manualshive.com logo in svg

Netscape NETSCAPE DIRECTORY SERVER 6.02, Administrator'S Manual

Share
Download
Netscape NETSCAPE DIRECTORY SERVER 6.02 Administrator'S Manual Download Page 205

Creating ACIs Manually

Chapter

6

Managing Access Control

205

Comparing the value of an attribute:

Grant compare permission on the attribute type.

Searching for entries:

Grant search permission on each attribute type used in the search filter.

Grant read permission on attribute types used in the entry.

The permissions you need to set up to allow users to search the directory are more
readily understood with an example. Consider the following

ldapsearch

operation:

% ldapsearch -h

host

-s

base

-b

"

uid=bkolics,dc=example,dc=com

"

objectclass=* mail

The following ACI is used to determine whether user

bkolics

can be granted

access:

aci: (targetattr = "mail")(version 3.0; acl "self access to mail";

allow (read, search) userdn = "ldap:///self";)

The search result list is empty, because this ACI does not grant access to the
objectclass attribute. If you want the search operation described above to be
successful, you must modify the ACI to read as follows:

aci: (targetattr = "mail || objectclass")(version 3.0; acl "self

access to mail"; allow (read, search) userdn = "ldap:///self";)

Permissions Syntax

In an ACI statement, the syntax for permissions is:

allow|deny (

rights

)

where

rights

is a list of 1 to 8 comma-separated keywords enclosed within

parentheses. Valid keywords are

read

,

write

,

add

,

delete

,

search

,

compare

,

selfwrite

,

proxy

, or

all

.

In the following example, read, search, and compare access is allowed, provided
the bind rule is evaluated to be true:

aci:

(target="ldap:///dc=example,dc=com") (version 3.0;acl

"example";

allow (read, search, compare)

bind_rule

;)

Summary of Contents for NETSCAPE DIRECTORY SERVER 6.02

Page 1: ...Administrator s Guide Netscape Directory Server Version6 02 May 2002 ...

Page 2: ... 2002 Netscape Communications Corporation All rights reserved Portions of the Software copyright 1995 PEER Networks Inc All rights reserved The Software contains the Taligent International Classes from Taligent Inc and IBM Corp Portions of the Software copyright 1992 1998 Regents of the University of Michigan All rights reserved The software contains encryption software from RSA Security Inc Copyr...

Page 3: ...ver Console 28 Copying Entry DNs to the Clipboard 29 Configuring the Directory Manager 30 Binding to the Directory From Netscape Console 30 Starting and Stopping the Directory Server 31 Configuring LDAP Parameters 33 Starting the Server with SSL Enabled 36 Cloning a Directory Server 37 Starting the Server in Referral Mode 38 Chapter 2 Creating Directory Entries 41 Managing Entries From the Directo...

Page 4: ...aintaining Databases 85 Creating Databases 86 Maintaining Directory Databases 91 Creating and Maintaining Database Links 92 Configuring the Chaining Policy 93 Creating a New Database Link 98 Chaining Using SSL 109 Maintaining Database Links 110 Database Links and Access Control Evaluation 111 Advanced Feature Tuning Database Link Performance 112 Detecting Errors During Normal Processing 115 Managi...

Page 5: ...ples Managed Role Definition 169 Example Filtered Role Definition 170 Example Nested Role Definition 171 Using Roles Securely 171 Assigning Class of Service 172 About CoS 173 About the CoS Definition Entry 173 About the CoS Template Entry 174 How a Pointer CoS Works 175 How an Indirect CoS Works 175 How a Classic CoS Works 176 Managing CoS Using the Console 177 Managing CoS From the Command Line 1...

Page 6: ...ting Write Access to Personal Entries 233 Restricting Access to Key Roles 236 Granting a Group Full Access to a Suffix 238 Granting Rights to Add and Delete Group Entries 239 Granting Conditional Access to a Group or Role 241 Denying Access 243 Setting a Target Using Filtering 246 Allowing Users to Add or Remove Themselves From a Group 246 Defining Permissions for DNs That Contain a Comma 247 Prox...

Page 7: ...d DN 271 Setting Resource Limits Using the Console 272 Setting Resource Limits Using the Command Line 272 Chapter 8 Managing Replication 275 Replication Overview 276 Read Write Replica Read Only Replica 276 Supplier Consumer 276 Change Log 277 Unit of Replication 277 Replication Identity 278 Replication Agreement 279 Compatibility with Earlier Versions of Directory Server 279 Replication Scenarios...

Page 8: ...onsumer Initialization 310 Manual Consumer Initialization Using the Command Line 311 Manual Consumer Initialization Overview 311 Exporting a Replica to LDIF 312 Importing the LDIF File to the Consumer Server 312 Forcing Replication Updates 312 Forcing Replication Updates From the Console 313 Forcing Replication Updates From the Command Line 313 Replication Over SSL 316 Configuring Replication Over...

Page 9: ...dex Entry 356 Running the vlvindex Script 358 Deleting Indexes 359 Deleting Indexes From the Server Console 360 Deleting Indexes From the Command Line 361 Deleting an Index Entry 361 Running the db2index pl Script 362 Deleting Browsing Indexes From the Server Console 363 Deleting Browsing Indexes From the Command Line 364 Deleting a Browsing Index Entry 364 Running the vlvindex Script 366 Managing...

Page 10: ...he Audit Log 396 Configuring the Audit Log 396 Manual Log File Rotation 397 Monitoring Server Activity 398 Monitoring Your Server From the Directory Server Console 398 Viewing the Server Performance Monitor 398 Overview of Server Performance Monitor Information 398 General Information Server 399 Resource Summary 399 Current Resource Usage 400 Connection Status 401 Global Database Cache Information...

Page 11: ...mance 423 Tuning Server Performance 423 Tuning Database Performance 424 Optimizing Search Performance 425 Tuning Transaction Logging 427 Changing the Location of the Database Transaction Log 428 Changing the Database Checkpoint Interval 428 Disabling Durable Transactions 429 Specifying Transaction Batching 430 Miscellaneous Tuning Tips 430 Avoid Creating Entries Under the cn config Entry in the ds...

Page 12: ...2 UID Uniqueness Plug in 452 URI Plug in 454 Enabling and Disabling Plug Ins From the Server Console 454 Chapter 16 Using the Pass Through Authentication Plug In 455 How Directory Server Uses PTA 455 PTA Plug In Syntax 457 Configuring the PTA Plug In 459 PTA Plug In Syntax Examples 465 Specifying One Authenticating Directory Server and One Subtree 465 Specifying Multiple Authenticating Directory S...

Page 13: ...n LDIF 491 Representing Binary Data 491 Specifying Directory Entries Using LDIF 493 Defining Directories Using LDIF 497 LDIF File Example 499 Storing Information in Multiple Languages 500 Appendix B Finding Directory Entries 503 Finding Entries Using the Server Console 503 Using ldapsearch 504 Using Special Characters 504 ldapsearch Command Line Format 505 Commonly Used ldapsearch Options 505 ldap...

Page 14: ...16 Using Wildcards in Matching Rule Filters 518 Supported Search Types 518 International Search Examples 519 Less Than Example 519 Less Than or Equal to Example 520 Equality Example 520 Greater Than or Equal to Example 520 Greater Than Example 521 Substring Example 521 Appendix C LDAP URLs 523 Components of an LDAP URL 523 Escaping Unsafe Characters 525 Examples of LDAP URLs 526 Appendix D Interna...

Page 15: ...igure 4 1 Splitting a Database Contents into Two Databases 147 Figure 5 1 Sample Pointer CoS 175 Figure 5 2 Sample Indirect CoS 176 Figure 5 3 Sample Classic CoS 177 Figure 6 1 Using Inheritance With the userattr Keyword 218 Figure 6 2 Selecting an Object in the Navigation Tree to Set Access Control l 226 Figure 6 3 Access Control Editor Window 226 Figure 6 4 Example directory tree for Macro ACIs ...

Page 16: ...16 Netscape Directory Server Administrator s Guide May 2002 ...

Page 17: ... Error Detection Parameters 116 Table 3 7 Cascading Chaining Configuration Attributes 125 Table 4 1 Import Method Comparison 140 Table 5 1 Object Classses and Attributes for Roles 169 Table 5 2 CoS Definition Entry Object Classes 180 Table 5 3 CoS Definition Entry Attributes 181 Table 5 4 CoS Definitions 182 Table 6 1 LDIF Target Keywords 196 Table 6 2 LDIF Bind Rule Keywords 207 Table 6 3 Macros ...

Page 18: ...ug In 437 Table 15 5 Details of Boolean Syntax Plug In 438 Table 15 6 Details of Case Exact String Syntax Plug In 438 Table 15 7 Details of Case Ignore String Syntax Plug In 439 Table 15 8 Details of Cloning Database Plug In 439 Table 15 9 Details of Class of Service Plug In 440 Table 15 10 Details of Country String Plug In 440 Table 15 11 Details of Distinguished Name Syntax Plug In 441 Table 15 ...

Page 19: ...ters 458 Table 17 1 Attribute Uniqueness Plug In Variables 473 Table 18 1 Attributes for Setting Limits On Search Operations 486 Table A 1 LDIF Fields 490 Table A 2 LDIF Elements in Organization Entries 494 Table A 3 LDIF Elements in Organizational Unit Entries 495 Table A 4 LDIF Elements in Person Entries 497 Table B 1 Search Filter Operators 512 Table B 2 Search Filter Boolean Operators 514 Tabl...

Page 20: ...20 Netscape Directory Server Administrator s Guide May 2002 ...

Page 21: ... read and write operations Multi master replication can be combined with simple and cascading replication scenarios to provide a highly flexible and scalable replication environment Chaining and referrals Increases the power of your directory by storing a complete logical view of your directory on a single server while maintaining data on a large number of directory servers transparently for clien...

Page 22: ...ts you to monitor your Directory Server in real time using the Simple Network Management Protocol SNMP Online backup and restore Allows you to create backups and restore from backups while the server is running Prerequisite Reading This manual describes how to administer the Directory Server and its contents However this manual does not describe many of the basic directory and architectural concep...

Page 23: ...the Directory Server in a different location you should adapt the path accordingly serverID represents the server identifier you gave the server when you installed it For example if you gave the server an identifier of phonebook then the actual path would be usr netscape servers slapd phonebook All paths specified in this manual are in UNIX format If you are using a Windows based Directory Server ...

Page 24: ...ectory Server schema Netscape Directory Server Plug in Reference Guide Describes how to write server plug ins in order to customize and extend the capabilities of Directory Server For a list of documentation installed with Directory Server open the server_root manual en slapd index htm file where server_root is the directory in which you installed Directory Server For the latest information about ...

Page 25: ...Creating Directory Entries Chapter 3 Configuring Directory Databases Chapter 4 Populating Directory Databases Chapter 5 Advanced Entry Management Chapter 6 Managing Access Control Chapter 7 User Account Management Chapter 8 Managing Replication Chapter 9 Extending the Directory Schema Chapter 10 Managing Indexes ...

Page 26: ...ectory Server Administrator s Guide May 2002 Chapter 11 Managing SSL Chapter 12 Monitoring Server and Database Activity Chapter 13 Monitoring Directory Server Using SNMP Chapter 14 Tuning Directory Server Performance ...

Page 27: ...Directory Server and the most basic tasks you need to start administering a directory service It includes the following sections Overview of Directory Server Management page 28 Using the Directory Server Console page 28 Configuring the Directory Manager page 30 Binding to the Directory From Netscape Console page 30 Starting and Stopping the Directory Server page 31 Configuring LDAP Parameters page...

Page 28: ...etscape Console The Directory Server Console is a part of Netscape Console designed specifically for use with Directory Server You can perform most Directory Server administrative tasks from the Directory Server Console You can also perform administrative tasks manually by editing the configuration files or by using command line utilities For more information about the Netscape Console see Managin...

Page 29: ...word The Netscape Console is displayed 5 Navigate through the tree in the left hand pane to find the machine hosting your Directory Server and click on its name or icon to display its general properties 6 To edit the name and description of your Directory Server click the Edit button Enter the new name and description in the text boxes The name will appear in the tree on the left Click OK to set t...

Page 30: ...a different user 2 On the Directory Server Console select the Configuration tab and then select the top entry in the navigation tree in the left pane 3 Select the Manager tab in the right pane 4 Enter the new distinguished name for the Directory Manager in the Root DN field The default value is cn Directory Manager 5 From the Manager Password Encryption pull down menu select the storage scheme you...

Page 31: ...t to bind to the server For example if you want to bind as the Directory Manager then enter the following in the Distinguished Name text box cn Directory Manager For more information about the Directory Manager DN and password refer to Configuring the Directory Manager on page 30 Viewing the Current Bind DN From the Console You can view the bind DN you used to log in to the Directory Server Consol...

Page 32: ...s icon 3 Scroll through the list of services and select the Netscape Directory Server The service name is Netscape Directory Server version serverID where version is the version number and serverID is the identifier you specified for the server when you installed it 4 Start or stop the service To stop the service click Stop and then confirm that you want to stop the service To start the service se...

Page 33: ... settings through the Directory Server Console This section provides information on Changing Directory Server Port Numbers Placing the Entire Directory Server in Read Only Mode Tracking Modifications to Directory Entries For information on schema checking see Chapter 9 Extending the Directory Schema Changing Directory Server Port Numbers You can modify the port or secure port number of your user D...

Page 34: ...ext box The default value is 389 4 Enter the port number you want the server to use for SSL communications in the Encrypted Port text box The encrypted port number that you specify must not be the same port number as you are using for normal LDAP communications The default value is 636 5 Click Save and then restart the server See Starting and Stopping the Directory Server on page 31 for informatio...

Page 35: ...s last modified in GMT format To enable the Directory Server to track this information 1 On the Directory Server Console select the Configuration tab and then select the top entry in the navigation tree in the left pane 2 Select the Settings tab in the right pane NOTE This operation also makes the Directory Server configuration read only therefore you cannot update the server configuration enable ...

Page 36: ... on the server s host machine On UNIX you must start the server from the command line Alternatively on either platform you can create a password file to store your certificate password By placing your certificate database password in a file you can start your server from the server console and also allow your server to automatically restart when running unattended The password file must be placed ...

Page 37: ...on of your first Directory Server instance and apply it to the new one Creating a New Directory Server Instance 1 In the Netscape Console window select then right click Server Group in the navigation tree 2 From the pop up menu select Create Instance of Directory Server The Create New Instance dialog box is displayed 3 Enter a unique identifier for the server in the Server Identifier field This na...

Page 38: ... displayed with the list of target servers for cloning 3 In this window select the server to which you want the configuration to apply and click the Clone To button A message is displayed to give you the status of the operation Starting the Server in Referral Mode Referrals are used to redirect client applications to another server while the current server is unavailable or when the client request...

Page 39: ...tory Server you want to start in referral mode and ldapurl is the referral returned to clients For information on the format of an LDAP URL refer to Appendix C LDAP URLs On a Windows machine to start the Directory Server in referral mode follow these steps 1 Go to the following directory under your installation directory netscape servers slapd serverID bin slapd server 2 Run the refer command as f...

Page 40: ...Starting the Server in Referral Mode 40 Netscape Directory Server Administrator s Guide May 2002 ...

Page 41: ...apter consists of the following sections Managing Entries From the Directory Console page 41 Managing Entries From the Command Line page 50 LDIF Update Statements page 58 Maintaining Referential Integrity page 68 Managing Entries From the Directory Console You can use the Directory tab and the Property Editor on the Directory Server Console to add modify or delete entries individually If you want ...

Page 42: ...tomatically created To create a root entry for a database 1 On the Directory Server Console select the Configuration tab For information on starting the Directory Server Console refer to Using the Directory Server Console on page 28 2 Create a new database as explained in Creating and Maintaining Databases on page 85 3 On the Directory tab right click the top object representing the Directory Serv...

Page 43: ...he Property Editor for the new entry is displayed You can accept the current values by clicking OK or modify the entry as explained in Modifying Directory Entries on page 45 Creating Directory Entries Directory Server Console offers several predefined templates for creating directory entries Templates are available for the following types of entries User Group Organizational Unit Role Class of Ser...

Page 44: ...nizational Unit Role Class of Service or Other The corresponding Create window is displayed 3 Supply values for all of the mandatory attributes identified by an asterisk and if you want for any of the optional attributes The Create window does not provide fields for all optional attributes 4 To display the full list of attributes click the Advanced button The Property Editor is displayed Refer to ...

