Netscape DIRECTORY SERVER 6.2 - ADMINISTRATOR Administrator's Manual


Administrator's Guide
Netscape Directory Server
Version 6.2
December 2003


Summary of Contents for Netscape NETSCAPE DIRECTORY SERVER 6.2 - ADMINISTRATOR

  • Page 1 Administrator’s Guide Netscape Directory Server Version 6.2 December 2003...
  • Page 2 Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed by the license agreement for the Software and applicable copyright law.
  • Page 3: Table Of Contents

    Contents List of Figures ..............19 List of Tables .
  • Page 4 Cloning a Directory Server ............. . 41 Creating a New Directory Server Instance .
  • Page 5 How Referential Integrity Works ............72 Using Referential Integrity with Replication .
  • Page 6 Database Links and Access Control Evaluation ......... 115 Advanced Feature: Tuning Database Link Performance .
  • Page 7 Backing Up the dse.ldif Configuration File ..........157 Restoring All Databases .
  • Page 8 Creating a New CoS ............. . 181 Editing an Existing CoS .
  • Page 9 Examples ............... 216 Defining Group Access - groupdn Keyword .
  • Page 10 Chapter 7 User Account Management ......... . 265 Managing the Password Policy .
  • Page 11 Configuring the Read-Write Replica on the Supplier Server ......304 Initializing the Replicas for Single-Master Replication ........306 Configuring Multi-Master Replication .
  • Page 12 Monitoring Replication Status From Administration Express ......342 Solving Common Replication Conflicts ........... 344 Solving Naming Conflicts .
  • Page 13 Running the vlvindex Script ............381 Setting Access Control for VLV Information .
  • Page 14 Defining a Log File Deletion Policy ........... 415 Access Log .
  • Page 15 Setting Up SNMP on UNIX ............443 Configuring the AIX SNMP Daemon .
  • Page 16 CRYPT Password Storage Plug-In ........... . 470 NS-MTA-MD5 Password Storage Plug-In .
  • Page 17 Configuring Attribute Uniqueness Plug-Ins From the Directory Server Console ... . . 503 Configuring Attribute Uniqueness Plug-Ins from the Command Line ..... 504 Turning the Plug-in On or Off .
  • Page 18 Searching the Schema Entry ............537 Using LDAP_BASEDN .
  • Page 19: List Of Figures

    List of Figures Figure 1-1 Viewing the Bind DN ........... . . 35 Figure 3-1 A Sample Directory Tree with One Root Suffix .
  • Page 20 Netscape Directory Server Administrator’s Guide • December 2003...
  • Page 21: List Of Tables

    List of Tables Table 2-1 Entry Templates and Corresponding Object Classes ......47 Table 2-2 Description of ldapmodify Parameters Used for Adding Entries .
  • Page 22 Table 10-2 System Indexes ............366 Table 10-3 Attribute Name Quick Reference Table .
  • Page 23 Table 15-25 Details of Presence Plug-In ..........473 Table 15-26 Details of PTA Plug-In .
  • Page 25: Introduction

    Introduction Netscape Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
  • Page 26: Prerequisite Reading

    Prerequisite Reading • Resource-limits by bind DN—Gives you the power to control the amount of server resources allocated to search operations based on the bind DN of the client. • Multiple databases—Provides a simple way of breaking down your directory data to simplify the implementation of replication and chaining in your directory service.
  • Page 27: Conventions Used In This Book

    Conventions Used in This Book Also, Managing Servers with Netscape Console contains general background information on how to use Netscape servers. You should read and understand the concepts in that book before you attempt to administer Directory Server. Conventions Used in This Book This section explains the conventions used in this book.
  • Page 28: Related Information

    Related Information The document set for Directory Server also contains the following guides: • Netscape Directory Server Installation Guide. Contains procedures for installing your Directory Server as well as procedures for migrating from a previous installation of Directory Server. •...
  • Page 29: Part 1 Administering Netscape Directory Server

    Part 1 Administering Netscape Directory Server Chapter 1, “Introduction to Netscape Directory Server” Chapter 2, “Creating Directory Entries” Chapter 3, “Configuring Directory Databases” Chapter 4, “Populating Directory Databases” Chapter 5, “Advanced Entry Management” Chapter 6, “Managing Access Control” Chapter 7, “User Account Management” Chapter 8, “Managing Replication”...
  • Page 30 Chapter 11, “Managing SSL” Chapter 12, “Monitoring Server and Database Activity” Chapter 13, “Monitoring Directory Server Using SNMP” Chapter 14, “Tuning Directory Server Performance”
  • Page 31: Chapter 1 Introduction To Netscape Directory Server

    Chapter 1 Introduction to Netscape Directory Server Netscape Directory Server (Directory Server) product includes a Directory Server, an Administration Server to manage multiple server instances, and Netscape Console to manage server instances through a graphical interface. This chapter provides overview information about the Directory Server, and the most basic tasks you need to start administering a directory service.
  • Page 32: Overview Of Directory Server Management

    Overview of Directory Server Management The Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources. It is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server runs as the process or service on your machine.
  • Page 33: Copying Entry Dns To The Clipboard

    Using the Directory Server Console Start Netscape Console by entering the following command: serverRoot/startconsole The Console login window is displayed. Or, if your configuration directory (the directory that contains the o=NetscapeRoot suffix) is stored in a separate instance of Directory Server, a window is displayed requesting the administrator user id, password, and the URL of the Netscape Administration Server for that Directory Server.
  • Page 34: Configuring The Directory Manager

    Configuring the Directory Manager The Directory Manager is the privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the entry you define as Directory Manager. You initially defined this entry during installation. The default is cn=Directory Manager. The password for this user is defined in the attribute.
  • Page 35: Changing Login Identity

    Starting and Stopping the Directory Server Changing Login Identity You can log in with the Directory Manager DN when you first start the Netscape Console. At any time, you can choose to log in as a different user, without having to stop and restart the Console. To change your login in Netscape Console: In the Directory Server Console, select the Tasks tab.
  • Page 36: Starting/Stopping The Server From The Console

    Starting and Stopping the Directory Server NOTE On UNIX systems, rebooting the system does not automatically start the slapd process. This is because the directory does not automatically create startup or run command ( ) scripts. Check your operating system documentation for details on adding these scripts.
  • Page 37: Starting/Stopping The Server From The Command Line

    Configuring LDAP Parameters Starting/Stopping the Server From the Command Line Use one of the following scripts: serverRoot/slapd-serverID/start-slapd serverRoot/slapd-serverID/stop-slapd where serverID is the identifier you specified for the server when you installed it. On UNIX, both of these scripts must run with the same UID and GID as the Directory Server.
  • Page 38: Placing The Entire Directory Server In Read-Only Mode

    Configuring LDAP Parameters • You need to change the configuration or user directory port or secure port number configured for Netscape Administration Server. See Managing Servers with Netscape Console for information. • If you have other Netscape servers installed that point to the configuration or user directory, you need to update those servers to point to the new port number.
  • Page 39: Tracking Modifications To Directory Entries

    Configuring LDAP Parameters Click Save and then restart the server. NOTE This operation also makes the Directory Server configuration read-only; therefore, you cannot update the server configuration, enable or disable plug-ins, or even restart the Directory Server while it is in read-only mode. For information on placing a single database in read-only mode, refer to “Enabling Read-Only Mode,”...
  • Page 40: Starting The Server With Ssl Enabled

    Starting the Server with SSL Enabled Select the Track Entry Modification Times checkbox. The server adds the creatorsName, createTimestamp, modifiersName, and modifyTimestamp attributes to every newly created or modified entry. Click Save and then restart the server. See “Starting and Stopping the Directory Server,” on page 35 for more information.
  • Page 41: Cloning A Directory Server

    Cloning a Directory Server To create certificate databases, you must use the administration server and the Certificate Setup Wizard. For information on certificate databases, certificate aliases, SSL, and obtaining a server certificate, see Managing Servers with Netscape Console. For information on using SSL with your Directory Server, see Chapter 11, “Managing SSL.”...
  • Page 42: Cloning The Directory Configuration

    Starting the Server in Referral Mode Enter the password for this user in the Password for Root DN field, and confirm it by entering it again in the Confirm Password field. If running the server on a UNIX host, enter the user ID for the Directory Server daemon, in the Server Runtime User ID field.
  • Page 43: Using The Refer Command

    Starting the Server in Referral Mode Using the refer Command On a UNIX machine, to start the Directory Server in referral mode follow these steps: Go to the /bin/slapd/server directory under your installation directory: cd serverRoot/slapd-serverID/bin/slapd/server Run the refer command as follows: ./ns-slapd refer -D instance_dir [-p port] -r referral_url where...
  • Page 45: Chapter 2 Creating Directory Entries

    Chapter 2 Creating Directory Entries This chapter discusses how to use the Directory Server Console and the ldapmodify and ldapdelete command-line utilities to modify the contents of your directory. During the planning phase of your directory deployment, you should characterize the types of data that your directory will contain. You should read Netscape Directory Server Deployment Guide before creating entries and modifying the default schema.
  • Page 46: Creating A Root Entry

    Managing Entries From the Directory Console • Deleting Directory Entries This section assumes some basic knowledge of object classes and attributes. For an introduction to object classes and attributes, refer to Netscape Directory Server Deployment Guide. For information on the definition and use of all schema provided with Netscape server products, refer to the Netscape Directory Server Schema Reference.
  • Page 47: Creating Directory Entries

    Managing Entries From the Directory Console In the New Object window, select the object class corresponding to the new entry. The object class you select must contain the attribute you used to name the suffix. For example, if you are creating the entry corresponding to the suffix ou=people,dc=example,dc=com, then you can choose the object class (or another object class that allows the...
  • Page 48: Creating An Entry Using A Predefined Template

    Managing Entries From the Directory Console These templates contain fields representing all the mandatory attributes, and some of the commonly used optional attributes. To create an entry using one of these templates, refer to “Creating an Entry Using a Predefined Template,” on page 48. To create any other type of entry, refer to “Creating Other Types of Entries,”...
  • Page 49: Modifying Directory Entries

    Managing Entries From the Directory Console Click OK. If you selected an object class related to a type of entry for which a predefined template is available, the corresponding Create window is displayed. (See “Creating an Entry Using a Predefined Template,” on page 48). In all other cases, the Property Editor is displayed.
  • Page 50: Displaying The Property Editor

    Managing Entries From the Directory Console Displaying the Property Editor You can start the Property Editor in several ways: • From the Directory tab, by right-clicking an entry in the left or right pane, and selecting Properties from the pop-up menu. •...
  • Page 51: Adding An Attribute To An Entry

    Managing Entries From the Directory Console Click OK in the Property Editor when you have finished editing the entry. The Property Editor is dismissed. Adding an Attribute to an Entry Before you can add an attribute to an entry, the entry must contain an object class that either requires or allows the attribute.
  • Page 52: Adding Attribute Values

    Managing Entries From the Directory Console When determining the value to set, you must consider all elements of the LDAP add and modify operations used to add the attributes, not just the single attribute. The list of what is included in determining this size is as follows: •...
  • Page 53: Adding An Attribute Subtype

    Managing Entries From the Directory Console Click the cursor in the text box that contains the attribute value you want to remove, and click Delete Value. If you want to remove the entire attribute and all its values from the entry, select Delete Attribute from the Edit menu.
  • Page 54 Managing Entries From the Directory Console Although you can store binary data within an attribute that does not contain the binary subtype, for example, jpegphoto, the binary subtype indicates to clients that multiple variants of the attribute type may exist. Pronunciation Subtype Assigning the pronunciation subtype to an attribute indicates that the attribute value is a phonetic representation.
  • Page 55: Deleting Directory Entries

    Managing Entries From the Command Line Deleting Directory Entries To delete entries using the Directory Server Console: In the Directory Server Console, select the Directory tab. For information on starting the Directory Server Console, refer to “Using the Directory Server Console,” on page 32. Right-click the entry you want to delete in the navigation tree, or in the right pane, and select Delete from the pop-up menu.
  • Page 56: Providing Input From The Command Line

    Managing Entries From the Command Line Providing Input From the Command Line When you provide input to the ldapmodify and ldapdelete utilities directly from the command line, you must use LDIF statements. For detailed information on LDIF statements, refer to “LDIF Update Statements,” on page 62. The ldapmodify and ldapdelete utilities read the statements that you enter in...
  • Page 57: Creating A Root Entry From The Command Line

    Managing Entries From the Command Line Creating a Root Entry From the Command Line You can use the ldapmodify command-line utility to create a new root entry in a database. For example, you might add the new root entry as follows: prompt>...
  • Page 58: Adding And Modifying Entries Using Ldapmodify

    Managing Entries From the Command Line Adding and Modifying Entries Using ldapmodify You use the ldapmodify command to add and modify entries in an existing Directory Server database. The ldapmodify command opens a connection to the specified server using the distinguished name and password you supply, and modifies the entries based on LDIF update statements contained in a specified file.
  • Page 59: Modifying Entries Using Ldapmodify

    Managing Entries From the Command Line In this example, the LDIF statements in the new.ldif file do not specify a change type. They follow the format defined in “LDIF File Format,” on page 517. To add the entries, you must enter the following command: ldapmodify -a -D "cn=Directory Manager,dc=example,dc=com"...
  • Page 60: Deleting Entries Using Ldapdelete

    Managing Entries From the Command Line • The database administrator’s password is King-Pin • The server is located on cyclops • The server uses port number To modify the entries, you must first create the modify_statements file with the appropriate LDIF update statements, and then enter the following command: ldapmodify -D "cn=Directory Manager,dc=example,dc=com"...
  • Page 61: Table 2-4 Description Of Ldapdelete Parameters Used For Deleting Entries

    Managing Entries From the Command Line You can only delete entries at the end of a branch. You cannot delete entries that are branch points in the directory tree. For example, of the following three entries: ou=People,dc=example,dc=com cn=Paula Simon,ou=People,dc=example,dc=com cn=Jerry O’Connor,ou=People,dc=example,dc=com you can delete only the last two entries.
  • Page 62: Using Special Characters

    LDIF Update Statements Table 2-4 Description of ldapdelete Parameters Used for Deleting Entries (Continued) Parameter Name Description Specifies the name of the host on which the server is running. Specifies the port number that the server uses. For full information on ldapdelete parameters, refer to the Netscape Directory Server Configuration, Command, and File Reference.
  • Page 63 LDIF Update Statements • Specify a change type that defines how a specific entry is to be modified (add, delete, modify, modrdn) • Specify a series of attributes and their changed values. A change type is required unless you use ldapmodify with the -a parameter.
  • Page 64: Adding An Entry Using Ldif

    LDIF Update Statements The following sections describe the change types in detail. Adding an Entry Using LDIF Use changetype: add to add an entry to your directory. When you add an entry, make sure to create an entry representing a branch point before you try to create new entries under that branch.
  • Page 65: Renaming An Entry Using Ldif

    LDIF Update Statements sn: Jacobs ou: People ou: Marketing uid: sjacobs dn: ou=Groups,dc=example,dc=com changetype: add objectclass: top objectclass: organizationalUnit ou: Groups dn: cn=Administrators,ou=Groups,dc=example,dc=com changetype: add objectclass: top objectclass: groupOfNames member: cn=Sue Jacobs,ou=People,dc=example,dc=com member: cn=Pete Minsky,ou=People,dc=example,dc=com cn: Administrators dn: ou=example.com Bolivia\, S.A.,dc=example,dc=com changetype: add objectclass: top objectclass: organizationalUnit...
  • Page 66: A Note On Renaming Entries

    LDIF Update Statements cn=Barry Nixon And the RDN for ou=People,dc=example,dc=com is ou=People. Therefore, this rename operation allows you to change the left-most value in an entry’s distinguished name. For example, the entry cn=Sue Jacobs,ou=People,dc=example,dc=com can be modified to be: cn=Susan Jacobs,ou=People,dc=example,dc=com but it cannot be modified to be: cn=Sue Jacobs,ou=old employees,dc=example,dc=com The following example can be used to rename Sue Jacobs to Susan Jacobs:...
  • Page 67: Modifying An Entry Using Ldif

    LDIF Update Statements Also, for the same reasons that you cannot delete an entry if it is a branch point, you cannot rename an entry if it has any children. Doing so would orphan the children in the tree, which is not allowed by the LDAP protocol. For example, of the following three entries: ou=People,dc=example,dc=com cn=Paula Simon,ou=People,dc=example,dc=com...
  • Page 68: Adding Attributes To Existing Entries Using Ldif

    LDIF Update Statements • Deleting a Specific Attribute Value Using LDIF Adding Attributes to Existing Entries Using LDIF You use changetype: modify with the add operation to add an attribute and an attribute value to an entry. For example, the following LDIF update statement adds a telephone number to the entry: dn: cn=Barney Fife,ou=People,dc=example,dc=com changetype: modify...
  • Page 69: Changing An Attribute Value Using Ldif

    LDIF Update Statements If you use this standard notation, you do not need to specify the ldapmodify -b parameter. However, you must add the following line to the beginning of your LDIF file, or your LDIF update statements: version:1 For example, you could use the following ldapmodify command: prompt>...
  • Page 70: Deleting All Values Of An Attribute Using Ldif

    LDIF Update Statements dn: cn=Barney Fife,ou=People,dc=example,dc=com changetype: modify delete: telephonenumber telephonenumber: 555-1212 add: telephonenumber telephonenumber: 555-4321 Barney’s entry is now as follows: cn=Barney Fife,ou=People,dc=example,dc=com objectClass: inetOrgPerson cn: Barney Fife sn: Fife telephonenumber: 555-5678 telephonenumber: 555-4321 Deleting All Values of an Attribute Using LDIF Use changetype: modify with the delete operation to delete an attribute from an entry.
  • Page 71: Deleting An Entry Using Ldif

    LDIF Update Statements To delete the 555-1212 telephone number from this entry, use the following LDIF update statement: dn: cn=Barney Fife,ou=People,dc=example,dc=com changetype: modify delete: telephonenumber telephonenumber: 555-1212 Barney’s entry then becomes: cn=Barney Fife,ou=People,dc=example,dc=com objectClass: inetOrgPerson cn: Barney Fife sn: Fife telephonenumber: 555-5678 Deleting an Entry Using LDIF Use changetype: delete to delete an entry from your directory.
  • Page 72: Modifying An Entry In An Internationalized Directory

    Maintaining Referential Integrity Modifying an Entry in an Internationalized Directory If the attribute values in your directory are associated with one or more languages other than English, the attribute values are associated with language tags. When using the ldapmodify command-line utility to modify an attribute that has an associated language tag, you must match the value and language tag exactly or the modify operation will fail.
  • Page 73: Using Referential Integrity With Replication

    Maintaining Referential Integrity NOTE The referential integrity plug-in should only be enabled on one master replica in a multi-master replication environment, to avoid conflict resolution loops. When enabling the plug-in on servers issuing chaining requests, be sure to analyze your performance resource and time needs as well as your integrity needs.
  • Page 74: Configuring The Supplier Server

    Maintaining Referential Integrity • In the context of multi-master replication, you should enable it on just one master. Configuring the Supplier Server When your replication environment satisfies the conditions listed above, you can enable the referential integrity plug-in. Enable the referential integrity plug-in. This task is described in “Enabling/Disabling Referential Integrity,”...
  • Page 75: Recording Updates In The Change Log

    Maintaining Referential Integrity Recording Updates in the Change Log You can decide to record updates in the replication change log instead of recording them in the default location, that is, in the referint file in the serverRoot/slapd-serverID/logs directory. You must do this if you want referential integrity updates to be replicated to consumer servers in the context of replication.
  • Page 76: From The Directory Server Console

    Maintaining Referential Integrity • 604,800 seconds (updates occur once a week) You can modify the update interval from the Directory Server Console. From the Directory Server Console In the Directory Server Console, select the Configuration tab. For information on starting the Directory Server Console, refer to “Using the Directory Server Console,”...
  • Page 77 Maintaining Referential Integrity Expand the Plugins folder in the navigation tree, and select the Referential Integrity Postoperation plug-in. The settings for the plug-in are displayed in the right pane. In the Arguments section, use the Add and Delete buttons to modify the attributes in the list.
  • Page 79: Chapter 3 Configuring Directory Databases

    Chapter 3 Configuring Directory Databases Your directory is made up of databases over which you can distribute your directory tree. This chapter describes how to create suffixes, the branch points for your directory tree, and how to create the databases associated with each suffix. This chapter also describes how to create database links to reference databases on remote servers and how to use referrals to point clients to external sources of directory data.
  • Page 80: Creating Suffixes

    Creating and Maintaining Suffixes A suffix is a node of your directory tree associated with a particular database. You create these special nodes using the Database tab on the Directory Server Console. For example, a simple directory tree might appear as illustrated in Figure 3-1.
  • Page 81: Figure 3-2 A Sample Directory Tree With Two Root Suffixes

    Creating and Maintaining Suffixes Figure 3-2 A Sample Directory Tree with Two Root Suffixes You can also create root suffixes to exclude portions of your directory tree from search operations. For example, example.com Corporation might want to exclude their European office from a search on the general example.com Corporation directory.
  • Page 82: Creating A New Root Suffix Using The Console

    Creating and Maintaining Suffixes Figure 3-4 A Sample Directory Tree with a Sub Suffix This section describes creating root and sub suffixes for your directory using either the Directory Server Console or the command line. This section contains the following procedures: •...
  • Page 83: Creating A New Sub Suffix Using The Console

    Creating and Maintaining Suffixes If you selected the “Create associated database automatically” checkbox in step 4, enter a unique name for the new database in the “Database name” field. For the name, you can use a combination of alphanumeric, dash (-), and underscore (_) characters;...
  • Page 84: Creating Root And Sub Suffixes From The Command Line

    Creating and Maintaining Suffixes Click OK to create the new sub suffix. The suffix appears automatically under its root suffix in the Data tree in the left navigation pane. Creating Root and Sub Suffixes From the Command Line Use the ldapmodify command-line utility to add new suffixes to your directory configuration file.
  • Page 85: Table 3-1 Suffix Attributes

    Creating and Maintaining Suffixes To create a sub suffix for groups under this root suffix, you would do an ldapmodify operation to add the following entry: dn: cn="ou=groups,dc=example,dc=com",cn=mapping tree,cn=config objectclass: top objectclass: extensibleObject objectclass: nsMappingTree nsslapd-state: backend nsslapd-backend: GroupData nsslapd-parent-suffix: "dc=example,dc=com" cn: ou=groups,dc=example,dc=com NOTE If you want to maintain your suffixes using the Directory Server...
  • Page 86 Creating and Maintaining Suffixes Table 3-1 Suffix Attributes (Continued) Attribute Name Value nsslapd-state Determines how the suffix handles operations. This attribute takes the following values: • backend: the backend (database) is used to process all operations. • disabled: the database is not available for processing operations.
  • Page 87: Maintaining Suffixes

    Creating and Maintaining Suffixes Table 3-1 Suffix Attributes (Continued) Attribute Name Value nsslapd-parent-suffix Provides the DN of the parent entry for a sub suffix. By default, this attribute is not present, which means that the suffix is regarded as a root suffix.
  • Page 88: Enabling Referrals Only During Update Operations

    Creating and Maintaining Suffixes Click the Referrals tab. Enter an LDAP URL in the “Enter a new referral” field or click Construct to be guided through the creation of an LDAP URL. For more information about the structure of LDAP URLs, see Appendix C, “LDAP URLs.”...
  • Page 89: Disabling A Suffix

    Creating and Maintaining Suffixes Disabling a Suffix Sometime you may need to take down a database for maintenance, but the data the database contains is not replicated. Rather than returning a referral, you can disable the suffix responsible for the database. Once you disable a suffix, the contents of the database related to the suffix are invisible to client applications when they perform LDAP operations such as search, add, and modify.
  • Page 90: Creating And Maintaining Databases

    Creating and Maintaining Databases Click OK to delete the suffix. A progress dialog box is displayed that tells you the steps being completed by the console. Creating and Maintaining Databases After you create suffixes for organizing your directory data, you create databases to contain your directory data.
  • Page 91 Creating and Maintaining Databases This division of the tree corresponds to three databases as follows: Database one contains the data for dc=example,dc=com plus the data for ou=people, so that clients can conduct searches based at dc=example,dc=com. Database two contains the data for ou=groups, and...
  • Page 92: Creating A New Database For An Existing Suffix Using The Console

    Creating and Maintaining Databases Database one contains people with names from A-K and database two contains people with names from L-Z. Database three contains the ou=groups data, and database four contains the ou=contractors data. You need to use the custom distribution plug-in to distribute data from a single suffix across multiple databases.
  • Page 93: Creating A New Database For A Single Suffix From The Command Line

    Creating and Maintaining Databases In the “Create database in” field, enter the path to the directory where you want to store the new database. You can also click Browse to locate a directory on your local machine. By default, the directory stores the new database in this directory: serverRoot/slapd-serverID/db Click OK.
  • Page 94: Adding Multiple Databases For A Single Suffix

    Creating and Maintaining Databases Adding Multiple Databases for a Single Suffix You can distribute a single suffix across multiple databases. However, to distribute the suffix you need to create a custom distribution function to extend the directory. For more information on creating a custom distribution function, contact Netscape Professional Services.
  • Page 95: Maintaining Directory Databases

    Creating and Maintaining Databases Select the Databases tab in the right window. Click Add to associate additional databases with the suffix. The “Database List” dialog box is displayed. Select a database from the list and click OK. Enter the path to your distribution library in the “Distribution library” field, or click Browse to locate a distribution library on your local machine.
  • Page 96: Deleting A Database

    Creating and Maintaining Databases If your Directory Server manages multiple databases, you can place all of them into read-only mode at the same time by placing your entire server in read-only mode. For more information, see “Placing the Entire Directory Server in Read-Only Mode,”...
  • Page 97: Creating And Maintaining Database Links

    Creating and Maintaining Database Links From the Object menu, select Delete. You can also right-click the database and select Delete from the pop-up menu. The Deleting Database confirmation dialog box is displayed. Click Yes to confirm that you want to delete the database. A progress dialog box appears telling you the steps the Directory Server completes during the deletion.
  • Page 98: Configuring The Chaining Policy

    Creating and Maintaining Database Links Configuring the Chaining Policy These procedures describe configuring how your Directory Server chains requests made by client applications to directory servers that contain database links. This chaining policy applies to all database links you create on your Directory Server.
  • Page 99 Creating and Maintaining Database Links Table 3-2 Components Allowed to Chain (Continued). Component Name: 4.0 plug-ins. Description: This component name represents all Directory Server 4.0 plug-ins; the 4.0 plug-ins share the same chaining policy. Specify the following in the nsActiveChainingComponents attribute:... Permissions: Depends upon the 4.0 plug-in you are allowing to chain.
  • Page 100 Creating and Maintaining Database Links NOTE You cannot chain the following components: • Roles plug-in • Password policy component • Replication plug-ins When enabling the Referential Integrity plug-in on servers issuing chaining requests, be sure to analyze your performance resource and time needs as well as your integrity needs.
  • Page 101: Chaining Ldap Controls

    Creating and Maintaining Database Links aci: (targetattr "*")(target="ldap:///ou=customers,l=us,dc=example,dc=com") (version 3.0; acl "RefInt Access for chaining"; allow (read,write,search,compare) userdn = "ldap:///cn=referential integrity postoperation,cn=plugins,cn=config";) Chaining Component Operations From the Command Line You can specify components you want to include in chaining using the nsActiveChainingComponents attribute in the cn=config,cn=chaining...
  • Page 102 Creating and Maintaining Database Links • Loop detection—This control keeps track of the number of times the server chains with another server. When the count reaches a number you configure, a loop is detected and the client application is notified. For more information about using this control, refer to “Detecting Loops,”...
  • Page 103: Creating A New Database Link

    Creating and Maintaining Database Links Table 3-3 LDAP Controls and Their OIDs (Control Name: OID). Virtual list view (VLV): 2.16.840.1.113730.3.4.9. Server side sorting: 1.2.840.113556.1.4.473. Managed DSA: 2.16.840.1.113730.3.4.2. Loop detection: 1.3.6.1.4.1.1466.29539.12. For more information about LDAP controls, refer to the LDAP C-SDK documentation on http://enterprise.netscape.com/docs Creating a New Database Link...
  • Page 104 Creating and Maintaining Database Links Right-click Data in the left navigation pane and select New Root Suffix or New Sub Suffix from the pop-up menu. A “Create New Suffix” dialog box is displayed. Enter the name of the suffix on the remote server to which you want to chain in the “New suffix”...
  • Page 105: Creating A Database Link From The Command Line

    Creating and Maintaining Database Links Enter the name of a failover server in the “Failover Server(s)” field and specify a port number in the “Port” field. The default port number is . Click Add to add the failover server to the list. You can specify multiple failover servers.
  • Page 106 Creating and Maintaining Database Links • Providing an LDAP URL • Providing a List of Failover Servers • Summary of Cascading Chaining Configuration Attributes • Database Link Configuration Example Providing Suffix Information Use the nsslapd-suffix attribute to define the suffix managed by your database link.
  • Page 107 Creating and Maintaining Database Links Use ldapmodify to provide a user DN for the database link in the nsMultiplexorBindDN attribute of the cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry. CAUTION: nsMultiplexorBindDN cannot be that of the Directory Manager. Use ldapmodify to provide a user password for the database link in the nsMultiplexorCredentials attribute...
  • Page 108 Creating and Maintaining Database Links Server B must contain a user entry corresponding to the nsMultiplexorBindDN and you must set the proxy authentication rights for this user. To set the proxy authorization right, you need to set the “proxy” ACI as you would any other ACI. CAUTION Carefully examine access controls when enabling chaining to avoid giving access to restricted areas of your directory.
  • Page 109 Creating and Maintaining Database Links ldap://hostname:portnumber/ You specify the URL of the remote server using the nsFarmServerURL attribute in the cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry of the configuration file. For example, the nsFarmServerURL might appear as follows: nsFarmServerURL: ldap://example.com:389/ Do not forget to use the trailing slash (/) at the end of the URL. If you want the database link to connect to the remote server using LDAP over SSL, the LDAP URL of the remote server takes the following form: ldaps://hostname:portnumber/...
  • Page 110: Table 3-4 Database Link Configuration Attributes

    Creating and Maintaining Database Links Table 3-4 Database Link Configuration Attributes (Attribute: Value). *nsTransmittedControls: Gives the OID of LDAP controls forwarded by the database link to the remote data server. nsslapd-suffix: The suffix managed by the database link. Any changes you make to this attribute after the entry has been created take effect only after you restart the server containing the database link.
  • Page 111 Creating and Maintaining Database Links Table 3-4 Database Link Configuration Attributes (Continued) (Attribute: Value). nsReferralOnScopedSearch: Controls whether or not referrals are returned by scoped searches. This attribute is for optimizing your directory, because returning referrals in response to scoped searches is more efficient. Takes the values on or off.
  • Page 112 Creating and Maintaining Database Links Run the script as follows: ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com Then specify the configuration information for the database link: dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance nsslapd-suffix: l=Zanzibar,ou=people,dc=example,dc=com nsfarmserverurl: ldap://africa.example.com:389/ nsmultiplexorbinddn: cn=proxy admin,cn=config nsmultiplexorcredentials: secret...
  • Page 113: Chaining Using Ssl

    Creating and Maintaining Database Links CAUTION Do not use the Directory Manager user as the proxy administrative user on the remote server. This creates a security hole. Add the following proxy authorization ACI to the l=Zanzibar,ou=people,dc=example,dc=com entry on server B: aci: (targetattr = "*")(version 3.0;...
  • Page 114: Maintaining Database Links

    Creating and Maintaining Database Links For more information on enabling SSL, refer to “Enabling SSL: Summary of Steps,” on page 398. When you configure the database link and remote server to communicate using SSL, this does not mean that the client application making the operation request must also communicate using SSL.
  • Page 115: Deleting Database Links

    Creating and Maintaining Database Links Deleting Database Links To delete a database link: In the Directory Server Console, select the Configuration tab. In the left navigation pane, locate the database link you want to delete and select it. From the Object menu, select Delete. You can also right-click the database link and select Delete from the pop-up menu.
  • Page 116 Creating and Maintaining Database Links • ACIs must be located with any groups they use. If the groups are dynamic, all users in the group must be located with the ACI and the group. If the group is static, it may refer to remote users. •...
  • Page 117: Advanced Feature: Tuning Database Link Performance

    Creating and Maintaining Database Links Advanced Feature: Tuning Database Link Performance The following sections provide information on tuning the performance of your database links through connection and thread management. It contains the following parts: • Managing Connections to the Remote Server •...
  • Page 118: Table 3-5 Database Link Connection Management Attributes

    Creating and Maintaining Database Links Maximum LDAP connection(s). Maximum number of LDAP connections that the database link establishes with the remote server. The default value is connections. Maximum bind retries. Number of times a database link attempts to bind to the remote server.
  • Page 119: Detecting Errors During Normal Processing

    Creating and Maintaining Database Links Table 3-5 Database Link Connection Management Attributes (Continued) (Attribute Name: Description). nsBindConnectionsLimit: Maximum number of TCP connections that the database link establishes with the remote server. The default value is 3 connections. nsConcurrentOperationsLimit: Maximum number of outstanding operations per LDAP connection.
  • Page 120: Table 3-6 Database Link Processing Error Detection Parameters

    Creating and Maintaining Database Links The first attribute, nsMaxResponseDelay, sets a maximum duration for an LDAP operation to complete. If the operation takes more than the amount of time specified in this attribute, the database link’s server suspects that the remote server is no longer online.
  • Page 121: Managing Threaded Operations

    Creating and Maintaining Database Links Managing Threaded Operations Generally, Directory Server performs best using a limited number of threads for processing operations. A limited number of threads can generally process operations very quickly, preventing the queue of operations waiting for a free thread from growing too long.
  • Page 122: Overview Of Cascading Chaining

    Creating and Maintaining Database Links Overview of Cascading Chaining Cascading chaining occurs when more than one hop is required for the directory to process a client application’s request. For example, consider the following scenario: The client application sends a modify request to server one. Server one contains a database link that forwards the operation to server two, which contains another database link.
  • Page 123 Creating and Maintaining Database Links The root suffix dc=example,dc=com, the ou=people and ou=groups suffixes are stored on Server A. The l=europe,dc=example,dc=com and ou=groups suffixes are stored on Server B, and the ou=people branch of the l=europe,dc=example,dc=com suffix is stored on Server C. With cascading configured on servers A, B, and C, a client request targeted at entry would be routed by the...
  • Page 124: Configuring Cascading Chaining Defaults Using The Console

    Creating and Maintaining Database Links First the client binds to Server A and chains to Server B using Database Link 1. Then Server B chains to the target database on Server C using Database Link 2 to access the data in the branch.
  • Page 125: Configuring Cascading Chaining Using The Console

    Creating and Maintaining Database Links Select the “Check local ACI” checkbox if you want to enable the evaluation of local ACIs on the intermediate database links involved in cascading chaining. If you select this checkbox, you will need to add the appropriate local ACIs to a database on the servers that contain intermediate database links.
  • Page 126: Configuring Cascading Chaining From The Command Line

    Creating and Maintaining Database Links Configuring Cascading Chaining From the Command Line Configuring a cascade of database links through the command line involves the following steps: • Pointing one database link to the URL of the server containing the intermediate database link.
  • Page 127 Creating and Maintaining Database Links Creating the Proxy Administrative User ACI You need to create an ACI on the server that contains the intermediate database link that checks the rights of the first database link before translating the request to another server.
  • Page 128 Creating and Maintaining Database Links Setting this attribute to on in the cn=default instance config,cn=chaining database,cn=plugins,cn=config entry means that all new database link instances will have the nsCheckLocalACI attribute set to on in their cn=database_link_name,cn=chaining database,cn=plugins,cn=config entry. Creating Client ACIs Because you have enabled local ACI evaluation, you need to create the appropriate client application ACIs on all intermediate database links as well as the final destination database.
  • Page 129: Summary Of Cascading Chaining Configuration Attributes

    Creating and Maintaining Database Links Summary of Cascading Chaining Configuration Attributes The following table describes the attributes used to configure intermediate database links in a cascading chain: Table 3-7 Cascading Chaining Configuration Attributes (Attribute: Description). nsFarmServerURL: URL of the server containing the next database link in the cascading chain. nsTransmittedControls: Enter the following OIDs to the database links involved in the cascading chain: nsTransmittedControls: 2.16.840.1.113730.3.4.12...
  • Page 130: Configuring Server One

    Creating and Maintaining Database Links Configuring Server One First, use the ldapmodify command-line utility to add a database link to server one. To use the utility, type the following to change to the directory containing the utility: cd serverRoot/shared/bin Run the utility as follows: ldapmodify -a -D "cn=directory manager"...
  • Page 131 Creating and Maintaining Database Links Then specify the configuration information for the database link, DBLink1, on server one as follows: dn: cn=DBLink1,cn=chaining database,cn=plugins,cn=config objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance nsslapd-suffix: l=Zanzibar,c=africa,ou=people,dc=example,dc=com nsfarmserverurl: ldap://africa.example.com:389/ nsmultiplexorbinddn: cn=server1 proxy admin,cn=config nsmultiplexorcredentials: secret cn: DBLink1 nsCheckLocalACI:off cn="l=Zanzibar,c=africa,ou=people,dc=example,dc=com",cn=mapping tree,cn=config...
  • Page 132: Configuring Server Two

    Creating and Maintaining Database Links Configuring Server Two Next, you create a proxy administrative user on server two. This administrative user will be used to allow server one to bind and authenticate to server two. Bear in mind that it is useful to choose a proxy administrative user name which is specific to server one as it is the proxy administrative user which will allow server one to bind to server two.
  • Page 133 Creating and Maintaining Database Links Since database link DBLink2 is the intermediate database link in your cascading chaining configuration, you need to set nsCheckLocalACI to on, to allow the server to check whether or not it should allow the client and proxy administrative user access to the database link.
  • Page 134: Configuring Server Three

    Creating and Maintaining Database Links NOTE To create these ACIs it is assumed that the database corresponding to the suffix c=africa,ou=people,dc=example,dc=com already exists to hold the entry. This database needs to be associated with a suffix above the suffix specified in the nsslapd-suffix attribute of each database link.
  • Page 135 Creating and Maintaining Database Links dn: cn=server2 proxy admin,cn=config objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: server2 proxy admin sn: server2 proxy admin userPassword: secret description: Entry for use by database links Then you need to add the same local proxy authorization ACI to server three as you did on server two.
  • Page 136: Using Referrals

    Using Referrals Using Referrals You can use referrals to tell client applications which server to contact for a specific piece of information. This redirection occurs when a client application requests a directory entry that does not exist on the local server or when a database has been taken offline for maintenance.
  • Page 137: Setting A Default Referral From The Command Line

    Using Referrals Setting a Default Referral From the Command Line Use the ldapmodify command-line utility to add a default referral to the cn=config entry in your directory’s configuration file. For example, to add a new default referral from your Directory Server, dir1.example.com, to a server named , add a new line to the...
  • Page 138: Creating Smart Referrals Using The Directory Server Console

    Using Referrals The following procedures describe creating smart referrals using both the console and the command-line utilities. Creating Smart Referrals Using the Directory Server Console To configure smart referrals: In the Directory Server Console, select the Directory tab. Browse through the tree in the left navigation pane and select the entry for which you want to add the referral.
  • Page 139: Creating Smart Referrals From The Command Line

    Using Referrals The Smart Referral List lists the referrals currently in place for the selected entry. The entire list of referrals is returned to client applications in response to a request, when you select “Return Referrals for all Operations” or “Return Referrals for Update Operations”...
  • Page 140: Creating Suffix Referrals

    Using Referrals sn: doe uid: jdoe ref: ldap://directory.europe.example.com/cn=john%20doe,ou=people, l=europe,dc=example,dc=com Use the option with ldapmodify when there is already a referral in the DN path. For information about the ldapmodify utility, see Netscape Directory Server Configuration, Command, and File Reference. For more information on smart referrals, see Netscape Directory Server Deployment Guide.
  • Page 141: Creating Suffix Referrals From The Command Line

    Using Referrals Click Add to add the referral to the list. You can enter multiple referrals. The directory will return the entire list of referrals in response to requests from client applications. Click Save. Creating Suffix Referrals From the Command Line Use the ldapmodify command-line utility to add a suffix referral to an entry in...
  • Page 143: Chapter 4 Populating Directory Databases

    Chapter 4 Populating Directory Databases Databases contain the directory data managed by your Netscape Directory Server (Directory Server). This chapter describes the following procedures for populating your directory databases: • Importing Data (page 143) • Exporting Data (page 150) • Backing Up and Restoring Data (page 154) •...
  • Page 144: Performing An Import From The Console

    Importing Data Table 4-1 describes the differences between an import and initializing databases. Table 4-1 Import Method Comparison (columns: Import / Initialize Database). Overwrites database. LDAP operations: Add, modify, delete / Add only. Performance: More time consuming / Fast. Partition speciality: Works on all partitions / Local partitions only. Response to server failure: Best effort (all changes made...
  • Page 145 Importing Data To import data from the Directory Server Console: In the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and select Import Database. You can also import by going to the Configuration tab and selecting “Import” from the Console menu.
  • Page 146: Initializing A Database From The Console

    Importing Data Initializing a Database From the Console You can overwrite the existing data in a database. The following section describes using the console to initialize databases. You must be logged in as the Directory Manager in order to initialize a database. This is because you cannot import an LDIF file that contains a root entry unless you bind to the directory as the Directory Manager (Root DN).
  • Page 147: Importing From The Command Line

    Importing Data Importing From the Command Line You can use three methods for importing data through the command line: • Using ldif2db—This import method overwrites the contents of your database and requires the server to be stopped. • Using ldif2db.pl—This import method overwrites the contents of your database while the server is still running.
  • Page 148: Importing Using The Ldif2Db.pl Perl Script

    Importing Data Two examples of performing an import using ldif2db follow: Windows batch file: ldif2db.bat -n Database1 -i c:\netscape\servers\slapd-dirserver\ldif\demo.ldif -i c:\netscape\servers\slapd-dirserver\ldif\demo2.ldif UNIX shell script: ldif2db -n Database1 -i /usr/netscape/servers/slapd-dirserver/ldif/demo.ldif -i /usr/netscape/servers/slapd-dirserver/ldif/demo2.ldif The following table describes the ldif2db options used in the examples: Option Description...
  • Page 149: Importing Using The Ldif2Ldap Command-Line Script

    Importing Data Run the ldif2db.pl perl script. For more information about using this perl script, refer to Netscape Directory Server Configuration, Command, and File Reference. The following examples import an LDIF file using the ldif2db.pl script. You do not need root privileges to run the script, but you must authenticate as the directory manager.
  • Page 150: Exporting Data

    Exporting Data To import LDIF using ldif2ldap From the command line, change to the following directory: serverRoot/slapd-serverID/ Run the ldif2ldap command-line script. For more information about using this script, refer to Netscape Directory Server Configuration, Command, and File Reference. Two examples of performing an import using ldif2ldap follow: Windows batch file:...
  • Page 151: Exporting Directory Data To Ldif Using The Console

    Exporting Data Figure 4-1 Splitting a Database Contents into Two Databases To populate the new databases requires exporting the contents of database one and importing it into the new databases one and two. You can use the Directory Server Console or command-line utilities to export data.
  • Page 152: Exporting A Single Database To Ldif Using The Console

    Exporting Data To export directory data to LDIF from the Directory Server Console while the server is running: In the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and click Export Database(s). To export all of your databases, you can also select the Configuration tab and select Export from the Console menu.
  • Page 153: Exporting To Ldif From The Command Line

    Exporting Data Expand the Data tree in the left navigation pane. Expand the suffix maintained by the database you want to export. Select the database under the suffix that you want to export. Right-click the database and select Export Database. You can also select Export Database from the Object menu.
  • Page 154: Backing Up And Restoring Data

    Backing Up and Restoring Data Option Description Specifies the name of the database from which the file is being exported. Defines the output file in which the server saves the exported LDIF. This file is stored by default in the directory where the command-line script resides.
  • Page 155: Backing Up All Databases From The Server Console

    Backing Up and Restoring Data Backing Up All Databases From the Server Console When you back up your databases from the Directory Server Console, the server copies all of the database contents and associated index files to a backup location. You can perform a backup while the server is running. To back up your databases from the Server Console: In the Directory Server Console, select the Tasks tab.
  • Page 156: Backing Up A Single Database

    Backing Up and Restoring Data Run the db2bak command-line script. For more information about using this script, refer to Netscape Directory Server Configuration, Command, and File Reference. Two examples of performing a backup using db2bak follow: Windows batch file: db2bak \usr\netscape\servers\slapd-dirserver\bak\bak_200107011030 UNIX shell script: db2bak /usr/netscape/servers/slapd-dirserver/bak/bak_200107011030 You can specify the backup directory and output file where the server saves the...
  • Page 157: Backing Up The Dse.ldif Configuration File

    Backing Up and Restoring Data Backing Up the dse.ldif Configuration File Directory Server automatically backs up the dse.ldif configuration file. When you start your Directory Server, the directory creates a backup of the dse.ldif file automatically in a file named dse.ldif.startOK in this directory: serverRoot/slapd-serverID/config...
  • Page 158: Restoring Your Database From The Command Line

    Backing Up and Restoring Data Select the backup from the Available Backups list, or enter the full path to a valid backup in the Directory text box. The Available Backups list shows all backups located in the default directory, serverRoot/slapd-serverID/bak/backup_name where backup_name is the name of the backup file.
  • Page 159: Restoring A Single Database

    Backing Up and Restoring Data Using bak2db.pl Perl Script To restore your directory from the command line while the server is running: At the command prompt, change to the following directory: serverRoot/slapd-serverID Run the bak2db.pl perl script. For more information on using this perl script, refer to Netscape Directory Server Configuration, Command, and File Reference.
  • Page 160: Restoring Databases That Include Replicated Entries

    Backing Up and Restoring Data If the server is running, type the following to shut it down: ./stop-slapd Change to the directory containing the backup you want to restore. Copy all of the files to the directory containing the database you want to overwrite with your backup.
  • Page 161: Restoring The Dse.ldif Configuration File

    Enabling and Disabling Read-Only Mode For information on managing replication, see “Managing Replication,” on page 285. Restoring the dse.ldif Configuration File To restore the dse.ldif configuration file, stop the server, then use the procedure outlined in “Restoring a Single Database,” on page 159 to copy the backup copy of the file into your directory.
  • Page 162: Disabling Read-Only Mode

    Enabling and Disabling Read-Only Mode Click Save. Your change takes effect immediately. Before performing an import or restore operation, you should ensure that the databases affected by the operation are not in read-only mode. If they are, use the following procedure to make them available for updates. Disabling Read-Only Mode In the Directory Server Console, select the Configuration tab, and expand the Data tree.
  • Page 163: Chapter 5 Advanced Entry Management

    Chapter 5 Advanced Entry Management You can group the entries contained within your directory to simplify the management of user accounts. Netscape Directory Server (Directory Server) supports a variety of methods for grouping entries and sharing attributes between entries. This chapter describes the following grouping mechanisms and their procedures: •...
  • Page 164: Managing Static Groups

    Using Groups Managing Static Groups Static groups allow you to group entries by specifying the same group value in the DN attribute of any number of users. This section includes the following procedures for creating and modifying static groups: • Adding a New Static Group •...
  • Page 165: Modifying A Static Group

    Using Groups Modifying a Static Group In the Directory Server Console, select the Directory tab. The directory contents appear in the left pane. Double-click the entry you want to modify or select Open from the Object menu. The Edit Group dialog box appears. Make your changes to the group information.
  • Page 166: Using Roles

    Using Roles Double-click the entry you want to modify or select Properties from the Object menu. The Edit Group dialog box appears. Make your changes to the group information. Click OK. To view your changes, go to the View menu and select Refresh. Using Roles Roles are a new entry grouping mechanism that unifies the static and dynamic groups described in the previous sections.
  • Page 167 Using Roles • Remove a particular role from a given entry. You can do everything you would normally do with static groups with managed roles, and you can filter members using filtered roles as you used to do with dynamic groups. Roles are easier to use than groups, more flexible in their implementation, and reduce client complexity.
  • Page 168: Managing Roles Using The Console

    Using Roles Managing Roles Using the Console This section contains the following procedures for creating and modifying roles: • Creating a Managed Role • Creating a Filtered Role • Creating a Nested Role • Viewing and Editing an Entry’s Roles •...
  • Page 169: Creating A Filtered Role

    Using Roles In the right pane, select Managed Role. Click Add to add new entries to the list of members. The standard “Search users and groups” dialog box appears. Select Users from the Search drop-down list, then click Search.
  • Page 170: Creating A Nested Role

    Using Roles Click OK. The new role appears in the right pane. Creating a Nested Role Nested roles allow you to create roles that contain other roles. Before you create a nested role, another role must exist. When you create a nested role, the console displays a list of the roles available for nesting.
  • Page 171: Modifying A Role Entry

    Using Roles To remove a managed role, select it and click Remove. To edit a managed role associated with an entry, click Edit. The Edit Entry dialog box displays. Make any changes to the general information or members and click OK. Select the Other Roles tab to view the filtered or nested roles this entry belongs to. Click Edit to make changes to any filtered or nested roles associated with the entry.
  • Page 172: Reactivating A Role

    Using Roles The role is inactivated. To see the inactivated entries, select Inactivation State from the View menu. A red slash through the role icon indicates that the role has been inactivated. Reactivating a Role To reactivate a disabled role: In the Directory Server Console, select the Directory tab.
  • Page 173: Managing Roles Using The Command Line

    Using Roles Managing Roles Using the Command Line Roles inherit from the ldapsubentry object class, which is defined in the ISO/IEC X.509 standard. In addition, each type of role has two specific object classes that inherit from the nsRoleDefinition object class. Once you create a role, you assign members to it as follows: •...
  • Page 174: Example: Filtered Role Definition

    Using Roles Specify the managed role as follows: dn: cn=Marketing,ou=people,dc=example,dc=com objectclass: top objectclass: LDAPsubentry objectclass: nsRoleDefinition objectclass: nsSimpleRoleDefinition objectclass: nsManagedRoleDefinition cn: Marketing description: managed role for marketing staff Notice that the nsManagedRoleDefinition object class inherits from the LDAPsubentry, nsRoleDefinition, and nsSimpleRoleDefinition object classes. Assign the role to a marketing staff member named Bob by doing an...
  • Page 175: Example: Nested Role Definition

    Using Roles The following entry matches the filter (possesses the o attribute with the value sales managers) and therefore is a member of this filtered role: dn: cn=Pat,ou=people,dc=example,dc=com objectclass: person cn: Pat sn: Pat userPassword: bigsecret o: sales managers Example: Nested Role Definition You want to create a role that contains both the marketing staff and sales managers contained by the roles you created in the previous examples.
  • Page 176 Using Roles However, in some security contexts it is inappropriate to have such open roles. For example, consider account inactivation roles. By default, account inactivation roles contain ACIs defined for their suffix. When creating a role, the server administrator decides whether a user can assign themselves to or remove themselves from the role.
  • Page 177: Assigning Class Of Service

    Assigning Class of Service Assigning Class of Service A class of service (CoS) allows you to share attributes between entries in a way that is transparent to applications. CoS simplifies entry management and reduces storage requirements. There are two methods for creating and managing CoS, using the Directory Server Console or through the command line.
  • Page 178: About The Cos Definition Entry

    Assigning Class of Service The following sections describe the entries that make up a CoS in more detail and provide examples of each type of CoS. About the CoS Definition Entry The CoS definition entry is an instance of the cosSuperDefinition object class.
  • Page 179: How A Pointer Cos Works

    Assigning Class of Service • The value of one of the target entry’s attributes. The attribute used to provide the relative DN to the template entry is specified in the CoS definition entry using the cosIndirectSpecifier attribute. This type of template is associated with an indirect CoS. •...
  • Page 180: How A Classic Cos Works

    Assigning Class of Service The three CoS entries appear as illustrated in Figure 5-2. Figure 5-2 Sample Indirect CoS In this example, the target entry for William Holiday contains the indirect specifier, the manager attribute. William’s manager is Carla Fuentes, so the manager attribute contains a pointer to the DN of the template entry,...
  • Page 181: Managing Cos Using The Console

    Assigning Class of Service Figure 5-3 Sample Classic CoS In this example, the CoS definition entry’s cosSpecifier attribute specifies the employeeType attribute. This attribute, in combination with the template DN, identifies the template entry as cn=sales,cn=exampleUS,cn=data. The template entry then provides the value of the generated attribute to the target entry.
  • Page 182 Assigning Class of Service Go to the Object menu and select New > Class of Service. You can also right click the entry and select New > Class of Service. The Create New Class of Service dialog displays. Select General in the left pane. In the right pane, enter the name of your new class of service in the “Class Name”...
  • Page 183: Editing An Existing Cos

    Assigning Class of Service Click Template in the left pane. In the right pane, select how the template entry is identified. By its DN. If you choose to have the template entry identified by only its DN (a pointer CoS), enter the DN of the template in the “Template DN” field. Click Browse to locate the DN on your local server.
  • Page 184: Deleting A Cos

    Assigning Class of Service Deleting a CoS The following procedure describes deleting a CoS: In the Directory Server Console, select the Directory tab. Browse the tree in the left navigation pane and select the parent entry that contains your class of service. The CoS appears in the right pane with other entries.
  • Page 185: Table 5-3 Cos Definition Entry Attributes

    Assigning Class of Service Table 5-2 CoS Definition Entry Object Classes (Continued)
      CoS Type      Object Classes          Description
      Indirect CoS  cosIndirectDefinition   Identifies the template entry using the value of one of the target entry’s attributes. The attribute of the target entry is specified in the cosIndirectSpecifier attribute.
  • Page 186 Assigning Class of Service • Operational This qualifier indicates that the attribute will only be returned if it is explicitly requested in the search. Operational attributes do not need to pass a schema check in order to be returned. When you use operational as a qualifier, it works as if...
  • Page 187: Creating The Cos Template Entry From The Command Line

    Assigning Class of Service Now that you have been introduced to the object classes and attributes used by a CoS definition, it is time to put them together to create the definition entry itself. Table 5-4 describes the CoS definition for each type of CoS. Table 5-4 CoS Definitions CoS Type...
  • Page 188: Example Of A Pointer Cos

    Assigning Class of Service The CoS template entry also contains the attribute generated by the CoS (as specified in the cosAttribute attribute of the CoS definition entry) and the value for that attribute. For example, a CoS template entry that provides a value for the postalCode attribute follows:
      dn: cn=exampleUS,cn=data,dc=example,dc=com...
  • Page 189: Example Of An Indirect Cos

    Assigning Class of Service To add a new pointer CoS definition entry to the dc=example,dc=com suffix, you do an ldapmodify as follows:
      ldapmodify -a -D "cn=directory manager" -w secret -h host -p 389
    The ldapmodify utility binds to the server and prepares it to add information to the configuration file. Giving the bind password with -w places it on the command line, where other users on the same machine can read it from the process list; prefer a password prompt or a protected password file where your version of ldapmodify supports one.
  • Page 190: Example Of A Classic Cos

    Assigning Class of Service Next, you add the indirect CoS definition to the root suffix dc=example,dc=com as follows:
      dn: cn=indirectCoS,dc=example,dc=com
      objectclass: top
      objectclass: LDAPsubentry
      objectclass: cosSuperDefinition
      objectclass: cosIndirectDefinition
      cosIndirectSpecifier: manager
      cosAttribute: departmentNumber
    Next, you create the template entry for the manager Carla Fuentes as follows:
      dn: cn=Carla Fuentes,cn=data,dc=example,dc=com
      objectclass: top
      objectclass: LDAPsubentry...
  • Page 191: Creating Role-Based Attributes

    Assigning Class of Service The ldapmodify utility binds to the server and prepares it to add information to the configuration file. Next, you add the classic CoS definition to the root suffix dc=example,dc=com as follows:
      dn: cn=classicCoS,dc=example,dc=com
      objectclass: top
      objectclass: LDAPsubentry
      objectclass: cosSuperDefinition
      objectclass: cosClassicDefinition
      cosTemplateDn: cn=exampleUS,cn=data,dc=example,dc=com...
  • Page 192 Assigning Class of Service To create a role-based attribute, use the nsRole attribute as the cosSpecifier in the CoS definition entry of a classic CoS. Because the nsRole attribute can be multivalued, you can define CoS schemes that have more than one possible template entry.
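The pointer, indirect and classic CoS examples above each find their template entry in a different way, and whether a value already stored on the entry or the CoS value wins depends on the qualifier given with cosAttribute. The following is an added example, not code from the manual or from the server: a small Python model of that resolution over a constructed directory. The DNs, postal codes and department number are made up but follow the shapes of the examples on the previous pages; the cosTemplate and extensibleObject object classes on the template entries, and the remark about cosPriority, are assumptions about the server rather than statements taken from this page.

```python
# Added example: how a CoS-generated attribute is resolved for a target entry.
# Illustrative model only; not the Directory Server implementation.


def _norm(attrs):
    """Lower-case attribute names so lookups are case-insensitive, as in LDAP."""
    return {k.lower(): list(v) for k, v in attrs.items()}


# Constructed directory: template entries, CoS definitions and target entries.
DIRECTORY = {dn.lower(): _norm(a) for dn, a in {
    "cn=exampleUS,cn=data,dc=example,dc=com": {
        "objectClass": ["top", "LDAPsubentry", "cosTemplate", "extensibleObject"],
        "postalCode": ["44438"]},
    "cn=sales,cn=exampleUS,cn=data,dc=example,dc=com": {
        "objectClass": ["top", "LDAPsubentry", "cosTemplate", "extensibleObject"],
        "postalCode": ["44439"]},
    "cn=Carla Fuentes,cn=data,dc=example,dc=com": {
        "objectClass": ["top", "LDAPsubentry", "cosTemplate", "extensibleObject"],
        "departmentNumber": ["71776"]},
    "cn=pointerCoS,dc=example,dc=com": {
        "objectClass": ["top", "LDAPsubentry", "cosSuperDefinition", "cosPointerDefinition"],
        "cosTemplateDn": ["cn=exampleUS,cn=data,dc=example,dc=com"],
        "cosAttribute": ["postalCode"]},              # no qualifier: "default" behaviour
    "cn=indirectCoS,dc=example,dc=com": {
        "objectClass": ["top", "LDAPsubentry", "cosSuperDefinition", "cosIndirectDefinition"],
        "cosIndirectSpecifier": ["manager"],
        "cosAttribute": ["departmentNumber"]},
    "cn=classicCoS,dc=example,dc=com": {
        "objectClass": ["top", "LDAPsubentry", "cosSuperDefinition", "cosClassicDefinition"],
        "cosTemplateDn": ["cn=exampleUS,cn=data,dc=example,dc=com"],
        "cosSpecifier": ["employeeType"],
        "cosAttribute": ["postalCode override"]},     # CoS value wins over a stored one
    "cn=William Holiday,ou=people,dc=example,dc=com": {
        "objectClass": ["person"],
        "manager": ["cn=Carla Fuentes,cn=data,dc=example,dc=com"],
        "employeeType": ["sales"]},
    "cn=Pat,ou=people,dc=example,dc=com": {
        "objectClass": ["person"],
        "employeeType": ["sales"],
        "postalCode": ["00000"]},                     # a real, stored value
}.items()}


def cos_value(directory, cos_dn, target_dn):
    """Values the CoS definition at cos_dn generates for target_dn ([] if none).
    Template lookup per CoS type:
      pointer  : cosTemplateDn names the template directly
      indirect : the target's cosIndirectSpecifier attribute holds the template DN
      classic  : cn=<value of cosSpecifier on the target>,<cosTemplateDn>
    A multi-valued specifier (nsRole, for example) yields one lookup per value; this
    model returns the union of what the templates hold (assumption: the real server
    uses cosPriority to choose among several matching templates)."""
    cos = directory[cos_dn.lower()]
    target = directory[target_dn.lower()]
    spec = cos["cosattribute"][0].split()
    attr, qualifiers = spec[0].lower(), {q.lower() for q in spec[1:]}
    # "default" behaviour: a value stored on the entry itself wins unless "override" is set
    if target.get(attr) and "override" not in qualifiers:
        return list(target[attr])
    classes = {c.lower() for c in cos["objectclass"]}
    if "cospointerdefinition" in classes:
        template_dns = [cos["costemplatedn"][0]]
    elif "cosindirectdefinition" in classes:
        template_dns = target.get(cos["cosindirectspecifier"][0].lower(), [])
    elif "cosclassicdefinition" in classes:
        base = cos["costemplatedn"][0]
        values = target.get(cos["cosspecifier"][0].lower(), [])
        template_dns = ["cn=%s,%s" % (v, base) for v in values]
    else:
        raise ValueError("unknown CoS definition type for " + cos_dn)
    generated = []
    for dn in template_dns:
        template = directory.get(dn.lower())
        if template:                         # a missing template simply generates nothing
            generated.extend(template.get(attr, []))
    return generated
```

Calling cos_value(DIRECTORY, "cn=indirectCoS,dc=example,dc=com", "cn=William Holiday,ou=people,dc=example,dc=com") follows William's manager attribute to Carla Fuentes's template and returns her departmentNumber, while the same call for Pat, who has no manager, returns nothing. Note that these values are computed, not stored: as the access control chapter points out, a target filter or bind rule that depends on a CoS-generated attribute does not work, so authorization decisions should key on stored attributes.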
  • Page 193: Access Control And Cos

    Assigning Class of Service NOTE The role entry and the CoS definition and template entries should be located at the same level in the directory tree. Access Control and CoS The server controls access to attributes generated by a CoS in exactly the same way as regular stored attributes.
  • Page 195: Chapter 6 Managing Access Control

    Chapter 6 Managing Access Control Netscape Directory Server (Directory Server) provides you with the ability to control access to your directory. This chapter describes the access control mechanism. This section includes the following topics: • Access Control Principles (page 196) •...
  • Page 196: Access Control Principles

    Access Control Principles Access Control Principles The mechanism by which you define access is called access control. When the server receives a request, it uses the authentication information provided by the user in the bind operation, and the access control instructions (ACIs) defined in the server to allow or deny access to directory information.
  • Page 197: Aci Placement

    Access Control Principles ACI Placement If an entry containing an ACI does not have any child entries, the ACI applies to that entry only. If the entry has child entries, the ACI applies to the entry itself and all entries below it. As a direct consequence, when the server evaluates access permissions to any given entry, it verifies the ACIs for every entry between the one requested and the directory suffix, as well as the ACIs on the entry itself.
  • Page 198: Aci Limitations

    Access Control Principles For example, if you deny write permission at the directory’s root level, then none of the users can write to the directory regardless of the specific permissions you grant them. To grant a specific user write permissions to the directory, you have to restrict the scope of the original denial for write permission so that it does not include the user.
  • Page 199: Default Acis

    Default ACIs If you create target filters or bind rules that depend on the value of attributes generated by CoS, the access control rule will not work. For more information on CoS, see Chapter 5, “Advanced Entry Management.” • Access control rules are always evaluated on the local server. Therefore, it is not necessary to specify the hostname or port number of the server in LDAP URLs used in ACI keywords.
  • Page 200: Creating Acis Manually

    Creating ACIs Manually • Group expansion. • All authenticated users have search, compare, and read rights to configuration attributes that identify the Administration Server. The following sections explain how to modify these default settings to suit the needs of your organization. Creating ACIs Manually You can create access control instructions manually using LDIF statements, and add them to your directory tree using the...
  • Page 201: Example Aci

    Creating ACIs Manually • permission specifically outlines what rights you are either allowing or denying (for example, read or search rights). • bind_rules specify the credentials and bind parameters that a user has to provide to be granted access. Bind rules can also specifically deny access to certain users or groups of users.
  • Page 202: Table 6-1 Ldif Target Keywords

    Creating ACIs Manually • An attribute value, or a combination of values, that match a specified LDAP filter, as described in “Targeting Attribute Values Using LDAP Filters,” on page 207. The general syntax for a target is: (keyword = "expression") (keyword != "expression") where: keyword indicates the type of target...
  • Page 203: Targeting A Directory Entry

    Creating ACIs Manually
      acl1: (target=...)(targetattr!=a)(version 3.0; acl "name"; allow (...)...
      acl2: (target=...)(targetattr!=b)(version 3.0; acl "name"; allow (...)...
    the result would be to allow all values of the target attribute. The first ACL (acl1) will allow b and the second ACL (acl2) will allow a.
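The point above is easy to get wrong in practice, so here is an added example (not from the manual) in Python that models how targetattr clauses compose: each allow ACI contributes its own attribute set and the server grants access if any one of them covers the attribute, so two ACIs that each exclude one attribute jointly expose both. The attribute list stands in for the entry's schema and is constructed.

```python
import re

# Added example: composition of targetattr clauses across allow ACIs (illustrative,
# not the server's code). ATTRS is a constructed stand-in for the entry's attributes.
ATTRS = ["cn", "sn", "mail", "userPassword", "homePhone"]


def targetattr_scope(clause, all_attrs):
    """Attributes covered by one targetattr clause, e.g. '(targetattr="cn || sn")' or
    '(targetattr!="userPassword")'. '*' stands for every attribute; names are compared
    case-insensitively. A '!=' clause covers everything except the listed names."""
    m = re.match(r'\s*\(?\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)?\s*$', clause)
    if not m:
        raise ValueError("not a targetattr clause: %r" % clause)
    op, value = m.groups()
    universe = {a.lower() for a in all_attrs}
    if value.strip() == "*":
        listed = set(universe)
    else:
        listed = {n.strip().lower() for n in value.split("||")} & universe
    return listed if op == "=" else universe - listed


def attrs_allowed(targetattr_clauses, all_attrs):
    """Union of what a set of allow ACIs exposes: access is granted when any single ACI
    covers the attribute, so exclusions spread over separate ACIs do not add up."""
    allowed = set()
    for clause in targetattr_clauses:
        allowed |= targetattr_scope(clause, all_attrs)
    return allowed
```

With attrs_allowed(['(targetattr!="userPassword")', '(targetattr!="homePhone")'], ATTRS) every attribute is readable, because the first ACI covers homePhone and the second covers userPassword. To exclude both, state both exclusions in one clause, targetattr!="userPassword || homePhone", which leaves only cn, sn and mail.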
  • Page 204 Creating ACIs Manually The following are legal examples of wildcard usage: • (target="ldap:///uid=*,dc=example,dc=com") Matches every entry in the entire example.com tree that has the uid attribute in the entry’s RDN. • (target="ldap:///uid=*Anderson,dc=example,dc=com") Matches every entry directly under the example.com node with a uid ending in Anderson.
  • Page 205: Targeting Attributes

    Creating ACIs Manually NOTE You cannot use wildcards in the suffix part of a distinguished name. That is, if your directory uses the suffixes c=US and c=GB, then you cannot use the following target to reference both suffixes: (target="ldap:///dc=example,c=*"). Neither can you use a target such as uid=bjensen,dc=*.com. Targeting Attributes In addition to targeting directory entries, you can also target one or more attributes...
  • Page 206: Targeting Both An Entry And Attributes

    Creating ACIs Manually If, however, you target the tree’s branch point ou=Marketing,dc=example,dc=com, then all the entries beneath the branch point that can contain a password attribute are affected by the ACI. Targeting Both an Entry and Attributes By default, the entry targeted by an ACI containing a targetattr keyword is the entry on which the ACI is placed.
  • Page 207: Targeting Attribute Values Using Ldap Filters

    Creating ACIs Manually
      dn: dc=example,dc=com
      objectClass: top
      objectClass: organization
      aci: (targetattr="departmentNumber || manager")(targetfilter="(businessCategory=Engineering)")(version 3.0; acl "eng-admins-write"; allow (write) groupdn="ldap:///cn=Engineering Admins,dc=example,dc=com";)
    Although using LDAP filters can be useful when you are targeting entries and attributes that are spread across the directory, the results are sometimes unpredictable because filters do not directly name the object for which you are managing access.
  • Page 208: Targeting A Single Directory Entry

    Creating ACIs Manually When creating an entry, if a filter applies to an attribute in the new entry, then each instance of that attribute must satisfy the filter. When deleting an entry, if a filter applies to an attribute in the entry, then each instance of that attribute must also satisfy the filter.
  • Page 209: Defining Permissions

    Creating ACIs Manually
      aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";)
    This ACI can apply only to the o=NetscapeRoot entry. The risk associated with these methods is that your directory tree might change in the future, and you would have to remember to modify this ACI. Defining Permissions Permissions specify the type of access you are allowing or denying.
  • Page 210 Creating ACIs Manually Delete. Indicates whether users can delete entries. This permission applies only to the delete operation. Search. Indicates whether users can search for the directory data. Users must have Search and Read rights in order to view the data returned as part of a search result. This permission applies only to the search operation.
  • Page 211: Rights Required For Ldap Operations

    Creating ACIs Manually Rights Required for LDAP Operations This section describes the rights you need to grant to users depending on the type of LDAP operation you want to authorize them to perform. Adding an entry: • Grant add permission on the entry being added. •...
  • Page 212: Permissions Syntax

    Bind Rules The permissions you need to set up to allow users to search the directory are more readily understood with an example. Consider the following ldapsearch operation:
      % ldapsearch -h host -s base -b "uid=bkolics,dc=example,dc=com" "objectclass=*" mail
    The following ACI is used to determine whether user bkolics can be granted...
  • Page 213: Bind Rule Syntax

    Bind Rules Bind rules can be simple. For example, a bind rule can simply state that the person accessing the directory must belong to a specific group. Bind rules can also be more complex. For example, a bind rule can state that a person must belong to a specific group and must log in from a machine with a specific IP address, between 8 am and 5 pm.
  • Page 214: Table 6-2 Ldif Bind Rule Keywords

    Bind Rules Table 6-2 LDIF Bind Rule Keywords
      Keyword     Valid Expressions                                            Wildcard Allowed?
      userdn      ldap:///distinguished_name, ldap:///all, ldap:///anyone,     yes, in DN only
                  ldap:///self, ldap:///parent, ldap:///suffix??sub?(filter)
      groupdn     ldap:///DN || DN
      roledn      ldap:///DN || DN
      userattr    attribute#bindType or attribute#value
      ip          IP_address                                                   yes
      dns         DNS_host_name
      dayofweek   sun, mon, tue, wed, thu, fri, sat
      timeofday   0 - 2359
      authmethod  none, simple, ssl, sasl sasl_mechanism...
  • Page 215: Defining User Access - Userdn Keyword

    Bind Rules Defining User Access - userdn Keyword User access is defined using the userdn keyword. The userdn keyword requires one or more valid distinguished names in the following format: userdn = "ldap:///dn [|| ldap:///dn]...[||ldap:///dn]" where dn can be a DN or one of the expressions anyone, self, or...
  • Page 216: Self Access (Self Keyword)

    Bind Rules Self Access (self Keyword) Specifies that users are granted or denied access to their own entries. In this case, access is granted or denied if the bind DN matches the DN of the targeted entry. From the Server Console, you set up self access on the Access Control Editor. For more information, see “Creating ACIs From the Console,”...
  • Page 217 Bind Rules Userdn keyword containing an LDAP URL: userdn = "ldap:///uid=*,dc=example,dc=com"; The bind rule is evaluated to be true if the user binds to the directory using any distinguished name of the specified pattern. For example, both of the following bind DNs would be evaluated to be true: uid=ssarette,dc=example,dc=com uid=tjaz,ou=Accounting,dc=example,dc=com...
  • Page 218: Defining Group Access - Groupdn Keyword

    Bind Rules The bind rule is evaluated to be true for any valid bind DN. To be true, a valid distinguished name and password must have been presented by the user during the bind operation. For example, if you want to grant read access to the entire tree to all authenticated users, you would create the following ACI on the dc=example,dc=com node:...
  • Page 219: Examples

    Bind Rules The groupdn keyword requires one or more valid distinguished names in the following format: groupdn="ldap:///dn [|| ldap:///dn]...[|| ldap:///dn]" The bind rule is evaluated to be true if the bind DN belongs to the named group. NOTE If a DN contains a comma, the comma must be escaped by a backslash (\).
  • Page 220: Defining Access Based On Value Matching

    Bind Rules The roledn keyword requires one or more valid distinguished names in the following format: roledn = "ldap:///dn [|| ldap:///dn]... [|| ldap:///dn]" The bind rule is evaluated to be true if the bind DN belongs to the specified role. NOTE If a DN contains a comma, the comma must be escaped by a backslash (\).
  • Page 221 Bind Rules or, if you are using an attribute type that requires a value other than a user DN, group DN, role DN, or an LDAP filter: userattr = "attrName#attrValue" where: • attrName is the name of the attribute used for value matching •...
  • Page 222 Bind Rules If you are using static groups that are under the same suffix as the targeted entry, you can use the following expression: userattr = "ldap:///dc=example,dc=com?owner#GROUPDN" In this example, the group entry is under the dc=example,dc=com suffix. The server can process this type of syntax more quickly than the previous example. (By default, owner is not an allowed attribute in a user’s entry.
  • Page 223: Using The Userattr Keyword With Inheritance

    Bind Rules Example With LDAPURL Bind Type The following is an example of the userattr keyword associated with a bind based on an LDAP filter: userattr = "myfilter#LDAPURL" The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter attribute of the targeted entry.
  • Page 224: Figure 6-1 Using Inheritance With The Userattr Keyword

    Bind Rules For example, userattr = "parent[0,1].manager#USERDN" This bind rule is evaluated to be true if the bindDN matches the manager attribute of the targeted entry. The permissions granted when the bind rule is evaluated to be true apply to the target entry and to all entries immediately below it. Example With userattr Inheritance The example in Figure 6-1 indicates that user is allowed to read and...
  • Page 225: Granting Add Permission Using The Userattr Keyword

    Bind Rules Granting Add Permission Using the userattr Keyword If you use the userattr keyword in conjunction with add permissions, you might find that the behavior of the server is not what you expect. Typically, when a new entry is created in the directory, Directory Server evaluates access rights on the entry being created, and not on the parent entry.
  • Page 226: Defining Access From A Specific Ip Address

    Bind Rules Defining Access From a Specific IP Address Using bind rules, you can indicate that the bind operation must originate from a specific IP address. This is often used to force all directory updates to occur from a given machine or network domain. The LDIF syntax for setting a bind rule based on an IP address is as follows: ip = "IP_address"...
  • Page 227: Defining Access At A Specific Time Of Day Or Day Of Week

    Bind Rules The dns keyword requires a fully qualified DNS domain name. Granting access to a host without specifying the domain creates a potential security threat. For example, the following expression is allowed but not recommended: dns = "legend.eng"; You should use a fully qualified name such as: dns = "legend.eng.example.com";...
  • Page 228: Examples

    Bind Rules The LDIF syntax for setting a bind rule based on the day in the week is as follows: dayofweek = "day1, day2 ..." The possible values for the dayofweek keyword are the English three-letter abbreviations for the days of the week: sun, mon, tue, wed, thu, fri, sat. Examples The following are examples of the syntax:...
  • Page 229: Defining Access Based On Authentication Method

    Bind Rules Defining Access Based on Authentication Method You can set bind rules that state that a client must bind to the directory using a specific authentication method. The authentication methods available are: • None—Authentication is not required. This is the default. It represents anonymous access.
  • Page 230: Using Boolean Bind Rules

    Bind Rules authmethod = "ssl"; The bind rule is evaluated to be true if the client authenticates to the directory using a certificate over LDAPS. This is not evaluated to be true if the client authenticates using simple authentication (bind DN and password) over ldaps. authmethod = "sasl DIGEST-MD5";...
  • Page 231: Creating Acis From The Console

    Creating ACIs From the Console Because Boolean expressions are evaluated from left to right, in the first case, bind rule A is evaluated before bind rule B, and in the second case, bind rule B is evaluated before bind rule A. However, the Boolean not is evaluated before the Boolean and and Boolean or...
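As an added example that is not part of the manual, the following Python evaluator parses the bind-rule keywords described on the preceding pages (userdn, groupdn, ip, dns, dayofweek, timeofday, authmethod) and applies the Boolean operators with the assumed precedence not, then and, then or, evaluating left to right within a level (the manual only states that not comes first). The bind contexts, the admin DN and group, the DNS name and the wildcard semantics (a '*' in a userdn spans commas, as in the uid=*,dc=example,dc=com example earlier) are constructed or assumed. The HostedCompany1 rule is taken from the usage example later in this chapter, with the day names normalized to the documented three-letter form.

```python
import re
from fnmatch import fnmatchcase

# Illustrative bind-rule evaluator (added example, not the server's code). Assumed
# precedence: not, then and, then or; left to right within a level.
TOKEN = re.compile(
    r'\s*(?:(\()|(\))|(and|or|not)\b|(\w+)\s*(!=|>=|<=|=|>|<)\s*"([^"]*)")', re.IGNORECASE)


def tokenize(rule):
    """'(' ')', and/or/not, and (keyword, op, value) atoms, in source order."""
    text, pos, tokens = rule.strip().rstrip(";").rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m: raise ValueError("cannot parse bind rule near %r" % text[pos:pos + 20])
        pos = m.end()
        if m.group(3): tokens.append(m.group(3).lower())
        elif m.group(4): tokens.append((m.group(4).lower(), m.group(5), m.group(6)))
        else: tokens.append(m.group(1) or m.group(2))
    return tokens


def parse(tokens):
    """expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | '(' expr ')' | atom."""
    pos = [0]

    def take(expected=None):
        if pos[0] >= len(tokens): raise ValueError("unexpected end of bind rule")
        tok = tokens[pos[0]]
        if expected and tok != expected: raise ValueError("expected %r" % expected)
        pos[0] += 1
        return tok

    def factor():
        tok = take()
        if tok == "not": return ("not", factor())
        if tok == "(":
            node = expr(); take(")"); return node
        if isinstance(tok, tuple): return ("atom",) + tok
        raise ValueError("unexpected token %r" % (tok,))

    def chain(word, operand):  # left-associative: operand (word operand)*
        node = operand()
        while pos[0] < len(tokens) and tokens[pos[0]] == word:
            pos[0] += 1; node = (word, node, operand())
        return node

    term = lambda: chain("and", factor)
    expr = lambda: chain("or", term)
    tree = expr()
    if pos[0] != len(tokens): raise ValueError("trailing text in bind rule")
    return tree


def _userdn(url, ctx):
    """One userdn URL against the bind; bind_dn None means an anonymous bind."""
    dn, bind_dn = url.strip()[len("ldap:///"):].lower(), ctx.get("bind_dn")
    if dn == "anyone": return True
    if bind_dn is None: return False       # all/self/DN patterns need an authenticated bind
    if dn == "self": return bind_dn.lower() == ctx["target_dn"].lower()
    # '*' spans commas: uid=*,dc=example,dc=com also matches uid=tjaz,ou=Accounting,dc=example,dc=com
    return dn == "all" or fnmatchcase(bind_dn.lower(), dn)


def eval_atom(keyword, op, value, ctx):
    v = value.strip().lower()
    if keyword == "timeofday":
        now, limit = int(ctx["timeofday"]), int(v)
        return {"=": now == limit, "!=": now != limit, ">": now > limit,
                ">=": now >= limit, "<": now < limit, "<=": now <= limit}[op]
    if op not in ("=", "!="): raise ValueError("%s supports only = and !=" % keyword)
    if keyword == "ip": hit = fnmatchcase(ctx["ip"], v)
    elif keyword == "dns": hit = fnmatchcase(ctx["dns"].lower(), v)
    elif keyword == "dayofweek": hit = ctx["dayofweek"][:3].lower() in {d.strip()[:3] for d in v.split(",")}
    elif keyword == "authmethod":
        # "ssl" means certificate authentication; a password bind over LDAPS stays "simple"
        hit = v == "none" or ctx["authmethod"].lower() == v
    elif keyword == "userdn": hit = any(_userdn(u, ctx) for u in value.split("||"))
    elif keyword == "groupdn":
        member_of = {g.lower() for g in ctx.get("groups", ())}
        hit = any(u.strip()[len("ldap:///"):].lower() in member_of for u in value.split("||"))
    else: raise ValueError("unsupported bind rule keyword " + keyword)
    return hit if op == "=" else not hit


def evaluate(node, ctx):
    if node[0] == "atom": return eval_atom(node[1], node[2], node[3], ctx)
    if node[0] == "not": return not evaluate(node[1], ctx)
    left = evaluate(node[1], ctx)
    return (left and evaluate(node[2], ctx)) if node[0] == "and" else (left or evaluate(node[2], ctx))


def bind_rule_matches(rule, ctx):
    """True if the bind described by ctx satisfies the bind rule text."""
    return evaluate(parse(tokenize(rule)), ctx)


# The "HostedCompany1" rule from the usage examples, with a constructed bind context.
HOSTED_COMPANY1 = ('groupdn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,'
                   'dc=example,dc=com" and (dayofweek="Mon,Tue,Wed,Thu") and (timeofday >= "0800" '
                   'and timeofday <= "1800") and (ip="255.255.123.234") and (authmethod="ssl")')
ADMIN_BIND = {"bind_dn": "uid=admin1,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com",
              "groups": ["cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com"],
              "ip": "255.255.123.234", "dns": "admin.hostedcompany1.example.com", "dayofweek": "tue",
              "timeofday": "0930", "authmethod": "ssl",
              "target_dn": "ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com"}
```

bind_rule_matches(HOSTED_COMPANY1, ADMIN_BIND) is true, and changing any single condition (a simple bind over LDAPS instead of a certificate, 18:30, a Saturday, another source address) makes it false, which is the layered protection the conditional-access example is after. The rule ip="10.0.0.1" or dns="*.example.com" and not authmethod="simple" evaluated against a simple bind from 10.0.0.1 shows the precedence: it is true because and binds tighter than or, whereas a strict left-to-right reading would give false.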
  • Page 232: Displaying The Access Control Editor

    Creating ACIs From the Console In the Access Control Editor, you can click on the Edit Manually button at any time to check the LDIF representation of the changes you make through the graphical interface. Displaying the Access Control Editor Start the Directory Server Console.
  • Page 233: Viewing Current Acis

    Creating ACIs From the Console Click New. The Access Control Editor is displayed as shown in Figure 6-3. Figure 6-3 Access Control Editor Window For information on navigating through the Access Control dialog boxes, refer to the online help. Viewing Current ACIs If you want to see what ACIs apply to a particular subtree in your directory, follow these steps: In the Directory tab, right-click the top entry in the subtree, and choose Set...
  • Page 234: Creating A New Aci

    Creating ACIs From the Console Creating a New ACI To create a new ACI: Display the Access Control Editor. This task is explained in “Displaying the Access Control Editor,” on page 232. If the view displayed is different from Figure 6-3 on page 233, click the Edit Visually button.
  • Page 235: Editing An Aci

    Creating ACIs From the Console Click the Hosts tab, then the Add button to display the Add Host Filter dialog box. You can specify a hostname or an IP address. If you specify an IP address, you can use the wildcard character (*). Click the Times tab to display the table showing at what times access is allowed.
  • Page 236: Deleting An Aci

    Access Control Usage Examples Deleting an ACI To delete an ACI: In the Directory tab, right-click the top entry in the subtree, and choose Set Access Permissions from the pop-up menu. The Access Control Manager window is displayed. It contains the list of ACIs belonging to the entry.
  • Page 237: Granting Anonymous Access

    Access Control Usage Examples • Grant all example.com employees the right to create group entries under the Social Committee branch of the directory, and to delete group entries that they own (see “Granting Rights to Add and Delete Group Entries,” on page 245).
  • Page 238 Access Control Usage Examples This example assumes that the ACI is added to the dc=example,dc=com entry. Note that the userPassword attribute is excluded from the scope of the ACI. From the Console, you can set this permission by doing the following: In the Directory tab, right click the example.com node in the left navigation...
  • Page 239: Granting Write Access To Personal Entries

    Access Control Usage Examples This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com entry. It also assumes that every subscriber entry has an unlistedSubscriber attribute which is set to yes or no. The target definition filters out the unlisted subscribers based on the value of this attribute.
  • Page 240 Access Control Usage Examples It is also example.com’s policy to let their subscribers update their own personal information in the example.com tree provided that they establish an SSL connection to the directory. This is illustrated in the ACI “Write Subscribers” example.
  • Page 241 Access Control Usage Examples In the Targets tab, click This Entry to display the dc=example,dc=com suffix in the target directory entry field. In the attribute table, tick the checkboxes for the homePhone, homePostalAddress, and userPassword attributes. All other checkboxes should be clear. This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table, then click the Name header to organize them alphabetically, and select the appropriate ones.
  • Page 242 Access Control Usage Examples In the Users/Groups tab, in the ACI name field, type "Write Subscribers". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area to Special Rights, and select Self from the Search results list.
  • Page 243: Restricting Access To Key Roles

    Access Control Usage Examples Restricting Access to Key Roles You can use role definitions in the directory to identify functions that are critical to your business, the administration of your network and directory, or another purpose. For example, you might create a superAdmin role by identifying a subset of your system administrators that are available at a particular time of day and day of the...
  • Page 244: Granting A Group Full Access To A Suffix

    Access Control Usage Examples Click the Add button to list Self in the list of users who are granted access permission. Click OK to dismiss the Add Users and Groups dialog box. In the Rights tab, tick the checkbox for write. Make sure the other checkboxes are clear.
  • Page 245: Granting Rights To Add And Delete Group Entries

    Access Control Usage Examples ACI “HR” In LDIF, to grant the HR group all rights on the employee branch of the directory, you would use the following statement: aci: (version 3.0; acl "HR"; allow (all) userdn= "ldap:///cn=HRgroup,ou=example-people,dc=example,dc=com";) This example assumes that the ACI is added to the entry.
  • Page 246 Access Control Usage Examples At example.com, for example, there is an active social committee that is organized into various clubs: tennis, swimming, skiing, role-playing, etc. Any example.com employee can create a group entry representing a new club. This is illustrated in the ACI “Create Group” example. Any example.com employee can become a member of one of these groups.
  • Page 247 Access Control Usage Examples Click OK to dismiss the Add Users and Groups dialog box. In the Rights tab, tick the checkbox for add. Make sure the other checkboxes are clear. In the Targets tab, click This Entry to display the ou=social committee, suffix in the target directory entry field.
  • Page 248: Granting Conditional Access To A Group Or Role

    Access Control Usage Examples Granting Conditional Access to a Group or Role In many cases, when you grant a group or role privileged access to the directory, you want to ensure that those privileges are protected from intruders trying to impersonate your privileged users.
  • Page 249 Access Control Usage Examples In the Users/Groups tab, in the ACI name field, type "HostedCompany1". In the list of users granted access permission, do the following: Select and remove All Users, then click Add. The Add Users and Groups dialog box is displayed. Set the Search area to Users and Groups, and type DirectoryAdmin in the Search For field.
  • Page 250: Denying Access

    Access Control Usage Examples "ldap:///cn=DirectoryAdmin,ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com") and (dayofweek="Mon,Tue,Wed,Thu") and (timeofday >= "0800" and timeofday <= "1800") and (ip="255.255.123.234") and (authmethod="ssl"); ) Click OK. The new ACI is added to the ones listed in the Access Control Manager window. Denying Access If your directory holds business-critical information, you might specifically want to deny access to it.
  • Page 251 Access Control Usage Examples Click the Add button to list Self in the list of users who are granted access permission. Click OK to dismiss the Add Users and Groups dialog box. In the Rights tab, tick the checkboxes for search and read rights. Make sure the other checkboxes are clear.
  • Page 252: Setting A Target Using Filtering

    Access Control Usage Examples Set the Search area in the Add Users and Groups dialog box to to Special Rights, and select Self from the Search results list. Click the Add button to list Self in the list of users who are granted access permission.
  • Page 253: Allowing Users To Add Or Remove Themselves From A Group

    Access Control Usage Examples Before you can set these permissions, you must create the accounting branch point (ou=accounting,dc=example,dc=com). You can create organizational unit branch points using the Directory tab on the Directory Server Console. Allowing Users to Add or Remove Themselves From a Group Many directories set ACIs that allow users to add or remove themselves from groups.
  • Page 254: Defining Permissions For Dns That Contain A Comma

    Access Control Usage Examples In the Rights tab, tick the checkbox for selfwrite. Make sure the other checkboxes are clear. In the Targets tab, type the dc=example,dc=com suffix in the target directory entry field. In the attribute table, tick the checkbox for the attribute that holds group membership.
  • Page 255 Access Control Usage Examples In order for the client application to gain access to the Accounting subtree (using the same access permissions as the Accounting Administrator): • The Accounting Administrator must have access permissions to the ou=Accounting,dc=example,dc=com subtree. For example, the following ACI grants all rights to the Accounting Administrator entry: aci: (target="ldap:///ou=Accounting,dc=example,dc=com")...
  • Page 256: Viewing The Acis For An Entry

    Viewing the ACIs for an Entry Viewing the ACIs for an Entry You can view all the ACIs under a single suffix in the directory by running the following ldapsearch command:
      ldapsearch -h host -p port -b baseDN -D rootDN -w rootPassword "(aci=*)" aci
    Quote the filter so that the shell does not expand the asterisk. See Netscape Directory Server Configuration, Command, and File Reference for information on using the ldapsearch utility.
  • Page 257 Advanced Access Control: Using Macro ACIs In this illustration, note the repeating pattern of subdomains with the same tree structure (ou=groups, ou=people). This pattern is also repeated across the tree, because the directory tree stores the following suffixes: dc=hostedCompany2,dc=example,dc=com and dc=hostedCompany3,dc=example,dc=com. The ACIs that apply in the directory tree also have a repeating pattern.
  • Page 258: Figure 6-4 Example Directory Tree For Macro Acis

    Advanced Access Control: Using Macro ACIs Figure 6-4 Example directory tree for Macro ACIs The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node:
      aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)
  • Page 259: Macro Aci Syntax

    Advanced Access Control: Using Macro ACIs The following ACI is located on the dc=subdomain1,dc=hostedCompany1,dc=example,dc=com node:
      aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com";)
    The following ACI is located on the dc=hostedCompany2,dc=example,dc=com node:
      aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany2,dc=example,dc=com";)
    The following ACI is located on the...
  • Page 260: Macro Matching For ($Dn)

    Advanced Access Control: Using Macro ACIs • [$dn] • ($attr.attrName), where attrName represents an attribute contained in the target entry To simplify the discussion in this section, the ACI keywords used to provide bind credentials, such as userdn, roledn, and groupdn, are collectively called...
  • Page 261: Macro Matching For [$Dn]

    Advanced Access Control: Using Macro ACIs
    aci: (target="ldap:///ou=*,($dn),dc=example,dc=com")(targetattr = "*")
    (version 3.0; acl "Domain access"; allow (read,search)
    groupdn="ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com";)
    In this case, if the string matching ($dn) in the target is dc=subdomain1,dc=hostedCompany1, then the same string is used in the subject. The ACI above is expanded as follows:
    aci: (target="ldap:///ou=Groups,dc=subdomain1,dc=hostedCompany1,...
  • Page 262: Macro Matching For ($Attr.attrname)

    Advanced Access Control: Using Macro ACIs Replace [$dn] in the subject with dc=hostedCompany1. The result is groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com". In this case, if the bind DN is not a member of that group, the ACI is not evaluated. If it is a member, the ACI is evaluated.
  • Page 263: Access Control And Replication

    Access Control and Replication In order to evaluate the roledn part of the ACI, the server looks at the attribute stored in the targeted entry, and uses the value of this attribute to expand the macro. Therefore, in the example, the roledn is expanded as follows: roledn =...
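The expansion rules for ($dn), [$dn] and ($attr.attrName) described above, as an added Python example that is not code from the Directory Server manual or product: given the DN part of a target, a subject, and the targeted entry's DN and attributes, it returns the candidate subjects the server would test, in order. It assumes the target pattern is matched against the whole entry DN (entries further down the subtree are out of scope) and that RDN values contain no escaped commas.

```python
"""Expansion of macro ACIs: ($dn), [$dn] and ($attr.attrName).

Added example, not code from the Directory Server manual or product. It
models the expansion rules the manual describes so the candidate subjects
an ACI is evaluated against can be seen for a given target entry.
"""
from fnmatch import fnmatchcase
import re
from typing import Dict, List, Optional

ATTR_MACRO = re.compile(r"\(\$attr\.([A-Za-z0-9_-]+)\)")


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs, dropping whitespace around commas.

    Simplification (assumption): RDN values with escaped commas are not handled.
    """
    return [rdn.strip() for rdn in dn.split(",")]


def rdn_matches(pattern: str, rdn: str) -> bool:
    """Match one target RDN pattern such as 'ou=*' against one entry RDN.

    Attribute types and values are compared case-insensitively; '*' in the
    pattern's value matches any string, as in an ACI target.
    """
    if "=" not in pattern or "=" not in rdn:
        return False
    ptype, pvalue = pattern.split("=", 1)
    rtype, rvalue = rdn.split("=", 1)
    return ptype.strip().lower() == rtype.strip().lower() and fnmatchcase(
        rvalue.strip().lower(), pvalue.strip().lower())


def match_dn_macro(target_dn_pattern: str, entry_dn: str) -> Optional[str]:
    """Return the string ($dn) stands for when the target matches entry_dn.

    target_dn_pattern is the DN part of the target, for example
    'ou=*,($dn),dc=example,dc=com'. The fixed RDNs after ($dn) must end the
    entry DN, the RDNs before it must match the leading entry RDNs, and ($dn)
    takes what lies in between (at least one RDN). Returns None when the target
    does not match. Assumption: the pattern is matched against the whole
    entry DN, not against entries further down the subtree.
    """
    pattern = split_rdns(target_dn_pattern)
    if pattern.count("($dn)") != 1:
        return None
    pos = pattern.index("($dn)")
    head, tail = pattern[:pos], pattern[pos + 1:]
    entry = split_rdns(entry_dn)
    if len(entry) < len(head) + len(tail) + 1:
        return None
    if tail and [r.lower() for r in entry[-len(tail):]] != [r.lower() for r in tail]:
        return None
    for pat, rdn in zip(head, entry):
        if not rdn_matches(pat, rdn):
            return None
    matched = entry[len(head):len(entry) - len(tail)]
    return ",".join(matched)


def expand_subject(subject: str, dn_match: str,
                   target_entry: Dict[str, str]) -> List[str]:
    """Expand the macros in a subject (a userdn, roledn or groupdn value).

    Returns the candidate subjects in the order the server tries them:
    ($dn) gives one candidate; [$dn] gives one per right-hand portion of the
    matched string, longest first, so the bind DN is tested against the most
    specific group before the parent domain's group; ($attr.name) is replaced
    by the value of 'name' in the target entry. An empty list means a macro
    could not be expanded (attribute missing), so the ACI is not evaluated.
    """
    attrs = {k.lower(): v for k, v in target_entry.items()}
    missing = False

    def attr_value(m) -> str:
        nonlocal missing
        value = attrs.get(m.group(1).lower())
        if value is None:
            missing = True
            return ""
        return value

    subject = ATTR_MACRO.sub(attr_value, subject)
    if missing:
        return []
    subject = subject.replace("($dn)", dn_match)
    if "[$dn]" not in subject:
        return [subject]
    rdns = split_rdns(dn_match)
    return [subject.replace("[$dn]", ",".join(rdns[i:])) for i in range(len(rdns))]


def expand_aci(target_dn_pattern: str, subject: str, entry_dn: str,
               target_entry: Dict[str, str]) -> List[str]:
    """Candidate subjects for one ACI against one target entry ([] if none)."""
    dn_match = match_dn_macro(target_dn_pattern, entry_dn)
    if dn_match is None:
        return []
    return expand_subject(subject, dn_match, target_entry)


if __name__ == "__main__":
    # Constructed sample entry, shaped like the manual's example tree.
    target = "ou=*,($dn),dc=example,dc=com"
    entry = "ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"
    for subj in ("ldap:///cn=DomainAdmins,ou=Groups,($dn),dc=example,dc=com",
                 "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com"):
        for candidate in expand_aci(target, subj, entry, {"ou": "Groups"}):
            print(candidate)
```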
  • Page 264: Logging Access Control Information

    Logging Access Control Information To obtain information on access control in the error logs, you must set the appropriate log level. To set the error log level from the Console: In the Console, click the Directory tab, right click the config node, and choose Properties from the pop-up menu.
  • Page 265: Chapter 7 User Account Management

    Chapter 7 User Account Management When a user connects to your Netscape Directory Server (Directory Server), first the user is authenticated. Then, the directory can grant access rights and resource limits to the user depending upon the identity established during authentication. This chapter describes tasks for user account management, including configuring the password and account lockout policy for your directory, denying groups of users access to the directory, and limiting system resources available to users...
  • Page 266: Configuring The Password Policy

    Managing the Password Policy Once you have established a password policy, which can be for the entire directory, or for specific subtrees or users, you can protect your user passwords from potential threats by configuring an account lockout policy. Account lockout protects against hackers who try to break into the directory by repeatedly guessing a user’s password.
  • Page 267: Configuring A Global Password Policy Using The Console

    Managing the Password Policy • Configuring Subtree/User Password Policy Using the Command-Line NOTE After configuring your password policy, we recommend that you configure an account lockout policy. For details, see “Configuring the Account Lockout Policy,” on page 277. Configuring a Global Password Policy Using the Console To set up or modify the password policy for an entire directory: In the Directory Server Console, select the Configuration tab and then the Data node.
  • Page 268: Configuring A Subtree/User Password Policy Using The Console

    Managing the Password Policy because the number of seconds will go past the epoch date. In such an event, the error log will indicate that the password maximum age is invalid. To resolve this problem, you must correct the passwordMaxAge attribute value in the file.
  • Page 269: Configuring A Global Password Policy Using The Command-Line

    Managing the Password Policy Create the local password policy for the subtree or user. In the Directory Server Console, select the Directory tab. In the navigation pane, select the subtree or user entry for which you want to set up the password policy. From the Object menu, select the Manage Password Policy option and then select the “For user”...
  • Page 270 Managing the Password Policy Table 7-1 Password Policy Attributes (Continued) Attribute Name Definition passwordMustChange: When on, this attribute requires users to change their passwords when they first log in to the directory or after the password is reset by the Directory Manager. When on, the user is required to change their password even if user-defined passwords are disabled.
  • Page 271 Managing the Password Policy Table 7-1 Password Policy Attributes (Continued) Attribute Name Definition passwordWarning: This attribute indicates the number of seconds before a warning message is sent to users whose password is about to expire. Depending on the LDAP client application, users may be prompted to change their password when the warning is sent.
  • Page 272 Managing the Password Policy Table 7-1 Password Policy Attributes (Continued) Attribute Name Definition passwordHistory: This attribute indicates whether the directory stores a password history. When set to on, the directory stores the number of passwords you specify in the passwordInHistory attribute in a history. If a user attempts to reuse one of the passwords, the password will be rejected.
  • Page 273: Configuring Subtree/User Password Policy Using The Command-Line

    Managing the Password Policy Configuring Subtree/User Password Policy Using the Command-Line To configure a subtree or user level password policy: Add the required attributes to the subtree or user entries by running the ns-newpwpolicy.pl script. The command syntax for the script is as follows:
    ns-newpwpolicy.pl [-D rootDN] { -w password | -w - | -j filename } [-p port] [-h host] -U userDN -S suffixDN
    For updating a subtree entry, use the...
  • Page 274 Managing the Password Policy The CoS template entry (nsPwTemplateEntry) that has the pwdpolicysubentry value pointing to the above (nsPwPolicyEntry) entry. For example:
    dn: cn="cn=nsPwTemplateEntry, ou=people, dc=example, dc=com", cn=nsPwPolicyContainer, ou=people, dc=example, dc=com
    objectclass: top
    objectclass: extensibleObject
    objectclass: costemplate
    objectclass: ldapsubentry
    cosPriority: 1
    pwdpolicysubentry: cn="cn=nsPwPolicyEntry, ou=people,...
  • Page 275 Managing the Password Policy The actual password policy specification entry (nsPwPolicyEntry) for holding the password policy attributes that are specific to the user. For example:
    dn: cn="cn=nsPwPolicyEntry, uid=jdoe, ou=people, dc=example, dc=com", cn=nsPwPolicyContainer, ou=people, dc=example, dc=com
    objectclass: top
    objectclass: extensibleObject
    objectclass: ldapsubentry
    objectclass: passwordpolicy
    Assign the value of the above entry DN to the...
  • Page 276: Setting User Passwords

    Managing the Password Policy To turn off user and subtree level password policy checks, set the nsslapd-pwpolicy-local attribute to off by modifying the cn=config entry. For example, you can use the ldapmodify command to make these changes:
    dn: cn=config
    changetype: modify
    replace: nsslapd-pwpolicy-local
    nsslapd-pwpolicy-local: off
    You can also disable the attribute by modifying it directly in the configuration...
  • Page 277: Configuring The Account Lockout Policy

    Managing the Password Policy Configuring the Account Lockout Policy The lockout policy works in conjunction with the password policy to provide further security. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user’s password. You can set up your password policy so that a specific user is locked out of the directory after a given number of failed attempts to bind.
  • Page 278: Table 7-2 Account Lockout Policy Attributes

    Managing the Password Policy Table 7-2 describes the attributes you can use to configure your account lockout policy. Table 7-2 Account Lockout Policy Attributes Attribute Name Definition passwordLockout: This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts. You set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute.
  • Page 279: Managing The Password Policy In A Replicated Environment

    Managing the Password Policy Managing the Password Policy in a Replicated Environment Password and account lockout policies are enforced in a replicated environment as follows: • Password policies are enforced on the data master. • Account lockout is enforced on all servers participating in replication. Some of the password policy information in your directory is replicated.
  • Page 280: Inactivating Users And Roles

    Inactivating Users and Roles You can temporarily inactivate a single user account or a set of accounts. Once inactivated, a user cannot bind to the directory. The authentication operation will fail. Users and roles are inactivated using the nsAccountLock operational attribute. When an entry contains the attribute with a value of...
  • Page 281: Inactivating User And Roles Using The Command Line

    Inactivating Users and Roles Click Account in the left pane. The right pane states that the role or user is inactivated. Click Activate to activate the user or role. Click OK to close the dialog box and save your changes. Once inactivated, you can view the state of the object by selecting Inactivation State from the View menu.
  • Page 282: Activating User And Roles Using The Command Line

    Inactivating Users and Roles Browse the navigation tree in the left navigation pane and double-click the user or role you want to activate. The Edit Entry dialog box appears. You can also select Activate from the Object menu as a short cut. Click Account in the left pane.
  • Page 283: Setting Resource Limits Based On The Bind Dn

    Setting Resource Limits Based on the Bind DN For more information about running the ns-activate.pl script, refer to Netscape Directory Server Configuration, Command, and File Reference. Setting Resource Limits Based on the Bind DN You can control server limits for search operations using special operational attribute values on the client application binding to the directory.
  • Page 284: Setting Resource Limits Using The Command Line

    Setting Resource Limits Based on the Bind DN Click Account in the left pane. The right pane contains the four limits you can set in the Resource Limits section. Entering a value of -1 indicates no limit. Click OK when you are finished. Setting Resource Limits Using the Command Line The following operational attributes can be set for each entry using the...
  • Page 285: Chapter 8 Managing Replication

    Chapter 8 Managing Replication Replication is the mechanism by which directory data is automatically copied from one Netscape Directory Server (Directory Server) to another; it is an important mechanism for extending your directory service beyond a single server configuration. This chapter describes the tasks to be performed on the supplier servers and the consumer servers to set up single master replication, multi-master replication, and cascading replication.
  • Page 286: Replication Overview

    Replication Overview For conceptual information on how you can use replication in your directory deployment, see the Netscape Directory Server Deployment Guide. Replication Overview Replication is the mechanism by which directory data is automatically copied from one Directory Server to another. Updates of any kind—entry additions, modifications, or even deletions—are automatically mirrored to other Directory Servers using replication.
  • Page 287: Supplier/Consumer

    Replication Overview Supplier/Consumer A server that holds a replica that is copied to a replica on a different server is called a supplier for that replica. A server that holds a replica that is copied from a different server is called a consumer for that replica. Generally, the replica on the supplier server is a read-write replica, and the one on the consumer server is a read-only replica.
  • Page 288: Unit Of Replication

    Replication Overview Unit of Replication In Directory Server, the smallest unit of replication is a database. This means that you can replicate an entire database, but not a subtree within a database. Therefore, when you create your directory tree, you must take your replication plans into consideration.
  • Page 289: Replication Agreement

    Replication Overview For more information on creating the Replication Manager entry, refer to “Creating the Supplier Bind DN Entry” on page 296. Replication Agreement Directory Servers use replication agreements to define their replication configuration. A replication agreement describes replication between one supplier and one consumer only.
  • Page 290: Replication Scenarios

    Replication Scenarios This section describes the most commonly used replication scenarios: • Single-Master Replication • Multi-Master Replication • Cascading Replication You can combine these basic scenarios to build the replication environment that best suits your needs. NOTE Whatever replication scenario you choose to implement, remember to consider schema replication.
  • Page 291: Multi-Master Replication

    Replication Scenarios Figure 8-1 Single-Master Replication In this particular configuration the suffix ou=people,dc=example,dc=com receives a large number of search requests. Therefore, to distribute the load, this tree, which is mastered on Server A, is replicated to two read-only replicas located on Server B and Server C.
  • Page 292: Figure 8-2 Multi-Master Replication (Two Suppliers)

    Replication Scenarios This type of configuration can work with any number of consumer servers. Each consumer server holds a read-only replica. The consumers can receive updates from all the suppliers. The consumers also have referrals defined for all the suppliers to forward any update requests that the consumers receive. Such scenarios are called multi-master configurations.
  • Page 293: Figure 8-3 Multi-Master Replication (Four Suppliers)

    Replication Scenarios Figure 8-3 Multi-Master Replication (Four Suppliers) Multi-master configurations have the following advantages: • Automatic write failover when one supplier is inaccessible • Updates are made on a local supplier in a geographically distributed environment NOTE Replication, especially multi-master replication, works better over high speed links than over slow links such as a WAN used in geographically distributed environments.
  • Page 294: Cascading Replication

    Replication Scenarios Cascading Replication In a cascading replication scenario, one server, often called a hub supplier, acts both as a consumer and a supplier for a particular replica. It holds a read-only replica and maintains a change log. It receives updates from the supplier server that holds the master copy of the data, and in turn supplies those updates to the consumer.
  • Page 295: Handling Complex Replication Configurations

    Handling Complex Replication Configurations For information on setting up cascading replication, refer to “Configuring Cascading Replication” on page 319. NOTE You can combine multi-master and cascading replication. For example, in the multi-master scenario illustrated in Figure 8-2 on page 292, Server C and Server D could be hub suppliers that would replicate to any number of consumer servers.
  • Page 296: Creating The Supplier Bind Dn Entry

    Handling Complex Replication Configurations Between suppliers and hub suppliers. Optionally, you can initialize the replicas on the consumer servers at this stage. Configure replication agreements on all hub suppliers, between the hub supplier and the dedicated consumers. Optionally, you can initialize the replicas on the consumer servers at this stage. NOTE It is very important to create and configure all replicas before you attempt to create a replication agreement.
  • Page 297 Handling Complex Replication Configurations • It must be defined in the replication agreement on the supplier server. For example, you could create an entry cn=Replication Manager,cn=config under the cn=config tree on the consumer server. This would be the supplier bind DN that all supplier servers would use to bind to the consumer to perform replication operations.
  • Page 298: Configuring Supplier Settings

    Handling Complex Replication Configurations Configuring Supplier Settings On any server that holds the master copy of a replica, you must specify supplier settings. To configure supplier settings: In the Directory Server Console, select the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console”...
  • Page 299: Configuring A Read-Only Replica

    Handling Complex Replication Configurations In the Replica Role section, select the Single Master or Multi-Master radio button. In the Common Settings section, specify a Replica ID (an integer between 1 and 254, both inclusive). The replica ID must be unique for a given suffix. Make sure you specify an ID that is different from the IDs used for read-write replicas on this server and on other servers.
  • Page 300: Configuring A Hub Supplier

    Handling Complex Replication Configurations In the Update Settings section, specify the supplier bind DN that the supplier will use to bind to the replica. This supplier bind DN or entry DN must correspond to the entry you created on the server that acts as a consumer in the replication agreement. You can now specify multiple supplier bind DNs per replica but only one supplier DN per replication agreement.
  • Page 301: Creating A Replication Agreement

    Handling Complex Replication Configurations In the Replica Role section, select the Hub radio button. In the Common Settings section, specify a purge delay in the “Purge delay” field. This option indicates how often the state information stored in the replicated entries is purged.
  • Page 302: Configuring Single-Master Replication

    Configuring Single-Master Replication To create a replication agreement: In the Directory Server Console, select the Configuration tab. For information on starting the Directory Server Console, see “Using the Directory Server Console” on page 32. In the navigation tree, expand the Replication folder, right-click the database to replicate, and select New Replication Agreement.
  • Page 303: Configuring The Read-Only Replica On The Consumer Server

    Configuring Single-Master Replication Configuring the Read-Only Replica on the Consumer Server Create the database for the read-only replica, if it does not exist. For instructions, refer to “Creating Suffixes” on page 80. Create the entry corresponding to the supplier bind DN on the consumer server, if it does not exist.
  • Page 304: Configuring The Read-Write Replica On The Supplier Server

    Configuring Single-Master Replication In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica. This supplier bind DN should correspond to the entry created in Step 2. Note that the supplier bind DN corresponds to a privileged user, because it is not subject to access control.
  • Page 305 Configuring Single-Master Replication Specify a change log by clicking the “Use default” button, or click the Browse button to display a file selector. Set the change log parameters (number and age). You must clear the unlimited checkboxes if you want to specify different values.
  • Page 306: Initializing The Replicas For Single-Master Replication

    Configuring Multi-Master Replication When you have finished, the replication agreement is set up. Initializing the Replicas for Single-Master Replication You can initialize the read-only replicas from the Replication Agreement Wizard, or at anytime afterwards. For information on initializing read-only replicas, refer to “Initializing Consumers”...
  • Page 307: Configuring The Read-Only Replicas On The Consumer Servers

    Configuring Multi-Master Replication Configuring the Read-Only Replicas on the Consumer Servers Perform these steps on each consumer server, Server C and Server D: Create the database for the read-only replica, if it does not exist. For instructions, refer to “Creating Suffixes” on page 80. Create the entry corresponding to the supplier bind DN, if it does not exist.
  • Page 308: Configuring The Read-Write Replicas On The Supplier Servers

    Configuring Multi-Master Replication In the Update Settings section, specify the bind DN or entry DN that the supplier will use to bind to the replica. This supplier bind DN should correspond to the entry created in Step 2. Note that the supplier bind DN corresponds to a privileged user, because it is not subject to access control.
  • Page 309 Configuring Multi-Master Replication Set the change log parameters (number and age). You must clear the unlimited checkboxes if you want to specify different values. Click Save to save the supplier settings. Create the entry corresponding to the supplier bind DN, if it does not exist. For multi-master replication, it is necessary to create this supplier bind DN on the supplier servers (as well as the consumers), because they act as both consumer and supplier to the other supplier servers.
  • Page 310 Configuring Multi-Master Replication In the Common Settings section, specify a Replica ID. The replica ID must be an integer between 1 and 254, both inclusive, and must be unique for a given suffix. Make sure you specify an ID that is different from the IDs used for read-write replicas on this server and on other servers.
  • Page 311: Initializing The Replicas For Multi-Master Replication

    Configuring Multi-Master Replication Go through the steps in the replication wizard by clicking Next to move to the following step. You can initialize the read-only replicas and the read-write replica on Server B from the Replication Agreement Wizard, or at anytime afterwards.
  • Page 312: Configuring 4-Way Multi-Master Replication

    Configuring Multi-Master Replication Configuring 4-Way Multi-Master Replication The 6.2 release of Directory Server supports 4-way multi-master replication. To set up multi-master replication such as the configuration shown in Figure 8-3 on page 293, between four supplier servers, Server M1 through Server M4, that each hold a read-write replica, and eight consumer servers, Server C1 through Server C8, that each hold a read-only replica, you need to perform the following procedures: •...
  • Page 313 Configuring Multi-Master Replication In the navigation tree, expand the Replication folder, and select the replica database. The Replica Settings tab is displayed on the right pane. Check the Enable Replica checkbox. In the Replica Role section, select the Dedicated Consumer radio button. In the Common Settings section, specify a purge delay in the “Purge delay”...
  • Page 314: Configuring The Read-Write Replicas On The Supplier Servers

    Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier Servers Perform these steps on each supplier server, Server M1 through Server M4: Specify the supplier settings for each server. In the Directory Server Console, select the Configuration tab. In the navigation tree, highlight the Replication node, and on the right pane, select the Supplier Settings tab.
  • Page 315 Configuring Multi-Master Replication If you have enabled the password expiration policy (or intend to do so in the future), disable it to prevent replication from failing due to expiration of passwords. To disable the password expiration policy on the userPassword attribute, add the attribute with a value of...
  • Page 316 Configuring Multi-Master Replication On Server M1, set up the following replication agreements: one with supplier Server M2, where Server M2 is configured as a consumer for the replica; one with supplier Server M4, where Server M4 is configured as a consumer for the replica;...
  • Page 317: Initializing The Replicas For Multi-Master Replication

    Configuring Multi-Master Replication When you have configured the servers holding the read-write replicas, the necessary replication agreements, and the servers holding the read-only replicas, you are ready to initialize replication. You can perform this task when you create the replication agreements on the supplier servers, or at any time afterwards. For information on the order and procedure for initializing read-only replicas, refer to “Initializing the Replicas for Multi-Master Replication”...
  • Page 318 Configuring Multi-Master Replication • nsds5ReplicaBusyWaitTime Amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access. The default is 3 seconds. • nsds5ReplicaSessionPauseTime Amount of time in seconds a supplier should wait between update sessions. Set this interval so that it is at least 1 second longer than the interval specified.
  • Page 319: Configuring Cascading Replication

    Configuring Cascading Replication Configuring Cascading Replication This section provides information on setting up cascading replication. The steps described in this section provide a high-level overview of the procedures you need to follow and cross references to the detailed task descriptions are provided at each step.
  • Page 320 Configuring Cascading Replication In the Common Settings section, specify a purge delay in the “Purge delay” field. This option indicates how often the state information stored in the replicated entries is purged. In the Update Settings section, specify the bind DN that the supplier will use to bind to the replica.
  • Page 321: Configuring The Read-Only Replica On The Hub Supplier

    Configuring Cascading Replication On the hub supplier, set up the replication agreement between this server and the consumer. When you have configured the replicas on each server, and the necessary replication agreements between servers, you can initialize the read-only replicas on the hub supplier, and on the consumer.
  • Page 322 Configuring Cascading Replication In the navigation tree, expand the Replication node and then select the database to replicate. The Replica Settings tab is displayed on the right pane. Check the Enable Replica checkbox. In the Replica Role section, select the Hub radio button. In the Common Settings section, specify a purge delay in the “Purge delay”...
  • Page 323: Configuring The Read-Write Replica On The Supplier Server

    Configuring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Perform these steps on the supplier server that holds the original copy of the database: Specify the supplier settings for the server. In the Directory Server Console, select the Configuration tab. In the navigation tree, highlight the Replication node.
  • Page 324: Initializing The Replicas For Cascading Replication

    Making a Replica Updatable In the Common Settings section, specify a purge delay in the “Purge delay” field. This option indicates how often the state information stored in the replicated entries is purged. Click Save to save the replication settings for the database. Initializing the Replicas for Cascading Replication In the case of cascading replication, you should initialize replicas in the following...
  • Page 325: Deleting The Change Log

    Deleting the Change Log Deleting the Change Log The change log is a record of all modifications on a given replica that the supplier uses to replay these modifications to replicas on consumer servers (or masters in the case of multi-master replication). In the event of a supplier server going offline, it is important to be able to delete the changelog because it no longer holds a true record of all modifications, and, as a result, should not be used as a basis for replication.
  • Page 326: Moving The Change Log To A New Location

    Initializing Consumers Moving the Change Log to a New Location To delete the change log while the server is still running and continuing to log changes, you simply move the change log to a new location. By moving the change log, a new change log is created in the directory you specify, and the old change log is deleted.
  • Page 327: Online Consumer Initialization Using The Console

    Initializing Consumers You can either initialize the consumer online using the console or manually using the command line. Online consumer initialization using the console is an effective method of initializing a small number of consumers. However, since each replica is initialized in sequence, this method is not suited to initializing a large number of replicas.
  • Page 328: Manual Consumer Initialization Using The Command Line

    Initializing Consumers Click Yes in the confirmation box. Online consumer initialization begins immediately. You can check the status of the online consumer initialization on the Summary tab in the Status box. If online consumer initialization is in progress, the status shows that a replica is being initialized.
  • Page 329: Exporting A Replica To Ldif

    Initializing Consumers Import the LDIF file with the supplier replica contents to the consumer server. See “Importing the LDIF File to the Consumer Server” on page 329 for instructions. Exporting a Replica to LDIF You can convert the replica to LDIF using one of the following three procedures: When you create a replication agreement by selecting “Create consumer initialization file”...
  • Page 330: Forcing Replication Updates

    Forcing Replication Updates Forcing Replication Updates When you stop a Directory Server involved in replication for regular maintenance, when it comes back online, you need to ensure that it gets updated through replication immediately. In the case of a master in a multi-master environment, the directory information needs to be updated by the other master in the multi-master set.
  • Page 331: Forcing Replication Updates From The Command Line

    Forcing Replication Updates Forcing Replication Updates From the Command Line From the consumer that requires updating, you can run a script that prompts the supplier to send replication updates immediately. This script is shown in Code Example 8-1. You can copy this example and give it a meaningful name, for example, .
  • Page 332 Forcing Replication Updates Code Example 8-1 Replicate_Now Script Example
    #!/bin/sh
    SUP_HOST=supplier_hostname
    SUP_PORT=supplier_portnumber
    SUP_MGRDN=supplier_directoryManager
    SUP_MGRPW=supplier_directoryManager_password
    MY_HOST=consumer_hostname
    MY_PORT=consumer_portnumber
    # Find the supplier's replication agreements that point at this consumer.
    ldapsearch -1 -T -h ${SUP_HOST} -p ${SUP_PORT} -D "${SUP_MGRDN}" -w "${SUP_MGRPW}" -b "cn=mapping tree, cn=config" \
    "(&(objectclass=nsds5replicationagreement)(nsDS5ReplicaHost=${MY_HOST}) \
    (nsDS5ReplicaPort=${MY_PORT}))" dn nsds5ReplicaUpdateSchedule > /tmp/$$
    cat /tmp/$$ | awk '...
  • Page 333: Table 8-1 Replicate_Now Variables

    Forcing Replication Updates Code Example 8-1 Replicate_Now Script Example (Continued)
    # s is set to 1 when the agreement already carries an update schedule.
    /^nsds5ReplicaUpdateSchedule: / { s = 1; print $0; }
    /^$/ { if ( s == 1 ) { print "-" ; print ""; } else { print "nsds5ReplicaUpdateSchedule: 0000-2359 0123456"; print "-"...
  • Page 334: Replication Over Ssl

    Replication Over SSL If you want the update operation to occur over an SSL connection, you must modify the ldapmodify command in the script with the appropriate parameters and values. For more information on the ldapmodify command, refer to “Managing Entries From the Command Line” on page 55 and Netscape Directory Server Configuration, Command, and File Reference.
  • Page 335: Configuring Replication Over Ssl Using The Replication Wizard

    Replication with Earlier Releases Configuring Replication Over SSL Using the Replication Wizard In the Directory Server Console of the supplier server, click the Configuration tab, expand the Replication folder and select the database that you want to replicate. Right-click the database, and choose New Replication Agreement from the drop-down menu.
  • Page 336: Configuring Directory Server As A Consumer Of A Legacy Directory Server

    Replication with Earlier Releases • This version of Directory Server cannot be a supplier for other replicas. The main advantage of being able to use this version of Directory Server as a consumer of a legacy Directory Server is to ease the migration of a replicated environment.
  • Page 337: Using The Retro Change Log Plug-In

    Using the Retro Change Log Plug-In Repeat Step 7 and Step 8 for each read-only replica that will receive updates from a legacy supplier. To complete your legacy replication setup, you must now configure the legacy supplier to replicate to the Directory Server. For instructions on configuring a replication agreement on a 4.x Directory Server, refer to the documentation for your legacy Directory Server.
  • Page 338: Enabling The Retro Change Log Plug-In

    Using the Retro Change Log Plug-In Table 8-2 Attributes of a Retro Change Log Entry (Continued) Attribute Definition targetDN: This attribute contains the DN of the entry that was affected by the LDAP operation. In the case of a modrdn operation, the targetDN attribute contains the DN of the entry before it was modified or moved.
  • Page 339: Trimming The Retro Change Log

    Using the Retro Change Log Plug-In To enable the retro change log plug-in from the command line: Create an LDIF file that contains the following LDIF update statements:
    dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
    cn: Retro Changelog Plugin
    changetype: modify
    replace: nsslapd-pluginenabled
    nsslapd-pluginenabled: on
    Use the command to import the LDIF file into the directory.
  • Page 340: Searching And Modifying The Retro Change Log

    Monitoring Replication Status Example of nsslapd-changelogmaxage value: nsslapd-changelogmaxage: 2d. Searching and Modifying the Retro Change Log The change log supports search operations. It is optimized for searches that include filters of the form: (&(changeNumber>=X)(changeNumber<=Y)) As a general rule, you should not perform add or modify operations on the retro change log entries, although you can delete entries to trim the size of the change log.
  • Page 341: Monitoring Replication Status From The Directory Server Console

    Monitoring Replication Status • Monitoring Replication Status From Administration Express. Monitoring Replication Status From the Directory Server Console: To view a summary of replication status via the Directory Server Console: Open the Directory Server Console. Select the Status tab, and then in the left navigation tree, select Replication Status.
  • Page 342: Monitoring Replication Status From Administration Express

    Monitoring Replication Status Monitoring Replication Status From Administration Express Although the replication status report that you view via the Directory Server Console shows many details, it does not show the progress of the replication. Additionally, because one report is generated per agreement, you need to navigate among the status reports for different agreements.
  • Page 343 Monitoring Replication Status In the URL field, enter the Administration Server URL in this format: http://hostname:admin_port Click Netscape Administration Express and, when prompted, log in. Select a master Directory Server instance, and click Replication Status. This brings up a page for specifying the runtime parameters of the replication-monitoring tool.
  • Page 344: Solving Common Replication Conflicts

    Solving Common Replication Conflicts Solving Common Replication Conflicts Multi-master replication uses a loose consistency replication model. This means that the same entries can be changed on different servers. When replication occurs between the two servers, the conflicting changes need to be resolved. Mostly, resolution occurs automatically, based on the timestamp associated with the change on each server.
  • Page 345: Renaming An Entry With A Multi-Valued Naming Attribute

    Solving Common Replication Conflicts • (created nsuniqueid=66446001-1dd211b2+uid=adamss,dc=example,dc=com at time t2) The second entry needs to be renamed in such a way that it has a unique DN. The renaming procedure depends on whether the naming attribute is single-valued or multi-valued. Each procedure is described below. Renaming an Entry with a Multi-Valued Naming Attribute To rename an entry that has a multi-valued naming attribute: Rename the entry using a new value for the naming attribute and keep the old...
  • Page 346: Renaming An Entry With A Single-Valued Naming Attribute

    Solving Common Replication Conflicts Renaming an Entry with a Single-Valued Naming Attribute To rename an entry that has a single-valued naming attribute: Rename the entry using a different naming attribute, and keep the old RDN. For example:
    prompt> ldapmodify -D adminDN -w password
    >dn: nsuniqueid=66446001-1dd211b2+dc=pubs,dc=example,dc=com
    >changetype: modrdn
    >newrdn: cn=TempValue...
  • Page 347: Solving Orphan Entry Conflicts

    Solving Common Replication Conflicts Solving Orphan Entry Conflicts When a delete operation is replicated, and the consumer server finds that the entry to be deleted has child entries, the conflict resolution procedure creates a glue entry to avoid having orphaned entries in the directory. In the same way, when an add operation is replicated, and the consumer server cannot find the parent entry, the conflict resolution procedure creates a glue entry representing the parent so that the new entry is not an orphan entry.
  • Page 348: Troubleshooting Replication-Related Problems

    Troubleshooting Replication-Related Problems
    !="userPassword")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn = "ldap:///anyone");)
    > -
    > add: aci
    > aci: (target="ldap:///dc=example,dc=com")(targetattr!="userPassword")(targetfilter="(!(nsds5ReplConflict=*))")(version 3.0;acl "Anonymous read-search access";allow (read, search, compare)(userdn="ldap:///anyone");)
    > -
    The new ACI filters out of search results all entries that contain the nsds5ReplConflict attribute.
  • Page 349 Troubleshooting Replication-Related Problems Because the log level is additive, running the above command will result in excessive messages in the error log, so use it judiciously. To turn off the replication debugging log, set the same attribute to 0. Error Message: agmt=%s (%s:%d) Replica has a different generation ID than the local data. Reason: The consumer specified at the beginning of this message has not been (successfully) initialized yet, or it was initialized from a different root master.
  • Page 350 Troubleshooting Replication-Related Problems Error Message: agmt=%s(%s:%d): Can't locate CSN %s in the changelog (DB rc=%d). The consumer may need to be reinitialized. Reason: Most likely the change log was recreated because the disk was full or the server was shut down ungracefully. Impact: The local server will not be able to send any more changes to that consumer until the consumer is reinitialized or gets the CSN from other suppliers.
  • Page 351 Troubleshooting Replication-Related Problems Symptom: Changelog is getting too big. Reason: Either changelog purge is turned off, which is the default setting, or changelog purge is turned on, but some consumers are way behind the supplier. Remedy: By default changelog purge is turned off. To turn it on from the command line, do as follows: ldapmodify...
  • Page 352: Useful Tools

    Troubleshooting Replication-Related Problems Symptom: In the Replication Monitor, some masters show just the header of the table. (For information on Replication Monitor, see “Monitoring Replication Status” on page 340.) Reason: No change has originated from the corresponding masters. In this case, the header part should show MaxCSN:...
  • Page 353: Chapter 9 Extending The Directory Schema

    Chapter 9 Extending the Directory Schema Netscape Directory Server (Directory Server) comes with a standard schema that includes hundreds of object classes and attributes. While the standard object classes and attributes should meet most of your requirements, you may need to extend your schema by creating new object classes and attributes.
  • Page 354: Managing Attributes

    Managing Attributes To extend the directory schema you should proceed in the following order: Create new attributes. See “Creating Attributes,” on page 355 for information. Create an object class to contain the new attributes and add the attributes to the object class.
  • Page 355: Creating Attributes

    Managing Attributes Table 9-1 Attributes Tab Reference (Continued) Field or Pane Description The object identifier of the attribute. An OID is a string, usually of dotted decimal numbers, that uniquely identifies an object, such as an object class or an attribute. If you do not specify an OID, the Directory Server automatically uses attribute_name-oid.
  • Page 356: Editing Attributes

    Managing Attributes Click Create. The Create Attribute dialog box is displayed. Enter a unique name for the attribute in the Attribute Name text box. Enter an object identifier for the attribute in the Attribute OID (Optional) text box. OIDs are described in Table 9-1 on page 354. Select a syntax that describes the data to be held by the attribute from the Syntax drop-down menu.
  • Page 357: Deleting Attributes

    Managing Object Classes To make the attribute multivalued, select the Multi-Valued checkbox. The Directory Server allows more than one instance of a multivalued attribute per entry. When you have finished editing the attribute, click OK. Deleting Attributes You can delete only attributes that you have created. You cannot delete standard attributes.
  • Page 358: Viewing Object Classes

    Managing Object Classes Viewing Object Classes To view information about all object classes that currently exist in your directory schema: In the Directory Server Console, select the Configuration tab. In the navigation tree, select the Schema folder and then select the Object Classes tab in the right pane.
  • Page 359: Creating Object Classes

    Managing Object Classes Table 9-2 Object Classes Tab Reference (Continued) Field or Pane Description Allowed Attributes Contains a list of attributes that may be present in entries that use this object class. Includes inherited attributes. Creating Object Classes You create an object class by giving it a unique name, selecting a parent object for the new object class, and adding required and optional attributes.
  • Page 360: Editing Object Classes

    Managing Object Classes To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list and then click the corresponding Remove button. You cannot remove either allowed or required attributes that are inherited from the parent object classes.
  • Page 361: Deleting Object Classes

    Turning Schema Checking On and Off To remove an attribute that you previously added, highlight the attribute in the Required Attributes list or the Allowed Attributes list and then click the corresponding Remove button. You cannot remove either allowed or required inherited attributes. When you are satisfied with the object class definition, click OK to dismiss the dialog box.
  • Page 362 Turning Schema Checking On and Off To turn schema checking on and off: In the Directory Server Console, select the Configuration tab. Highlight the server icon at the top of the navigation tree, then select the Settings tab in the right pane. To enable schema checking, check the “Enable Schema Checking”...
  • Page 363: Chapter 10 Managing Indexes

    Chapter 10 Managing Indexes The Netscape Directory Server Deployment Guide introduced the concept of indexing, its costs and benefits, and the different types of index shipped with Netscape Directory Server (Directory Server). This chapter begins with a description of the searching algorithm itself, so as to place the indexing mechanism in context, and then describes how to create, delete and manage indexes.
  • Page 364: About Index Types

    About Indexes About Index Types Indexes are stored in files in the directory’s databases. The names of the files are based on the indexed attribute, not the type of index contained in the file. Each index file may contain multiple types of indexes if multiple indexes are maintained for the specific attribute.
  • Page 365: About Default, System, And Standard Indexes

    About Indexes would return all the entries in your directory with telephone numbers that contain • International index—The international index speeds up searches for information in international directories. The process for creating an international index is similar to the process for creating regular indexes, except that you apply a matching rule by associating a locale (OID) with the attributes to be indexed.
  • Page 366: Overview Of System Indexes

    About Indexes Table 10-1 Default Indexes (Continued) Attribute / Purpose:
    mail: Improves the performance of the most common types of user directory searches.
    mailHost: Used by the Netscape Messaging Server.
    member: Improves Netscape server performance. This index is also used by the referential integrity plug-in.
  • Page 367: Overview Of Standard Indexes

    About Indexes Table 10-2 System Indexes (Continued) Attribute / Purpose:
    dnComp: Used to help accelerate subtree searches in the directory.
    objectClass: Used to help accelerate subtree searches in the directory.
    entryDN: Speeds up entry retrieval based on DN searches.
    parentID: Enhances directory performance during one-level searches.
  • Page 368: Overview Of The Searching Algorithm

    About Indexes Overview of the Searching Algorithm Indexes are used to speed up searches. To understand how the directory uses indexes, it helps to understand the searching algorithm. Each index contains a list of attributes (such as the common name attribute) and a pointer to the entries corresponding to each value.
  • Page 369 About Indexes nsslapd-sizelimit, which specifies the maximum number of entries to return from a search operation. If this limit is reached, the directory returns any entries it has located that match the search request, as well as an exceeded size limit error. nsslapd-timelimit, which specifies the maximum number of seconds allocated for a search request.
  • Page 370: Balancing The Benefits Of Indexing

    About Indexes Name in the Directory (Phonetic Code) / Query String (Phonetic Code) / Match Comments:
    Query string Surette (SRT): Matches. The generated code exists in the original name despite the misspelling of Sarette.
    Query string Bertha Sarette (BR0 SRT): No match. The code BR0 does not exist in the original name.
  • Page 371 About Indexes For example, suppose the Directory Server is asked to add the entry
    dn: cn=John Doe, ou=People, o=example.com
    objectclass: top
    objectClass: person
    objectClass: orgperson
    objectClass: inetorgperson
    cn: John Doe
    cn: John
    sn: Doe
    ou: Manufacturing
    ou: people
    telephonenumber: 408 555 8834
    description: Manufacturing lead for the Z238 line.
  • Page 372: Creating Indexes

    Creating Indexes This section describes how to create presence, equality, approximate, substring, and international indexes for specific attributes using the Directory Server Console and the command line. NOTE Given that this version of Directory Server can operate in either a single or multi-database environment, you need to remember to create your new indexes in every database instance, since newly...
  • Page 373: Creating Indexes From The Command Line

    Creating Indexes Expand the Data node, expand the suffix of the database you want to index, and select the database. Select the Indexes tab in the right pane. NOTE Do not click on the Database Settings node because this will take you to the Default Index Settings window and not the window for configuring indexes per database.
  • Page 374: Adding An Index Entry

    Creating Indexes Creating indexes from the command line involves two steps: • Using the ldapmodify command-line utility to add a new index entry or edit an existing index entry. • Running the db2index.pl perl script to generate the new set of indexes to be maintained by the server.
  • Page 375 Creating Indexes First, type the following to change to the directory containing the ldapmodify utility: cd serverRoot/shared/bin Run the ldapmodify command-line utility as follows: ldapmodify -a -h server -p 389 -D "cn=directory manager" -w password The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file.
  • Page 376: Running The Db2Index.pl Script

    Creating Indexes You can use the none keyword in the nsIndexType attribute to specify that no indexes are to be maintained for the attribute. For example, suppose you want to temporarily disable the sn indexes you just created on the database.
  • Page 377: Creating Browsing Indexes From The Server Console

    Creating Indexes Two examples of generating indexes using db2index.pl follow: Windows batch file (you need to run the script from the ..\bin\slapd\admin\bin\perl directory as shown in the example): ..\bin\slapd\admin\bin\perl db2index.pl -D "cn=Directory Manager" -w password -n ExampleServer -t sn UNIX shell script: db2index.pl -D "cn=Directory Manager"...
  • Page 378: Creating Browsing Indexes From The Command Line

    Creating Indexes Click Close to close the Create Browsing Index dialog box. The new index is immediately active for any new data that you add to your directory. You do not have to restart your server. Note that the default access control for VLV information is for it to be allowed for anyone who has authenticated.
  • Page 379: Adding A Browsing Index Entry

    Creating Indexes Adding a Browsing Index Entry The type of browsing index entry you want to create depends on the type of ldapsearch attribute sorting you want to accelerate. It is important to take the following into account: • The scope of the search (base, one, sub). For more information on the ldapsearch -s option, which allows you to...
  • Page 380 Creating Indexes Next, you need to add two browsing index entries which define your browsing index. The first entry you add specifies the base, scope, and filter of the browsing index:
    dn: cn="dc=example,dc=com",cn=Example1,cn=ldbm database,cn=plugins,cn=config
    objectClass:top
    objectClass:vlvSearch
    cn:"dc=example,dc=com"
    vlvbase:"dc=example,dc=com"
    vlvscope:one
    vlvfilter:(|(objectclass=*)(objectclass=ldapsubentry))
    contains the browsing index identifier, which specifies the entry on which you want to create the browsing index, in this example, the entry.
  • Page 381: Running The Vlvindex Script

    Creating Indexes The vlvsort attribute value specifies the order in which you want your attributes to be sorted, in this example , and then givenname. NOTE This first browsing index entry must be added to the cn=instanceName,cn=ldbm database,cn=plugins,cn=config directory tree node and the second entry must be a child of the first entry.
  • Page 382: Setting Access Control For Vlv Information

    Deleting Indexes For more information about the vlvindex script, see the Netscape Directory Server Configuration, Command, and File Reference. Setting Access Control for VLV Information Note that the default access control for the VLV index information is for it to be allowed for anyone who has authenticated.
  • Page 383: Deleting Indexes From The Server Console

    Deleting Indexes As the procedure for deleting browsing indexes is different, it is covered in a separate section. This section contains the following procedures: • Deleting Indexes From the Server Console • Deleting Indexes From the Command Line • Deleting Browsing Indexes From the Server Console •...
  • Page 384: Deleting Indexes From The Command Line

    Deleting Indexes Click Save. A Delete Index warning dialog box appears asking you to confirm that you want to delete the index. Click Yes to delete the index. The Delete Browsing Index dialog box appears displaying the status of the index deletion.
  • Page 385 Deleting Indexes
    dn: cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config
    objectClass:top
    objectClass:nsIndex
    cn:sn
    nsSystemIndex:false
    nsIndexType:pres
    nsIndexType:eq
    nsIndexType:sub
    nsMatchingRule:2.16.840.1.113730.3.3.2.3.1
    To run the ldapdelete command-line utility, type the following to change to the directory containing the utility: cd serverRoot/shared/bin
    Perform the ldapdelete as follows:
    ldapdelete -D "cn=Directory Manager" -w password -h ExampleServer -p 845 "cn=sn,cn=index,cn=Example1,cn=ldbm database,cn=plugins,cn=config"...
  • Page 386: Running The Db2Index.pl Script

    Deleting Indexes Running the db2index.pl Script Once you have deleted an indexing entry or deleted some of the index types from an indexing entry, run the db2index.pl script to generate the new set of indexes to be maintained by the Directory Server. Once you run the script, the new set of indexes is active for any new data you add to your directory and any existing data in your directory.
  • Page 387: Deleting Browsing Indexes From The Server Console

    Deleting Indexes Deleting Browsing Indexes From the Server Console Using Directory Server Console you can delete browsing indexes. To delete a browsing index using the Directory Server Console: In the Directory Server Console, select the Database tab. Select the entry from which you want to delete the index in the navigation tree, for example, People, and select Delete Browsing Index from the Object...
  • Page 388 Deleting Indexes For example, you want to delete a browsing index for accelerating ldapsearch operations on the entry "dc=example,dc=com" held in the database Example1, where the search base is "dc=example,dc=com", the search filter is (|(objectclass=*)(objectclass=ldapsubentry)), the scope is , and the sorting order for the returned attributes is , and...
  • Page 389: Running The Vlvindex Script

    Deleting Indexes Option / Description: -w Specifies the password associated with the distinguished name specified in the -D option. -h Specifies the name of the host on which the server is running. -p Specifies the port number that the server uses. For full information on ldapdelete options, refer to the Netscape Directory Server Configuration, Command, and File Reference.
  • Page 390: Managing Indexes

    Managing Indexes The following table describes the vlvindex options used in the examples. Option / Description: Name of the database containing the entries to index. Browsing index identifier to use to create browsing indexes. For more information about the vlvindex script, see the Netscape Directory Server Configuration, Command, and File Reference.
  • Page 391: Drawbacks Of The All Ids Mechanism

    Managing Indexes • Does not have to maintain infinitely increasing entry ID lists, thus minimizing your Directory Server’s disk space usage • Does not have to load unnecessarily large entry ID lists into memory in response to search requests that result in all directory entries anyway, thus increasing search performance by reducing large disk reads •...
  • Page 392: When All Ids Threshold Is Too High

    Managing Indexes When All IDs Threshold is Too High Setting the All IDs Threshold too high can also cause performance problems. An excessively high All IDs Threshold results in large entry ID lists that must be maintained and loaded into memory when servicing search requests. An excessively high All IDs Threshold can eliminate all of the benefits of the All IDs mechanism (see “Benefits of the All IDs Mechanism,”...
  • Page 393: All Ids Threshold Tuning Advice For Service Providers And Extranets

    Managing Indexes If you expect your directory to grow considerably in the future, you can do one of the following: • Set the All IDs Threshold to the current best value (2,500), and plan on rebuilding your database when your directory becomes large enough to warrant it.
  • Page 394: Default All Ids Threshold Value

    Managing Indexes Default All IDs Threshold Value By default, the Directory Server is set to an All IDs Threshold of 4000. This value is suitable for a database of up to 80,000 entries. If you expect your databases to be larger than 80,000 entries, we recommend that you change your All IDs Threshold to a larger value before populating your databases.
  • Page 395: Changing The All Ids Threshold Value

    Managing Indexes The presence of the notes=U flag indicates that the All IDs Threshold has been reached for the attribute index. Changing the All IDs Threshold Value To change the All IDs Threshold value for your server: Shut down your Directory Server. Export all of your directory databases to LDIF using the command line.
  • Page 396: Attribute Name Quick Reference Table

    Attribute Name Quick Reference Table Set your database cache size using the nsslapd-dbcachesize attribute. For more information, see the nsslapd-dbcachesize attribute in the Netscape Directory Server Configuration, Command, and File Reference. Attribute Name Quick Reference Table Table 10-3 lists all attributes which have a primary or real name as well as an alias. When creating indexes be sure to use the primary name.
  • Page 397: Chapter 11 Managing Ssl

    Chapter 11 Managing SSL To provide secure communications over the network, Netscape Directory Server (Directory Server) includes the LDAPS communications protocol. LDAPS is the standard LDAP protocol, but it runs on top of Secure Sockets Layer (SSL). This chapter describes how to use SSL with your Directory Server in the following sections: •...
  • Page 398: Enabling Ssl: Summary Of Steps

    Introduction to SSL in the Directory Server Using SSL with simple authentication ensures confidentiality and data integrity. The benefits of using a certificate to authenticate to the Directory Server, instead of a bind DN and password, include: • Improved efficiency—When you are using applications that prompt you once for your certificate database password, and then use that certificate for all subsequent bind or authentication operations, it is more efficient than continuously providing a bind DN and password.
  • Page 399: Obtaining And Installing Server Certificates

    Obtaining and Installing Server Certificates Optionally, ensure that each user of the Directory Server obtains and installs a personal certificate for all clients that will authenticate with SSL. For information, see “Configuring LDAP Clients to Use SSL” on page 409. For a complete description of SSL, internet security, and certificates, check the appendixes included in Managing Servers with Netscape Console.
  • Page 400: Step 2: Send The Certificate Request

    Obtaining and Installing Server Certificates Select the Server Certs tab, and click the Request button. The Certificate Request Wizard is displayed. Click Next. Enter the Requestor Information in the blank text fields, then click Next. Enter the following information: Server Name. Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups, for example, dir.example.com Organization.
  • Page 401: Step 3: Install The Certificate

    Obtaining and Installing Server Certificates Copy the certificate request information from the clipboard or the saved file into the body of the message. The content will look similar to the following example:
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1JOSUEx
    LDAqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF0aW9uMRwwG
    gYDVQQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNA
    DCBiQKBgQCwAbskGh6SKYOgHy+UCSLnm3ok3X3u83Us7ug0EfgSLR0f+K41eNqqR
    ftGR83emqPLDOf0ZLTLjVGJaH4Jn4l1gG+JDf/n/zMyahxtV7+mT8GOFFigFfuxa
    xMjr2j7IvELlxQ4IfZgWwqCm4qQecv3G+N9YdbjveMVXW0v4XwIDAQABoAAwDQYK
    -----END NEW CERTIFICATE REQUEST-----...
  • Page 402: Step 4: Trust The Certificate Authority

    Obtaining and Installing Server Certificates In the following encoded text block. Copy the text from the CA's email or from the text file you created and paste it in this field. For example:
    -----BEGIN CERTIFICATE-----
    MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMx
    IzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX
    aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz
    dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP
    MQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Ymxp
    Y2F0aW9uczEWMBQGA1UEAxMNZHVgh49dq2itLmNvbTBaMA0GCSqGSIb3
    -----END CERTIFICATE-----
    Check that the certificate information displayed is correct, and click Next.
  • Page 403: Step 5: Confirm That Your New Certificates Are Installed

    Activating SSL Check that the certificate information that is displayed is correct, and click Next. Specify a name for the certificate, and click Next. Select the purpose of trusting this Certificate Authority (you can select both): Accepting connections from clients (Client Authentication). The server checks that the client’s certificate has been issued by a trusted Certificate Authority.
  • Page 404 Activating SSL Before you can activate SSL, you must create a certificate database, obtain and install a server certificate and trust the CA’s certificate as described in “Obtaining and Installing Server Certificates” on page 399. NOTE On SSL-enabled servers, be sure to check the file permissions on certificate-database files, key-databases files, and PIN files to protect the sensitive information they contain.
  • Page 405 Activating SSL Set your preferences for client authentication. Do not allow client authentication. With this option, the server will ignore the client’s certificate. This does not mean that the bind will fail. Allow client authentication. This is the default setting. With this option, authentication is performed on the client’s request.
  • Page 406: Setting Security Preferences

    Setting Security Preferences Click Save. Restart the Directory Server. See “Starting the Server with SSL Enabled” on page 40 for more information. Setting Security Preferences You can choose the type of ciphers you want to use for SSL communications. A cipher is the algorithm used in encryption.
  • Page 407: Using Certificate-Based Authentication

    Using Certificate-Based Authentication In the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane. Select the Encryption tab in the right pane. This displays the current server encryption settings. Click Cipher Settings.
  • Page 408: Setting Up Certificate-Based Authentication

    Using Certificate-Based Authentication NOTE When specifying the key and certificate database filenames, you may use absolute or relative paths. If using relative paths, ensure that they are relative to the server root (for example, alias/slapd-phonebook-cert8.db and alias/slapd-phonebook-key3.db). The name of the certificate database has been changed from .
  • Page 409: Allowing/Requiring Client Authentication

    Configuring LDAP Clients to Use SSL Map the certificate’s distinguished name to a distinguished name known by your directory. This allows you to set access control for the client when it binds using this certificate. This mapping process is described in Managing Servers with Netscape Console.
  • Page 410 Configuring LDAP Clients to Use SSL These operations are sufficient if you want to ensure that LDAP clients recognize the server’s certificate. However, if you also want LDAP clients to use their own certificate to authenticate to the directory, make sure that all your directory users obtain and install a personal certificate.
  • Page 411 Configuring LDAP Clients to Use SSL On your client system, install your client certificate. Regardless of how you receive your certificate (either in email or on a web page), there should be a link that you click to install the certificate. Click it and step through the dialog boxes that Communicator presents to you.
  • Page 412 Configuring LDAP Clients to Use SSL NOTE Do not map your certificate-based-authentication certificate to a distinguished name under cn=monitor. If you map your certificate to a DN under cn=monitor, your bind will fail. Map your certificate to a target located elsewhere in the directory information tree.
  • Page 413: Chapter 12 Monitoring Server And Database Activity

    Chapter 12 Monitoring Server and Database Activity This chapter describes monitoring database and Netscape Directory Server (Directory Server) logs. This chapter contains the following sections: • Viewing and Configuring Log Files (page 413) • Manual Log File Rotation (page 420) •...
  • Page 414: Defining A Log File Rotation Policy

    Viewing and Configuring Log Files The following sections describe how to define your log file creation and deletion policy, and how to view and configure each type of log. NOTE When the server is not running, you cannot read the logs using the Directory Server Console.
  • Page 415: Defining A Log File Deletion Policy

    Viewing and Configuring Log Files • The total number of logs you want the directory to keep. When the directory reaches this number of logs, it deletes the oldest log file in the folder before creating a new log. The default is logs.
  • Page 416: Access Log

    Viewing and Configuring Log Files You can configure the following parameters: • The maximum size of the combined archived logs. When the maximum size is reached, the oldest archived log is automatically deleted. If you don’t want to set a maximum size, type in this field.
  • Page 417: Configuring The Access Log

    Viewing and Configuring Log Files Configuring the Access Log You can configure a number of settings to customize the access log, including where the directory stores the access log and the creation and deletion policies. You can also disable access logging for the directory. You may do this because the access log can grow very quickly (every 2,000 accesses to your directory will increase your access log by approximately 1 MB).
  • Page 418: Viewing The Error Log

    Viewing and Configuring Log Files • Configuring the Error Log Viewing the Error Log To view the error log: In the Directory Server Console, select the Status tab, then in the navigation tree, expand the Logs folder and select the Error Log icon. A table displays a list of the last 25 entries in the error log.
  • Page 419: Audit Log

    Viewing and Configuring Log Files Set the maximum size of combined archived logs, minimum amount of free disk space, and maximum age for a log file. For information on these parameters, see “Defining a Log File Deletion Policy,” on page 415. If you want to set the log level, Ctrl+click the options you want the directory to include in the Log Level list box.
  • Page 420: Configuring The Audit Log

    Manual Log File Rotation You can display messages containing a string you specify. To do this, enter the string in the “Show only lines containing” text box and click Refresh. Configuring the Audit Log You can use the Directory Server Console to enable and disable audit logging and to specify where the audit log file is stored.
  • Page 421: Monitoring Server Activity

    Monitoring Server Activity To manually rotate log files: Shut down the server. See “Starting and Stopping the Directory Server,” on page 35 for instructions. Move or rename the log file you are rotating in case you need the old log file for future reference.
  • Page 422: Overview Of Server Performance Monitor Information

    Monitoring Server Activity Click Refresh to refresh the current display. If you want the server to continuously update the displayed information, select the Continuous checkbox. Overview of Server Performance Monitor Information The server provides monitoring information as described in the following sections: •...
  • Page 423: Resource Summary

    Monitoring Server Activity Resource Summary The Resource Summary table displayed by the console provides resource-specific information listed in Table 12-1. Table 12-1 Server Performance Monitoring - Resource Summary (columns: Resource, Usage since startup, Average per minute). Connections: Total number of connections to this server since server startup (usage since startup); average number of connections (average per minute).
  • Page 424: Connection Status

    Monitoring Server Activity Table 12-2 Server Performance Monitoring - Current Resource Usage (Continued) (columns: Resource, Current total). Remaining Available Connections: Total number of remaining connections that the server can concurrently open. This number is based on the number of currently open connections and the total number of concurrent connections that the server is allowed to open.
  • Page 425: Global Database Cache Information

    Monitoring Server Activity Table 12-3 Server Performance Monitoring - Connection Status (Continued) Table Header Description Read/Write Indicates whether the server is currently blocked for read or write access to the client. Possible values include: • Not blocked. Indicates that the server is idle, actively sending data to the client, or actively reading data from the client.
  • Page 426: Monitoring Your Server From The Command Line

    Monitoring Server Activity Monitoring Your Server From the Command Line You can monitor your Directory Server’s current activities from any LDAP client by performing a search operation with the following characteristics: • Search for attribute objectClass=* • Search base: cn=monitor •...
  • Page 427: Monitoring Database Activity

    Monitoring Database Activity • currentconnections: Identifies the number of connections currently in service by the directory. • totalconnections: Identifies the number of connections handled by the directory since it started. • dtablesize: Shows the number of file descriptors available to the directory. Each connection requires one file descriptor: one for every open index, one for log file management, and one for...
  • Page 428: Monitoring Database Activity From The Server Console

    Monitoring Database Activity • Monitoring Databases From the Command Line Monitoring Database Activity From the Server Console This section describes how you can use Directory Server Console to view the database performance monitors and what sort of information the performance monitors provide.
  • Page 429: Summary Information Table

    Monitoring Database Activity Summary Information Table The Summary Information table provides the following information: Table 12-5 Database Performance Monitoring - Summary Information Performance Metric Current Total Readonly status Indicates whether the database is currently in read-only mode. Your database is in read-only mode when the readonly attribute is set to on.
  • Page 430: Database Cache Information Table

    Monitoring Database Activity Database Cache Information Table The Database Cache Information table provides caching information listed in Table 12-6. Table 12-6 Database Performance Monitoring - Database Cache Information (columns: Performance Metric, Current Total). Hits: Indicates the number of times the database cache successfully supplied a requested page.
  • Page 431: Monitoring Databases From The Command Line

    Monitoring Database Activity Table 12-7 Database Performance Monitoring - Database File-Specific table Performance Metric Current Total Cache hits Number of times that a search result resulted in a cache hit on this specific file. That is, a client performs a search that requires data from this file and the directory obtains the required data from the cache.
  • Page 432 Monitoring Database Activity • entrycachetries: Provides the same information as described in Entry cache tries in Table 12-5 on page 429. • entrycachehitratio: Provides the same information as described in “Entry cache hit ratio,” on page 429 in Table 12-5. •...
  • Page 433: Monitoring Database Link Activity

    Monitoring Database Link Activity • dbfilepageout-number: Provides the same information as described in Pages written out in Table 12-7 on page 431. Monitoring Database Link Activity You can monitor the activity of your database links from the command line using the monitoring attributes.
  • Page 434 Monitoring Database Link Activity Table 12-8 Database Link Monitoring Attributes (Continued) (columns: Attribute Name, Description). nsBindCount: Number of bind requests received. nsUnbindCount: Number of unbinds received. nsCompareCount: Number of compare operations received. nsOperationConnectionCount: Number of open connections for normal operations. nsBindConnectionCount: Number of open connections for bind operations. For more information about , see the Netscape Directory Server...
  • Page 435: Chapter 13 Monitoring Directory Server Using Snmp

    Chapter 13 Monitoring Directory Server Using SNMP The server and database activity monitoring log setup described in Chapter 12, “Monitoring Server and Database Activity,” is specific to Netscape Directory Server (Directory Server). You can also monitor your Directory Server using the Simple Network Management Protocol (SNMP), a management protocol used for monitoring network activity that can monitor a wide range of devices in real time.
  • Page 436: About Snmp

    About SNMP About SNMP SNMP is a protocol used to exchange data about network activity. With SNMP, data travels between a managed device and a network management station (NMS) where users remotely manage the network. A managed device is anything that runs SNMP, such as hosts, routers, and your Directory Server.
  • Page 437: Nms-Initiated Communication

    About SNMP • Managed Device-Initiated Communication NMS-Initiated Communication NMS-initiated communication is the most common type of communication between an NMS and a managed device. In this type of communication, the NMS either requests information from the managed device or changes the value of a variable stored on the managed device.
  • Page 438: Overview Of The Directory Server Management Information Base

    Overview of the Directory Server Management Information Base Overview of the Directory Server Management Information Base Each Netscape server has its own MIB. The Directory Server’s MIB is a file called netscape-ldap.mib. This MIB contains definitions for variables pertaining to network management for the directory. These variables are known as managed objects.
  • Page 439: Table 13-1 Operations Table - Managed Objects And Descriptions

    Overview of the Directory Server Management Information Base Table 13-1 Operations Table - Managed Objects and Descriptions (columns: Managed Object, Description). dsAnonymousBinds: The number of anonymous binds to the directory since server startup. dsUnauthBinds: The number of unauthenticated binds to the directory since server startup.
  • Page 440: Entries Table

    Overview of the Directory Server Management Information Base Table 13-1 Operations Table - Managed Objects and Descriptions (Continued). dsReferrals: The number of referrals returned by this directory in response to client requests since server startup. dsSecurityErrors: The number of operations forwarded to this directory that did not meet security requirements.
  • Page 441: Interaction Table

    Overview of the Directory Server Management Information Base Interaction Table The Interaction Table provides statistical information about the interaction of this Directory Server with peer Directory Servers. This table: • Contains statistical information for the last five Directory Servers with which this Directory Server has attempted to communicate.
  • Page 442: Setting Up Snmp

    Setting Up SNMP Table 13-3 Interaction Table - Managed Objects and Descriptions (Continued). dsFailuresSinceLastSuccess: The number of failures since the last time an attempt to contact this Directory Server was successful. If there have been no successful attempts, this counter will contain the number of failures since this entry was created.
  • Page 443: Setting Up Snmp On Unix

    Setting Up SNMP Setting Up SNMP on UNIX To set up SNMP support for your Directory Server on a UNIX machine: Configure and start the master agent using the Administration Server Console. If you are using the default port settings (161 for SNMP and 199 for SMUX), you need to be the root user.
  • Page 444: Starting And Stopping The Snmp Subagent On Unix

    Starting and Stopping the SNMP Subagent on UNIX NOTE Do not use the loopback address 127.0.0.1; use the real IP address instead. If you need more information, see your related system documentation. Starting and Stopping the SNMP Subagent on UNIX To start, stop, and restart the SNMP subagent for a directory running on UNIX: In the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane.
  • Page 445: Configuring Snmp For The Directory Server

    Configuring SNMP for the Directory Server To start, stop and restart the SNMP subagent for a directory running on Windows: Open the Control Panel and select Services. Select SNMP from the Service list. Click Start to start the SNMP Service, click Stop to stop the SNMP Service, or click Stop then Start to restart the SNMP Service.
  • Page 446 Configuring SNMP for the Directory Server Type the location within the company or organization where the directory resides in the Location text box. Type the email address of the person responsible for maintaining the directory in the Contact text box. Click Save.
  • Page 447: Chapter 14 Tuning Directory Server Performance

    Chapter 14 Tuning Directory Server Performance This chapter describes the tools provided with Netscape Directory Server (Directory Server) to help optimize performance. It also provides tips to improve the performance of your directory. This chapter contains the following sections: • Tuning Server Performance (page 447) •...
  • Page 448: Tuning Database Performance

    Tuning Database Performance To configure Directory Server to optimize performance: In the Directory Server Console, select the Configuration tab and then select the topmost entry in the navigation tree in the left pane. The tabs that are displayed in the right pane control server-wide configuration attributes.
  • Page 449: Optimizing Search Performance

    Tuning Database Performance • Changing the Database Checkpoint Interval • Disabling Durable Transactions • Specifying Transaction Batching Optimizing Search Performance You can improve server performance on searches by tuning database settings. The database attributes that affect performance mainly define the amount of memory available to the server.
  • Page 450 Tuning Database Performance • The attributes of each database that you use to store directory data, including the server configuration data in the NetscapeRoot database. On these databases, you can change the following attributes to improve performance: The maximum number of entries you want the server to keep in memory (maximum entries in cache attribute) The amount of memory you want to make available for cached entries (memory available for cache attribute)
  • Page 451: Tuning Transaction Logging

    Tuning Database Performance Enter the amount of memory you want to make available for cached entries in the Memory Available for Cache field. If you are creating a very large database from LDIF, set this attribute as large as possible, depending on the memory available on your machine. The larger this parameter, the faster your database will be created.
  • Page 452: Changing The Location Of The Database Transaction Log

    Tuning Database Performance Changing the Location of the Database Transaction Log By default, the database transaction log file is stored in the serverRoot/slapd-serverID/db directory along with the database files themselves. Because the purpose of the transaction log is to aid in the recovery of a directory database that was shut down abnormally, it is a good idea to store the database transaction log on a different disk from the one containing the directory database.
  • Page 453: Disabling Durable Transactions

    Tuning Database Performance required to recover directory databases after a disorderly shutdown and require more disk space due to large database transaction log files. Therefore, you should only modify this attribute if you are familiar with database optimization and can fully assess the effect of the change. To modify the checkpoint interval while the server is running, use the following procedure: Use the...
  • Page 454: Specifying Transaction Batching

    Miscellaneous Tuning Tips Use the ldapmodify command-line utility to add the nsslapd-db-durable-transactions attribute to the cn=config,cn=ldbm database,cn=plugins,cn=config entry, and set the value of this attribute to . For information on the syntax of the nsslapd-db-durable-transactions attribute, see the Netscape Directory Server Configuration, Command, and File Reference.
  • Page 455: Avoid Creating Entries Under The Cn=Config Entry In The Dse.ldif File

    Miscellaneous Tuning Tips Avoid Creating Entries Under the cn=config Entry in the dse.ldif File The cn=config entry in the simple, flat dse.ldif configuration file is not stored in the same highly scalable database as regular entries. As a result, if many entries, and particularly entries that are likely to be updated frequently, are stored under cn=config, performance will probably suffer.
  • Page 456 Miscellaneous Tuning Tips Netscape Directory Server Administrator’s Guide • December 2003...
  • Page 457: Part 2 Plug-Ins Reference

    Part 2 Plug-Ins Reference Chapter 15, “Administering Directory Server Plug-Ins” Chapter 16, “Using the Pass-Through Authentication Plug-In” Chapter 17, “Using the Attribute Uniqueness Plug-In” Chapter 18, “Configuring IM Presence Information”...
  • Page 459: Chapter 15 Administering Directory Server Plug-Ins

    Chapter 15 Administering Directory Server Plug-Ins Netscape Directory Server (Directory Server) plug-ins extend the functionality of the server. Directory Server ships with several plug-ins to help you manage your directory. This chapter contains general information on the types of plug-ins available, and how to enable or disable them. This chapter is divided into the following sections: •...
  • Page 460: Acl Plug-In

    Server Plug-in Functionality Reference Table 15-1 Details of 7-Bit Check Plug-In (Continued) DN of Configuration Entry: cn=7-bit check,cn=plugins,cn=config. Description: Checks certain attributes are 7-bit clean. Configurable Options: on | off. Default Setting: . Configurable Arguments: list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur. None...
  • Page 461: Acl Preoperation Plug-In

    Server Plug-in Functionality Reference ACL Preoperation Plug-In Table 15-3 Details of Preoperation Plug-In Plug-in Name: ACL preoperation. DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config. Description: ACL access check plug-in. Configurable Options: on | off. Default Setting: . Configurable Arguments: None. Dependencies: database. Performance Related Information: None...
  • Page 462: Boolean Syntax Plug-In

    Server Plug-in Functionality Reference Boolean Syntax Plug-In Table 15-5 Details of Boolean Syntax Plug-In Plug-in Name: Boolean Syntax. DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config. Description: Syntax for handling booleans. Configurable Options: on | off. Default Setting: . Configurable Arguments: None. Dependencies: None. Do not modify the configuration of this plug-in.
  • Page 463: Case Ignore String Syntax Plug-In

    Server Plug-in Functionality Reference Case Ignore String Syntax Plug-In Table 15-7 Details of Case Ignore String Syntax Plug-In Plug-in Name: Case Ignore String Syntax. DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config. Description: Syntax for handling case-insensitive strings. Configurable Options: on | off. Default Setting...
  • Page 464: Class Of Service Plug-In

    Server Plug-in Functionality Reference Class of Service Plug-In Table 15-9 Details of Class of Service Plug-In Plug-in Name: Class of Service. DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config. Description: Allows for sharing of attributes between entries. Configurable Options: on | off. Default Setting: . Configurable...
  • Page 465: Distinguished Name Syntax Plug-In

    Server Plug-in Functionality Reference Distinguished Name Syntax Plug-In Table 15-11 Details of Distinguished Name Syntax Plug-In Plug-in Name: Distinguished Name Syntax. DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config. Description: Syntax for handling DNs. Configurable Options: on | off. Default Setting: . Configurable Arguments: None...
  • Page 466: Integer Syntax Plug-In

    Server Plug-in Functionality Reference Table 15-12 Details of Generalized Time Syntax Plug-In (Continued) Further Information: The Generalized Time String consists of the following: four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication.
  • Page 467: Ldbm Database Plug-In

    Server Plug-in Functionality Reference Table 15-14 Details of Internationalization Plug-In (Continued) Configurable Options: on | off. Default Setting: . Configurable Arguments: The Internationalization plug-in has one argument which must not be modified: serverRoot/slapd-serverID/config/slapd-collations.conf. This directory stores the collation orders and locales used by the internationalization plug-in.
  • Page 468: Legacy Replication Plug-In

    Server Plug-in Functionality Reference Legacy Replication Plug-In Table 15-16 Details of Legacy Replication Plug-In Plug-in Name: Legacy Replication plug-in. DN of Configuration Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config. Description: Enables this version of Directory Server to be a consumer of a 4.1 supplier. Configurable Options: on | off...
  • Page 469: Octet String Syntax Plug-In

    Server Plug-in Functionality Reference Table 15-17 Details of Multimaster Replication Plug-In (Continued) Further Information: You can turn this plug-in off if you only have one server which will never replicate. See also Chapter 8, “Managing Replication.” Octet String Syntax Plug-in Table 15-18 Details of Octet String Syntax Plug-In Plug-in Name: Octet String Syntax...
  • Page 470: Crypt Password Storage Plug-In

    Server Plug-in Functionality Reference Table 15-19 Details of CLEAR Password Storage Plug-In (Continued) Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times. Further Information: Chapter 7, “User Account Management.” CRYPT Password Storage Plug-In Table 15-20 Details of CRYPT Password Storage Plug-In...
  • Page 471: Sha Password Storage Plug-In

    Server Plug-in Functionality Reference Table 15-21 Details of NS-MTA-MD5 Password Storage Plug-In (Continued) Default Setting: . Configurable Arguments: None. Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times. Further Information: You cannot choose to encrypt passwords using the NS-MTA-MD5 password storage scheme.
  • Page 472: Ssha Password Storage Plug-In

    Server Plug-in Functionality Reference SSHA Password Storage Plug-In Table 15-23 Details of SSHA Password Storage Plug-In Plug-in Name: SSHA. DN of Configuration Entry: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config. Description: SSHA password storage scheme for password encryption. Configurable Options: on | off. Default Setting: . Configurable Arguments: None...
  • Page 473: Presence Plug-In

    Server Plug-in Functionality Reference Presence Plug-In Table 15-25 Details of Presence Plug-In Plug-in Name: Presence. DN of Configuration Entry: cn=Presence,cn=plugins,cn=config. Description: Syntax used for handling postal addresses. Configurable Options: on | off. Default Setting: . Configurable Arguments: None. Dependencies: database. Performance Related Information: Check the reference provided in Further Information. Further Information...
  • Page 474: Referential Integrity Postoperation Plug-In

    Server Plug-in Functionality Reference Table 15-26 Details of PTA Plug-In (Continued) Performance Related Information: Chapter 16, “Using the Pass-Through Authentication Plug-In.” Further Information: Chapter 16, “Using the Pass-Through Authentication Plug-In.” Referential Integrity Postoperation Plug-In Table 15-27 Details of Referential Integrity Postoperation Plug-In Plug-in Name: Referential Integrity Postoperation. DN of Configuration...
  • Page 475: Retro Change Log Plug-In

    Server Plug-in Functionality Reference Table 15-27 Details of Referential Integrity Postoperation Plug-In (Continued) Performance Related Information: You should enable the Referential Integrity plug-in on only one master in a multimaster replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, you must be sure to analyze your performance, resource, and time needs as well as your integrity needs.
  • Page 476: Space Insensitive String Syntax Plug-In

    Server Plug-in Functionality Reference Table 15-29 Details of Roles Plug-In (Continued) DN of Configuration Entry: cn=Roles Plugin,cn=plugins,cn=config. Description: Enables the use of roles in the Directory Server. Configurable Options: on | off. Default Setting: . Configurable Arguments: None. Dependencies: None. Performance Related Information: Do not modify the configuration of this plug-in.
  • Page 477: State Change Plug-In

    Server Plug-in Functionality Reference Table 15-30 Details of Space Insensitive String Syntax Plug-In (Continued) Further Information: This plug-in enables the Directory Server to support space and case insensitive values. Applications can now search the directory using entries with ASCII space characters. For example, applications that use AOL Screen Names™...
  • Page 478: Telephone Syntax Plug-In

    Server Plug-in Functionality Reference Telephone Syntax Plug-In Table 15-32 Details of Telephone Syntax Plug-In Plug-in Name: Telephone Syntax. DN of Configuration Entry: cn=Telephone Syntax,cn=plugins,cn=config. Description: Syntax for handling telephone numbers. Configurable Options: on | off. Default Setting: . Configurable Arguments: None. Dependencies: None. Do not modify the configuration of this plug-in.
  • Page 479 Server Plug-in Functionality Reference Table 15-33 Details of UID Uniqueness Plug-In (Continued) Configurable Arguments: Enter the following arguments: "DN" "DN"... if you want to check for uid attribute uniqueness in all listed subtrees. However, enter the following arguments: attribute="uid" MarkerObjectclass = "ObjectClassName" and optionally requiredObjectClass = "ObjectClassName"...
  • Page 480: Uri Plug-In

    Enabling and Disabling Plug-Ins From the Server Console URI Plug-in Table 15-34 Details of URI Plug-In Plug-in Name: URI Syntax. DN of Configuration Entry: cn=URI Syntax,cn=plugins,cn=config. Description: Syntax for handling URIs (Unique Resource Identifiers) including URLs (Unique Resource Locators). Configurable Options: on | off. Default Setting...
  • Page 481: Chapter 16 Using The Pass-Through Authentication Plug-In

    Chapter 16 Using the Pass-Through Authentication Plug-In Pass-through authentication (PTA) is a mechanism by which one directory server consults another to authenticate bind requests. The PTA plug-in provides this functionality, allowing a directory server to accept simple bind operations (password based) for entries not stored in its local database. Netscape Directory Server (Directory Server) uses PTA to allow you to administer your user and configuration directories on separate instances of Directory Server.
  • Page 482 How Directory Server Uses PTA PTA is required in this case because the admin user entry is stored under o=NetscapeRoot in the configuration directory. Therefore, attempts to bind to the user directory as admin would normally fail. PTA allows the user directory to transmit the credentials to the configuration directory which verifies them.
  • Page 483: Pta Plug-In Syntax

    PTA Plug-In Syntax
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: Pass Through Authentication
    nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.so
    nsslapd-pluginInitfunc: passthruauth_init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: on
    nsslapd-pluginarg0: ldap://config.example.com/ou=NetscapeRoot
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: passthruauth
    nsslapd-pluginVersion: 6.2
    nsslapd-pluginVendor: Netscape Communications Corporation
    nsslapd-pluginDescription: pass through authentication plugin
    The user directory is now configured to send all bind requests for entries whose DN contains to the configuration directory...
  • Page 484: Table 16-1 Pta Plug-In Parameters

    PTA Plug-In Syntax
    nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.extension
    nsslapd-pluginInitfunc: passthruauth_init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: state
    nsslapd-pluginarg0: ldap|ldaps://authDS/subtree [maxconns,maxops,timeout,ldver,connlifetime]
    The variable components of the PTA plug-in syntax are described in Table 16-1. Notes: • The LDAP URL (ldap|ldaps://authDS/subtree) must be separated from the optional parameters (maxconns...) by a single...
  • Page 485 PTA Plug-In Syntax Table 16-1 PTA Plug-In Parameters (Continued) Variable Definition subtree The pass-through subtree. The PTA directory server passes through bind requests to the authenticating directory server from all clients whose DN is in this subtree. See “Specifying the Pass-Through Subtree,” on page 489 for more information. maxconns Optional.
  • Page 486: Configuring The Pta Plug-In

    Configuring the PTA Plug-In Configuring the PTA Plug-In The only method for configuring the PTA plug-in is to modify the cn=Pass Through Authentication,cn=plugins,cn=config entry in the dse.ldif file. To modify the dse.ldif file, you must proceed as follows: Use the ldapmodify command to modify cn=Pass Through...
  • Page 487: Configuring The Servers To Use A Secure Connection

    Configuring the PTA Plug-In Create an LDIF file that contains the following LDIF update statements:
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    cn: Pass Through Authentication
    changetype: modify
    replace: nsslapd-pluginenabled
    nsslapd-pluginenabled: on
    Use the ldapmodify command to import the LDIF file into the directory. For detailed information on the ldapmodify command, refer to Netscape...
  • Page 488: Specifying The Authenticating Directory Server

    Configuring the PTA Plug-In To configure the PTA directory and authenticating directory to use SSL: Create an LDIF file that contains the following LDIF update statements:
    dn: cn=Pass Through Authentication,cn=plugins,cn=config
    cn: Pass Through Authentication
    changetype: modify
    replace: nsslapd-pluginarg0
    nsslapd-pluginarg0: ldaps://authDS/subtree [optional_parameters]
    For information on the variable components in this syntax, refer to “PTA Plug-In Parameters,”...
  • Page 489: Specifying The Pass-Through Subtree

    Configuring the PTA Plug-In Port 636 if ldaps:// is specified in the URL. For example, you could set the value of the nsslapd-pluginarg0 attribute to: "ldap://dirserver.example.com:389/subtree [Parameters]" For information on the variable components in this syntax, refer to “PTA Plug-In Parameters,”...
  • Page 490: Configuring The Optional Parameters

    Configuring the PTA Plug-In Configuring the Optional Parameters You can configure the following optional parameters for the PTA plug-in: • The maximum number of connections the PTA directory server can open simultaneously to the authenticating directory, represented by maxconns in the PTA syntax.
  • Page 491: Pta Plug-In Syntax Examples

    PTA Plug-In Syntax Examples dn: cn=Pass Through Authentication,cn=plugins,cn=config cn: Pass Through Authentication changetype: modify add: nsslapd-pluginarg0 nsslapd-pluginarg0: ldap://authDS/subtree [maxconns,maxops,timeout,ldver,connlifetime] Make sure there is a space between the subtree parameter and the optional parameters. For example, you could set the value of the nsslapd-pluginarg0 attribute to: "ldap://dirserver.example.com/o=NetscapeRoot 3,5,300,3,300"...
  • Page 492: Specifying Multiple Authenticating Directory Servers

    PTA Plug-In Syntax Examples dn: cn=Pass Through Authentication,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: Pass Through Authentication nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.so nsslapd-pluginInitfunc: passthruauth_init nsslapd-pluginType: preoperation nsslapd-pluginEnabled: on nsslapd-pluginarg0: ldap://config-dir.example.com/ou=NetscapeRoot nsslapd-plugin-depends-on-type: database nsslapd-pluginId: passthruauth nsslapd-pluginVersion: 6.2 nsslapd-pluginVendor: Netscape Communications Corporation nsslapd-pluginDescription: pass through authentication plugin Specifying Multiple Authenticating Directory Servers If the connection between the PTA directory server and the authenticating directory server is broken or the connection cannot be opened, the PTA directory...
  • Page 493: Specifying One Authenticating Directory Server And Multiple Subtrees

    PTA Plug-In Syntax Examples Specifying One Authenticating Directory Server and Multiple Subtrees The following example configures the PTA directory server to pass through bind requests for more than one subtree (using parameter defaults): dn: cn=Pass Through Authentication,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: Pass Through Authentication nsslapd-pluginPath: /usr/netscape/servers/lib/passthru-plugin.so...
  • Page 494: Servers

    Using Directory Server for Windows Pass-through Authentication Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers If you want to specify a different pass-through subtree and optional parameter values for each authenticating directory server, you must specify more than one LDAP URL/optional parameters pair.
  • Page 495 Using Directory Server for Windows Pass-through Authentication When users authenticate to a Directory Server running on Windows 2000, Directory Server first attempts to confirm the user’s identity using the normal Directory Server authentication mechanisms. If this authentication fails, Directory Server attempts to confirm authentication with the appropriate Windows 2000 primary domain controller if all the following conditions are true: •...
  • Page 496 Using Directory Server for Windows Pass-through Authentication Netscape Directory Server Administrator’s Guide • December 2003...
  • Page 497: Chapter 17 Using The Attribute Uniqueness Plug-In

    Chapter 17 Using the Attribute Uniqueness Plug-In The attribute uniqueness plug-in can be used to ensure that the attributes you specify always have unique values in the directory. You must create a new instance of the plug-in for every attribute for which you want to ensure unique values. Netscape Directory Server (Directory Server) provides a uid uniqueness plug-in that can be used to manage the uniqueness of the uid attribute.
  • Page 498 Overview of the Attribute Uniqueness Plug-In If an update operation applies to an attribute and suffix monitored by the plug-in, and it would cause two entries to have the same attribute value, then the server terminates the operation and returns an LDAP_CONSTRAINT_VIOLATION error to the client.
  • Page 499: Overview Of The Uid Uniqueness Plug-In

    Overview of the UID Uniqueness Plug-in Directory Server provides an instance of the attribute uniqueness plug-in, the Uid Uniqueness plug-in. By default, the plug-in ensures that values given to the uid attribute are unique in the suffix you configured when installing the directory (the suffix corresponding to the database).
  • Page 500 Attribute Uniqueness Plug-In Syntax nsslapd-pluginId: NSUniqueAttr nsslapd-pluginVersion: 6.2 nsslapd-pluginVendor: Netscape Communications Corporation nsslapd-pluginDescription: Enforce unique attribute values Notes: • You can specify any name you like in the cn attribute to name the plug-in. The name should be descriptive. This attribute does not contain the name of the attribute which is checked for uniqueness.
  • Page 501: Table 17-1 Attribute Uniqueness Plug-In Variables

    Attribute Uniqueness Plug-In Syntax • You can specify only one attribute on which the uniqueness check will be performed. • If the nsslapd-pluginarg0 attribute begins with attribute=attribute_name, then the server expects that the nsslapd-pluginarg1 attribute will include a markerObjectClass keyword. The variable components of the attribute uniqueness plug-in syntax are described in Table 17-1.
  • Page 502: Creating An Instance Of The Attribute Uniqueness Plug-In

    Creating an Instance of the Attribute Uniqueness Plug-In If you want to ensure that a particular attribute in your directory always has unique values, you must create an instance of the attribute uniqueness plug-in for the attribute you want to check.
  • Page 503: Configuring Attribute Uniqueness Plug-Ins

    Configuring Attribute Uniqueness Plug-Ins This section explains how to use Directory Server Console to view the plug-ins configured for your directory, and how to modify the configuration of the attribute uniqueness plug-ins. Viewing Plug-In Configuration Information From the Directory Server Console, you can display the configuration entry for attribute uniqueness plug-ins as follows: In the Directory Server Console, click the Directory tab.
  • Page 504: Configuring Attribute Uniqueness Plug-Ins From The Command Line

    Configuring Attribute Uniqueness Plug-Ins To modify an attribute uniqueness plug-in configuration from the Directory Server Console Configuration tab: In the Directory Server Console, select the Configuration tab, then in the navigation tree, expand the Plugins folder, and select the attribute uniqueness plug-in that you want to modify.
  • Page 505: Turning The Plug-In On Or Off

    Configuring Attribute Uniqueness Plug-Ins Turning the Plug-in On or Off To turn the plug-in on from the command line, you must create an LDIF file that contains the following LDIF update statements: dn: cn=descriptive_plugin_name,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginenabled nsslapd-pluginenabled: on Use the ldapmodify command to import the LDIF file into the directory.
  • Page 506: Using The Markerobjectclass And Requiredobjectclass Keywords

    Configuring Attribute Uniqueness Plug-Ins Using the markerObjectClass and requiredObjectClass Keywords Instead of specifying a suffix or subtree in the configuration of an attribute uniqueness plug-in, you can specify to perform the check under the entry belonging to the DN of the updated entry that has the object class specified in the markerObjectClass keyword.
  • Page 507: Attribute Uniqueness Plug-In Syntax Examples

    Attribute Uniqueness Plug-In Syntax Examples nsslapd-pluginarg1: markerObjectClass=ou nsslapd-pluginarg2: requiredObjectClass=person nsslapd-plugin-depends-on-type: database nsslapd-pluginId: NSUniqueAttr nsslapd-pluginVersion: 6.2 nsslapd-pluginVendor: Netscape Communications Corporation nsslapd-pluginDescription: Enforce unique attribute values You cannot repeat the markerObjectClass and requiredObjectClass keywords by incrementing the counter in the nsslapd-pluginarg attribute suffix. NOTE The nsslapd-pluginarg0 attribute always contains the name of...
  • Page 508: Specifying One Attribute And Multiple Subtrees

    Attribute Uniqueness Plug-In Syntax Examples Specifying One Attribute and Multiple Subtrees This example configures the plug-in to ensure the uniqueness of the mail attribute under the l=Chicago,dc=example,dc=com and l=Boston,dc=example,dc=com subtrees. dn: cn=mail uniqueness,cn=plugins,cn=config objectClass: top objectClass: nsSlapdPlugin objectClass: extensibleObject cn: mail uniqueness nsslapd-pluginPath: /usr/netscape/servers/lib/uid-plugin.so nsslapd-pluginInitfunc: NSUniqueAttr_Init nsslapd-pluginType: preoperation...
  • Page 509: Replication And The Attribute Uniqueness Plug-In

    Replication and the Attribute Uniqueness Plug-In When you use the attribute uniqueness plug-ins on Directory Servers involved in a replication agreement, you must think carefully about how to configure the plug-in on each server. Consider the following cases: •...
  • Page 510 Replication and the Attribute Uniqueness Plug-In When these conditions are met, attribute uniqueness conflicts are reported as naming conflicts at replication time. Naming conflicts require manual resolution. For information on how to resolve replication conflicts, refer to “Solving Common Replication Conflicts,” on page 344.
  • Page 511: Chapter 18 Configuring Im Presence Information

    Chapter 18 Configuring IM Presence Information Netscape Directory Server (Directory Server) 6.0 included a preview release of a new feature called Instant Messenger (IM) Presence Information. This chapter provides an overview of this feature and information that will help you configure Directory Server to provide an IM user’s online-status information as a part of the user-profile information stored in the directory.
  • Page 512: Schema For The Presence Plug-In

    Schema For the Presence Plug-In Making the presence information available via a directory provides an easy, efficient, and unified way of looking at a user’s online status. In organizations where a directory is generally deployed to store user-profile information, presence information can be added to the directory schema, and the online status of users becomes available to everyone within the organization without having to worry about the details of how this information is queried or obtained.
  • Page 513: Performance-Related Information

    Performance-Related Information The file lists the default object classes with the allowed attributes that must be added to a user’s entry in order for presence information to be available for that user: objectclass: nsAIMpresence attributeTypes: nsAIMid syntax DirectoryString attributeTypes: nsAIMStatusGraphic syntax Binary NO-USER-MODIFICATION USAGE directoryOperation attributeTypes: nsAIMStatusText syntax DirectoryString NO-USER-MODIFICATION USAGE directoryOperation...
  • Page 514: Setting Resource Limits Based On Bind Dn

    Troubleshooting Setting Resource Limits Based on Bind DN You can control or set limits on search operations for directory data using special operational attribute values on the client application binding to the directory. Table 18-1 lists attributes that you can use to set search-operation limits. Table 18-1 Attributes for Setting Limits On Search Operations Parameter...
  • Page 515: Part 3

    Part 3 Appendixes Appendix A, “LDAP Data Interchange Format” Appendix B, “Finding Directory Entries” Appendix C, “LDAP URLs” Appendix D, “Internationalization”...
  • Page 517: Appendix A Ldap Data Interchange Format

    Appendix A LDAP Data Interchange Format Netscape Directory Server (Directory Server) uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text format. LDIF is commonly used to build the initial directory database or to add large numbers of entries to the directory all at once.
  • Page 518 LDIF File Format The basic form of a directory entry represented in LDIF is as follows: dn: distinguished_name objectClass: object_class objectClass: object_class attribute_type[;subtype]:attribute_value attribute_type[;subtype]:attribute_value You must supply the DN and at least one object class definition. In addition, you must include any attributes required by the object classes that you define for the entry.
  • Page 519: Continuing Lines In Ldif

    LDIF File Format Table A-1 LDIF Fields (Continued) Field Definition [subtype] Optional. Specifies a subtype, language, binary, or pronunciation. Use this tag to identify the language in which the corresponding attribute value is expressed, or whether the attribute value is binary or a pronunciation of an attribute value.
  • Page 520 LDIF File Format If you use this standard notation, you do not need to specify the ldapmodify -b parameter. However, you must add the following line to the beginning of your LDIF file, or your LDIF update statements: version:1 For example, you could use the following ldapmodify command: prompt>...
  • Page 521: Specifying Directory Entries Using Ldif

    Specifying Directory Entries Using LDIF Specifying Directory Entries Using LDIF You can store many types of entries in your directory. This section concentrates on three of the most common types of entries used in a directory: organization, organizational unit, and organizational person entries. The object classes defined for an entry are what indicate whether the entry represents an organization, an organizational unit, an organizational person, or some other type of entry.
  • Page 522: Table A-2 Ldif Elements In Organization Entries

    Specifying Directory Entries Using LDIF The organization name in the following example uses a comma: dn: o="example.com Chile\\, S.A." objectclass: top objectclass: organization o: "example.com Chile\\, S.A." description: Fictional company for example purposes telephonenumber: 555-5556 Each element of the LDIF-formatted organization entry is defined in Table A-2. Table A-2 LDIF Elements in Organization Entries LDIF Element...
  • Page 523: Specifying Organizational Unit Entries

    Specifying Directory Entries Using LDIF Specifying Organizational Unit Entries Organizational unit entries are often used to represent major branch points, or subdirectories, in your directory tree. They correspond to major, reasonably static entities within your enterprise, such as a subtree that contains people, or a subtree that contains groups.
  • Page 524: Specifying Organizational Person Entries

    Specifying Directory Entries Using LDIF Table A-3 LDIF Elements in Organizational Unit Entries (Continued): LDIF Element / Description. objectClass: organizationalUnit | Specifies the organizationalUnit object class. This line defines the entry as an organizationalUnit. See the Netscape Directory Server Schema Reference for a list of the attributes you can use with this object class.
  • Page 525 Specifying Directory Entries Using LDIF ou: people description: Fictional person for example purposes telephonenumber: 555-5557 userpassword: {sha}dkfljlk34r2kljdsfk9 Table A-4 defines each aspect of the LDIF person entry. Table A-4 LDIF Elements in Person Entries: LDIF Element / Description. dn: distinguished_name | Specifies the distinguished name for the entry. A DN is required.
  • Page 526: Defining Directories Using Ldif

    Defining Directories Using LDIF You can define the contents of an entire directory using LDIF. Using LDIF is an efficient method of directory creation when you have many entries to add to the directory. To create a directory using LDIF, follow these steps: Create an ASCII file containing the entries you want to add in LDIF format.
  • Page 527: Ldif File Example

    Defining Directories Using LDIF Use this method if you currently have a directory database, but you are adding a new subtree to the database. Unlike the other methods for creating the directory from an LDIF file, Directory Server must be running before you can add a subtree using .
  • Page 528: Storing Information In Multiple Languages

    Storing Information in Multiple Languages mail: chambers@example.com userPassword: {sha}jdl2alem87dlacz1 telephoneNumber: 2652 ou: Manufacturing ou: People roomNumber: 167 dn: cn=Robert Wong,ou=People,example.com Corp,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Robert Wong cn: Bob Wong sn: Wong givenName: Robert givenName: Bob mail: bwong@example.com userPassword: {sha}nn2msx761 telephoneNumber: 2881...
  • Page 529 Storing Information in Multiple Languages For a list of the languages supported by Directory Server and their associated language tags, see “Identifying Supported Locales,” on page 559. NOTE The language tag has no effect on how the string is stored within the directory.
  • Page 531: Appendix B Finding Directory Entries

    Appendix B Finding Directory Entries You can find entries in your directory using any LDAP client. Most clients provide some form of a search interface that allows you to easily search the directory and retrieve entry information. NOTE You cannot search the directory unless the appropriate access control has been set in your directory.
  • Page 532: Using Ldapsearch

    Using ldapsearch On Directory Server Console, select the Directory tab. Depending on the DN you used to authenticate to the directory, this tab displays the contents of the directory that you have access permissions to view. You can browse through the contents of the tree or right-click an entry and select Search from the pop-up menu.
  • Page 533: Ldapsearch Command-Line Format

    Using ldapsearch Depending on your command-line interpreter, use either single or double quotation marks for this purpose. Refer to your operating system documentation for more information. ldapsearch Command-Line Format When you use ldapsearch, you must enter the command using the following format: ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes]...
  • Page 534 Using ldapsearch Option / Description: Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database. This option is optional if the LDAP_BASEDN environment variable has been set to a base DN. The value specified in this option should be provided in double quotation marks.
  • Page 535 Using ldapsearch Option / Description: Specifies the scope of the search. The scope can be one of the following: • base—Search only the entry specified in the option or defined by the LDAP_BASEDN environment variable. • —Search only the immediate children of the entry specified in the option.
  • Page 536: Ldapsearch Examples

    Using ldapsearch ldapsearch Examples In the next set of examples, suppose the following are true: • You want to perform a search of all entries in the directory. • You have configured your directory to support anonymous access for search and read.
  • Page 537: Searching The Schema Entry

    Using ldapsearch Searching the Schema Entry Directory Server stores all directory server schema in the special cn=schema entry. This entry contains information on every object class and attribute defined for your directory server. You can examine the contents of this entry as follows: ldapsearch -h mozilla -b "cn=schema"...
  • Page 538: Specifying Search Filters Using A File

    Using ldapsearch Specifying Search Filters Using a File You can enter search filters into a file instead of entering them on the command line. When you do this, specify each search filter on a separate line in the file. The ldapsearch command runs each search in the order in which it appears in the file.
  • Page 539: Ldap Search Filters

    LDAP Search Filters Search filters select the entries to be returned for a search operation. They are most commonly used with the ldapsearch command-line utility. When you use ldapsearch, you can place multiple search filters in a file, with each filter on a separate line in the file, or you can specify a search filter directly on the command line.
  • Page 540: Using Attributes In Search Filters

    LDAP Search Filters Using Attributes in Search Filters When searching for an entry, you can specify attributes associated with that type of entry. For example, when you search for people entries, you can use the cn attribute to search for people with a specific common name. Examples of attributes that people entries might include: •...
  • Page 541: Using Compound Search Filters

    LDAP Search Filters Table B-1 Search Filter Operators (Continued): Search Type / Operator / Description. Greater than or equal to | >= | Returns entries containing attributes that are greater than or equal to the specified value. For example, buildingname >= alpha. Less than or equal to | <= | Returns entries containing attributes that are less than or equal to the specified value.
  • Page 542: Search Filter Examples

    LDAP Search Filters Table B-2 Search Filter Boolean Operators: Operator / Symbol / Description. &: All specified filters must be true for the statement to be true. For example: (&(filter)(filter)(filter)...) |: At least one specified filter must be true for the statement to be true. For example: (|(filter)(filter)(filter)...) !: The specified statement must not be true for the statement to be true.
  • Page 543: Searching An Internationalized Directory

    Searching an Internationalized Directory The following filter returns all entries whose organizational unit is Marketing and that have Julie Fulmer or Cindy Zwaska as a manager: (&(ou=Marketing)(|(manager=cn=Julie Fulmer,ou=Marketing,dc=example,dc=com)(manager=cn=Cindy Zwaska,ou=Marketing,dc=example,dc=com))) The following filter returns all entries that do not represent a person: (!(objectClass=person)) The following filter returns all entries that do not represent a person and whose common name is similar to...
  • Page 544: Matching Rule Filter Syntax

    Searching an Internationalized Directory Matching Rule Filter Syntax A matching rule provides special guidelines for how the directory compares strings during a search operation. In an international search, the matching rule tells the system what collation order and operator to use when performing the search operation.
  • Page 545 Searching an Internationalized Directory • Using a Language Tag and Suffix for the Matching Rule Using an OID for the Matching Rule Each locale supported by the directory server has an associated collation order OID. For a list of locales supported by the directory server and their associated OIDs, see Table D-1 on page 559.
  • Page 546: Using Wildcards In Matching Rule Filters

    Searching an Internationalized Directory For a list of locales supported by the directory server and their associated OIDs, see Table D-1 on page 559. For a list of relational operators and their equivalent suffixes, see Table B-3 on page 547. Using a Language Tag and Suffix for the Matching Rule As an alternative to using a relational operator-value pair, you can append a suffix that represents a specific operator to the language tag in the matching rule portion...
  • Page 547: International Search Examples

    Searching an Internationalized Directory • greater than or equal to (>=) • less than (<) • less than or equal to (<=) Approximate, or phonetic, and presence searches are supported only in English. As with a regular search operation, an international search uses ldapsearch operators to define the type of search.
  • Page 548: Less Than Or Equal To Example

    Searching an Internationalized Directory For example, to search for all surnames that come before the surname Marquez in the Spanish collation order, you could use any of the following matching rule filters: sn:2.16.840.1.113730.3.3.2.15.1:=< Marquez sn:es:=< Marquez sn:2.16.840.1.113730.3.3.2.15.1.1:=Marquez sn:es.1:=Marquez Less Than or Equal to Example When you perform a locale-specific search using the less than or equal to operator (<=) or suffix (.2), you search for all attribute values that come at or before the given attribute in a specific collation order.
  • Page 549: Greater Than Example

    Searching an Internationalized Directory For example, to search for all localities that come at or after Québec in the French collation order, you could use any of the following matching rule filters: locality:2.16.840.1.113730.3.3.2.18.1:=>= Québec locality:fr:=>= Québec locality:2.16.840.1.113730.3.3.2.18.1.4:=Québec locality:fr.4:=Québec Greater Than Example When you perform a locale-specific search using the greater than operator (>) or suffix (.5), you search for all attribute values that come at or before the given attribute in a specific collation order.
  • Page 551: Appendix C Ldap Urls

    Appendix C LDAP URLs When you access the Netscape Directory Server (Directory Server) using a web-based client such as Directory Server Gateway, you must provide an LDAP URL identifying the Directory Server you wish to access. You also use LDAP URLs when managing Directory Server referrals or access control instructions.
  • Page 552 Components of an LDAP URL Table C-1 LDAP URL Components (Continued) Component Description base_dn Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search. If no base DN is specified, the search starts at the root of the directory tree. attributes The attributes to be returned.
  • Page 553: Escaping Unsafe Characters

    Escaping Unsafe Characters Any “unsafe” characters in the URL need to be represented by a special sequence of characters. This is called escaping unsafe characters. For example, a space is an unsafe character that must be represented as within the URL.
  • Page 554: Examples Of Ldap Urls

    Examples of LDAP URLs Example 1: The following LDAP URL specifies a base search for the entry with the distinguished name dc=example,dc=com: ldap://ldap.example.com/dc=example,dc=com Because no port number is specified, the standard LDAP port number (389) is used. Because no attributes are specified, the search returns all attributes.
  • Page 555 Examples of LDAP URLs Example 4: The following LDAP URL specifies a search for entries that have the surname Jensen and are at any level under dc=example,dc=com: ldap://ldap.example.com/dc=example,dc=com??sub?(sn=Jensen) Because no attributes are specified, the search returns all attributes. Because the search scope is sub, the search encompasses the base entry and entries at all levels under the base entry.
  • Page 557: Appendix D Internationalization

    Appendix D Internationalization Netscape Directory Server (Directory Server) allows you to store, manage, and search for entries and their associated attributes in a number of different languages. An internationalized directory can be an invaluable corporate resource, providing employees and business partners with immediate access to the information they need in the languages they can understand.
  • Page 558 About Locales In addition, the locale information indicates what code page should be used to represent a given language. A code page is an internal table that the operating system uses to relate keyboard keys to character font screen displays. More specifically, a locale specifies: •...
  • Page 559: Identifying Supported Locales

    Identifying Supported Locales When performing directory operations that require you to specify a locale, such as a search operation, you can use a language tag or a collation order object identifier (OID). A language tag is a string that begins with the two-character lowercase language code that identifies the language (as defined in ISO standard 639).
  • Page 560 Identifying Supported Locales Table D-1 Supported Locales (Continued): Locale / Language Tag / Collation Order Object Identifier (OID). English (US) | en or en-US | 2.16.840.1.113730.3.3.2.11.1; Estonian | 2.16.840.1.113730.3.3.2.16.1; Finnish | 2.16.840.1.113730.3.3.2.17.1; French | fr or fr-FR | 2.16.840.1.113730.3.3.2.18.1; German | 2.16.840.1.113730.3.3.2.7.1; Greek | 2.16.840.1.113730.3.3.2.10.1; Hebrew | 2.16.840.1.113730.3.3.2.27.1; Hungarian | 2.16.840.1.113730.3.3.2.23.1; Icelandic | 2.16.840.1.113730.3.3.2.24.1; Japanese | 2.16.840.1.113730.3.3.2.28.1...
  • Page 561: Supported Language Subtypes

    Supported Language Subtypes Language subtypes can be used by clients to determine specific values for which to search. For more information on using language subtypes, see “Adding an Attribute Subtype,” on page 53. Table D-2 contains the list of supported language subtypes. Table D-2 Supported Language Subtypes Language tag...
  • Page 562 Supported Language Subtypes Table D-2 Supported Language Subtypes (Continued): Language tag / Language. Dutch; Norwegian; Polish; Portuguese; Romanian; Russian; Slovakian; Slovenian; Albanian; Serbian; Swedish; Turkish; Ukrainian; Chinese.
  • Page 563: Glossary

    Glossary access control instruction See ACI. ACI Access Control Instruction. An instruction that grants or denies permissions to entries in the directory. access control list See ACL. ACL Access control list. The mechanism for controlling access to your directory. access rights In the context of access control, specify the level of access granted or denied.
  • Page 564 attribute Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value. attribute list A list of required and optional attributes for a given entry type or object class.
  • Page 565 browser Software, such as Netscape Navigator, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server. browsing index Otherwise known as the virtual view index, speeds up the display of entries in the Directory Server Console.
  • Page 566 ciphertext Encrypted information that cannot be read by anyone without the proper key to decrypt the information. CIR See consumer-initiated replication. class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory.
  • Page 567 daemon A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning. DAP Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory. data master The server that is the master source of a particular piece of data.
  • Page 568 DNS Domain Name System. The system used by machines on a network to associate standard IP addresses (such as 198.93.93.10) with hostnames (such as www.example.com). Machines normally get the IP address for a hostname from a DNS server, or they look it up in tables maintained on their systems. DNS alias A DNS alias is a hostname that the DNS server knows points to a different host—specifically a DNS CNAME record.
  • Page 569 general access When granted, indicates that all authenticated users can access directory information. hostname A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, is the machine www.example.com in the subdomain domain. example HTML Hypertext Markup Language.
  • Page 570 ISO International Standards Organization knowledge reference Pointers to directory information stored in different databases. LDAP Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms. LDAPv3 Version 3 of the LDAP protocol, upon which Directory Server bases its schema format LDAP client Software used to request and view LDAP entries from an LDAP Directory Server.
  • Page 571 management information base See MIB. mapping tree A data structure that associates the names of suffixes (subtrees) with databases. master agent See SNMP master agent. matching rule Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.
  • Page 572 name collisions Multiple entries with the same distinguished name. nested role Allow you to create roles that contain other roles. network management application Network Management Station component that graphically displays information about SNMP managed devices (which device is up or down, which and how many error messages were received, etc.). network management station See NMS.
  • Page 573 password file A file on Unix machines that stores Unix user login names, passwords, and user ID numbers. It is also known as , because of /etc/passwd where it is kept. password policy A set of rules that govern how passwords are used in a given directory.
  • Page 574 RAM Random access memory. The physical semiconductor-based memory in a computer. Information stored in RAM is lost when the computer is shut down. rc.local A file on Unix machines that describes programs that are run when the machine starts. It is also called because of its location.
  • Page 575 role An entry grouping mechanism. Each role has members, which are the entries that possess the role. role-based attributes Attributes that appear on an entry because it possesses a particular role within an associated CoS template. root The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine.
  • Page 576 service A background process on a Windows machine that is responsible for a particular system task. Service processes do not need human intervention to continue functioning. SIE Server Instance Entry, the ID assigned to an instance of Directory Server during installation. Simple Network Management Protocol See SNMP.
  • Page 577 suffix The name of the entry at the top of the directory tree, below which data is stored. Multiple suffixes are possible within the same directory. Each database only has one suffix. superuser The most privileged user available on Unix machines (also called root).
  • Page 578 uid A unique number associated with each user on a Unix system. URL Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is .
  • Page 579: Index

    Index targeting attributes 205 targeting entries 203 access control targeting using filters 206 ACI attribute 196 using the Access Control Editor 231 ACI syntax 200 value matching 220 allowing or denying access 209 Access Control Editor and replication 263 displaying 232 and schema checking 205 viewing current ACIs 233 anonymous access 215, 229, 237...
  • Page 580 cascading chaining 127 adding directory entries 58 creating from console 234 Administration Server dayofweek keyword 228 master agents and 436 deleting from console 236 agents dns keyword 226 master agent 436 editing from console 235 Unix 436 evaluation 197 Windows NT 436 examples of use 236 subagent 436 groupdn keyword 218...
  • Page 581 passwordGraceLimit 269 passwordInHistory 272 backing up data 154 passwordMustChange 270 all 154 passwordStorageScheme 272 db2bak 155 ref 139 dse.ldif 157 removing a value 52 bak2db script 158 roles 173 searching for 540 bak2db.pl perl script 159 standard 353, 354 base 64 encoding 519 syntax 356 base DN, ldapsearch and 537 targeting 205...
  • Page 582 self keyword 216 component operations,from command line 101 timeofday keyword 227 overview 97 user access using SSL 113 LDIF example 217 change log 287 parent 216 deleting 325 self 216 using with referential integrity 75 user access example 239 change operations 63 userattr keyword 220 add 67 userdn keyword 215...
  • Page 583 classic CoS consumer initialization example 180 manual consumer creation 328 overview 180 online consumer creation 327 client consumer server 287 using to find entries 531 continued lines client authentication in LDIF 519 over SSL 409 in LDIF update statements 63 code page 558 CoS definition entry attributes 185...
  • Page 584 creating from command line 93 database transaction logging creating from console 92 described 451 creating multiple 94 durable transactions 453 creating using LDIF 526 log file location 452 deleting 96 databases export 150 in directory server 79 db2ldif 153 date format 558 export from console 151 dayofweek keyword 228 import 143...
  • Page 585 Directory Manager dse.ldif attribute 34 PTA plugin 486 configuring 34 dse.ldif file privileges 34 backing up 157 directory server 421 PTA syntax 486 attributes 34 restoring 161 basic administration 31 durable transactions 453 binding to 34 dynamic groups 165 changing bind DN 35 creating 165 configuration 37 modifying 165...
  • Page 586 LDAP_BASEDN 537 EOF marker 56 general access equality index 364 example 218 equality search 540 overview 215 example 542 global password policy 266 international example 548 glossary of terms 563 error log greater than or equal to search access control information 264 international example 548, 549 configuring 418 overview 541...
  • Page 587 inactivating accounts 280 locales and 557 location of files 558 inactivating roles 167, 171 matching rule filters 544 index types 364 modifying entries 72 approximate index 364 monetary format 558 browsing index 365 object identifiers and 559 equality index 364 of LDIF files 528 international index 365 search filters and 543...
  • Page 588 examples 206 internationalization and 528 line continuation 519 LDAP URLs Server Console and 57 components of 551 specifying entries examples 554 organization 521 for database links 108 organizational person 524 in access control 216 organizational unit 523 security and 555 update statements 62 syntax 551 using to create directory 526...
  • Page 589 international example 548 manually rotating log files 420 syntax 541 markerObjectClass keyword 506 less than search master agent international example 547 overview 436 syntax 541 Unix 436 local password policy 266 Windows NT 436 locales matchingRule format 544 defined 557 using language tag 545 location of files 558 using language tag and suffix 546...
  • Page 590 standard 353, 358 user-defined 358 naming conflicts viewing 358 in replication 344 object identifier (OID) 559 nested role attribute 356 creating 170 in matchingRule 545 example 175 object class 359 netscape-ldap.mib 438 objectClass field (LDIF) 518 entries table 440 OID, See object identifier interaction table 441 operational CoS qualifier 186 location of 438...
  • Page 591 global 266 disabling 480 lockout duration 277 distinguished name syntax plug-in 465 managing 265 enabling 480 password failure counter 277 generalized time syntax plug-in 465 replication 279 integer syntax plug-in 466 subtree level 266 internationalization plug-in 466 user level 266 ldbm database plug-in 467 legacy replication plug-in 468 passwordChange attribute 270...
  • Page 592 protocol data units. See PDUs referral object class 139 proxy authorization referrals ACI example 254 creating smart referrals 137 with cascading chaining 126 creating suffix 140 on update 88 proxy DN 255 setting default 136 proxy right 210 suffix 87 PTA plug-in renaming entries configuring 486...
  • Page 593 supplier bind DN 288 access to directory 219 supplier server 287 activating 281 supplier-initiated 287 attributes 173 troubleshooting 348 editing 170 unit of 288 filtered using template-cl-dump.pl script 352 creating 169 using template-repl-monitor.pl script 342 example 174 inactivating 167, 280 replication agreement 289 inactivation 171 creating 301...
  • Page 594 scripts serverRoot 27 template-cl-dump.pl 352 setting access controls 231 template-repl-monitor.pl 342 setting passwords 276 search filters 539 simple authentication 229 Boolean operators 541 Simple Authentication and Security Layer (SASL). contained in file 537 See SASL authentication examples 539, 542 Simple Network Management Protocol. See SNMP matching rule 544 Simple Sockets Layer.
  • Page 595 creating root suffix 82 and replication 334 creating sub suffix 83 certificate password 40 custom distribution function 94 chaining with 113 custom distribution logic 94 client authentication 409 disabling 89 configuring clients to use 409 in directory server 79 enabling 403 using referrals 87 port number 37 on update only 88...
  • Page 596 overview 201 referential integrity 72 using LDAP search filters 206 user level password policy 266 using LDAP URLs 216 user passwords 276 target keyword 203 userattr keyword 220 targetattr keyword 205 restriction on add 225 targetfilter keyword 206 user-defined attributes 354 targeting user-defined object classes 358 directory entries 203...
