cache to make room for new pages.
  • Page 415

        ldapsearch -h directory.example.com -s base -b "cn=monitor,cn=Example,cn=ldbm database,cn=plugins,cn=config" "objectclass=*"
    In this example, the ldapsearch operation looks for the Example database. For information on searching the directory, see "Using ldapsearch," on page 514. When you monitor your server's activities, you see the following information: •...
  • Page 416: Monitoring Database Link Activity

    Monitoring Database Link Activity Next the following information for each file that makes up your database is displayed: • dbfilename-number: Indicates the name of the file. number provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier.
  • Page 417: Table 12-8 Database Link Monitoring Attributes

    Monitoring Database Link Activity Table 12-8 Database Link Monitoring Attributes (Attribute Name: Description) nsAddCount: Number of add operations received. nsDeleteCount: Number of delete operations received. nsModifyCount: Number of modify operations received. nsRenameCount: Number of rename operations received. nsSearchBaseCount: Number of base level searches received. Number of one-level searches received.
  • Page 418 Monitoring Database Link Activity Netscape Directory Server Administrator’s Guide • August 2002...
  • Page 419: Chapter 13 Monitoring Directory Server Using Snmp

    Chapter 13 Monitoring Directory Server Using SNMP The server and database activity monitoring log setup described in Chapter 12, “Monitoring Server and Database Activity,” is specific to Netscape Directory Server (Directory Server). You can also monitor your Directory Server using the Simple Network Management Protocol (SNMP), a management protocol for monitoring network activity that can be used to monitor a wide range of devices in real time.
  • Page 420: About Snmp

    About SNMP About SNMP SNMP is a protocol used to exchange data about network activity. With SNMP, data travels between a managed device and a network management station (NMS) where users remotely manage the network. A managed device is anything that runs SNMP, such as hosts, routers, and your Directory Server.
  • Page 421: Nms-Initiated Communication

    About SNMP • Managed Device-Initiated Communication NMS-Initiated Communication NMS-initiated communication is the most common type of communication between an NMS and a managed device. In this type of communication, the NMS either requests information from the managed device or changes the value of a variable stored on the managed device.
  • Page 422: Overview Of The Directory Server Management Information Base

    Overview of the Directory Server Management Information Base Overview of the Directory Server Management Information Base Each Netscape server has its own MIB. The Directory Server’s MIB is a file called netscape-ldap.mib. This MIB contains definitions for variables pertaining to network management for the directory.
  • Page 423: Table 13-1 Operations Table - Managed Objects And Descriptions

    Overview of the Directory Server Management Information Base Table 13-1 Operations Table - Managed Objects and Descriptions (Managed Object: Description) dsAnonymousBinds: The number of anonymous binds to the directory since server startup. dsUnauthBinds: The number of unauthenticated binds to the directory since server startup.
  • Page 424: Entries Table

    Overview of the Directory Server Management Information Base Table 13-1 Operations Table - Managed Objects and Descriptions (Continued) dsReferrals: The number of referrals returned by this directory in response to client requests since server startup. dsSecurityErrors: The number of operations forwarded to this directory that did not meet security requirements.
  • Page 425: Interaction Table

    Overview of the Directory Server Management Information Base Interaction Table The Interaction Table provides statistical information about the interaction of this Directory Server with peer Directory Servers. This table: • Contains statistical information for the last five Directory Servers with which this Directory Server has attempted to communicate.
  • Page 426: Setting Up Snmp

    Setting Up SNMP Table 13-3 Interaction Table - Managed Objects and Descriptions (Continued) dsFailuresSinceLastSuccess: The number of failures since the last time an attempt to contact this Directory Server was successful. If there have been no successful attempts, this counter will contain the number of failures since this entry was created.
  • Page 427: Setting Up Snmp On Unix

    Setting Up SNMP Setting Up SNMP on UNIX To set up SNMP support for your Directory Server on a UNIX machine: Configure and start the master agent using the Administration Server Console. If you are using the default port settings (161 for SNMP and 199 for SMUX), then you need to be the root user.
  • Page 428: Starting And Stopping The Snmp Subagent On Unix

    Starting and Stopping the SNMP Subagent on UNIX NOTE Do not use the loopback address 127.0.0.1; use the real IP address instead. If you need more information, see your related system documentation. Starting and Stopping the SNMP Subagent on UNIX To start, stop, and restart the SNMP subagent for a directory running on UNIX: On the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane.
  • Page 429: Configuring Snmp For The Directory Server

    Configuring SNMP for the Directory Server Select SNMP from the Service list. Click Start to start the SNMP Service, click Stop to stop the SNMP Service, or click Stop then Start to restart the SNMP Service. Stopping the directory does not stop the directory subagent. If you want to stop the subagent, you must do so from the Control Panel.
  • Page 430 Configuring SNMP for the Directory Server Click Save. Restart the subagent (UNIX), or restart the SNMP service (Windows NT). See “Starting and Stopping the SNMP Subagent on UNIX,” on page 428 or “Starting and Stopping the SNMP Service on Windows NT,” on page 428 for information as appropriate.
  • Page 431: Chapter 14 Tuning Directory Server Performance

    Chapter 14 Tuning Directory Server Performance This chapter describes the tools provided with Netscape Directory Server (Directory Server) to help optimize performance. It also provides tips to improve the performance of your directory. This chapter contains the following sections: • Tuning Server Performance (page 431) •...
  • Page 432: Tuning Database Performance

    Tuning Database Performance To configure Directory Server to optimize performance: On the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane. The tabs that are displayed in the right pane control server-wide configuration attributes.
  • Page 433: Optimizing Search Performance

    Tuning Database Performance • Changing the Database Checkpoint Interval • Disabling Durable Transactions • Specifying Transaction Batching Optimizing Search Performance You can improve server performance on searches by tuning database settings. The database attributes that affect performance mainly define the amount of memory available to the server.
  • Page 434 Tuning Database Performance • The attributes of each database that you use to store directory data, including the server configuration data in the NetscapeRoot database. On these databases, you can change the following attributes to improve performance: The maximum number of entries you want the server to keep in memory (maximum entries in cache attribute) The amount of memory you want to make available for cached entries (memory available for cache attribute)
  • Page 435: Tuning Transaction Logging

    Tuning Database Performance Enter the amount of memory you want to make available for cached entries in the Memory Available for Cache field. If you are creating a very large database from LDIF, set this attribute as large as possible, depending on the memory available on your machine. The larger this parameter, the faster your database will be created.
  • Page 436: Changing The Location Of The Database Transaction Log

    Tuning Database Performance Changing the Location of the Database Transaction Log By default, the database transaction log file is stored in the serverRoot/slapd-serverID/db directory along with the database files themselves. Because the purpose of the transaction log is to aid in the recovery of a directory database that was shut down abnormally, it is a good idea to store the database transaction log on a different disk from the one containing the directory database.
  • Page 437: Disabling Durable Transactions

    Tuning Database Performance databases after a disorderly shutdown and require more disk space due to large database transaction log files. Therefore, you should modify this attribute only if you are familiar with database optimization and can fully assess the effect of the change.
  • Page 438: Specifying Transaction Batching

    Miscellaneous Tuning Tips Use the ldapmodify command-line utility to add the nsslapd-db-durable-transactions attribute to the cn=config,cn=ldbm database,cn=plugins,cn=config entry, and set the value of this attribute to off. For information on the syntax of the nsslapd-db-durable-transactions attribute, see the Netscape Directory Server Configuration, Command, and File Reference.
  • Page 439: Avoid Creating Entries Under The Cn=Config Entry In The Dse.ldif File

    Miscellaneous Tuning Tips Avoid Creating Entries Under the cn=config Entry in the dse.ldif File The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, and particularly entries that are likely to be updated frequently, are stored under cn=config, performance will probably suffer.
  • Page 441: Part 2 Plug-Ins Reference

    Part 2 Plug-Ins Reference Chapter 15, “Administering Directory Server Plug-Ins” Chapter 16, “Using the Pass-Through Authentication Plug-In” Chapter 17, “Using the Attribute Uniqueness Plug-In” Chapter 18, “Configuring IM Presence Information”...
  • Page 443: Chapter 15 Administering Directory Server Plug-Ins

    Chapter 15 Administering Directory Server Plug-Ins Netscape Directory Server (Directory Server) plug-ins extend the functionality of the server. Directory Server ships with several plug-ins to help you manage your directory. This chapter contains general information on the types of plug-ins available, and how to enable or disable them.
  • Page 444: Acl Plug-In

    Server Plug-in Functionality Reference Table 15-1 Details of 7-Bit Check Plug-In (Continued) Description: Checks certain attributes are 7-bit clean. Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur. Dependencies: None. Performance Related Information: None...
  • Page 445: Acl Preoperation Plug-In

    Server Plug-in Functionality Reference ACL Preoperation Plug-In Table 15-3 Details of ACL Preoperation Plug-In Plug-in Name: ACL preoperation. DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config. Description: ACL access check plug-in. Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: None. Dependencies: database. Performance Related Information: None...
  • Page 446: Boolean Syntax Plug-In

    Server Plug-in Functionality Reference Boolean Syntax Plug-In Table 15-5 Details of Boolean Syntax Plug-In Plug-in Name: Boolean Syntax. DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config. Description: Syntax for handling booleans. Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: None. Dependencies: None. Do not modify the configuration of this plug-in.
  • Page 447: Case Ignore String Syntax Plug-In

    Server Plug-in Functionality Reference Case Ignore String Syntax Plug-In Table 15-7 Details of Case Ignore String Syntax Plug-In Plug-in Name: Case Ignore String Syntax. DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config. Description: Syntax for handling case-insensitive strings. Configurable Options: on | off. Default Setting: (not shown). Configurable...
  • Page 448: Class Of Service Plug-In

    Server Plug-in Functionality Reference Class of Service Plug-In Table 15-9 Details of Class of Service Plug-In Plug-in Name: Class of Service. DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config. Description: Allows for sharing of attributes between entries. Configurable Options: on | off. Default Setting: (not shown). Configurable...
  • Page 449: Distinguished Name Syntax Plug-In

    Server Plug-in Functionality Reference Distinguished Name Syntax Plug-In Table 15-11 Details of Distinguished Name Syntax Plug-In Plug-in Name: Distinguished Name Syntax. DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config. Description: Syntax for handling DNs. Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: None...
  • Page 450: Integer Syntax Plug-In

    Server Plug-in Functionality Reference Table 15-12 Details of Generalized Time Syntax Plug-In (Continued) Further Information The Generalized Time String consists of the following: four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication.
  • Page 451: Ldbm Database Plug-In

    Server Plug-in Functionality Reference Table 15-14 Details of Internationalization Plug-In (Continued) Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: The Internationalization plug-in has one argument which must not be modified: serverRoot/slapd-serverID/config/slapd-collations.conf. This directory stores the collation orders and locales used by the internationalization plug-in.
  • Page 452: Legacy Replication Plug-In

    Server Plug-in Functionality Reference Legacy Replication Plug-In Table 15-16 Details of Legacy Replication Plug-In Plug-in Name: Legacy Replication plug-in. DN of Configuration Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config. Description: Enables this version of Directory Server to be a consumer of a 4.1 supplier. Configurable Options: on | off...
  • Page 453: Octet String Syntax Plug-In

    Server Plug-in Functionality Reference Table 15-17 Details of Multimaster Replication Plug-In (Continued) Further Information: You can turn this plug-in off if you only have one server which will never replicate. See also Chapter 8, “Managing Replication.” Octet String Syntax Plug-In Table 15-18 Details of Octet String Syntax Plug-In Plug-in Name: Octet String Syntax...
  • Page 454: Crypt Password Storage Plug-In

    Server Plug-in Functionality Reference Table 15-19 Details of CLEAR Password Storage Plug-In (Continued) Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times. Further Information: Chapter 7, “User Account Management.” CRYPT Password Storage Plug-In Table 15-20 Details of CRYPT Password Storage Plug-In Plug-in Name...
  • Page 455: Sha Password Storage Plug-In

    Server Plug-in Functionality Reference Table 15-21 Details of NS-MTA-MD5 Password Storage Plug-In (Continued) Default Setting: (not shown). Configurable Arguments: None. Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times. Further Information: You cannot choose to encrypt passwords using the NS-MTA-MD5 password storage scheme.
  • Page 456: Ssha Password Storage Plug-In

    Server Plug-in Functionality Reference SSHA Password Storage Plug-In Table 15-23 Details of SSHA Password Storage Plug-In Plug-in Name: SSHA. DN of Configuration Entry: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config. Description: SSHA password storage scheme for password encryption. Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: None...
  • Page 457: Presence Plug-In

    Server Plug-in Functionality Reference Presence Plug-In Table 15-25 Details of Presence Plug-In Plug-in Name: Presence. DN of Configuration Entry: cn=Presence,cn=plugins,cn=config. Description: Syntax used for handling postal addresses. Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: None. Dependencies: database. Performance Related Information: Check the reference provided in Further Information. Further Information...
  • Page 458: Referential Integrity Postoperation Plug-In

    Server Plug-in Functionality Reference Table 15-26 Details of PTA Plug-In (Continued) Performance Related Information: Chapter 16, “Using the Pass-Through Authentication Plug-In.” Further Information: Chapter 16, “Using the Pass-Through Authentication Plug-In.” Referential Integrity Postoperation Plug-In Table 15-27 Details of Referential Integrity Postoperation Plug-In Plug-in Name: Referential Integrity Postoperation. DN of Configuration...
  • Page 459: Retro Change Log Plug-In

    Server Plug-in Functionality Reference Table 15-27 Details of Referential Integrity Postoperation Plug-In (Continued) Performance Related Information: You should enable the Referential Integrity plug-in on only one master in a multimaster replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, you must be sure to analyze your performance, resource, and time needs as well as your integrity needs.
  • Page 460: Space Insensitive String Syntax Plug-In

    Server Plug-in Functionality Reference Table 15-29 Details of Roles Plug-In (Continued) DN of Configuration Entry: cn=Roles Plugin,cn=plugins,cn=config. Description: Enables the use of roles in the Directory Server. Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: None. Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
  • Page 461: State Change Plug-In

    Server Plug-in Functionality Reference Table 15-30 Details of Space Insensitive String Syntax Plug-In (Continued) Further Information This plug-in enables the Directory Server to support space and case insensitive values. Applications can now search the directory using entries with ASCII space characters. For example, applications that use AOL Screen Names™...
  • Page 462: Telephone Syntax Plug-In

    Server Plug-in Functionality Reference Telephone Syntax Plug-In Table 15-32 Details of Telephone Syntax Plug-In Plug-in Name: Telephone Syntax. DN of Configuration Entry: cn=Telephone Syntax,cn=plugins,cn=config. Description: Syntax for handling telephone numbers. Configurable Options: on | off. Default Setting: (not shown). Configurable Arguments: None. Dependencies: None. Do not modify the configuration of this plug-in.
  • Page 463 Server Plug-in Functionality Reference Table 15-33 Details of UID Uniqueness Plug-In (Continued) Configurable Arguments: Enter the following arguments: "DN" "DN"... if you want to check for uid attribute uniqueness in all listed subtrees. However, enter the following arguments: attribute="uid" MarkerObjectclass = "ObjectClassName" and optionally requiredObjectClass = "ObjectClassName"...
  • Page 464: Uri Plug-In

    Enabling and Disabling Plug-Ins From the Server Console URI Plug-In Table 15-34 Details of URI Plug-In Plug-in Name: URI Syntax. DN of Configuration Entry: cn=URI Syntax,cn=plugins,cn=config. Description: Syntax for handling URIs (Unique Resource Identifiers) including URLs (Unique Resource Locators). Configurable Options: on | off. Default Setting...
  • Page 465: Chapter 16 Using The Pass-Through Authentication Plug-In

    Chapter 16 Using the Pass-Through Authentication Plug-In Pass-through authentication (PTA) is a mechanism by which one directory server consults another to authenticate bind requests. The PTA plug-in provides this functionality, allowing a directory server to accept simple bind operations (password based) for entries not stored in its local database. Netscape Directory Server (Directory Server) uses PTA to allow you to administer your user and configuration directories on separate instances of Directory Server.
  • Page 466 How Directory Server Uses PTA The user directory in this example acts as the PTA directory, that is, the server that passes through bind requests to another directory server. The configuration directory acts as the authenticating directory, that is, the server that contains the entry and verifies the bind credentials of the requesting client.
  • Page 467: Pta Plug-In Syntax

    PTA Plug-In Syntax
    nsslapd-pluginarg0: ldap://config.example.com/ou=NetscapeRoot
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: passthruauth
    nsslapd-pluginVersion: 6.1
    nsslapd-pluginVendor: Netscape Communications Corporation
    nsslapd-pluginDescription: pass through authentication plugin
    The user directory is now configured to send all bind requests for entries whose DN contains o=NetscapeRoot to the configuration directory configdir.example.com. When installation is complete, the...
  • Page 468: Table 16-1 Pta Plug-In Parameters

    PTA Plug-In Syntax Notes: • The LDAP URL (ldap|ldaps://authDS/subtree) must be separated from the optional parameters (maxconns, maxops, timeout, ldver, connlifetime) by a single space. • If you explicitly define any of the optional parameters, you must define all of them, even if you specify only the default values.
  • Page 469: Configuring The Pta Plug-In

    Configuring the PTA Plug-In PTA Plug-In Parameters (Continued) Table 16-1 Variable Definition maxconns Optional. The maximum number of connections the PTA directory can simultaneously open to the authenticating directory. The default is 3. See “Configuring the Optional Parameters,” on page 473 for more information. maxops Optional.
  • Page 470: Turning The Plug-In On Or Off

    Configuring the PTA Plug-In Restart Directory Server. Before you configure any of the parameters discussed in this section, the PTA plug-in entry must be present in the dse.ldif file. If this entry does not exist, you must create it with the appropriate syntax, as described in “PTA Plug-In Syntax,” on page 467.
  • Page 471: Configuring The Servers To Use A Secure Connection

    Configuring the PTA Plug-In When you enable the plug-in, you must also check that the plug-in initialization function is properly defined. The entry cn=Pass Through Authentication,cn=plugins,cn=config should contain the following attribute-value pairs: nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.extension nsslapd-pluginInitfunc: passthruauth_init where extension is always on HP-UX, on all other UNIX platforms, and on Windows.
  • Page 472: Specifying The Authenticating Directory Server

    Configuring the PTA Plug-In Restart the server. For information on restarting the server, refer to “Starting and Stopping the Directory Server,” on page 35. Specifying the Authenticating Directory Server The authenticating directory contains the bind credentials for the entry with which the client is attempting to bind.
  • Page 473: Specifying The Pass-Through Subtree

    Configuring the PTA Plug-In Specifying the Pass-Through Subtree The PTA directory passes through bind requests to the authenticating directory from all clients whose DN is defined in the pass-through subtree. You specify the subtree by replacing the subtree parameter in the LDAP URL of the PTA directory. The pass-through subtree must not exist in the PTA directory.
  • Page 474 Configuring the PTA Plug-In • The time limit you want the PTA directory server to wait for a response from the authenticating directory server. In the PTA syntax, this parameter is represented as timeout. The default value is 300 seconds (five minutes). •...
  • Page 475: Pta Plug-In Syntax Examples

    PTA Plug-In Syntax Examples PTA Plug-In Syntax Examples This section contains the following examples of PTA plug-in syntax in the dse.ldif file: • Specifying One Authenticating Directory Server and One Subtree • Specifying Multiple Authenticating Directory Servers • Specifying One Authenticating Directory Server and Multiple Subtrees •...
  • Page 476: Specifying One Authenticating Directory Server And Multiple Subtrees

    PTA Plug-In Syntax Examples
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: Pass Through Authentication
    nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.so
    nsslapd-pluginInitfunc: passthruauth_init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: on
    nsslapd-pluginarg0: ldap://config-dir.example.com/ou=NetscapeRoot
    nsslapd-pluginarg1: ldap://config2-dir.example.com/ou=NetscapeRoot
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: passthruauth
    nsslapd-pluginVersion: 6.1
    nsslapd-pluginVendor: Netscape Communications Corporation
    nsslapd-pluginDescription: pass through authentication plugin
    Specifying One Authenticating Directory Server and Multiple Subtrees...
  • Page 477: Specifying Different Optional Parameters And Subtrees For Different Authenticating Directory Servers

    PTA Plug-In Syntax Examples
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: Pass Through Authentication
    nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.so
    nsslapd-pluginInitfunc: passthruauth_init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: on
    nsslapd-pluginarg0: ldap://config-dir.example.com/ou=NetscapeRoot 10,5,300,3,300
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: passthruauth
    nsslapd-pluginVersion: 6.1
    nsslapd-pluginVendor: Netscape Communications Corporation
    nsslapd-pluginDescription: pass through authentication plugin
    Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers If you want to specify a different pass-through subtree and optional parameter...
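As an added example (not code from the manual), the following parser and checker implements the nsslapd-pluginarg value format described in the PTA parameter notes and illustrated in the example above: an ldap or ldaps URL naming the authenticating directory and subtree, optionally followed by a single space and all five optional parameters (maxconns, maxops, timeout, ldver, connlifetime). Treating the five parameters as positive integers, and the function and class names, are assumptions of this example, not statements from the page.

```python
"""Parser and checker for the PTA plug-in's nsslapd-pluginargN value format.

Added example; not code from the Netscape manual. Format as described on the page:
    ldap|ldaps://authDS/subtree[ maxconns,maxops,timeout,ldver,connlifetime]
The URL and the optional parameters are separated by exactly one space, and if
any optional parameter is given, all five must be given. Treating the five
parameters as positive integers is an assumption the page does not state.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Order of the optional parameters as listed in the manual's notes.
OPTIONAL_PARAMS = ("maxconns", "maxops", "timeout", "ldver", "connlifetime")


@dataclass
class PtaTarget:
    scheme: str                       # "ldap" (clear text) or "ldaps" (SSL)
    host: str                         # authenticating directory server
    port: Optional[int]               # None when the URL gives no port
    subtree: str                      # pass-through subtree DN from the URL path
    params: Optional[Dict[str, int]]  # None when no optional parameters given

    @property
    def secure(self) -> bool:
        return self.scheme == "ldaps"


def parse_pluginarg(value: str) -> PtaTarget:
    """Parse one nsslapd-pluginargN value; raise ValueError on a format error."""
    parts = value.split(" ")
    if len(parts) > 2 or not parts[0]:
        raise ValueError("expected a URL optionally followed by one space and parameters")
    url = urlsplit(parts[0])
    if url.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"scheme must be ldap or ldaps, got {url.scheme!r}")
    if not url.hostname:
        raise ValueError("authenticating directory host is missing")
    subtree = url.path.lstrip("/")
    if not subtree:
        raise ValueError("pass-through subtree is missing from the URL")
    params = None
    if len(parts) == 2:
        fields = parts[1].split(",")
        if len(fields) != len(OPTIONAL_PARAMS):
            # The page requires all five values once any of them is given.
            raise ValueError(
                f"optional parameters must be all five ({','.join(OPTIONAL_PARAMS)}), "
                f"got {len(fields)}")
        try:
            numbers = [int(f) for f in fields]
        except ValueError:
            raise ValueError("optional parameters must be integers") from None
        if any(n <= 0 for n in numbers):
            raise ValueError("optional parameters must be positive")
        params = dict(zip(OPTIONAL_PARAMS, numbers))
    return PtaTarget(url.scheme, url.hostname, url.port, subtree, params)


def is_valid_pluginarg(value: str) -> bool:
    """True when the value parses cleanly."""
    try:
        parse_pluginarg(value)
        return True
    except ValueError:
        return False


def audit_pluginargs(values: List[str]) -> List[str]:
    """Review the nsslapd-pluginargN values of a PTA entry and return warnings.

    A format error means the plug-in cannot be configured as intended; a plain
    ldap:// URL means the bind passwords the PTA directory forwards travel to
    the authenticating directory without SSL (see the secure-connection section).
    """
    warnings = []
    for index, value in enumerate(values):
        label = f"nsslapd-pluginarg{index}"
        try:
            target = parse_pluginarg(value)
        except ValueError as err:
            warnings.append(f"{label}: {err}")
            continue
        if not target.secure:
            warnings.append(
                f"{label}: plain ldap:// forwards bind passwords to {target.host} "
                "unencrypted; use ldaps:// for the authenticating directory")
    return warnings


if __name__ == "__main__":
    # Sample values in the manual's format; the first is the page's own example,
    # the other two are constructed for this demonstration.
    for line in audit_pluginargs([
        "ldap://config-dir.example.com/ou=NetscapeRoot 10,5,300,3,300",
        "ldaps://config2-dir.example.com:636/ou=NetscapeRoot",
        "ldap://config3-dir.example.com/ou=NetscapeRoot 10,5,300",
    ]):
        print(line)
```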
  • Page 479: Chapter 17 Using The Attribute Uniqueness Plug-In

    Chapter 17 Using the Attribute Uniqueness Plug-In The attribute uniqueness plug-in can be used to ensure that the attributes you specify always have unique values in the directory. You must create a new instance of the plug-in for every attribute for which you want to ensure unique values. Netscape Directory Server (Directory Server) provides a uid uniqueness plug-in that can be used to manage the uniqueness of the uid attribute.
  • Page 480 Overview of the Attribute Uniqueness Plug-In If an update operation applies to an attribute and suffix monitored by the plug-in, and it would cause two entries to have the same attribute value, then the server terminates the operation and returns an LDAP_CONSTRAINT_VIOLATION error to the client.
  • Page 481: Overview Of The Uid Uniqueness Plug-In

    Overview of the UID Uniqueness Plug-in Overview of the UID Uniqueness Plug-in Directory Server provides an instance of the attribute uniqueness plug-in, the Uid Uniqueness plug-in. By default, the plug-in ensures that values given to the uid attribute are unique in the suffix you configured when installing the directory (the suffix corresponding to the database).
  • Page 482 Attribute Uniqueness Plug-In Syntax nsslapd-pluginId: NSUniqueAttr nsslapd-pluginVersion: 6.1 nsslapd-pluginVendor: Netscape Communications Corporation nsslapd-pluginDescription: Enforce unique attribute values Notes: • You can specify any name you like in the attribute to name the plug-in. The name should be descriptive. This attribute does not contain the name of the attribute which is checked for uniqueness.
  • Page 483: Table 17-1 Attribute Uniqueness Plug-In Variables

    Attribute Uniqueness Plug-In Syntax • You can specify only one attribute on which the uniqueness check will be performed. • If the nsslapd-pluginarg0 attribute begins with attribute=attribute_name, then the server expects that the nsslapd-pluginarg1 attribute will include a markerObjectClass. The variable components of the attribute uniqueness plug-in syntax are described in Table 17-1.
  • Page 484: Creating An Instance Of The Attribute Uniqueness Plug-In

    Creating an Instance of the Attribute Uniqueness Plug-In Creating an Instance of the Attribute Uniqueness Plug-In If you want to ensure that a particular attribute in your directory always has unique values, you must create an instance of the attribute uniqueness plug-in for the attribute you want to check.
  • Page 485: Configuring Attribute Uniqueness Plug-Ins

    Configuring Attribute Uniqueness Plug-Ins Configuring Attribute Uniqueness Plug-Ins This section explains how to use Directory Server Console to view the plug-ins configured for your directory, and how to modify the configuration of the attribute uniqueness plug-ins. Viewing Plug-In Configuration Information From the Directory Server Console, you can display the configuration entry for attribute uniqueness plug-ins as follows: On the Directory Server Console, click the Directory tab.
  • Page 486: Configuring Attribute Uniqueness Plug-Ins From The Command Line

    Configuring Attribute Uniqueness Plug-Ins To modify an attribute uniqueness plug-in configuration from the Directory Server Console Configuration tab: On the Directory Server Console, select the Configuration tab, then in the navigation tree, expand the Plugins folder, and select the attribute uniqueness plug-in that you want to modify.
  • Page 487: Turning The Plug-In On Or Off

    Configuring Attribute Uniqueness Plug-Ins Turning the Plug-in On or Off To turn the plug-in on from the command line, you must create an LDIF file that contains the following LDIF update statements:
    dn: cn=descriptive_plugin_name,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginenabled
    nsslapd-pluginenabled: on
    Use the ldapmodify command to import the LDIF file into the directory.
  • Page 488: Using The Markerobjectclass And Requiredobjectclass Keywords

    Configuring Attribute Uniqueness Plug-Ins Using the markerObjectClass and requiredObjectClass Keywords Instead of specifying a suffix or subtree in the configuration of an attribute uniqueness plug-in, you can specify to perform the check under the entry belonging to the DN of the updated entry that has the object class specified in the markerObjectClass keyword.
  • Page 489: Attribute Uniqueness Plug-In Syntax Examples

    Attribute Uniqueness Plug-In Syntax Examples
    nsslapd-pluginarg1: markerObjectClass=ou
    nsslapd-pluginarg2: requiredObjectClass=person
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: NSUniqueAttr
    nsslapd-pluginVersion: 6.1
    nsslapd-pluginVendor: Netscape Communications Corporation
    nsslapd-pluginDescription: Enforce unique attribute values
    NOTE You cannot repeat the markerObjectClass and requiredObjectClass keywords by incrementing the counter in the nsslapd-pluginarg attribute suffix. The nsslapd-pluginarg0 attribute always contains the name of...
  • Page 490: Specifying One Attribute And Multiple Subtrees

    Attribute Uniqueness Plug-In Syntax Examples Specifying One Attribute and Multiple Subtrees This example configures the plug-in to ensure the uniqueness of the mail attribute under the l=Chicago,dc=example,dc=com and l=Boston,dc=example,dc=com subtrees.
    dn: cn=mail uniqueness,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: mail uniqueness
    nsslapd-pluginPath: /usr/netscape/servers/lib/uid-plugin.so
    nsslapd-pluginInitfunc: NSUniqueAttr_Init
    nsslapd-pluginType: preoperation...
  • Page 491: Replication And The Attribute Uniqueness Plug-In

    Replication and the Attribute Uniqueness Plug-In Replication and the Attribute Uniqueness Plug-In When you use the attribute uniqueness plug-ins on Directory Servers involved in a replication agreement, you must think carefully about how to configure the plug-in on each server. Consider the following cases: •...
  • Page 492 Replication and the Attribute Uniqueness Plug-In When these conditions are met, attribute uniqueness conflicts are reported as naming conflicts at replication time. Naming conflicts require manual resolution. For information on how to resolve replication conflicts, refer to “Solving Common Replication Conflicts,” on page 330.
  • Page 493: Chapter 18 Configuring Im Presence Information

    Chapter 18 Configuring IM Presence Information Netscape Directory Server (Directory Server) 6.0 includes a preview release of a new feature called Instant Messenger (IM) Presence Information. This chapter provides an overview of this feature and information that will help you configure Directory Server to provide an IM user’s online-status information as a part of the user-profile information stored in the directory.
  • Page 494: Schema For The Presence Plug-In

    Schema For the Presence Plug-In Making the presence information available via a directory provides an easy, efficient, and unified way of looking at a user’s online status. In organizations where a directory is generally deployed to store user-profile information, presence information can be added to the directory schema, and the online status of users becomes available to everyone within the organization without having to worry about the details of how this information is queried or obtained.
  • Page 495: Performance-Related Information

    Performance-Related Information The file lists the default object classes with the allowed attributes that must be added to a user’s entry in order for presence information to be available for that user: objectclass: nsAIMpresence attributeTypes: nsAIMid syntax DirectoryString attributeTypes: nsAIMStatusGraphic syntax Binary NO-USER-MODIFICATION USAGE directoryOperation attributeTypes: nsAIMStatusText syntax DirectoryString NO-USER-MODIFICATION USAGE directoryOperation...
  • Page 496: Setting Resource Limits Based On Bind Dn

    Troubleshooting Setting Resource Limits Based on Bind DN You can control or set limits on search operations for directory data using special operational attribute values on the client application binding to the directory. Table 18-1 lists attributes that you can use to set search-operation limits. Table 18-1 Attributes for Setting Limits On Search Operations Parameter...
  • Page 497: Part 3

    Part 3 Appendixes Appendix A, “LDAP Data Interchange Format” Appendix B, “Finding Directory Entries” Appendix C, “LDAP URLs” Appendix D, “Internationalization”...
  • Page 499: Appendix A Ldap Data Interchange Format

    Appendix A LDAP Data Interchange Format Netscape Directory Server (Directory Server) uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text format. LDIF is commonly used to build the initial directory database or to add large numbers of entries to the directory all at once.
  • Page 500 LDIF File Format The basic form of a directory entry represented in LDIF is as follows: dn: distinguished_name objectClass: object_class objectClass: object_class attribute_type[;subtype]:attribute_value attribute_type[;subtype]:attribute_value You must supply the DN and at least one object class definition. In addition, you must include any attributes required by the object classes that you define for the entry.
  • Page 501: Continuing Lines In Ldif

    LDIF File Format Table A-1 LDIF Fields (Continued) Field Definition [subtype] Optional. Specifies a subtype: language, binary, or pronunciation. Use this tag to identify the language in which the corresponding attribute value is expressed, or whether the attribute value is binary or a pronunciation of an attribute value.
  • Page 502 LDIF File Format If you use this standard notation, you do not need to specify the ldapmodify -b parameter. However, you must add the following line to the beginning of your LDIF file, or your LDIF update statements: version:1 For example, you could use the following ldapmodify command: prompt% ldapmodify -D userDN -w user_passwd...
  • Page 503: Specifying Directory Entries Using Ldif

    Specifying Directory Entries Using LDIF Specifying Directory Entries Using LDIF You can store many types of entries in your directory. This section concentrates on three of the most common types of entries used in a directory: organization, organizational unit, and organizational person entries. The object classes defined for an entry are what indicate whether the entry represents an organization, an organizational unit, an organizational person, or some other type of entry.
  • Page 504: Table A-2 Ldif Elements In Organization Entries

    Specifying Directory Entries Using LDIF The organization name in the following example uses a comma: dn: o="example.com Chile\\, S.A." objectclass: top objectclass: organization o: "example.com Chile\\, S.A." description: Fictional company for example purposes telephonenumber: 555-5556 Each element of the LDIF-formatted organization entry is defined in Table A-2. Table A-2 LDIF Elements in Organization Entries LDIF Element...
  • Page 505: Specifying Organizational Unit Entries

    Specifying Directory Entries Using LDIF Specifying Organizational Unit Entries Organizational unit entries are often used to represent major branch points, or subdirectories, in your directory tree. They correspond to major, reasonably static entities within your enterprise, such as a subtree that contains people, or a subtree that contains groups.
  • Page 506: Specifying Organizational Person Entries

    Specifying Directory Entries Using LDIF Table A-3 LDIF Elements in Organizational Unit Entries (Continued) LDIF Element Description ou: organizational_unit_name Attribute that specifies the organizational unit’s name. list_of_attributes Specifies the list of optional attributes that you want to maintain for the entry. See the Netscape Directory Server Schema Reference for a list of the attributes you can use with this object class.
  • Page 507: Defining Directories Using Ldif

    Defining Directories Using LDIF Table A-4 LDIF Elements in Person Entries LDIF Element Description dn: distinguished_name Specifies the distinguished name for the entry. A DN is required. If there is a comma in the DN, the comma must be escaped with a backslash (\). For example, dn:uid=bjensen,ou=people,o=example.com Bolivia\,S.A.
  • Page 508 Defining Directories Using LDIF To create a directory using LDIF, follow these steps: Create an ASCII file containing the entries you want to add in LDIF format. Make sure each entry is separated from the next by an empty line. You should use just one line, and the first line of the file must not be blank or else the utility will exit.
  • Page 509: Ldif File Example

    Defining Directories Using LDIF LDIF File Example The following example shows an LDIF file that contains one organization, two organizational units, and three organizational person entries: dn: o=example.com Corp,dc=example,dc=com objectclass: top objectclass: organization o: example.com Corp description: Fictional organization for example purposes dn: ou=People,o=example.com Corp,dc=example,dc=com objectclass: top objectclass: organizationalUnit...
  • Page 510: Storing Information In Multiple Languages

    Storing Information in Multiple Languages dn: cn=Robert Wong,ou=People,o=example.com Corp,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Robert Wong cn: Bob Wong sn: Wong givenName: Robert givenName: Bob mail: bwong@example.com userPassword: {sha}nn2msx761 telephoneNumber: 2881 roomNumber: 211 ou: Manufacturing ou: people dn: ou=Groups,o=example.com Corp,dc=example,dc=com objectclass: top objectclass: organizationalUnit...
  • Page 511 Storing Information in Multiple Languages For example, suppose example.com Corporation has offices in the United States and France and wants employees to be able to view directory information in their native language. When adding directory entries, the directory administrator chooses to provide attribute values in both English and French. When adding a directory entry for a new employee, Babs Jensen, the administrator creates the following LDIF entry: dn: uid=bjensen,ou=people,dc=example,dc=com...
  • Page 513: Appendix B Finding Directory Entries

    Appendix B Finding Directory Entries You can find entries in your directory using any LDAP client. Most clients provide some form of a search interface that allows you to easily search the directory and retrieve entry information. NOTE You cannot search the directory unless the appropriate access control has been set in your directory.
  • Page 514: Using Ldapsearch

    Using ldapsearch On Directory Server Console, select the Directory tab. Depending on the DN you used to authenticate to the directory, this tab displays the contents of the directory that you have access permissions to view. You can browse through the contents of the tree or right-click an entry and select Search from the pop-up menu.
  • Page 515: Ldapsearch Command-Line Format

    Using ldapsearch ldapsearch Command-Line Format When you use ldapsearch, you must enter the command using the following format: ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes] where • optional_options represents a series of command-line options. These must be specified before the search filter, if any. •...
  • Page 516 Using ldapsearch Option Description Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks.
  • Page 517 Using ldapsearch Option Description Specifies the scope of the search. The scope can be one of the following: • base—Search only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable. • one—Search only the immediate children of the entry specified in the -b option.
  • Page 518: Ldapsearch Examples

    Using ldapsearch ldapsearch Examples In the next set of examples, suppose the following are true: • You want to perform a search of all entries in the directory. • You have configured your directory to support anonymous access for search and read.
  • Page 519: Searching The Schema Entry

    Using ldapsearch Searching the Schema Entry Directory Server stores all directory server schema in the special entry cn=schema. This entry contains information on every object class and attribute defined for your directory server. You can examine the contents of this entry as follows: ldapsearch -h mozilla -b "cn=schema"...
  • Page 520: Specifying Search Filters Using A File

    Using ldapsearch Specifying Search Filters Using a File You can enter search filters into a file instead of entering them on the command line. When you do this, specify each search filter on a separate line in the file. The command runs each search in the order in which it appears in the file.
  • Page 521: Ldap Search Filters

    LDAP Search Filters LDAP Search Filters Search filters select the entries to be returned for a search operation. They are most commonly used with the ldapsearch command-line utility. When you use ldapsearch, you can place multiple search filters in a file, with each filter on a separate line in the file, or you can specify a search filter directly on the command line.
  • Page 522: Using Attributes In Search Filters

    LDAP Search Filters Using Attributes in Search Filters When searching for an entry, you can specify attributes associated with that type of entry. For example, when you search for people entries, you can use the cn attribute to search for people with a specific common name. Examples of attributes that people entries might include: •...
  • Page 523: Using Compound Search Filters

    LDAP Search Filters Table B-1 Search Filter Operators (Continued) Search Type Operator Description Greater than or equal to >= Returns entries containing attributes that are greater than or equal to the specified value. For example, buildingname >= alpha Less than or equal to <= Returns entries containing attributes that are less than or equal to the specified value.
  • Page 524: Search Filter Examples

    LDAP Search Filters Table B-2 Search Filter Boolean Operators Operator Symbol Description AND & All specified filters must be true for the statement to be true. For example: (&(filter)(filter)(filter)...) OR | At least one specified filter must be true for the statement to be true. For example: (|(filter)(filter)(filter)...) NOT ! The specified statement must not be true for the statement to be true.
  • Page 525: Searching An Internationalized Directory

    Searching an Internationalized Directory The following filter returns all entries whose organizational unit is Marketing and that have Julie Fulmer or Cindy Zwaska as a manager: (&(ou=Marketing)(|(manager=cn=Julie Fulmer,ou=Marketing,dc=example,dc=com)(manager=cn=Cindy Zwaska,ou=Marketing,dc=example,dc=com))) The following filter returns all entries that do not represent a person: (!(objectClass=person)) The following filter returns all entries that do not represent a person and whose common name is similar to...
  • Page 526: Matching Rule Filter Syntax

    Searching an Internationalized Directory Matching Rule Filter Syntax A matching rule provides special guidelines for how the directory compares strings during a search operation. In an international search, the matching rule tells the system what collation order and operator to use when performing the search operation.
  • Page 527 Searching an Internationalized Directory • Using a Language Tag and Suffix for the Matching Rule Using an OID for the Matching Rule Each locale supported by the directory server has an associated collation order OID. For a list of locales supported by the directory server and their associated OIDs, see Table D-1 on page 541.
  • Page 528: Using Wildcards In Matching Rule Filters

    Searching an Internationalized Directory For a list of locales supported by the directory server and their associated OIDs, see Table D-1 on page 541. For a list of relational operators and their equivalent suffixes, see Table B-3 on page 529. Using a Language Tag and Suffix for the Matching Rule As an alternative to using a relational operator-value pair, you can append a suffix that represents a specific operator to the language tag in the matching rule portion...
  • Page 529: International Search Examples

    Searching an Internationalized Directory • greater than or equal to (>=) • less than (<) • less than or equal to (<=) Approximate, or phonetic, and presence searches are supported only in English. As with a regular search operation, an international search uses ldapsearch operators to define the type of search.
  • Page 530: Less Than Or Equal To Example

    Searching an Internationalized Directory For example, to search for all surnames that come before the surname Marquez in the Spanish collation order, you could use any of the following matching rule filters: sn:2.16.840.1.113730.3.3.2.15.1:=< Marquez sn:es:=< Marquez sn:2.16.840.1.113730.3.3.2.15.1.1:=Marquez sn:es.1:=Marquez Less Than or Equal to Example When you perform a locale-specific search using the less than or equal to operator (<=) or suffix (.2), you search for all attribute values that come at or before the given attribute in a specific collation order.
  • Page 531: Greater Than Example

    Searching an Internationalized Directory For example, to search for all localities that come at or after Québec in the French collation order, you could use any of the following matching rule filters: locality:2.16.840.1.113730.3.3.2.18.1:=>= Québec locality:fr:=>= Québec locality:2.16.840.1.113730.3.3.2.18.1.4:=Québec locality:fr.4:=Québec Greater Than Example When you perform a locale-specific search using the greater than operator (>) or suffix (.5), you search for all attribute values that come after the given attribute in a specific collation order.
  • Page 533: Appendix C Ldap Urls

    Appendix C LDAP URLs When you access the Netscape Directory Server (Directory Server) using a web-based client such as Directory Server Gateway, you must provide an LDAP URL identifying the Directory Server you wish to access. You also use LDAP URLs when managing Directory Server referrals or access control instructions.
  • Page 534 Components of an LDAP URL LDAP URL Components (Continued) Table C-1 Component Description base_dn Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search. If no base DN is specified, the search starts at the root of the directory tree. attributes The attributes to be returned.
  • Page 535: Escaping Unsafe Characters

    Escaping Unsafe Characters Escaping Unsafe Characters Any “unsafe” characters in the URL need to be represented by a special sequence of characters. This is called escaping unsafe characters. For example, a space is an unsafe character that must be represented as within the URL.
  • Page 536: Examples Of Ldap Urls

    Examples of LDAP URLs Examples of LDAP URLs Example 1: The following LDAP URL specifies a base search for the entry with the distinguished name dc=example,dc=com: ldap://ldap.example.com/dc=example,dc=com Because no port number is specified, the standard LDAP port number (389) is used. Because no attributes are specified, the search returns all attributes.
  • Page 537 Examples of LDAP URLs Example 4: The following LDAP URL specifies a search for entries that have the surname Jensen and are at any level under dc=example,dc=com: ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen) Because no attributes are specified, the search returns all attributes. Because the search scope is sub, the search encompasses the base entry and entries at all levels under the base entry.
  • Page 539: Appendix D Internationalization

    Appendix D Internationalization Netscape Directory Server (Directory Server) allows you to store, manage, and search for entries and their associated attributes in a number of different languages. An internationalized directory can be an invaluable corporate resource, providing employees and business partners with immediate access to the information they need in the languages they can understand.
  • Page 540: Identifying Supported Locales

    Identifying Supported Locales More specifically, a locale specifies: • Collation order—The collation order provides language and cultural-specific information about how the characters of a given language are to be sorted. It identifies things like the sequence of the letters in the alphabet, how to compare letters with accents with letters without accents, and if there are any characters that can be ignored when comparing strings.
  • Page 541 Identifying Supported Locales A language tag is a string that begins with the two-character lowercase language code that identifies the language (as defined in ISO standard 639). If necessary to distinguish regional differences in language, the language tag may also contain a country code, which is a two-character string (as defined in ISO standard 3166).
  • Page 542: Supported Language Subtypes

    Supported Language Subtypes Table D-1 Supported Locales (Continued) Locale Language Tag Collation Order Object Identifiers (OIDs) German 2.16.840.1.113730.3.3.2.7.1 Greek 2.16.840.1.113730.3.3.2.10.1 Hebrew 2.16.840.1.113730.3.3.2.27.1 Hungarian 2.16.840.1.113730.3.3.2.23.1 Icelandic 2.16.840.1.113730.3.3.2.24.1 Japanese 2.16.840.1.113730.3.3.2.28.1 Korean 2.16.840.1.113730.3.3.2.29.1 Latvian, Lettish 2.16.840.1.113730.3.3.2.31.1 Lithuanian 2.16.840.1.113730.3.3.2.30.1 Macedonian 2.16.840.1.113730.3.3.2.32.1 Norwegian 2.16.840.1.113730.3.3.2.35.1 Polish 2.16.840.1.113730.3.3.2.38.1 Romanian 2.16.840.1.113730.3.3.2.39.1...
  • Page 543: Table D-2 Supported Language Subtypes

    Supported Language Subtypes Table D-2 Supported Language Subtypes Language tag Language Afrikaans Byelorussian Bulgarian Catalan Czechoslovakian Danish German Greek English Spanish Basque Finnish Faroese French Irish Galician Croatian Hungarian Indonesian Icelandic Italian Japanese Korean Dutch Norwegian Polish Portuguese Romanian Appendix D Internationalization...
  • Page 544 Supported Language Subtypes Table D-2 Supported Language Subtypes (Continued) Language tag Language Russian Slovakian Slovenian Albanian Serbian Swedish Turkish Ukrainian Chinese
  • Page 545: Glossary

    Glossary access control instruction See ACI. ACI Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list See ACL. ACL Access control list. The mechanism for controlling access to your directory. access rights In the context of access control, specify the level of access granted or denied.
  • Page 546 attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list A list of required and optional attributes for a given entry type or object class.
  • Page 547 browser Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. browsing index Otherwise known as the virtual view index, speeds up the display of entries in the Directory Server Console.
  • Page 548 CIR See consumer-initiated replication. class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory. class of service See CoS. classic CoS A classic CoS identifies the template entry by both its DN and the value of one of the target entry’s attributes.
  • Page 549 DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory. data master The server that is the master source of a particular piece of data. database link An implementation of chaining. The database link behaves like a database but has no persistent storage.
  • Page 550 DNS alias A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as might point to a real machine called www.[yourdomain].[domain] where the server currently exists.
  • Page 551 HTML Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as the Netscape Navigator how to display text, position graphics and form items, and display links to other pages. HTTP Hypertext Transfer Protocol.
  • Page 552 LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format. LDAP client Software used to request and view LDAP entries from an LDAP Directory Server. See also browser. LDAP Data Interchange Format See LDAP Data Interchange Format. LDAP URL Provides the means of locating directory servers using DNS and then completing the query via LDAP.
  • Page 553 matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use. MD5 A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability, and for which it is mathematically extremely hard to produce a different piece of data that yields the same message digest.
  • Page 554 network management station See NMS. NIS Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, file systems, and network parameters throughout a network of computers. NMS Network Management Station.
  • Page 555 permission In the context of access control, the permission states whether access to the directory information is granted or denied, and the level of access that is granted or denied. See access rights. PDU Protocol Data Unit. Encoded messages which form the basis of data exchanges between SNMP devices.
  • Page 556 RDN Relative distinguished name. The name of the actual entry itself, before the entry’s ancestors have been appended to the string to form the full distinguished name. referential integrity Mechanism that ensures that relationships between related entries are maintained within the directory. referral (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request.
  • Page 557 root The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine. root suffix The parent of one or more sub suffixes. A directory tree can contain more than one root suffix. schema Definitions describing what types of information can be stored as entries in the directory.
  • Page 558 single-master replication The most basic replication scenario in which two servers each hold a copy of the same read-write replicas to consumer servers. In a single-master replication scenario, the supplier server maintains a change log. SIR See supplier-initiated replication. slapd LDAP Directory Server daemon or service that is responsible for most functions of a directory except replication.
  • Page 559 supplier server In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica. supplier-initiated replication Replication configuration where supplier servers replicate directory data to consumer servers. symmetric encryption Encryption that uses the same key for both encrypting and decrypting.
  • Page 560 virtual list view index Otherwise known as a browsing index, speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance. X.500 standard The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementations.
  • Page 561: Index

    Index targeting attributes 203 targeting entries 201 access control targeting using filters 204 ACI attribute 194 using the Access Control Editor 229 ACI syntax 198 value matching 218 allowing or denying access 207 Access Control Editor and replication 261 displaying 230 and schema checking 203 viewing current ACIs 231 anonymous access 213, 227, 235...
  • Page 562 cascading chaining 127 adding directory entries 58 creating from console 232 Administration Server dayofweek keyword 225 master agents and 420 deleting from console 234 agents dns keyword 224 master agent 420 editing from console 233 Unix 420 evaluation 195 Windows NT 420 examples of use 234 subagent 420 groupdn keyword 216...
  • Page 563 passwordInHistory 268 passwordMustChange 266 backing up data 154 passwordStorageScheme 268 all 154 ref 139 db2bak 155 removing a value 52 dse.ldif 156 roles 173 bak2db script 158 searching for 522 standard 337, 338 bak2db.pl perl script 158 syntax 340 base 64 encoding 501 targeting 203 base DN, ldapsearch and 519 user-defined 338...
  • Page 564 self keyword 214 component operations,from command line 100 timeofday keyword 225 overview 96 user access using SSL 113 LDIF example 215 change log 281 parent 214 deleting 312 self 214 using with referential integrity 75 user access example 237 change operations 63 userattr keyword 218 add 67 userdn keyword 213...
  • Page 565 classic CoS consumer initialization example 180 manual consumer creation 315 overview 180 online consumer creation 314 client consumer server 280 using to find entries 513 continued lines client authentication in LDIF 501 over SSL 392 in LDIF update statements 63 code page 539 CoS definition entry attributes 185...
  • Page 566 export 150 in directory server 79 db2ldif 153 date format 540 export from console 151 dayofweek keyword 225 import 143 db2bak script 155 ldif2db 147 db2bak utility 155 ldif2db.pl 148 db2ldif utility 153 ldif2ldap 149 default referrals initialization 146 setting 136 making read-only 95 setting from console 136 monitoring from command-line 414...
  • Page 567 basic administration 31 durable transactions 437 binding to 34 dynamic groups 165 changing bind DN 35 creating 165 configuration 37 modifying 165 controlling access 193 creating a root entry 46, 56 creating content 143 creating entries 47, 58 data 143 databases 79 end of file marker 55 deleting entries 54, 60...
  • Page 568 access control information 261 glossary of terms 545 configuring 401 greater than or equal to search manually rotating 404 international example 530, 531 turning off 401 overview 523 turning on 401 groupdn keyword 216 viewing 401 LDIF examples 217 example groupdnattr keyword 218 cascading chaining 129 groups...
  • Page 569 international index 349 search filters and 525 presence index 348 supported locales 540 substring index 348 time format 540 virtual list view index 349 ip keyword 224 indexes creating dynamically 357 dynamic changes to 357 presence 350 indexing 348 creating indexes from console 356 jpeg images 501 system indexes 350 indirect CoS...
  • Page 570 security and 537 organizational unit 505 syntax 533 update statements 62 using to create directory 507 LDAP_BASEDN environment variable 519 LDIF entries ldapdelete utility 57 binary data in 501 deleting entries 60 commas in 504, 505, 507 DNs with commas and 61 creating 503 example 60 organizational person 506...
  • Page 571 locales using language tag and suffix 528 defined 539 using OID 527 location of files 540 using OID and suffix 527 supported 540 MD5 message authentication 391 locked accounts 269 metaphone phonetic algorithm 353 lockout duration 270 log files 397 directory server 422 access log 399 location of 422...
  • Page 572 interaction table 425 search filters and 522 location of 422 suffix 529 operations table 422 optional attributes network management station (NMS) creating 343 NMS-initiated communication 421 deleting 344, 345 editing 344 nsslapd-db-checkpoint-interval 437 editing in object class 344 nsslapd-db-durable-transactions 438 organization, specifying entries for 503 nsslapd-db-logdirectory 436 organizational person, specifying entries for 506...
  • Page 573 performance tuning URI plug-in 464 database 432 pointer CoS server 431 example 179 permissions overview 179 ACI syntax 198 port number allowing or denying access 207 directory server configuration 37 assigning rights 207 for SSL communications 37 overview 207 precedence rule precedence rule 195 ACI 195 plug-in functions 443...
  • Page 574 read right 207 configuration tips 289 configuring a hub supplier 294 read-only mode 412 configuring a read-only replica 293 database 161 configuring a read-write replica 292 read-only replica 280 configuring legacy replication 323 configuration 293 configuring SSL 321 read-write replica 280 configuring supplier settings 291 configuration 292 consumer server 280...
  • Page 575 dse.ldif 160 from console 157 SASL authentication 227 replicated entries 159 schema restoring the database 435 checking 345 retro change log creating new attributes 339 and access control 327 creating new object classes 343 attributes 324 deleting attributes 341 object class 324 deleting object classes 345 searching 327 editing object classes 344...
  • Page 576 restricting scope of one-level 351 restricting scope of subtree 351 entries table 424 specifying scope 517 interaction table 425 substring 522, 531 location of 422 operations table 422 searching algorithm monitoring the directory server 419 overview 351 NMS-initiated communication 421 Secure Sockets Layer, see SSL 40 overview 420 security...
  • Page 577 stop-slapd script 37 LDIF update statements 62 matching rule filter 526 sub suffix search filter 521 creating from command line 84 creating from console 83 system connections monitoring 407 subagent configuring 429 system indexes 350 enabling 429 system resources overview 420 monitoring 406 starting and stopping on Unix 428 starting and stopping on Windows NT 428...
  • Page 578 unique attribute plug-in 479 wildcard configuring 485 in LDAP URL 214 creating an instance of 484 in target 201 disabling 487 wildcards enabling 487 in international searches 528 examples 489 in matching rule filters 528 markerObjectClass 488 Windows NT requiredObjectClass 488 master agent 420 syntax 481 write right 207...