Page 45: ...ect the naming attribute you want to use to name your new entry To provide values for optional attributes that are not listed refer to Modifying Directory Entries on page 45 6 Click OK to save the new entry and dismiss the Property Editor window The new entry is displayed in the right pane Modifying Directory Entries To modify directory entries from Directory Server Console you must start the Prop...

Page 46: ...try you want to modify and select Properties from the pop up menu Alternatively you can double click the entry The Property Editor is displayed 2 Select the object class field and click Add Value The Add Object Class window is displayed It shows a list of object classes that you can add to the entry 3 Select the object class you want to add and click OK The object class you selected appears in the...

Page 47: ...ibute dialog box is displayed 3 Select the attribute you want to add from the list and click OK The Add Attribute window is dismissed and the attribute you selected appears in the list of attributes in the Property Editor 4 Type in the value for the new attribute in the text box to the right of the attribute name 5 Click OK in the Property Editor when you have finished editing the entry The Proper...

Page 48: ...ck OK in the Property Editor when you have finished editing the entry The Property Editor is dismissed Adding an Attribute Subtype You can add three different kinds of subtypes to attributes contained within an entry language binary and pronunciation Language Subtype Sometimes a user s name can be more accurately represented in characters of a language other than the default language For example N...

Page 49: ...btype to an attribute indicates that the attribute value is a phonetic representation The subtype is added to the attribute name as follows attribute phonetic This subtype is commonly used in combination with a language subtype for languages that have more than one alphabet where one is a phonetic representation You might want to use this with attributes that are expected to contain user names suc...

Page 50: ...e right pane and select Delete from the pop up menu To select multiple entries use Ctrl click or Shift click and then select Delete from the Edit menu The server deletes the entry or entries immediately There is no undo Managing Entries From the Command Line The command line utilities allow you to manipulate the contents of your directory They can be useful if you want to write scripts to perform ...

Page 51: ...following depending upon the type of machine you use UNIX Almost always control D D Windows Usually control Z followed by a carriage return Z return For example suppose you want to input some LDIF update statements to ldapmodify Then on a UNIX system you would do the following prompt ldapmodify D bindDN w password h hostname dn cn Barry Nixon ou people dc example dc com changetype modify delete te...

Page 52: ...ds to the server and prepares it to add an entry You create the new root object as follows dn Suffix_Name objectclass newobjectclass The DN corresponds to the DN of the root or sub suffix contained by the database The newobjectclass value depends upon the type of object class you are adding to the database You may need to specify additional mandatory attributes depending upon the root object you a...

Page 53: ...the distinguished name and password you supply and modifies the entries based on LDIF update statements contained in a specified file Because ldapmodify uses LDIF update statements ldapmodify can do everything that ldapdelete can do If schema checking is turned on when you use this utility then the server performs schema checking for the entire entry when it is modified If the server detects an at...

Page 54: ...IF statements in the new ldif file do not specify a change type They follow the format defined in LDIF File Format on page 489 To add the entries you must enter the following command ldapmodify a D cn Directory Manager dc example dc comd w King Pin h cyclops p 845 f new ldif The following table describes the ldapmodify parameters used in the example Table 2 2 Description of ldapmodify Parameters U...

Page 55: ... with the appropriate LDIF update statements and then enter the following command ldapmodify D cn Directory Manager dc example dc com w King Pin h cyclops p 845 f modify_statements The following table describes the ldapmodify parameters used in the example f Optional parameter that specifies the file containing the LDIF update statements used to define the modifications If you do not supply this p...

Page 56: ...if there aren t any entries below it If you want to delete ou People dc example dc com you must first delete Paula Simon and Jerry O Connor s entries and all other entries in that subtree Here is a typical example of how to use the ldapdelete utility Suppose that You want to delete the entries identified by the distinguished names cn Robert Jenkins ou People dc example dc com and cn Lisa Jangles o...

Page 57: ...dapdelete parameters refer to the Netscape Directory Server Configuration Command and File Reference Using Special Characters When using the Directory Server command line client tools you may need to specify values that contain characters that have special meaning to the command line interpreter such as space asterisk backslash and so forth When this situation occurs enclose the value in quotation...

Page 58: ...eral LDIF update statements are a series of statements that Specify the distinguished name of the entry to be modified Specify a change type that defines how a specific entry is to be modified add delete modify modrdn Specify a series of attributes and their changed values A change type is required unless you use ldapmodify with the a parameter If you specify the a parameter then an add operation ...

Page 59: ...statements are identical dn cn Lisa Jangles ou People dc example dc com dn cn Lisa Jangles ou People dc example dc com The following sections describe the change types in detail Adding an Entry Using LDIF Use changetype add to add an entry to your directory When you add an entry make sure to create an entry representing a branch point before you try to create new entries under that branch That is ...

Page 60: ...pminsky dn cn Sue Jacobs ou People dc example dc com changetype add objectclass top objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn Sue Jacobs givenName Sue sn Jacobs ou People ou Marketing uid sjacobs dn ou Groups dc example dc com changetype add objectclass top objectclass organizationalUnit ou Groups dn cn Administrators ou Groups dc example dc com changetype ad...

Page 61: ... Using LDIF Use changetype modrdn to change an entry s relative distinguished name RDN An entry s RDN is the left most element in the distinguished name Therefore the RDN for cn Barry Nixon ou People dc example dc com is cn Barry Nixon And the RDN for ou People dc example dc com is ou People Therefore this rename operation allows you to change the left most value in an entry s distinguished name F...

Page 62: ...bs and only cn Susan Jacobs would remain within the entry A Note on Renaming Entries You cannot rename an entry with the modrdn change type such that the entry moves to a completely different subtree To move an entry to a completely different branch you must create a new entry in the alternative subtree using the old entry s attributes and then delete the old entry Also for the same reasons that y...

Page 63: ...he server returns an error replace attribute The specified values are used to entirely replace the attribute s value s If the attribute does not already exist it is created If no replacement value is specified for the attribute the attribute is deleted delete attribute The specified attribute is deleted If more than one value of an attribute exists for the entry then all values of the attribute ar...

Page 64: ...555 1212 telephonenumber 555 6789 add manager manager cn Sally Nixon ou People dc example dc com The following example adds a jpeg photograph to the directory The jpeg photo can be displayed by Directory Server Gateway In order to add this attribute to the directory you must use the ldapmodify b parameter which indicates that ldapmodify should read the referenced file for binary values if the attr...

Page 65: ...replace manager manager cn Wally Hensford ou People dc example dc com If the entry has multiple instances of the attribute then to change one of the attribute values you must delete the attribute value that you want to change and then add the replacement value For example consider the following entry cn Barney Fife ou People dc example dc com objectClass inetOrgPerson cn Barney Fife sn Fife teleph...

Page 66: ... of how many times it appears in the entry dn cn Barney Fife ou People dc example dc com changetype modify delete telephonenumber If you want to delete just a specific instance of the telephonenumber attribute then you simply delete that specific attribute value The following section describes how to do this Deleting a Specific Attribute Value Using LDIF Use changetype modify with the delete opera...

Page 67: ...onal unit For example of the following three entries ou People dc example dc com cn Paula Simon ou People dc example dc com cn Jerry O Connor ou People dc example dc com you can delete only the last two entries The entry that identifies the People subtree can be deleted only if no other entries exist below it The following LDIF update statements can be used to delete person entries dn cn Pete Mins...

Page 68: ...y Referential integrity is a database mechanism that ensures relationships between related entries are maintained In the Directory Server referential integrity can be used to ensure that an update to one entry in the directory is correctly reflected in any other entries that may refer to the updated entry For example if a user s entry is removed from the directory and referential integrity is enab...

Page 69: ...owever configure the behavior of the referential integrity plug in to suit your own needs You can Record referential integrity updates in the replication change log Modify the update interval Select the attributes to which you apply referential integrity Disable referential integrity Using Referential Integrity with Replication There are certain limitations associated with the use of the referenti...

Page 70: ...tial Integrity You can enable or disable referential integrity from the Directory Server Console or from the command line From the Directory Server Console 1 On the Directory Server Console select the Configuration tab For information on starting the Directory Server Console refer to Using the Directory Server Console on page 28 2 Expand the Plugins folder in the navigation tree and select the Ref...

Page 71: ...older in the navigation tree and select the Referential Integrity Postoperation plug in The settings for the plug in are displayed in the right pane 3 In the arguments list replace the referint filename with the absolute path to the change log directory 4 Click Save to save your changes 5 For your changes to be taken into account go to the Tasks tab and select Restart the Directory Server Modifyin...

Page 72: ...he appropriate time interval 4 Click Save to save your changes 5 For your changes to be taken into account go to the Tasks tab and select Restart the Directory Server Modifying the Attribute List By default the referential integrity is set up to update the member uniquemember owner and seeAlso attributes You can add or delete attributes to be updated from the Directory Server Console From the Dire...

Page 73: ...tory Entries 73 5 For your changes to be taken into account go to the Tasks tab and select Restart the Directory Server NOTE For best performance the attributes set for updating should also be indexed For information on indexing see Chapter 8 Managing Indexes ...

Page 74: ...Maintaining Referential Integrity 74 Netscape Directory Server Administrator s Guide May 2002 ...

Page 75: ...nks page 92 Using Referrals page 132 For conceptual information on distributing your directory data refer to the Netscape Directory Server Deployment Guide Creating and Maintaining Suffixes You can store different pieces of your directory tree in different databases and then distribute these databases across multiple servers Your directory tree contains branch points called nodes These nodes can e...

Page 76: ...ning Suffixes Creating Suffixes You can create both root and sub suffixes to organize the contents of your directory tree A root suffix is the parent of a sub suffix It can be part of a larger tree you have designed for your Directory Server A sub suffix is a branch underneath a root suffix The data for root and sub suffixes are contained by databases Your directory might contain more than one roo...

Page 77: ...ve the directory tree looks as illustrated in Figure 3 3 Figure 3 3 A Sample Directory Tree with a Root Suffix Off Limits to Search Operations Searches performed by client applications on the dc example dc com branch of example com Corporation s directory will not return entries from the l europe dc example dc com branch of the directory as it is a separate root suffix If example com Corporation d...

Page 78: ...h a database 1 On the Directory Server Console select the Configuration tab 2 Right click Data in the left navigation pane and select New Root Suffix from the pop up menu The Create new root suffix dialog box is displayed 3 Enter a unique suffix in the New suffix field The suffix must be named according to dc naming conventions For example you might enter a new suffix name of dc example dc com 4 S...

Page 79: ...t New Sub Suffix from the pop up menu The Create new sub suffix dialog box is displayed 3 Enter a unique suffix name in the New suffix field The suffix must be named according to dc naming conventions For example you might enter a new suffix name of ou groups The root suffix is automatically added to the name For example if you are creating the sub suffix ou groups under the dc example dc com suff...

Page 80: ...e server and prepares it to add an entry to the configuration file Next you create the root suffix entry for example com Corporation as follows dn cn dc example dc com cn mapping tree cn config objectclass top objectclass extensibleObject objectclass nsMappingTree nsslapd state backend nsslapd backend UserData cn dc example dc com NOTE Avoid creating entries under the cn config entry in the dse ld...

Page 81: ...sing the Directory Server Console you will need to respect the same spacing you use to name the root and sub suffixes via the command line For example if you name a root suffix ou groups dc example dc com with two spaces after groups any sub suffixes you create under this root will need to specify two spaces after ou groups as well Table 3 1 Suffix Attributes Attribute Name Value dn Defines the DN...

Page 82: ... nsslapd backend Gives the name of the database or database link used to process requests This attribute can be multi valued with one database or database link per value Refer to Creating and Maintaining Database Links on page 92 for more information about database links This attribute is required when the value of the nsslapd state attribute is set to backend or referral on update nsslapd distrib...

Page 83: ...tory Server Console select the Configuration tab 2 Under Data in the left pane click the suffix to which you want to add a referral 3 Click the Suffix Settings tab Select the Use Referrals radio button 4 Click the Referrals tab Enter an LDAP URL in the Enter a new referral field or click Construct to be guided through the creation of an LDAP URL For more information about the structure of LDAP URL...

Page 84: ...ferrals only during update operations 1 On the Directory Server Console select the Configuration tab 2 Under Data in the left pane click the suffix to which you want to add a referral 3 Click the Suffix Settings tab Select the Use Referrals on Update radio button 4 Click the Referrals tab Enter an LDAP URL in the Enter a new referral field or click Construct to be guided through the creation of an...

Page 85: ...pane select the suffix you want to delete 3 Select Delete from the Object menu You can also right click the suffix and select Delete from the pop up menu 4 Select Delete this suffix and all of its sub suffixes if you want to remove all the suffix and every suffix below it Select Delete this suffix only if you want to remove only this particular suffix not its sub suffixes 5 Click OK to delete the ...

Page 86: ...rectory Server supports the use of multiple databases over which you can distribute your directory tree There are two ways you can distribute your data across multiple databases One database per suffix The data for each suffix is contained in a separate database For example your directory tree appears as follows You add three databases to store the data contained in your separate suffixes as follo...

Page 87: ...ch of your directory tree is so large that you need two databases to store them In this case the data contained by ou people could be distributed across two databases This is illustrated as follows Database one contains people with names from A K and database two contains people with names from L Z Database three contains the ou groups data and database four contains the ou contractors data You ne...

Page 88: ...e example2 5 In the Create database in field enter the path to the directory where you want to store the new database You can also click Browse to locate a directory on your local machine By default the directory stores the new database in the usr netscape servers slapd serverID db directory 6 Click OK Click Yes in the confirmation dialog to create the new database Creating a New Database for a Si...

Page 89: ...iven in the DN attribute must correspond with the value in the nsslapd backend attribute of the suffix entry Adding Multiple Databases for a Single Suffix You can distribute a single suffix across multiple databases However to distribute the suffix you need to create a custom distribution function to extend the directory For more information on creating a custom distribution function contact Netsc...

Page 90: ...o which you want to apply your distribution function 3 Select the Databases tab in the right window 4 Click Add to associate additional databases with the suffix The Database List dialog box is displayed Select a database from the list and click OK 5 Enter the path to your distribution library in the Distribution library field or click Browse to locate a distribution library on your local machine ...

Page 91: ...r Directory Server manages multiple databases you can place all of them into read only mode at the same time by placing your entire server in read only mode For more information see Placing the Entire Directory Server in Read Only Mode on page 34 This section includes procedures for the following Making a Database Read Only Using the Console Making a Database Read Only From the Command Line Making...

Page 92: ...the Object menu select Delete You can also right click the database and select Delete from the pop up menu The Deleting Database confirmation dialog box is displayed 4 Click Yes to confirm that you want to delete the database A progress dialog box appears telling you the steps the Directory Server completes during the deletion Once deleted the database no longer appears in the right pane Creating ...

Page 93: ... policy applies to all database links you create on your Directory Server Chaining Component Operations A component is any functional unit in the server that uses internal operations For example plug ins are considered to be components as are functions in the front end However a plug in may actually be comprised of multiple components for example the ACI plug in Some components send internal LDAP ...

Page 94: ...fig Read search and compare 4 0 plug ins This component name represents all Directory Server 4 0 plug ins The 4 0 plug ins share the same chaining policy Specify the following in the nsActiveChainingComponents attribute nsActiveChainingComponents cn old plugin cn plugins cn config Depends upon the 4 0 plug in you are allowing to chain Resource limit component This component sets server limits depe...

Page 95: ...fig Read write search and compare UID uniqueness plug in This plug in checks that all the values for a specified uid attribute are unique no duplicates If you allow this plug in to chain it confirms that the uid attribute values are unique even on attributes changed through a database link To chain this component s operations specify the following nsActiveChainingComponents cn uid uniqueness cn pl...

Page 96: ...ponent to chain you must create an ACI in the suffix on the remote server to which the operation will be chained For example you would create the following ACI for the referential integrity plug in aci targetattr target ldap ou customers l us dc example dc com version 3 0 acl RefInt Access for chaining allow read write search compare userdn ldap cn referential integrity postoperation cn plugins cn...

Page 97: ... This control sorts entries according to their attribute values Managed DSA This controls returns smart referrals as entries rather than following the referral This allows you to change or delete the smart referral itself Loop detection This control keeps track of the number of times the server chains with another server When the count reaches a number you configure a loop is detected and the clie...

Page 98: ...database cn plugins cn config entry For example to forward the virtual list view control you add the following to your database link entry in the configuration file nsTransmittedControls 2 16 840 1 113730 3 4 9 In addition if clients of your Directory Server create their own controls and you want their operations to be chained to remote servers you need to add the OID of the custom control to the ...

Page 99: ...e Creating a New Database Link Using the Console To create a new database link using the Directory Server Console 1 On the Directory Server Console select the Configuration tab 2 Right click Data in the left navigation pane and select New Root Suffix or New Sub Suffix from the pop up menu A Create New Suffix dialog box is displayed 3 Enter the name of the suffix on the remote server to which you w...

Page 100: ...d for the bind in the Remote server port field The default port number is 389 12 Enter the name of a failover server in the Failover Server s field and specify a port number in the Port field The default port number is 389 Click Add to add the failover server to the list You can specify multiple failover servers If the primary remote server fails the database link contacts the first server in the ...

Page 101: ...he Netscape Directory Server Configuration Command and File Reference This section contains the following procedures for configuring a database link from the command line Providing Suffix Information Providing Bind Credentials Providing an LDAP URL Providing a List of Failover Servers Summary of Cascading Chaining Configuration Attributes Database Link Configuration Example Providing Suffix Inform...

Page 102: ...ntries on page 41 b Provide proxy access rights for the administrative user created in step 1 on the subtree chained to by the database link For more information on configuring ACI s refer to Managing Access Control on page 189 2 On the server containing the database like you need to do the following a Use ldapmodify to provide a user DN for the database link in the nsMultiplexorBindDN attribute o...

Page 103: ...esponding to the nsMultiplexorBindDN and you must set the proxy authentication rights for this user To set the proxy authorization right you need to set the proxy ACI as you would any other ACI CAUTION Carefully examine access controls when enabling chaining to avoid giving access to restricted areas of your directory For example if you create a default proxy ACI on a branch the users that connect...

Page 104: ...verURL might appear as follows nsFarmServerURL ldap example com 389 Do not forget to use the trailing slash at the end of the URL If you want to the database link to connect to the remote server using LDAP over SSL the LDAP URL of the remote server takes the following form ldaps servername portnumber For more information about chaining and SSL refer to Chaining Using SSL on page 109 Providing a Li...

Page 105: ... database link take precedence over the global attribute value Table 3 4 Database Link Configuration Attributes Attributes Value nsTransmittedControls Gives the OID of LDAP controls forwarded by the database link to the remote data server nsslapd suffix The suffix managed by the database link Any changes you make to this attribute after the entry has been created take effect only after you restart...

Page 106: ...has been restarted The default value is off nsProxiedAuthorization Reserved for advanced use only Allows you to disable proxied authorization A value of off means proxied authorization is disabled The default value is on nsActiveChainingComponents Lists the components using chaining A component is any functional unit in the server The value of this attribute in the database link instance overrides...

Page 107: ...cret h us example com Then specify the configuration information for the database link dn cn DBLink1 cn chaining database cn plugins cn config objectclass top objectclass extensibleObject objectclass nsBackendInstance nsslapd suffix l Zanzibar ou people dc example dc com nsfarmserverurl ldap africa example com 389 nsmultiplexorbinddn cn proxy admin cn config nsmultiplexorcredentials secret cn DBLi...

Page 108: ...database link The nsslapd parent suffix attribute specifies the parent of this new suffix ou people dc example dc com Next you create an administrative user on server B as follows dn cn proxy admin cn config objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn proxy admin sn proxy admin userPassword secret description Entry for use by database links Add the following pr...

Page 109: ...ample com 636 Enable SSL on the server that contains the database link For more information on enabling SSL refer to Enabling SSL Summary of Steps on page 376 When you configure the database link and remote server to communicate using SSL this does not mean that the client application making the operation request must also communicate using SSL The client can bind using a normal port NOTE When a u...

Page 110: ...ter a new LDAP URL in the Remote Server URL field Unlike the standard LDAP URL format the URL of the remote server does not specify a suffix It takes the following form ldap servername portnumber 5 Update the bind DN used by the database link to bind with the remote server by entering a new DN in the Database link bind DN field 6 Update the password used by the database link to bind with the remot...

Page 111: ...cess controls on the subtree contained on the remote server This means that you need to add the usual access controls to the remote server with a few restrictions You cannot use all types of access control For example role based or filter based ACIs need access to the user entry Because you are accessing the data via database links only the data in the proxy control can be verified Consider design...

Page 112: ...ication When performing a modify operation the database link does not have access to the full entry stored on the remote server If performing a delete operation the database link is only aware of the entry s DN If an access control specifies a particular attribute then a delete operation will fail when being conducted through a database link Advanced Feature Tuning Database Link Performance The fo...

Page 113: ...s that the database link establishes with the remote server The default value is 3 connections Bind timeout Amount of time in seconds before the database link s bind attempt times out The default value is 15 seconds Maximum binds per connection Maximum number of outstanding bind operations per TCP connection The default value is 10 outstanding bind operations per connection Time out before abandon...

Page 114: ...on management attributes for a specific database link are stored in the following entry cn database_link_name cn chaining database cn plugins cn config where database_link_name is the name of the database link The connection management attributes specified in this entry take precedence over the attributes specified in the cn default instance config entry The following table lists the attributes as...

Page 115: ...is set using the nsMaxTestResponseDelay nsBindRetryLimit Number of times a database link attempts to bind to the remote server A value of zero 0 indicates that the database link will try to bind only once The default value is 3 attempts nsConnectionLife Connection lifetime in seconds You can keep connections between the database link and the remote server open for an unspecified time or you can cl...

Page 116: ...owing too long However the database link forwards operations to remote servers for processing The database link contacts the remote server forwards the operation waits for the result and then sends the result back to the client application The entire operation can take much longer than a local operation Table 3 6 Database Link Processing Error Detection Parameters Attribute Name Description nsMaxR...

Page 117: ...hread number to 50 to improve performance After changing the thread number restart the server to implement your changes Advanced Feature Configuring Cascading Chaining You can configure your database link to point to another database link creating a cascading chaining operation A cascading chain occurs any time more than one hop is required to access all of the data in a directory tree The section...

Page 118: ...ins the data the clients wants to modify in a database Two hops are required to access the piece of data the client want to modify During a normal operation request a client binds to the server and then any ACIs applying to that client are evaluated With cascading chaining the client bind request is evaluated on server one but the ACIs applying to the client are evaluated only after the request ha...

Page 119: ...es are stored on Server A The l europe dc example dc com and ou groups suffixes are stored in on Server B and the ou people branch of the l europe dc example dc com suffix is stored on Server C With cascading configured on servers A B and C a client request targeted at the ou people l europe dc example dc com entry would be routed by the directory as follows ...

Page 120: ...u people l europe dc example dc com branch Because at least two hops are required for the directory to service the client request this is considered a cascading chain Configuring Cascading Chaining Defaults Using the Console To set cascading chaining defaults for all database links in your Directory Server 1 On the Directory Server Console select the Configuration tab 2 Expand the Data folder in t...

Page 121: ...ng 1 On the Directory Server Console select the Configuration tab 2 Expand the Data folder in the left pane and locate the database link you want to include in a cascading chain Click the database link then click the Limits and Controls tab in the right navigation pane 3 Select the Check local ACI checkbox if you want to enable the evaluation of local ACIs on the intermediate database links involv...

Page 122: ...abase link must contain the URL of the server containing another database link For example suppose the database link on the server called example1 com points to a database link on the server called africa example com The cn database_link_name cn chaining database cn plugins cn config entry of the database link on server one would contain the following nsFarmServerURL ldap africa example com 389 Tr...

Page 123: ... the administrative user that targets the appropriate suffix This ensures the administrator has access only to the suffix of the database link Add the following ACI to the administrative user s entry aci targetattr version 3 0 acl Proxied authorization for database links allow proxy userdn ldap cn proxy admin cn config This ACI is like the ACI you create on the remote server when configuring simpl...

Page 124: ...hen need to add any client ACIs to this superior suffix entry For example you might add the following aci targetattr version 3 0 acl Client authentication for database link users allow all userdn ldap uid cn config This ACI allows client applications that have a uid in the cn config entry of server one to perform any type of operation on the data below the ou people dc example dc com suffix on ser...

Page 125: ...Configuring Server Three Table 3 7 Cascading Chaining Configuration Attributes Attribute Description nsFarmServerURL URL of the server containing the next database link in the cascading chain nsTransmittedControls Enter the following OIDs to the database links involved in the cascading chain nsTransmittedControls 2 16 840 1 113730 3 4 12 nsTransmittedControls 1 3 6 1 4 1 1466 29539 12 The first OI...

Page 126: ...guring Server One First use the ldapmodify command line utility to add a database link to server one To use the utility type the following to change to the directory containing the utility cd usr netscape servers shared bin Run the utility as follows ldapmodify a D cn directory manager w secret h host p 389 ...

Page 127: ... The first section creates the entry associated with DBLink1 The second section creates a new suffix allowing the server to direct requests made to the database link to the correct server You do not need to configure the nsCheckLocalACI attribute to check local ACIs as this is only required on the database link DBLink2 on server two Since you want to implement loop detection you need to specify th...

Page 128: ... Next you configure the database link DBLink2 on server two Using ldapmodify specify the configuration information for DBLink2 as follows dn cn DBLink2 cn chaining database cn plugins cn config objectclass top objectclass extensibleObject objectclass nsBackendInstance nsslapd suffix l Zanzibar c africa ou people dc example dc com nsfarmserverurl ldap zanz africa example com 389 nsmultiplexorbinddn...

Page 129: ...4 1 1466 29539 12 where nsTransmittedControl 2 16 840 1 113730 3 4 12 is the OID for Proxy Authorization control and nsTransmittedControl 1 3 6 1 4 1 1466 29539 12 is the OID for the loop detection control Again remember to check beforehand whether or not the loop detection control is already configured and adapt the above command accordingly The next step is to configure your ACIs On server two y...

Page 130: ...tattr target l Zanzibar c africa ou people dc example dc com version 3 0 acl Client authorization for database links allow all userdn ldap uid c us ou people dc example dc com This ACI allows clients that have a uid in c us ou people dc example dc com on server one to perform any type of operation on the l Zanzibar c africa ou people dc example dc com suffix tree on server three Should you have us...

Page 131: ...cess to the data contained on the remote server server three within the l Zanzibar ou people dc example dc com subtree only You then need to create an local client ACI on the l Zanzibar ou people dc example dc com subtree that corresponds to the original client application Use the same ACI as the one you created for the client on server two aci targetattr target l Zanzibar c africa ou people dc ex...

Page 132: ...eferrals are returned to client applications that submit operations on a DN not contained within any of the suffixes maintained by your directory The following procedures describes setting a default referral for your directory using the console and the command line utilities Setting a Default Referral Using the Console Set a default referral to your directory as follows 1 On the Directory Server C...

Page 133: ... ldap zanzibar com Once you have added the default referral to the cn config entry of your directory the directory will return the default referral in response to requests made by client applications You do not need to restart the server Creating Smart Referrals Smart referrals allow you to map a directory entry or directory tree to a specific LDAP URL Using smart referrals you can refer client ap...

Page 134: ...og box displays 5 Select referral from the list and click OK 6 Click Add Attribute The Add Attribute dialog box is displayed 7 Scroll down the list of attributes to the ref attribute Select the ref attribute then click OK The ref attribute now appears in the Property Editor dialog box 8 In the text box next to the ref attribute enter the LDAP URL to which you want to refer client application reque...

Page 135: ...le com you would include the following in your LDIF file before importing dn uid ssarette ou people dc example dc com objectclass top objectclass person objectclass organizationalperson objectclass inetOrgPerson objectclass referral cn somi sarette sn sarette uid ssarette ref ldap directory europe example com cn somi 20sarette ou people l europe dc example dc com Use the M option with ldapmodify w...

Page 136: ...rral will be returned when this suffix receives an update request from a client application This option is used to redirect update and write requests made by client applications to a read only database 4 Click the Referrals tab Enter an LDAP URL in the Enter a new referral field or click Construct to be guided through the creation of an LDAP URL For more information about the structure of LDAP URL...

Page 137: ... example dc com cn mapping tree cn config objectclass extensibleObject objectclasss nsmappingtree nsslapd state referral nsslapd referral ldap zanzibar com The nsslapd state attribute is set to referral meaning that a referral is returned for requests made to this suffix The nsslapd referral attribute contains the LDAP URL of the referral returned by the suffix in this case a referral to the Zanzi...

Page 138: ...Using Referrals 138 Netscape Directory Server Administrator s Guide May 2002 ...

Page 139: ... the Directory Server Console You can use the Directory Server Console to append data to all of your databases including database links Initialize databases You can use the Directory Server Console to import data to one database This method overwrites any data contained by the database Importing data from the command line You can import data using the command line utilities Table 4 1 describes the...

Page 140: ... on remote databases to which your Directory Server has a configured database link You must be logged in as the Directory Manager in order to perform an import Table 4 1 Import Method Comparison Import Initialize Database Overwrites database No Yes LDAP operations Add modify delete Add only Performance More time consuming Fast Partition speciality Works on all partitions Local partitions only Resp...

Page 141: ...file may contain modify and delete instructions in addition to the default add instructions If you want the server to ignore operations other than add select the Add only check box Continue on Error Select the Continue on error checkbox if you want the server to continue with the import even if errors occur For example you might use this option if you are importing an LDIF file that contains some ...

Page 142: ...he database itself 3 Right click the database and select Initialize Database You can also select Initialize Database from the Object menu 4 In the LDIF file field enter the full path to the LDIF file you want to import or click Browse to locate it on your machine 5 If you are operating the console from a machine local to the file being imported skip to step 6 If you are operating the console from ...

Page 143: ...th the import By default the script first saves and then merges any existing o NetscapeRoot configuration information with the o NetscapeRoot configuration information in the files being imported To import LDIF with the server stopped 1 From the command line change to the following directory usr netscape servers slapd serverID where serverID is the name of your Directory Server 2 Stop the server b...

Page 144: ...eference Importing Using the ldif2db pl Perl Script As with the ldif2db script the ldif2db pl script overwrites the data in a database you specify This script requires the server to be running in order to perform the import 1 From the command line change to the following directory usr netscape servers slapd serverID where serverID is the name of your Directory Server Option Name Description i Spec...

Page 145: ...ectory Manager w secretpwd i usr netscape servers slapd dirserver ldif demo ldif n Database1 The following table describes the ldif2db pl options used in the examples Importing Using the ldif2ldap Command Line Script The ldif2ldap script appends the LDIF file through LDAP Using this script you import data to all directory databases at the same time The server must be running in order to import usi...

Page 146: ...etscape servers slapd dirserver ldif demo ldif The ldif2ldap script requires you to specify the DN of the administrative user the password of the administrative user and the absolute path and file name of the LDIF file s to be imported Exporting Data You can use the LDAP Data Interchange Format LDIF to export database entries from your databases LDIF is a standard format described in RFC 2849 The ...

Page 147: ...ing the Console Exporting a Single Database to LDIF Using the Console Exporting to LDIF From the Command Line Note that the export operations do not export the configuration information cn config Exporting Directory Data to LDIF Using the Console You can export some or all of your directory data to LDIF depending upon the location of the final exported file When the LDIF file is on the server you ...

Page 148: ...the console on a machine remote to the server two radio buttons are displayed beneath the LDIF file field Select To local machine to indicate that you are exporting to an LDIF file in the machine from which you run the console Select To server machine to indicate that you are exporting to an LDIF file located on the server s machine 4 If you want to export the whole directory select the Entire dat...

Page 149: ... From the Command Line You can export your database to LDIF using the db2ldif command line script This script exports all of your database contents or a part of their contents to LDIF when the server is running or stopped To export to LDIF from the command line 1 From the command line change to the following directory usr netscape servers slapd serverID where serverID is the name of your Directory...

Page 150: ...ation File Backing Up All Databases The following procedures describe backing up all of the databases in your directory using the Directory Server Console and from the command line Option Name Description n Specifies the name of the database from which the file is being exported a Defines the output file in which the server saves the exported LDIF This file is stored by default in the directory wh...

Page 151: ...ose to use the default the backup files will be placed in the following location usr netscape servers slapd serverID bak backup_directory where serverID is the name of your Directory Server The backup_directory variable names a directory using the name of the backup file By default the backup directory name contains the time and date the backup was created YYYY_MM_DD_hhmmss 4 Click OK to create th...

Page 152: ...lt in the directory where the command line script resides By default the backup file is named according to the year month day hour format YYYY_MM_DD_hhmmss Backing Up a Single Database To back up a single database 1 At the command prompt change to usr netscape servers slapd serverID where serverID is the name of your Directory Server 2 If the server is running type the following to stop it stop sl...

Page 153: ...line Restoring All Databases from the Console If your databases become corrupted you can restore data from a previously generated backup using the Directory Server Console This process consists of stopping the server and then copying the databases and associated index files from the backup location to the database directory To restore your databases from a previously created backup 1 On the Direct...

Page 154: ...restore your directory from the command line while the server is shut down 1 At the command prompt change to the following directory usr netscape servers slapd serverID where serverID is the name of your Directory Server 2 If the server is running type the following to stop it stop slapd 3 Run the bak2db command line script For more information about using this script refer to Netscape Directory S...

Page 155: ... the script from the bin slapd admin bin perl directory Windows batch file bin slapd admin bin perl bak2db pl D cn Directory Manager w secret a usr netscape servers slapd dirserver bak mybak_20010701103056 UNIX shell script bak2db pl D cn Directory Manager w secret a usr netscape servers slapd dirserver bak mybak_20010701103056 The following table describes the bak2db pl options used in the exampl...

Page 156: ... a database containing data received from a supplier server then one of two situations can occur Change log entries have not yet expired on the supplier server If the supplier server change log has not expired since the database backup was taken then you can restore the local consumer and continue with normal operations This situation occurs only if the backup was taken within a period of time tha...

Page 157: ...e with the most recent changes to your directory Enabling and Disabling Read Only Mode Before performing certain operations of export or backup on your Directory Server you can enable read only mode on any of the databases to ensure you have a faithful image of the state of these databases at a given time The Directory Server Console and the command line utilities do not automatically put the dire...

Page 158: ... in read only mode If they are use the following procedure to make them available for updates Disabling Read Only Mode 1 On the Directory Server Console select the Configuration tab and expand the Data tree 2 Select the database that you want to make available for updates and click the Database Settings tab in the right pane 3 Clear the Database is Read only checkbox 4 Click Save Your change takes...

Page 159: ...oles and class of service in the planning phase of your directory deployment determine your directory topology Refer to the Netscape Directory Server Deployment Guide for more information Using Groups Groups are a mechanism for associating entries for ease of administration This mechanism was provided with previous versions of Directory Server and should be used primarily for compatibility with ol...

Page 160: ...is required 4 Enter a description of the new group in the Description field 5 Click Members in the left pane In the right pane select the Static Group tab Click Add to add new members to the group The standard Search users and groups dialog box appears 6 In the Search drop down list select what sort of entries to search for users groups or both then click Search Select one of the entries returned ...

Page 161: ...ng and modifying dynamic groups Adding a New Dynamic Group Modifying a Dynamic Group Adding a New Dynamic Group 1 Follow steps 1 4 of Adding a New Static Group on page 160 2 Click Members in the left pane In the right pane select the Dynamic Group tab Click Add to create a LDAP URL for querying the database The standard Construct and Test LDAP URL dialog box displays 3 Enter an LDAP URL in the tex...

Page 162: ...the role of an entry rather than select a group and browse the members list This section contains the following topics About Roles Managing Roles Using the Console Managing Roles Using the Command Line Using Roles Securely About Roles Roles unify the static and dynamic group concept supported by previous versions of Directory Server You can use roles to Enumerate the members of a role Having an en...

Page 163: ... server side Each role has members or entries that possess the role You can specify members either explicitly or dynamically How you specify role membership depends upon the type of role you are using Directory Server supports three types of roles Managed roles A managed role allows you to create an explicit enumerated list of members Filtered roles A filtered role allows you to assign entries to ...

Page 164: ... and select the parent entry for your new role 3 Go to the Object menu and select New Role You can also right click the entry and select New Role The Create New Role dialog box is displayed 4 Click General in the left pane Type a name for your new role in the Role Name field The role name is required 5 Enter a description of the new role in the Description field 6 Click Members in the left pane A ...

Page 165: ...ole definitions fields a Select the types of entries you want to filter from the For drop down list You can choose between users groups or both b Select an attribute from the Where drop down list The two fields following it allow you to refine your search by selecting one of the qualifiers from the drop down list such as contains does not contain is is not and enter an attribute value in the text ...

Page 166: ...the Directory Server Console select the Directory tab 2 In the left navigation pane browse the tree and select the entry for which you want to view or edit a role 3 Select Set Roles from the Object menu The Roles dialog box displays 4 Select the Managed Roles tab to display the managed roles to which this entry belongs To add a new managed role click Add and select an available role from the Role ...

Page 167: ...aking a Role Inactive You can temporarily disable the members of a role by inactivating the role to which they belong Inactivating a role inactivates the entries possessed by the role and not the role itself To temporarily disable the members of a role 1 In the Directory Server Console select the Directory tab 2 Browse the navigation tree in the left pane to locate the base DN for your role Roles ...

Page 168: ...tries 3 Right click the role and select Delete A dialog box appears asking you to confirm the deletion Click Yes 4 The Deleted Entries dialog box appears to inform you that the role was successfully deleted Click OK Managing Roles Using the Command Line Roles inherit from the ldapsubentry object class which is defined in the ISO IEC X 509 standard In addition each type of role has two specific obj...

Page 169: ...n Marketing ou people dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsSimpleRoleDefinition objectclass nsManagedRoleDefinition cn Marketing description managed role for marketing staff Table 5 1 Object Classses and Attributes for Roles Role Type Object Classes Attributes Managed Role nsSimpleRoleDefinition nsManagedRoleDefinition Description op...

Page 170: ...rs Run the ldapmodify script as follows ldapmodify D cn Directory Manager w secret h host p 389 Specify the filtered role as follows dn cn SalesManagerFilter ou people dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsComplexRoleDefinition objectclass nsFilteredRoleDefinition cn SalesManagerFilter nsRoleFilter o sales managers Description filtere...

Page 171: ...s suitable for use in a security context When creating a new role consider how easily the role can be assigned to and removed from an entry Sometimes it is appropriate for users to be able to easily add themselves to or remove themselves from a role For example if you had an interest group role called Mountain Biking you would want interested users to add themselves or remove themselves easily How...

Page 172: ...ttribute The user should not be allowed to add delete and modify the attribute used by the filtered role If the value of the filter attribute is computed then all attributes that can modify the value of the filter attribute should be protected in the same way Nested roles A nested role is comprised of filtered and managed roles so the above points should be considered for each of the roles that co...

Page 173: ...es to the template entry attribute values are automatically applied to all the entries within the scope of the CoS A single CoS might have more than one template entry associated with it The CoS definition entry and template entry interact to provide attribute information to their target entries any entry within the scope of the CoS The following sections describe the entries that make up a CoS in...

Page 174: ...ibute for which the CoS is generating values by default the CoS supplies the client application with the attribute value in the entry itself However you can use the CoS definition entry to control this behavior About the CoS Template Entry The CoS template entry contains the value or values of the attributes generated by the CoS logic The CoS template entry contains a general object class of cosTe...

Page 175: ...n this example the template entry is identified by its DN cn exampleUS cn data in the CoS definition entry Each time the postalCode attribute is queried on the entry cn wholiday ou people dc example dc com the Directory Server returns the value available in the template entry cn exampleUS cn data How an Indirect CoS Works You can create an indirect CoS that uses the manager attribute of the target...

Page 176: ...Carla Fuentes so the manager attribute contains a pointer to the DN of the template entry cn Carla Fuentes ou people dc example dc com The template entry in turn provides the departmentNumber attribute value of 318842 How a Classic CoS Works You can create a classic CoS that uses a combination of the template DN and a CoS specifier to identify the template entry containing the postal code The thre...

Page 177: ...ampleUS cn data The template entry then provides the value of the postalCode attribute to the target entry Managing CoS Using the Console This section describes creating and editing CoS through the Directory Server Console It includes the following sections Creating a New CoS Editing an Existing CoS Deleting a CoS Creating a New CoS 1 In the Directory Server Console select the Directory tab 2 Brow...

Page 178: ...n a generated value if there is no corresponding attribute value stored with the entry Select Overrides target entry attribute to make the value of the attribute generated by the CoS override the local value Select Overrides target entry attribute and is operational to make the attribute override the local value and to make the attribute operational so that it is not visible to client applications...

Page 179: ...e describes changing the description and attributes generated on the target entry of an existing class of service To edit an existing CoS 1 In the Directory Server Console select the Directory tab 2 Browse the tree in the left navigation pane and select the parent entry that contains your class of service The CoS appears in the right pane with other entries 3 Double click the CoS The Edit Entry di...

Page 180: ...es a particular object class to be specified in the definition entry All CoS definition object classes inherit from the LDAPsubentry object class and the cosSuperDefinition object class Table 5 2 lists the object classes associated with each type of CoS definition entry Table 5 2 CoS Definition Entry Object Classes CoS Type Object Classes Description Pointer CoS cosPointerDefinition Identifies the...

Page 181: ...orks as if override and operational were specified If you do not indicate a qualifier default is assumed Table 5 3 CoS Definition Entry Attributes Attribute Definition cosAttribute Provides the name of the attribute for which you want to generate a value You can specify more than one cosAttribute value This attribute is used by all types of CoS definition entries cosIndirectSpecifier Specifies the...

Page 182: ...the attributes refer to the Netscape Directory Server Configuration Command and File Reference Now that you have been introduced to the object classes and attributes used by a CoS definition it is time to put them together to create the definition entry itself Table 5 4 describes the CoS definition for each type of CoS NOTE If an entry contains an attribute value generated by a CoS you cannot manu...

Page 183: ... you might have a multi valued cosSpecifier in your CoS definition entry In such a case you can specify a template priority on each template entry to determine which template provides the attribute value Set the template priority using the cosPriority attribute This attribute represents the global priority of a particular template A priority of zero is the highest priority Classic CoS objectclass ...

Page 184: ...ver any other conflicting templates that define a different departmentNumber value The following sections provide examples of template entries along with examples of each type of CoS definition entry Example of a Pointer CoS You want to create a pointer CoS that shares a common postal code with all entries in the dc example dc com tree To add a new pointer CoS definition entry to the dc example dc...

Page 185: ... First you add a new indirect CoS definition entry to the dc example dc com suffix using ldapmodify as follows ldapmodify a D cn directory manager w secret h host p 389 The ldapmodify utility binds to the server and prepares it to add information to the configuration file Next you add the indirect CoS definition to the dc example dc com root suffix as follows dn cn indirectCoS dc example dc com ob...

Page 186: ...ata dc example dc com The department number is different depending upon the manager Example of a Classic CoS You want to create a classic CoS that automatically generates postal codes using a combination of the template DN and the attribute specified in the cosSpecifier attribute First you add a new classic CoS definition entry to the dc example dc com suffix using ldapmodify as follows ldapmodify...

Page 187: ...ng template provides a postal code specific to employees in the marketing department Creating Role Based Attributes You can create classic CoS schemes that generate attribute values for an entry based on the role possessed by the entry For example you could use role based attributes to set the server look through limit on an entry by entry basis To create a role based attribute use the nsRole attr...

Page 188: ...CoS template entry The CoS template entry provides the value for the mailboxquota attribute An additional qualifier of override tells the CoS to override any existing mailboxquota attributes values in the target entry The corresponding CoS template entry looks as follows dn cn cn ManagerRole ou people dc example dc com cn managerCOS dc example dc com objectclass top objectclass LDAPsubentry object...

Page 189: ... Control Usage Examples page 229 Viewing the ACIs for an Entry page 249 Advanced Access Control Using Macro ACIs page 249 Access Control and Replication page 256 Logging Access Control Information page 256 Compatibility with Earlier Releases page 257 To take full advantage of the power and flexiblity of the access control mechanism while you are in the planning phase for your directory deployment ...

Page 190: ...ttributes You can set permissions for a specific user all users belonging to a specific group or role or all users of the directory Finally you can define access for a specific location such as an IP address or a DNS name ACI Structure Access control instructions are stored in the directory as attributes of entries The aci attribute is an operational attribute it is available for use on every entr...

Page 191: ...ould create an ACI that targets entries that include the inetorgperson object class You can use this feature to minimize the number of ACIs in the directory tree by placing general rules at high level branch points To limit the scope of more specific rules you should place them as close as possible to leaf entries ACI Evaluation To evaluate the access rights to a particular entry the server compil...

Page 192: ...cated on remote servers ACIs that depend on role definitions roledn keyword must be located on the same server as the role definition entry Every entry that is intended to have the role must also be located on the same server However you can do value matching of values stored in the target entry with values stored in the entry of the bind user for example using the userattr keyword Access will be ...

Page 193: ...ator by default uid admin ou Administrators ou TopologyManagement o NetscapeRoot has all rights except proxy rights All members of the Configuration Administrators group have all rights except proxy rights All members of the Directory Administrators group have all rights except proxy rights SIE group Whenever you create a new database in the directory the top entry has the default ACIs listed abov...

Page 194: ... for the ACI The name can be any string that identifies the ACI The ACI name is required permission specifically outlines what rights you are either allowing or denying for example read or search rights bind_rules specify the credentials and bind parameters that a user has to provide to be granted access Bind rules can also specifically deny access to certain users or groups of users TIP LDIF ACI ...

Page 195: ... all attributes in her own directory entry The following sections describe the syntax of each portion of the ACI in more detail Defining Targets The target identifies what the ACI applies to If the target is not specified the ACI applies to the entry containing the aci attribute and to the entries below it A target can be A directory entry or all of the entries in a subtree as described in Targeti...

Page 196: ...o applies to all entries below it For example if you target the entry ou accounting dc example dc com the permissions you set will apply to all entries in the accounting branch of the example com tree As a counter example if you place an ACI on the ou accounting dc example dc com entry you cannot target the uid sarette ou people dc example dc com entry because it is not located under the accountin...

Page 197: ...ctly under the example com node with a uid ending in Anderson target ldap uid C A dc example dc com Matches every entry directly under the example com node with a uid beginning with C and ending with A Depending on the position of the wildcard it can apply to the full DN not only to attribute values Therefore the wildcard can be used as a substitute for portions of the DN For example uid andy dc e...

Page 198: ... to partial information about an entry For example you could allow access to only the common name surname and telephone number attributes of a given entry Or you could deny access to sensitive information such as passwords You can specify that the target is equal or is not equal to a specific attribute The attributes you supply do not need to be defined in the schema This absence of schema checkin...

Page 199: ...he tree s branch point ou Marketing dc example dc com then all the entries beneath the branch point that can contain a password attribute are affected by the ACI Targeting Both an Entry and Attributes By default the entry targeted by an ACI containing a targetattr keyword is the entry on which the ACI is placed That is if you put the ACI aci targetattr uid access_control_rules on the ou Marketing ...

Page 200: ...ple uses LDAP filtering to select all entries with businessCategory attributes set to Engineering dn dc example dc com objectClass top objectClass organization aci targetattr departmentNumber manager targetfilter businessCategory Engineering version 3 0 acl eng admins write allow write groupdn ldap cn Engineering Admins dc example dc com Targeting Attribute Values Using LDAP Filters You can use ac...

Page 201: ...a filter applies to an attribute in the new entry then each instance of that attribute must satisfy the filter When deleting an entry if a filter applies to an attribute in the entry then each instance of that attribute must also satisfy the filter When modifying an entry if the operation adds an attribute then the add filter that applies to that attribute must be satisfied if the operation delete...

Page 202: ...ny organizational units ou defined below that node you could specify an ACI that contains targetattr ou A safer method is to use the targetfilter keyword and to explicitly specify an attribute value that appears in the entry alone For example during the installation of the Directory Server the following ACI is created aci targetattr targetfilter o NetscapeRoot version 3 0 acl Default anonymous acc...

Page 203: ...s only to the delete operation Search Indicates whether users can search for the directory data Users must have Search and Read rights in order to view the data returned as part of a search result This permission applies only to the search operation Compare Indicates whether the users can compare data they supply with data stored in the directory With compare rights the directory returns a success...

Page 204: ...n the value of each attribute in the entry This right is granted by default but could be restricted using the targattrfilters keyword Deleting an entry Grant delete permission on the entry to be deleted Grant write permission on the value of each attribute in the entry This right is granted by default but could be restricted using the targattrfilters keyword Modifying an attribute in an entry Gran...

Page 205: ...rsion 3 0 acl self access to mail allow read search userdn ldap self The search result list is empty because this ACI does not grant access to the objectclass attribute If you want the search operation described above to be successful you must modify the ACI to read as follows aci targetattr mail objectclass version 3 0 acl self access to mail allow read search userdn ldap self Permissions Syntax ...

Page 206: ... that a person must belong to a specific group and must log in from a machine with a specific IP address between 8 am and 5 pm Bind rules define who can access the directory when and from where More specifically bind rules can specify Users groups and roles that are granted access Location from which an entity must bind Time or day on which binding must occur Type of authentication that must be in...

Page 207: ...the expression NOTE The timeofday keyword also supports the inequality expressions This is the only keyword that supports these expressions Table 6 2 LDIF Bind Rule Keywords Keyword Valid Expressions Wildcard Allowed userdn ldap distinguished_name ldap all ldap anyone ldap self ldap parent ldap suffix sub filter yes in DN only groupdn ldap DN DN no roledn ldap DN DN no userattr attribute bindType ...

Page 208: ...ss userdn ldap parent defines access for the parent entry The userdn keyword can also be expressed as an LDAP filter of the form ldap suffix sub filter Anonymous Access anyone Keyword Granting anonymous access to the directory means that anyone can access it without providing a bind DN or password and regardless of the circumstances of the bind You can limit anonymous access to specific types of a...

Page 209: ...the DN of the targeted entry From the Server Console you set up self access on the Access Control Editor For more information see Creating ACIs From the Console on page 224 Parent Access parent Keyword Specifies that users are granted or denied access to the entry only if their bind DN is the parent of the targeted entry You cannot set up parent access control using the Server Console LDAP URLs Yo...

Page 210: ...ing any distinguished name of the specified pattern For example both of the following bind DNs would be evaluated to be true uid ssarette dc example dc com uid tjaz ou Accounting dc example dc com whereas the following bind DN would be evaluated to be false cn Babs Jensen dc example dc com Userdn keyword containing logical OR of LDAP URLs userdn ldap uid bj c example com ldap uid kc dc example dc ...

Page 211: ...e for any valid bind DN To be true a valid distinguished name and password must have been presented by the user during the bind operation For example if you want to grant read access to the entire tree to all authenticated users you would create the following ACI on the dc example dc com node aci version 3 0 acl all read allow read userdn ldap all Userdn keyword containing the anyone keyword userd...

Page 212: ...er binds using a DN that belongs to a specific group The groupdn keyword requires one or more valid distinguished names in the following format groupdn ldap dn ldap dn ldap dn The bind rule is evaluated to be true if the bind DN belongs to the named group From the Server Console you can define specific groups using the Access Control Editor For more information see Creating ACIs From the Console o...

Page 213: ...be granted or denied if the user binds using a DN that belongs to a specific role The roledn keyword requires one or more valid distinguished names in the following format roledn ldap dn ldap dn ldap dn The bind rule is evaluated to be true if the bind DN belongs to the specified role The roledn keyword has the same syntax and is used in the same way as the groupdn keyword Defining Access Based on...

Page 214: ...lows userattr attrName bindType or if you are using an attribute type that requires a value other than a user DN group DN role DN or an LDAP filter userattr attrName attrValue where attrName is the name of the attribute used for value matching bindType is one of USERDN GROUPDN LDAPURL attrValue is any string representing an attribute value The following sections provide examples of the userattr ke...

Page 215: ...aluation of this type of ACI by the server is very resource intensive If you are using static groups that are under the same suffix as the targeted entry you can use the following expression userattr ldap dc example dc com owner GROUPDN In this example the group entry is under the dc example dc com suffix The server can process this type of syntax more quickly than the previous example By default ...

Page 216: ...attr myfilter LDAPURL The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter attribute of the targeted entry The myfilter attribute can be replaced by any attribute that contains an LDAP filter Example With Any Attribute Value The following is an example of the userattr keyword associated with a bind based on any attribute value userattr favoriteDrink Bee...

Page 217: ...filter userattr parent inheritance_level attrName attrValue where inheritance_level is a comma separated list that indicates how many levels below the target will inherit the ACI You can include five levels 0 1 2 3 4 below the targeted entry zero 0 indicates the targeted entry attribute is the attribute targeted by the userattr or groupattr keyword bindType can be one of USERDN GROUPDN LDAPURL For...

Page 218: ...etattr version 3 0 acl profiles access allow read search userattr owner USERDN Granting Add Permission Using the userattr Keyword If you use the userattr keyword in conjunction with all or add permissions you might find that the behavior of the server is not what you expect Typically when a new entry is created in the directory Directory Server evaluates access rights on the entry being created an...

Page 219: ...ever use the parent keyword to grant add rights below existing entries You must specify the number of levels below the parent for add rights For example the following ACI allows child entries to be added to any entry in the dc example dc com that has a manager attribute that matches the bind DN aci target ldap dc example dc com targetattr version 3 0 acl parent access allow add userattr parent 0 1...

Page 220: ...main The LDIF syntax for setting a bind rule based on the DNS host name is as follows dns DNS_Hostname or dns DNS_Hostname The dns keyword requires a fully qualified DNS domain name Granting access to a host without specifying the domain creates a potential security threat For example the following expression is allowed but not recommended dns legend eng You should use a fully qualified name such ...

Page 221: ...t equal to greater than greater than or equal to less than or less than or equal to The timeofday keyword requires a time of day expressed in hours and minutes in the 24 hour clock 0 to 2359 The LDIF syntax for setting a bind rule based on the day in the week is as follows dayofweek day1 day2 The possible values for the dayofweek keyword are the English three letter abbreviations for the days of t...

Page 222: ...Authentication Method You can set bind rules that state that a client must bind to the directory using a specific authentication method The authentication methods available are None Authentication is not required This is the default It represents anonymous access Simple The client must provide a user name and password to bind to the directory SSL The client must bind to the directory over a Secure...

Page 223: ...rtificate over LDAPS This is not evaluated to be true if the client authenticates using simple authentication bind DN and password over ldaps authmethod sasl DIGEST MD5 The bind rule is evaluated to be true if the client is accessing the directory using the SASL DIGEST MD5 mechanism The other supported SASL mechanism is EXTERNAL Using Boolean Bind Rules Bind rules can be complex expressions that u...

Page 224: ...Boolean bind rules bind_rule_A OR bind_rule_B bind_rule_B OR bind_rule_A Because Boolean expressions are evaluated from left to right in the first case bind rule A is evaluated before bind rule B and in the second case bind rule B is evaluated before bind rule A However the Boolean NOT is evaluated before the Boolean OR and Boolean AND Thus in the following example bind_rule_A AND NOT bind_rule_B ...

Page 225: ...an bind rules see Using Boolean Bind Rules on page 223 Generally create ACIs that use the following keywords roledn userattr authmethod Displaying the Access Control Editor 1 Start the Directory Server Console Log in using the bind DN and password of a privileged user such as the directory manager who has write access to the ACIs configured for the directory For instructions refer to Using the Dir...

Page 226: ...pe Directory Server Administrator s Guide May 2002 Figure 6 2 Selecting an Object in the Navigation Tree to Set Access Control l 4 Click New The Access Control Editor is displayed as shown in Figure 6 3 Figure 6 3 Access Control Editor Window ...

Page 227: ...Editor This task is explained in Displaying the Access Control Editor on page 225 If the view displayed is different from Figure 6 3 on page 226 click the Edit Visually button 2 Name the ACI by typing a name in the ACI Name text box The name can be any string you want to use to uniquely identify the ACI If you do not enter a name the server uses unnamed ACI 3 In the Users Groups tab select the use...

Page 228: ...e ACI to only certain attributes by selecting the attributes you want to target in the attribute list 6 Click the Hosts tab then the Add button to display the Add Host Filter dialog box You can specify a hostname or an IP address If you specify an IP address you can use the wildcard character 7 Click the Times tab to display the table showing at what times access is allowed By default access is al...

Page 229: ...ess Control Editor 4 When you have finished editing the ACI click OK The ACI Editor is dismissed and the modified ACI is listed in the ACI Manager Deleting an ACI To delete an ACI 1 On the Directory tab right click the top entry in the subtree and choose Set Access Permissions from the pop up menu The Access Control Manager window is displayed It contains the list of ACIs belonging to the entry 2 ...

Page 230: ... Access to a Suffix on page 238 Grant all example com employees the right to create group entries under the Social Committee branch of the directory and to delete group entries that they own see Granting Rights to Add and Delete Group Entries on page 239 Grant all example com employees the right to add themselves to group entries under the Social Committee branch of the directory see Allowing User...

Page 231: ...om This example assumes that the aci is added to the dc example dc com entry Note that the userPassword attribute is excluded from the scope of the ACI From the Console you can set this permission by doing the following 1 On the Directory tab right click the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 C...

Page 232: ... target definition filters out the unlisted subscribers based on the value of this attribute For details on the filter definition refer to Setting a Target Using Filtering on page 246 From the Console you can set this permission by doing the following 1 On the Directory tab right click the Subscribers entry under the example com node in the left navigation tree and choose Set Access Permissions fr...

Page 233: ...om want to allow users to change their own password home telephone number and home address but nothing else This is illustrated in the ACI Write example com example It is also example com s policy to let their subscribers update their own personal information in the example com tree provided that they establish an SSL connection to the directory This is illustrated in the ACI Write Subscribers exa...

Page 234: ... to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write right Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the dc example dc com suffix in the target directory entry field In the attribute table tick the checkboxes for the homePhone homePostalAddress and userPassword attributes All other checkboxes should be clear...

Page 235: ... entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Write Subscribers In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users an...

Page 236: ...hat are critical to your business the administration of your network and directory or another purpose For example you might create a superAdmin role by identifying a subset of your system administrators that are available at a particular time of day and day of the week at corporate sites worldwide Or you might want to create a First Aid role that includes all members of staff on a particular site ...

Page 237: ...lf from the Search results list c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write Make sure the other checkboxes are clear 5 On the Hosts tab click Add to display the Add Host Filter dialog box In the DNS host filter field type example com Click OK to d...

Page 238: ...grant the HR group all rights on the employee branch of the directory you would use the following statement aci version 3 0 acl HR allow all userdn ldap cn HRgroup ou example people dc example dc com This example assumes that the ACI is added to the ou example people dc example dc com entry From the Console you can set this permission by doing the following 1 On the Directory tab right click the e...

Page 239: ...e can create a group entry representing a new club This is illustrated in the ACI Create Group example Any example com employee can become a member of one of these groups This is illustrated in ACI Group Members under Allowing Users to Add or Remove Themselves From a Group on page 246 Only the group owner can modify or delete a group entry This is illustrated in the ACI Delete Group example ACI Cr...

Page 240: ...ission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for add Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the ou social committee dc example dc com suffix in the target directory entry field 6 On the Hosts tab click Add to display the Add Host Filter dialog box In the DNS host filter field type example c...

Page 241: ...rs Therefore in many cases access control rules that grant critical access to a group or role are often associated with a number of conditions example com for example has created a Directory Administrator role for each of its hosted companies HostedCompany1 and HostedCompany2 It wants these companies to be able to manage their own data and implement their own access control rules while securing it...

Page 242: ... tab in the ACI name field type HostedCompany1 In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area to Users and Groups and type DirectoryAdmin in the Search For field This example assumes that you have created an administrators role with a cn of DirectoryAdmin c Click the...

Page 243: ...00 and ip 255 255 123 234 and authmethod ssl 9 Click OK The new ACI is added to the ones listed in the Access Control Manager window Denying Access If your directory holds business critical information you might specifically want to deny access to it For example example com wants all subscribers to be able to read billing information such as connection time or account balance under their own entri...

Page 244: ... users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkboxes for search and read rights Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the ou subscribers dc example dc com suffix in the target directory entry field In the attribute table tick the checkboxes for the connectionTim...

Page 245: ...box is displayed b Set the Search area in the Add Users and Groups dialog box to to Special Rights and select Self from the Search results list c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write Make sure the other checkboxes are clear 5 Click the Edit M...

Page 246: ...s JPEG photo and manager attributes for all members of the accounting organization Before you can set these permissions you must create the accounting branch point ou accounting dc example dc com You can create organizational unit branch points using the directory tab on the Directory Server Console Allowing Users to Add or Remove Themselves From a Group Many directories set ACIs that allow users ...

Page 247: ... All Authenticated Users in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for selfwrite Make sure the other checkboxes are clear 5 On the Targets tab type dc example dc com suffix in the target directory entry field In the attribute table tick the checkbox for the member attribute All other checkb...

Page 248: ...lication to gain access to the Accounting subtree using the same access permissions as the Accounting Administrator The Accounting Administrator must have access permissions to the ou Accounting dc example dc com subtree For example the following ACI grants all rights to the Accounting Administrator entry aci target ldap ou Accounting dc example dc com targetattr version 3 0 acl allowAll AcctAdmin...

Page 249: ...u can view all of the ACIs that apply to a particular entry through the Access Control Manager 1 In the Directory Console on the Directory tab right click the entry in the navigation tree and select Set Access Permissions The Access Control Manager is displayed It contains a list of the ACIs belonging to the selected entry 2 Check the Show Inherited ACIs checkbox to display all ACIs created on ent...

Page 250: ...4 on page 251 shows a directory tree in which using macro ACIs is an effective way of reducing the overall number of ACIs In this illustration note the repeating pattern of subdomains with the same tree structure ou groups ou people This pattern is also repeated across the tree because the example com directory tree stores the following suffixes dc hostedCompany2 dc example dc com and dc hostedCom...

Page 251: ...xample directory tree for Macro ACIs The following ACI is located on the dc hostedCompany1 dc example dc com node aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com ...

Page 252: ...agedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc subdomain1 dc hostedCompany2 dc example dc com In the four ACIs shown above the only differentiator is the DN specified in the groupdn keyword By using a macro for the DN it is possible to replace these ACIs by a single ACI at the root of the tree on the dc example dc com node This ACI reads as fol...

Page 253: ...ttr you must define a target that contains dn In short you when using any macro you always need a target definition that contains the dn macro You can combine the dn macro and the attr attrName macro Macro Matching for dn The dn macro is replaced by the matching part of the resource targeted in an LDAP request For example you have an LDAP request targeted at the cn all ou groups dc subdomain1 dc h...

Page 254: ...whether access is granted or not Macro Matching for dn The matching mechanism for dn is slightly different than for dn The DN of the targeted resource is examined several times each time dropping the left most RDN component until a match is found For example you have an LDAP request targeted at the cn all ou groups dc subdomain1 dc hostedCompany1 dc example dc com subtree and the following ACI aci...

Page 255: ...main access allow read search groupdn ldap cn DomainAdmins ou Groups dn dc example dc com It grants access to the members of cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com to all of the subdomains under dc hostedCompany1 so an administrator belonging to that group could access for example the subtree ou people dc subdomain1 1 dc subdomain1 However at the same time members of cn Doma...

Page 256: ...tedCompany1 dc example dc com ou People dc HostedCompany1 dc example dc com In this case when the Directory Server evaluates the ACI it performs a logical OR on the following expanded expressions roledn ldap cn DomainAdmins ou Engineering dc HostedCompany1 dc example dc com roledn ldap cn DomainAdmins ou People dc HostedCompany1 dc example dc com Access Control and Replication ACIs are stored as a...

Page 257: ...dy displayed is 8192 replication debugging you should change the value to 8320 For complete information on error log levels refer to Netscape Directory Server Configuration Command and File Reference 4 Click OK to dismiss the Property Editor Compatibility with Earlier Releases Some ACI keywords that were used in earlier releases of Directory Server have been deprecated in Directory Server 6 02 How...

Page 258: ...Compatibility with Earlier Releases 258 Netscape Directory Server Administrator s Guide May 2002 ...

Page 259: ...to users depending upon their bind DNs This chapter contains the following sections Managing the Password Policy page 259 Inactivating Users and Roles page 268 Setting Resource Limits Based on the Bind DN page 271 Managing the Password Policy A password policy minimizes the risks of using passwords by enforcing the following Users must change their passwords according to a schedule Users must prov...

Page 260: ...syntax and password history details Bind information The bind information includes tracking bind failures and password aging attributes This section describes the following procedures for configuring your password policy Configuring the Password Policy Using the Console Configuring the Password Policy Using the Command Line After configuring your password policy we recommend that you configure an ...

Page 261: ... to change their passwords periodically select the Password expires after X days radio button and then enter the number of days that a user password is valid 9 If you have turned selected the Password expire after X days radio button you need to specify how long before the password expires to send a warning to the user In the Send Warning X Days Before Password Expires text enter the number of day...

Page 262: ...ult passwordChange When on this attribute indicates that users may change their own password Choosing for users to set their own passwords runs the risk of users choosing passwords that are easy to remember However setting good passwords for the user requires a significant administrative effort In addition providing passwords to users that are not meaningful to them runs the risk that users will w...

Page 263: ...vial word is any value stored in the uid cn sn givenName ou or mail attributes of the user s entry This attribute is off by default passwordMinLength This attribute specifies the minimum number of characters that must be used in passwords Shorter passwords are easier to crack You can require passwords that are 2 to 512 characters long Generally a length of 6 to 8 characters is long enough to be di...

Page 264: ...ing users can reuse old passwords passwordInHistory This attribute indicates the number of passwords the directory stores in the history You can store from 2 to 24 passwords in the history This feature is not enabled unless the passwordHistory attribute is set to on This attribute is set to 6 by default passwordStorageScheme This attribute specifies the type of encryption used to store Directory S...

Page 265: ... into the directory by repeatedly trying to guess a user s password You can set up your password policy so that a specific user is locked out of the directory after a given number of failed attempts to bind Configuring the account lockout policy is described in the following sections Configuring the Account Lockout Policy Using the Console Configuring the Account Lockout Policy Using the Command L...

Page 266: ...out Policy Attributes Attribute Name Definition passwordLockout This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts You set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute You can lock users out for a specific time or until an administrator resets the password This attr...

Page 267: ...ute specifies the time in seconds after which the password failure counter will be reset Each time an invalid password is sent from the user s account the password failure counter is incremented If the passwordLockout attribute is set to on users will be locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute The account is locked o...

Page 268: ...n for example the server identities need to have passwords that never expire To make sure that these special users have passwords that do not expire add the passwordExpirationTime attribute to the entry and give it a value of 20380119031407Z the top of the valid range Inactivating Users and Roles You can temporarily inactivate a single user account or a set of accounts Once inactivated a user cann...

Page 269: ... view the state of the object by selecting Inactivation State from the View menu The icon of the object then appears in the right pane of the console with a red slash through it Inactivating User and Roles Using the Command Line To inactivate a user account use the ns inactivate pl script The following example describes using the ns inactivate pl script to inactivate Joe Frasier s user account ns ...

Page 270: ...pane The right pane states that the role or user is activated Click Activate to activate the user or role 4 If the user or role is a member of another inactivated role the console displays an option for viewing the inactivated roles Click Show Inactivated Roles to view the list of roles to which the user or role belongs 5 Click OK when you are finished Once reactivated you can view the state of th...

Page 271: ...the Bind DN You can control server limits for search operations using special operational attribute values on the client application binding to the directory You can set the following search operation limits Look through limit Specifies how many entries can be examined for a search operation Size limit Specifies the maximum number of entries the server returns to a client application in response t...

Page 272: ...e navigation tree in the left navigation pane and double click the user or role for which you want to set resource limits The Edit Entry dialog box appears 3 Click Account in the left pane The right pane contains the four limits you can set in the Resource Limits section Entering a value of 1 indicates no limit 4 Click OK when you are finished Setting Resource Limits Using the Command Line The fol...

Page 273: ...t a search return size limit of 500 entries nsSizeLimit Specifies the maximum number of entries the server returns to a client application in response to a search operation Giving this attribute a value of 1 indicates that there is no limit nsTimeLimit Specifies the maximum time the server spends processing a search operation Giving this attribute a value of 1 indicates that there is no time limit...

Page 274: ...Setting Resource Limits Based on the Bind DN 274 Netscape Directory Server Administrator s Guide May 2002 ...

Page 275: ...pter includes the following topics Replication Overview page 276 Replication Scenarios page 280 Summary of Steps for Complex Replication Configurations page 285 Detailed Replication Tasks page 286 Configuring Single Master Replication page 292 Configuring Multi Master Replication page 296 Configuring Cascading Replication page 301 Making a Replica Updatable page 307 Deleting the Change Log page 30...

Page 276: ...y Replication Agreement Compatibility with Earlier Versions of Directory Server Read Write Replica Read Only Replica A database that participates in replication is defined as a replica There are two kinds of replicas read write or read only A read write replica contains master copies of directory information and can be updated A read only replica refers all update operations to read write replicas...

Page 277: ...nge log is a record that describes the modifications that have occurred on a replica The supplier server then replays these modifications to the replicas stored on consumer servers or to other suppliers in the case of multi master replication When an entry is modified a change record describing the LDAP operation that was performed is recorded in the change log In Directory Server the format of th...

Page 278: ...rver that receives updates from another server that is on every hub supplier or a dedicated consumer When you configure a replica that receives updates from another server you must specify this entry as the one authorized to perform replication updates When you configure the replication agreement on the supplier server you must specify the DN of this entry in the replication agreement This entry m...

Page 279: ...replication mechanism in this version of Directory Server is different from the mechanism used in earlier versions of Directory Server Compatibility is provided through the Legacy Replication Plug in The legacy replication plug in makes Directory Server behave as a 4 x Directory Server in a consumer role For information on how to implement legacy replication using this plug in refer to Replication...

Page 280: ...ad write replica on one server called the supplier server The supplier server also maintains change log for this replica On another server called the consumer server you have as many read only replicas as you like Such scenarios are called single master configurations Figure 8 1 shows an example of single master replication NOTE Whatever replication scenario you choose to implement remember to con...

Page 281: ...replicated to two read only replicas located on Server B and Server C For information on setting up a single master replication environment refer to Configuring Single Master Replication on page 292 Multi Master Replication Directory Server also supports complex replication scenarios in which the same suffix database can be mastered on two servers This suffix is held in a read write replica on eac...

Page 282: ...te requests that they receive Such scenarios are called multi master configurations Figure 8 2 shows an example of multi master replication scenario Figure 8 2 Multi Master Replication Multi master configurations have the following advantages Automatic write failover when one supplier is inaccessible Updates are made on a local supplier in a geographically distributed environment NOTE Replication ...

Page 283: ... for a particular replica It holds a read only replica and maintains a change log It receives updates from the supplier server that holds the master copy of the data and in turn supplies those updates to the consumer Cascading replication is very useful when you need to balance heavy traffic loads or have supplier servers based locally in geographically distributed environments Figure 8 3 shows an...

Page 284: ...n on setting up cascading replication refer to Configuring Cascading Replication on page 301 NOTE You can combine multi master and cascading replication For example in the multi master scenario illustrated in Figure 8 2 on page 282 Server C and Server D could be hub suppliers that would replicated to any number of consumer servers ...

Page 285: ...r supplier DN entry Specify the supplier settings for replication includes change log configuration Specify the replica settings for a read write replica 3 On all suppliers Create the replica databases Specify the supplier settings for replication includes change log configuration Specify the replica settings for a read write replica 4 Configure replication agreements on all suppliers Between supp...

Page 286: ...ntry that the suppliers will use to bind to the consumer servers to perform replication updates The supplier bind DN must meet the following criteria It must be unique It must be created on the consumer server or hub supplier and not on the supplier server It must correspond to an actual entry on the consumer server It must be created on every server that receives updates from another server It mu...

Page 287: ... passwords expiring To disable the password expiration policy on the userPassword attribute add the passwordExpirationTime attribute with a value of 20380119031407Z which means that the password will never expire When you configure a replica as a consumer you must use the DN of this entry to define the supplier bind DN Configuring Supplier Settings On any server that holds the master copy of a rep...

Page 288: ...click Browse to display a file selector 6 Set the change log number and age parameters You must clear the unlimited checkboxes to specify different values 7 Click Save to save the supplier settings Configuring a Read Write Replica For each read write replica you must specify the appropriate replication settings To configure a read write replica 1 In the Directory Server Console click the Configura...

Page 289: ...ee Using the Directory Server Console on page 28 2 In the left navigation tree expand the Replication folder and highlight the replica database The Replica Settings tab is displayed in the right navigation window 3 Check the Enable Replica checkbox 4 In the Replica Role section select the Dedicated Consumer option 5 In the Common Settings section specify a purge delay in the Purge delay field This...

Page 290: ...rm ldap servername port If you want clients to bind to the supplier using SSL you can use this field to specify a referral of the form ldaps servername port where the s in ldaps indicates secure connections In the case of cascading replication referrals are automatically sent to the hub supplier which in turn refers the request to the original master Therefore you should set a referral to the orig...

Page 291: ...rred to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replication agreement that includes the current replica You can choose to either add the supplier servers that you specify to the automatically generated list or to use the supplier servers that you specify to replace the automatically generated list of servers 9 Click Sa...

Page 292: ...ion agreement icon indicates that your replication agreement is set up Configuring Single Master Replication This section provides information on configuring single master replication The steps described in this section provide a high level overview of the procedure you need to follow Cross references to the detailed task descriptions are provided at each step To set up single master replication s...

Page 293: ...lication settings required for a read only replica a In the Directory Server Console click the Configuration tab b In the navigation tree expand the Replication folder and highlight the replica database The Replica Settings tab is displayed in the right hand side of the window c Check the Enable Replica checkbox d In the Replica Role section select the Dedicated Consumer radio button e In the Comm...

Page 294: ...udes the current replica Automatic referrals assume that clients will bind over a regular connection and therefore are of the form ldap servername port If you want clients to bind to the supplier using SSL you can use this field to specify a referral of the form ldaps servername port where the s in ldaps indicates secure connections 4 Click Save to save the replication settings for the replica 5 R...

Page 295: ...the IDs used for read write replicas on this server and on other servers e In the Common Settings section specify a purge delay in the Purge delay field This option indicates how often the state information stored in the replicated entries is purged f Click Save to save the replication settings for the database 3 Create a replication agreement You must create one replication agreement for each rea...

Page 296: ...to the detailed task descriptions are provided at each step To set up multi master replication such as the configuration shown in Figure 8 2 on page 282 between two suppliers Server A and Server B that each hold a read write replica and two consumers Server C and Server D that each hold a read only replica you need to perform the following procedures Configuring the Read Only Replicas on the Consu...

Page 297: ... tab is displayed in the right hand side of the window c Check the Enable Replica checkbox d In the Replica Role section select the Dedicated Consumer radio button e In the Common Settings section specify a purge delay in the Purge delay field This option indicates how often the state information stored in the replicated entries is purged f In the Replica Update Settings section specify the bind D...

Page 298: ...e of the form ldap servername port If you want clients to bind to the supplier using SSL you can use this field to specify a referral of the form ldaps servername port where the s in ldaps indicates secure connections 4 Click Save to save the replication settings for the replica 5 Repeat these steps for every read only replica in your replication configuration Configuring the Read Write Replicas o...

Page 299: ...emember to disable it to prevent replication from failing due to passwords expiring To disable the password expiration policy on the userPassword attribute add the passwordExpirationTime attribute with a value of 20380119031407Z which means that the password will never expire 3 On Server A and Server B specify the replication settings for the multi mastered read write replica a In the navigation t...

Page 300: ...o save the replication settings for the database 4 On Server A set up the following replication agreements One with supplier Server B where B is configured as a consumer for the replica One for each consumer Server C and Server D a In the navigation tree on the Configuration tab right click the database to replicate and select New Replication Agreement Alternatively highlight the database and sele...

Page 301: ...lication In the case of multi master replication you should initialize replicas in the following order 1 Ensure one master has the complete set of data to replicate Use this master to initialize the replica on the other master in the multi master replication set 2 Initialize the replicas on the consumer servers from any one of the two masters For information on initializing replicas refer to Initi...

Page 302: ...ver 1 On the consumer server create the database for the replica if it does not exist For instructions refer to Creating Suffixes on page 76 2 On the consumer server create the entry corresponding to the supplier bind DN if it does not exist This is the special entry that the supplier will use to bind 3 On the consumer server specify the replication settings for the read only replica a In the Dire...

Page 303: ...referred to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replication agreement that includes the current replica In the case of cascading replication referrals are automatically sent to the hub supplier which in turn refers the request to the original master Therefore you should set a referral to the original master to repl...

Page 304: ... exist This is the special entry that the supplier will use to bind a In the Directory Server Console click the Directory tab and create an entry For example you could use cn Replication Manager cn config b Specify a userPassword attribute value pair c If you have enabled the password expiration policy or intend to do so in the future you must remember to disable it to prevent replication from fai...

Page 305: ... entry DN field Click Add You supplier bind DN will appear in the Current Supplier DNs or entry DNs to which the supplier s certificate is mapped field directly above Repeat the operation for every supplier bind DN you want to include in the list Click Save when you have finished This supplier bind DN should correspond to the entry created in Step 2 Note that the supplier bind DN corresponds to a ...

Page 306: ...efault button or click the Browse button to display a file selector f Set the change log parameters number and age You must clear the unlimited checkboxes if you want to specify different values g Click Save to save the supplier settings 2 Specify the required replication settings a In the navigation tree on the Configuration tab expand the Replication node and highlight the database to replicate ...

Page 307: ...he following order 1 Use the supplier server to initialize the replica on the hub supplier 2 From the hub supplier initialize the replica on the consumer For information on initializing replicas refer to Initializing Consumers on page 309 Making a Replica Updatable To make a read only server writable follow this procedure 1 Make sure there are no updates in progress 2 Stop the master server 3 Open...

Page 308: ...cess afresh To delete the change log you can either remove it or move it to a new location This section contains the information for the following procedures Removing the Change Log Moving the Change Log to a New Location Removing the Change Log You can remove the change log using the Directory Server Console To remove the change log from the supplier server 1 On the Directory Server Console selec...

Page 309: ...lizing consumers This section is divided into the following parts When to Initialize a Consumer Online Consumer Initialization Using the Console Manual Consumer Initialization Using the Command Line When to Initialize a Consumer Consumer initialization involves copying data from the supplier server to the consumer server Once the subtree has been physically placed on the consumer the supplier serv...

Page 310: ...r online 1 Create a replication agreement See Creating a Replication Agreement on page 291 2 On the supplier server on the Directory Server Console select the Configuration tab 3 Expand the Replication folder then expand the replicated database Right click the replication agreement and choose Initialize Consumer from the pop up menu A message is displayed to warn you that any information already s...

Page 311: ...l consumer initialization process is more complex than the online consumer initialization process We suggest you use the manual process whenever you find that the online process is inappropriate due to performance concerns This section is divided into the the following parts Manual Consumer Initialization Overview Exporting a Replica to LDIF Importing the LDIF File to the Consumer Server Manual Co...

Page 312: ...s in the Directory Server Console or by using either the ldif2db script or ldif2db pl script Both import methods are described in Importing From the Command Line on page 143 If you use the ldif2db script remember to bind using the supplier bind DN configured on the consumer server Forcing Replication Updates When you stop a Directory Server involved in replication for regular maintenance when it c...

Page 313: ... the Console To ensure that replication updates are sent immediately when a consumer or a supplier in a multi master replication configuration comes back online after a period of time you can perform these steps on the supplier server that holds the most recent version of the directory information 1 On the Directory Server Console click the Configuration tab expand the Replication folder and the d...

Page 314: ...in sh SUP_HOST supplier_hostname SUP_PORT supplier_portnumber SUP_MGRDN supplier_directoryManager SUP_MGRPW supplier_directoryManager_passwd MY_HOST consumer_hostname MY_PORT consumer_portnumber ldapsearch 1 T h SUP_HOST p SUP_PORT D SUP_MGRDN w SUP_MGRPW b cn mapping tree cn config objectclass nsds5replicationagreement nsDS5ReplicaHost MY _HOST nsDS5ReplicaPort MY_PORT dn nsds5ReplicaUpdateSchedu...

Page 315: ...w SUP_MGRPW f tmp ldif Table 8 1 Replicate_Now Variables Variable Definition supplier_hostname Hostname of the supplier to contact for information on replication agreements with the current consumer supplier_portnumber LDAP port in use on the supplier supplier_directoryManager DN of the privileged Directory Manager user on the supplier supplier_directoryManager_passwd Password of the privileged Di...

Page 316: ...SSL Configure your consumer server to recognize your supplier server s certificate as the supplier DN You do this only if you want to use SSL client authentication rather than simple authentication These procedures are described in Chapter 11 Managing SSL When your servers are configured to use SSL you can ensure replication operations occur over SSL connections by using the Replication Wizard whe...

Page 317: ...ion If you select SSL Client Authentication the supplier and consumer servers will use certificates to authenticate to each other If you select Simple Authentication the supplier and consumer servers will use a bind DN and password to authenticate to each other You must specify this information in the text fields provided When you specify this option simple authentication takes place over a secure...

Page 318: ...ory Server can be involved in replication scenarios with earlier releases of Directory Server providing the following conditions are met Directory Server is defined as a consumer in the replication agreement The legacy suppliers can be Directory Server 4 0 4 1 4 11 and 4 12 The following restrictions apply A legacy Directory Server and this version of Directory Server cannot update the same replic...

Page 319: ...st contain at least 8 characters 5 Click Save You must now configure legacy consumer settings for each replica that will receive updates from a legacy supplier 6 In the navigation tree expand the Replication node and select a replica that will receive updates from the legacy supplier 7 On the Replication tab in the right pane check the Enable Replication and the Enable Legacy Consumer checkboxes T...

Page 320: ...e level of entries Each entry in the change log has the object class changeLogEntry and can include the attributes listed in Table 8 2 NOTE The Directory Server Console will not prevent you from configuring a database as a read write replica and enabling legacy consumer settings This makes migration easier because you can configure your Directory Server as you want it to be after the migration and...

Page 321: ...Retro Changelog Plugin cn plugins cn config cn Retro Changelog Plugin changetype modify replace nsslapd pluginenabled nsslapd pluginenabled on 2 Use the ldapmodify command to import the LDIF file into the directory For more information on the ldapmodify command refer to Managing Entries From the Command Line on page 50 and Netscape Directory Server Configuration Command and File Reference changes ...

Page 322: ...ich entries are automatically deleted from the change log you must set the nsslapd changelogmaxage configuration attribute in the cn Retro Changelog Plugin cn plugins cn config entry The nsslapd changelogmaxage attribute is a single valued attribute Its syntax is as follows nsslapd changelogmaxage Integer timeUnit where integer represents a number and timeUnit can be one of the following s for sec...

Page 323: ...ly to the Directory Manager You should not grant read access to anonymous users because the change log entries can contain modifications to sensitive information such as passwords Only authenticated applications and users should be allowed to access this information To modify the default access control policy which applies to the retro change log you can modify the aci attribute of the cn changelo...

Page 324: ...ample you could use the following ldapsearch command Table 8 3 Directory Server Console Replication Status Table Header Description Agreement Contains the name you provided when you set up the replication agreement Replica suffix Contains the suffix that is replicated Supplier Specifies the supplier server in the agreement Consumer Specifies the consumer server in the agreement Number of changes I...

Page 325: ...c conflict resolution procedure renames the last entry created by including the entry s unique identifier in the DN Every directory entry includes a unique identifier given by the operational attribute nsuniqueid When a naming conflict occurs this unique ID is appended to the non unique DN For example the entry uid adamss ou people dc example dc com is created on Server A at time t1 and on Server ...

Page 326: ...e For example prompt ldapmodify D adminDN w passwd dn uid NewValue dc example dc com changetype modify delete uid uid adamss delete nsds5ReplConflict For more information on the ldapmodify command refer to Managing Entries From the Command Line on page 50 and Netscape Directory Server Configuration Command and File Reference Renaming an Entry with a Single Valued Naming Attribute To rename an entr...

Page 327: ...oldrdn attribute to 0 For more information on the ldapmodify command refer to Managing Entries From the Command Line on page 50 and Netscape Directory Server Configuration Command and File Reference Solving Orphan Entry Conflicts When a delete operation is replicated and the consumer server finds that the entry to be deleted has child entries the conflict resolution procedure creates a glue entry ...

Page 328: ...ely on attribute uniqueness such as a mail server you might need to restrict access to the entries which contain the nsds5ReplConflict attribute If you do not restrict access to these entries then the applications requiring one attribute only will pick up both the original entry and the conflict resolution entry containing the nsds5ReplConflict and operations will fail To restrict access you need ...

Page 329: ...ion Conflicts Chapter 8 Managing Replication 329 For more information on the ldapmodify command refer to Managing Entries From the Command Line on page 50 and Netscape Directory Server Configuration Command and File Reference ...

Page 330: ...Solving Common Replication Conflicts 330 Netscape Directory Server Administrator s Guide May 2002 ...

Page 331: ...s to your schema you must create a new object class to contain them Although it may seem convenient to just add the attributes you need to an existing object class that already contains most of the attributes you require doing so compromises interoperability with LDAP clients Interoperability of Directory Server with existing LDAP clients relies on the standard LDAP schema If you change the standa...

Page 332: ...owing sections describe how to manage attributes Viewing Attributes Creating Attributes Editing Attributes Deleting Attributes For information on managing object classes see Managing Object Classes on page 335 Viewing Attributes To view information about all attributes that currently exist in your directory schema 1 On the Directory Server Console select the Configuration tab 2 In the left navigat...

Page 333: ... your enterprise send mail to the IANA Internet Assigned Number Authority at iana iana org or visit the IANA website at http www iana org Syntax The attribute syntax Case Ignore String Indicates that values for this attribute are not case sensitive Case Exact String Indicates that values for this attribute are case sensitive Distinguished Name Indicates that values for this attribute are DNs Binar...

Page 334: ...ne instance of a multi valued attribute per entry 7 Click OK Editing Attributes You can edit only attributes you have created You cannot edit standard attributes To edit an attribute 1 Display the Attributes tab This procedure is explained in Viewing Attributes on page 332 2 Select the attribute that you want to edit in the User Defined Attributes table and click Edit The Edit Attribute dialog box...

Page 335: ...in Viewing Attributes on page 332 2 In the User Defined Attributes table select the attribute and click Delete 3 If prompted confirm the delete The server immediately deletes the attribute There is no undo Managing Object Classes You can use Directory Server Console to manage your schema s object classes Through the Console you can view all of your schema s object classes and create edit and delet...

Page 336: ...tionalPerson Typically if you want to add new attributes for user entries the parent would be the inetOrgPerson object class If you want to add new attributes for corporate entries the parent is usually organization or organizationalUnit If you want to add new attributes for group entries the parent is usually groupOfNames or groupOfUniqueNames OID The object identifier of the object class An OID ...

Page 337: ...m the Parent drop down menu You can choose from any existing object class See Table 9 2 on page 336 for more information on parent object classes 6 To add an attribute that must be present in entries that use the new object class highlight the attribute in the Available Attributes list and then click the Add button to the left of the Required Attributes box You can use either the standard attribut...

Page 338: ...you want to edit from the Object Classes list and click Edit The Edit Object Class dialog box is displayed 3 To change the name of the object class enter the new name in the Name text box 4 To change the object identifier for the object class enter the new OID in the OID Optional text box OIDs are described in Table 9 2 on page 336 5 To change the parent object for the object class select the new ...

Page 339: ...emove and click Delete 3 If prompted confirm the delete The server immediately deletes the object class There is no undo Turning Schema Checking On and Off When schema checking is on the Directory Server ensures that The object classes and attributes you are using are defined in the directory schema The attributes required for an object class are contained in the entry Only attributes allowed by t...

Page 340: ...n tree then select the Settings tab in the right pane 3 To enable schema checking check the Enable Schema Checking checkbox clear it to turn off schema checking 4 Click Save You can also turn schema checking on and off by using the nsslapd schemacheck attribute For information see the Netscape Directory Server Configuration Command and File Reference ...

Page 341: ... indexing mechanism in context and then describes how to create delete and manage indexes This chapter contains the following sections About Indexes page 341 Creating Indexes page 350 Deleting Indexes page 359 Managing Indexes page 367 Attribute Name Quick Reference Table page 372 About Indexes This section provides an overview of indexing in Directory Server It contains the following topics About...

Page 342: ...he presence index is not used for base object searches Equality index eq The equality index allows you to search efficiently for entries containing a specific attribute value For example an equality index on the cn attribute allows a user to perform the search for cn Babs Jensen far more efficiently Approximate index approx The approximate index allows efficient approximate or sounds like searches...

Page 343: ...he ou people branch You can create a browsing index on any branchpoint in the directory tree to improve display performance You do this through the Directory Server Console or by using the vlvindex command line tool About Default System and Standard Indexes When you install Directory Server a set of default and system indexes is created per database instance To maintain these indexes the directory...

Page 344: ...plug in See Netscape Directory Server Administrator s Guide for more information seeAlso X Improves Netscape server performance This index is also used by the referential integrity plug in See Maintaining Referential Integrity on page 68 for more information sn X X X Improves the performance of the most common types of user directory searches telephoneNumber X X X Improves the performance of the m...

Page 345: ...mber Overview of the Searching Algorithm Indexes are used to speed up searches To understand how the directory uses indexes it helps to understand the searching algorithm Each index contains a list of attributes such as the cn common name attribute and a pointer to the entries corresponding to each value Directory Server processes a search request as follows 1 An LDAP client application such as Ne...

Page 346: ...rectory consults multiple indexes and then combines the resulting lists of candidate entries 4 If there is an index for the attribute the directory takes the candidate matches from the index files in the form of a series of entry ID numbers 5 The directory uses the returned entry ID numbers to read the corresponding entries from the id2entry db3 file The Directory Server then examines each of the ...

Page 347: ... in the entry string All of the query string codes are in the same order as the entry string codes For example NOTE The metaphone phonetic algorithm in Directory Server 5 0 supports only US ASCII letters Therefore use approximate indexing only with English values Name in the directory Phonetic code Query string Phonetic code Match comments Alice B Sarette ALS B SRT Alice Sarette ALS SRT Matches Co...

Page 348: ...gh the search performance may be degraded significantly depending on the type of search Keep in mind that the more indexes you maintain the more disk space you will require The following example illustrates exactly how time consuming indexes can become Consider the procedure for creating a specific attribute 1 The Directory Server receives an add or modify operation 2 The Directory Server examines...

Page 349: ...or Bill and Bill Pumice 2 Create the appropriate common name approximate index entries for Bill and Bill Pumice 3 Create the appropriate common name substring index entries for Bill and Bill Pumice 4 Create the surname equality index entry for Pumice 5 Create the appropriate surname approximate index entry for Pumice 6 Create the appropriate surname substring index entries for Pumice 7 Create the ...

Page 350: ... equality approximate substring and international indexes for specific attributes To create indexes 1 On the Directory Server Console select the Configuration tab NOTE Given that this version of Directory Server can operate in either a single or multi database environment you need to remember to create your new indexes in every database instance since newly created indexes are not automatically cr...

Page 351: ...using multiple languages by listing multiple OIDs separated by commas but no whitespace For a list of languages their associated OIDs and further information regarding collation orders see Appendix D Internationalization 8 Click Save The Indexes dialog box appears displaying the status of the index creation and informing you when the indexes have been created You can click on the Status Logs box t...

Page 352: ...orresponds to the name of the database For information on the LDIF update statements required to add entries see LDIF Update Statements on page 58 For example you want to create presence equality and substring indexes for the sn surname attribute in the Example1 database NOTE You cannot create new system indexes because system indexes are hard coded in Directory Server NOTE Avoid creating entries ...

Page 353: ...nt to index in this example the sn attribute The entry is a member of the nsIndex object class The nsSystemIndex attribute is false indicating that the index is not essential to Directory Server operations The multi valued nsIndexType attribute specifies the presence pres equality eq and substring sub indexes Note that each keyword has to be entered on a separate line The nsMatchingRule attribute ...

Page 354: ...mmand and File Reference Running the db2index pl Script Once you have created an indexing entry or added additional index types to an existing indexing entry run the db2index pl script to generate the new set of indexes to be maintained by the Directory Server Once you run the script the new set of indexes is active for any new data you add to your directory and any existing data in your directory...

Page 355: ...ion Command and File Reference Creating Browsing Indexes From the Server Console To create a browsing index using the Directory Server Console 1 On the Directory Server Console select the Directory tab 2 Select the entry for which you want to create the index in the left navigation tree for example People and select Create Browsing Index from the Object menu You can also select and right click the...

Page 356: ...lowing sections describe the steps involved in creating browsing indexes Adding a Browsing Index Entry The type of browsing index entry we want to create depends on the type of ldapsearch attribute sorting we want to accelerate It is important to take the following items into account The scope of the search base one sub For more information on the ldapsearch s option which allows you to specify th...

Page 357: ...ectClass top objectClass vlvSearch cn dc example dc com vlvbase dc example dc com vlvscope one vlvfilter objectclass objectclass ldapsubentry The cn contains the browsing index identifier which specifies the entry on which you want to create the browsing index in this example the dc example dc com entry We recommend you use the dn of the entry for your browsing index identifier which is the approa...

Page 358: ...then sn Running the vlvindex Script Once you have created the two browsing indexing entries or added additional attribute types to an existing indexing browsing entries run the vlvindex script to generate the new set of browsing indexes to be maintained by the Directory Server Once you run the script the new set of browsing indexes is active for any new data you add to your directory and any exist...

Page 359: ...d browsing indexes for specific attributes As the procedure for deleting browsing indexes is different it is covered in a separate section This section contains the following procedures Deleting Indexes From the Server Console Deleting Indexes From the Command Line Deleting Browsing Indexes From the Server Console Deleting Browsing Indexes From the Command Line Option Name Description n Name of th...

Page 360: ...lar attribute select the attribute s cell under Attribute Name and click Delete Attribute 4 Click Save A Delete Index warning dialog box appears asking you to confirm that you want to delete the index Click Yes to delete the index 5 The Delete Browsing Index dialog box appears displaying the status of the index deletion You can click on the Status Logs button to view the status of the indexes dele...

Page 361: ...to delete the indexes for a particular database you remove your index entry from the cn index cn instanceName cn ldbm database cn plugins cn config entry where cn instanceName corresponds to the name of the database To delete a default index remove it from the cn default indexes cn config cn ldbm database cn plugins cn config entry For example you want to delete presence equality and substring ind...

Page 362: ... set of indexes to be maintained by the Directory Server Once you run the script the new set of indexes is active for any new data you add to your directory and any existing data in your directory To run the db2index pl perl script 1 From the command line change to the following directory usr netscape servers slapd serverID where serverID is the name of your Directory Server 2 Run the db2index pl ...

Page 363: ... Indexes From the Server Console Using Directory Server Console you can delete browsing indexes To delete a browsing index using the Directory Server Console 1 On the Directory Server Console select the Database tab 2 Select the entry from which you want to delete the index in the navigation tree for example People and select Delete Browsing Index from the Object menu You can also select and right...

Page 364: ...rowsing index entries To delete browsing indexes for a particular database you remove your browsing index entries from the cn index cn instanceName cn ldbm database cn plugins cn config entry where cn instanceName corresponds to the name of the database For example you want to delete a browsing index for accelerating ldapsearch operations on the entry dc example dc com held in the Example1 databas...

Page 365: ...formation on ldapdelete options refer to the Netscape Directory Server Configuration Command and File Reference Once you have deleted these two browsing index entries the browsing index for accelerating ldapsearch operations on the entry dc example dc com held in the Example1 database where the search base is dc example dc com the search filter is objectclass objectclass ldapsubentry the scope is ...

Page 366: ...rID is the name of your Directory Server 2 Run the vlvindex script For more information about using the vlvindex script refer to Netscape Directory Server Configuration Command and File Reference Two examples of creating indexes using vlvindex follow Windows batch file you need to run the script from the bin slapd admin bin perl directory as shown in the example bin slapd admin bin perl vlvindex n...

Page 367: ...e search request will allow the server to narrow its candidate list before processing the request The following sections examine the benefits and drawbacks of the All IDs mechanism They also give advice for the tuning of the All IDs Threshold Benefits of the All IDs Mechanism The All IDs mechanism is an important mechanism for improving search performance in those cases where the search results wo...

Page 368: ...e quite large but it will still be a list that is necessary for search performance If your directory grows large enough that so many cn James entries are added that the All IDs threshold is met then the cn James entry ID list is replaced with an All IDs token Every time you search for cn James the Directory Server will examine every single entry in the directory in response to the search request W...

Page 369: ...ld Suppose for example that your current directory is 50 000 entries in size However in the next few years you expect your directory to grow 1 000 000 entries If you set your All IDs Threshold to 5 percent of 50 000 2 500 then when your directory grows to 1 000 000 entries you will have a performance problem 2 500 entries is too low for a database containing 1 000 000 entries because the lower lim...

Page 370: ...for Service Providers and Extranets For hosting service providers extranet directories and directories with over 80 000 entries tuning advice is available from Netscape Professional Services Default All IDs Threshold Value By default the Directory Server is set to an All IDs Threshold of 4000 This value is suitable for a database of up to 80 000 entries If you expect your databases to be larger th...

Page 371: ...n your access log file The SRCH line will show the search filter that was used for the search request If you have an index for the specified search filter then the notes U flag results from the All IDs Threshold value being reached for the index key For example the access log looks as follows 24 July 1998 15 12 20 0800 conn 2 op 1 SRCH base o example com scope 0 filter cn James 24 July 1998 15 12 ...

Page 372: ...creasing your database cache size by the same factor as you increased the All IDs Threshold is an extreme measure If you have the physical memory available try increasing your database cache size by a factor that is 25 percent of your nsslapd allidsthreshold value increase For example if you doubled the All IDs Threshold value increase your database cache size by 50 percent If necessary slowly inc...

Page 373: ...lUnitName facsimileTelephoneNumber fax uid userId mail rfc822mailbox mobile mobileTelephoneNumber pager pagerTelephoneNumber co friendlyCountryName labeledUri labeledUri ttl timeToLive dc domainComponent authorCn documentAuthorCommonName authorSn documentAuthorSurname drink favoriteDrink Table 10 3 Attribute Name Quick Reference Table Continued ...

Page 374: ...Attribute Name Quick Reference Table 374 Netscape Directory Server Administrator s Guide May 2002 ...

Page 375: ...Server page 375 Obtaining and Installing Server Certificates page 377 Activating SSL page 381 Setting Security Preferences page 383 Using Certificate Based Authentication page 385 Configuring LDAP Clients to Use SSL page 386 Introduction to SSL in the Directory Server You can use SSL to secure communications between LDAP clients and the Directory Server between Directory Servers that are bound by ...

Page 376: ...s means that you do not have to choose between SSL or non SSL communications for your Directory Server you can use both at the same time Enabling SSL Summary of Steps To configure your Directory Server to use LDAPS follow these steps 1 Obtain and install a certificate for your Directory Server and configure the Directory Server to trust the certification authority s CA s certificate For informatio...

Page 377: ...ficate Request Step 2 Send the Certificate Request to the Certificate Authority Step 3 Install the Certificate Step 4 Trust the Certificate Authority Step 5 Confirm That Your New Certificates Are Installed You will use the Certificate Request Wizard to generate a certificate request Step 1 and send it to a Certificate Authority Step 2 You then use the Certificate Install Wizard to install the cert...

Page 378: ... character abbreviation for your country s name ISO format The country code for the United States is US The Netscape Schema Reference Guide contains a complete list of ISO Country Codes 5 Enter the password that will be used to protect the private key and click Next The Next field is greyed out until you supply a password When you click Next the Request Submission dialog box is displayed 6 Select ...

Page 379: ...mpany it could take several weeks to respond to your request When the CA sends a response be sure to save the information in a text file You will need the data when you install the certificate You should also back up the certificate data in a safe location If your system ever loses the certificate data you can reinstall the certificate using your backup file Once you receive your certificate you a...

Page 380: ...uthority from which you obtained the server s certificate Step 4 Trust the Certificate Authority Configuring your Directory Server to trust the certificate authority consists of obtaining your CA s certificate and installing it into your server s certificate database This process differs depending on the certificate authority you use Some commercial CAs provide a website that allows you to automat...

Page 381: ...er you should first make sure that the certificates have been installed correctly Step 5 Confirm That Your New Certificates Are Installed 1 On the Directory Server Console select the Tasks tab and click Manage Certificates The Manage Certificates window is displayed 2 Select the Server Certs tab A list of all the installed certificates for the server is displayed 3 Scroll through the list You shou...

Page 382: ...e certificate that you want to use from the drop down menu 7 Click Cipher Settings The Cipher Preference dialog box is displayed 8 Select the checkbox next to the cipher you want to use and click OK to dismiss the Cipher Preference dialog box For more information about specific ciphers see Setting Security Preferences on page 383 9 Set your preferences for client authentication Do not allow client...

Page 383: ...fers to use to encrypt information In any two way encryption process both parties must use the same ciphers There are a number of ciphers available Your server needs to be able to use the ciphers that will be used by client applications connecting to the server Directory Server provides the following SSL 3 0 ciphers RC4 cipher with 40 bit encryption and MD5 message authentication RC2 cipher with 4...

Page 384: ... server to use by selecting them from the list and click OK Unless you have a security reason to not use a specific cipher you should select all of the ciphers except for none MD5 6 On the Encryption tab click Save In order to continue using the Netscape Console with SSL you must select at least one of the following ciphers RC4 cipher with 40 bit encryption and MD5 message authentication No encryp...

Page 385: ...lly takes place when you install a certificate For information on creating a certificate database for a client see Configuring LDAP Clients to Use SSL on page 386 2 Obtain and install a certificate on both the client and the server or on both servers involved in replication 3 Enable SSL on the server or on both servers involved in replication For information on enabling SSL refer to Activating SSL...

Page 386: ...odify the cn encryption cn config entry by changing the value of the nsSSLClientAuth attribute from required to allowed For information on modifying entries from the command line see Chapter 2 Creating Directory Entries 3 Start Directory Server You can now start Netscape Console Configuring LDAP Clients to Use SSL If you want all the users of your Directory Server to use SSL or certificate based a...

Page 387: ... recognize that the Directory Server s certificate has been issued by a trusted CA However if you also want the Directory Server to authenticate clients using the clients certificate you must perform the following additional steps 4 On the client system obtain a client certificate from the CA 5 On your client system install your client certificate Regardless of how you receive your certificate eit...

Page 388: ... the Directory Server modify the directory entry for the user who owns the client certificate to add the userCertificate attribute a Select the Directory tab and navigate to the user entry b Double click the user entry and use the Property Editory to add the userCertificate attribute with the binary subtype When you add this attribute instead of an editable field the server provides a Set Value bu...

Page 389: ... file you created in Step 6 For information on using the Directory Server Console to edit entries refer to Modifying Directory Entries on page 45 You can now use SSL with your LDAP clients For information on how to use SSL with ldapmodify ldapdelete and ldapsearch refer to Netscape Directory Server Configuration Command and File Reference ...

Page 390: ...Configuring LDAP Clients to Use SSL 390 Netscape Directory Server Administrator s Guide May 2002 ...

Page 391: ...tabase Activity page 404 Monitoring Database Link Activity page 410 For information on using SNMP to monitor your Directory Server see Chapter 13 Monitoring Directory Server Using SNMP Viewing and Configuring Log Files Directory Server provides three types of logs to help you better manage your directory and tune performance These logs include Access Log Error Log Audit Log The following aspects a...

Page 392: ...ize or the maximum age defined in the next step the directory archives the file and starts a new one If you set the maximum number of logs to 1 the directory ignores this attribute How often the directory archives the current log file and creates a new one by entering a number of minutes hours days weeks or months If you set the maximum number of logs to 1 the directory ignores this attribute Defi...

Page 393: ... table displays a list of the last 25 entries in the access log 2 To refresh the current display click Refresh Select the Continuous checkbox if you want the display to refresh automatically every ten seconds 3 To view an archived access log select it from the Select Log pull down menu 4 To display a different number of messages enter the number you want to view in the Lines to show text box and t...

Page 394: ...erID logs access 4 Set the maximum number of logs log size and periodicity of archiving For information on these parameters see Defining a Log File Rotation Policy on page 392 5 Set the maximum size of combined archived logs minimum amount of free disk space and maximum age for a log file For information on these parameters see Defining a Log File Deletion Policy on page 392 6 When you have finish...

Page 395: ...he error log 1 On the Directory Server Console select the Configuration tab Then in the navigation tree expand the Logs folder and select the Error Log icon The error log configuration attributes are displayed in the right pane 2 Select the Error Log tab in the right pane 3 To enable error logging select the Enable Logging checkbox Clear this checkbox if you do not want the directory to maintain a...

Page 396: ...wing the Audit Log Before you can view the audit log you must enable audit logging for the directory See Configuring the Audit Log on page 396 for information To view the audit log 1 On the Directory Server Console select the Status tab Then in the navigation tree expand the Logs folder and select the Audit Log icon A table displays a list of the last 25 entries in the audit log 2 To refresh the c...

Page 397: ...or information on these parameters see Defining a Log File Rotation Policy on page 392 5 Set the maximum size of combined archived logs minimum amount of free disk space and maximum age for a log file For information on these parameters see Defining a Log File Deletion Policy on page 392 6 When you have finished making changes click Save Manual Log File Rotation The Directory Server supports autom...

Page 398: ...out using the Directory Server Console to monitor your server and the information available to you in the performance monitor Viewing the Server Performance Monitor To monitor your server s activities using Directory Server Console 1 On the Directory Server Console select the Status tab In the navigation tree select Performance Counters The Status tab in the right pane displays current information...

Page 399: ...ows Server host name Server port number Database generation number Possibly obsolete A unique identifier that is created only when you create your directory database without a machine data entry in the LDIF file Current change log number This is the number corresponding to the last change made to your directory This number starts at one and increments by one for each change made to the database St...

Page 400: ...erage number of bytes sent to clients per minute since server startup Table 12 2 Server Performance Monitoring Current Resource Usage Resource Current total Active Threads Current number of active threads used for handling requests Additional threads may be created by internal server tasks such as replication or chaining Open Connections Total number of open connections Each connection can account...

Page 401: ...ris 2 x only Provides an indication of the level of thread concurrency Databases in use Total number of databases being serviced by the server Table 12 3 Server Performance Monitoring Connection Status Table Header Description Time opened Indicates the time on the server when the connection was initially opened Started Indicates the number of operations initiated by this connection Completed Indic...

Page 402: ...g to the disk Tries The total number of requests performed on your directory since server startup Hit Ratio The ratio of cache tries to successful cache hits The closer this number is to 100 the better Pages read in Indicates the number of pages read from disk into the cache Pages written out Indicates the number of pages written from the cache back to disk Read only page evicts Indicates the numb...

Page 403: ...iated The number of operations initiated by this connection opscompleted The number of operations completed binddn The distinguished name used by this connection to connect to the directory rw The field shown if the connection is blocked for read or write By default this information is available to you only if you bind to the directory as the Directory Manager However you can change the ACI associ...

Page 404: ...n UTC format starttime Identifies the time when the server started The time is displayed in Greenwich mean time GMT in UTC format nbackends Identifies the number of back ends databases the server services concurrency Solaris 2 x only Indicates the current level of thread concurrency backendmonitordn Identifies the DN of each directory database Monitoring Database Activity You can monitor your data...

Page 405: ...ase Performance Monitor Information The directory provides database monitoring information as described in the following sections General Information Database Summary Information Table Database Cache Information Table Database File Specific Table General Information Database The directory provides the following general database information Database Identifies the type of database that you are moni...

Page 406: ... number of disk accesses increases and directory search performance drops To improve this ratio you can increase the number of entries that the directory maintains in the entry cache by increasing the value of the Maximum Entries in Cache attribute See Tuning Database Performance on page 424 for information on changing this value using the Server Console Current entry cache size in bytes Indicates...

Page 407: ...e by increasing the value of the Maximum Cache Size attribute See Tuning Database Performance on page 424 for information on changing this value using the Server Console Pages read in Indicates the number of pages read from disk into the database cache Pages written out Indicates the number of pages written from the cache back to disk A database page is written to disk whenever a read write page h...

Page 408: ...base Identifies the type of database you are currently monitoring readonly Indicates whether the database is in read only mode 0 indicates that the server is not in read only mode 1 indicates that it is in read only mode entrycachehits Provides the same information as described in Entry cache hits in Table 12 5 on page 405 entrycachetries Provides the same information as described in Entry cache t...

Page 409: ...ges written out in Table 12 6 on page 407 dbcacheroevict Provides the same information as described in Read only page evicts in Table 12 6 on page 407 dbcacherwevict Provides the same information as described in Read write page evicts in Table 12 6 on page 407 Next the following information for each file that makes up your database is displayed dbfilename number Indicates the name of the file numb...

Page 410: ...y example com p 389 D cn Directory Manager w secret s sub b cn monitor cn DBLink1 cn chaining database cn plugins cn config objectclass nsAddCount You can search for the following database link monitoring attributes NOTE The above command should be typed on a single line It does not appear on one line here because of page size constraints Table 12 8 Database Link Monitoring Attributes Attribute Na...

Page 411: ...t ldapsearch see the Netscape Directory Server Configuration Command and File Reference nsOperationConnectionCount Number of open connections for normal operations nsBindConnectionCount Number of open connections for bind operations Table 12 8 Database Link Monitoring Attributes Continued Attribute Name Description ...

Page 412: ...Monitoring Database Link Activity 412 Netscape Directory Server Administrator s Guide May 2002 ...

Page 413: ...ead popularity It is this interoperability combined with the fact that SNMP can take on numerous jobs specific to a whole range of different device classes that make SNMP the ideal standard mechanism for global network control and monitoring SNMP allows network administrators to unify all network monitoring activities with Directory Server monitoring just part of the broader picture This chapter c...

Page 414: ...hine For example if you have Directory Server Netscape Enterprise Server and Netscape Messaging Server all installed on the same host the subagents for each of these servers communicates with the same master agent In the Windows NT environment the master agent is the SNMP service provided by the Windows NT operating system In the UNIX environment the master agent is installed with the Netscape Adm...

Page 415: ...ocol data unit from the NMS is a request for information about variables the subagent gives information to the master agent and the master agent sends it back to the NMS in the form of another protocol data unit The NMS then displays the information textually or graphically If the protocol data unit from the NMS requests that the subagent set variable values the subagent sets these values Managed ...

Page 416: ...TIFIER 1 3 6 1 4 1 1450 7 The object identifier is located in the usr netscape servers plugins snmp directory You can see administrative information about your directory and monitor the server in real time using the directory MIB The directory MIB is broken into three distinct tables of managed objects Operations Table Entries Table Interaction Table For information on how to compile MIBs see your...

Page 417: ... number of read operations serviced by this directory since application start The value of this object will always be 0 because LDAP implements read operations indirectly via the search operation dsCompareOps The number of compare operations serviced by this directory since server startup dsAddEntryOps The number of add operations serviced by this directory since server startup dsRemoveEntryOps Th...

Page 418: ...and service errors Partially serviced requests will not be counted as an error Table 13 2 Entries Table Managed Objects and Descriptions Managed Object Description dsMasterEntries The number of directory entries for which this directory contains the master entry The value of this object will always be 0 as no updates are currently performed dsCopyEntries The number of directory entries for which t...

Page 419: ...tions 2 Enable Directory Server statistics collection See Configuring SNMP for the Directory Server on page 422 for information 3 Restart the Windows NT SNMP service See Starting and Stopping the SNMP Service on Windows NT on page 421 for information Setting Up SNMP on UNIX To set up SNMP support for your Directory Server on a UNIX machine 1 Configure and start the master agent using the Administr...

Page 420: ... a master agent However you need to change the AIX SNMP daemon configuration AIX uses several configuration files to filter its communications One of them snmpd conf needs to be changed so that the SNMP daemon accepts the incoming messages from the SMUX subagent For more information see the online manual page for snmpd conf You need to add a line to define each subagent For example you might add t...

Page 421: ...gent on Windows NT is the SNMP Service and not the SNMP subagent as is the case on other platforms The SNMP Service is installed and configured via the Windows NT control panel For a directory running on Windows NT the SNMP subagent is a DLL which the SNMP service invokes and it is by using the information stored in the registry that the SNMP Service knows which subagent to load To start stop and ...

Page 422: ...ost and Master Port text boxes The defaults are localhost and 199 respectively 6 Enter a description that uniquely describes the directory instance in the Description text box 7 Type the name the company or organization to which the directory belongs in the Organization text box 8 Type the location within the company or organization where the directory resides in the Location text box 9 Type the e...

Page 423: ...ce You can manage your server s performance by limiting the amount of resources the server uses to proces client search requests You can define The maximum number of entries the server returns to the client in response to a search operation size limit attribute The maximum amount of real time in seconds you want the server to spend performing a search request time limit attribute The time in secon...

Page 424: ...ch request in the Time Limit text box If you do not want to set a limit type zero 1 in this text box 5 Enter the time in seconds during which you want the server to maintain an idle connection before terminating it in the Idle Timeout text box If you do not want to set a limit type zero 0 in this text box 6 Set the maximum number of file descriptors available to the Directory Server in the Max Num...

Page 425: ...se two attributes Your ability to improve server performance with these attributes depends on the size of your database the amount of physical memory available on your machine and whether directory searches are random that is if your directory clients are searching for random and widely scattered directory data If your database does not fit into memory and if searches are random attempting to incr...

Page 426: ...ne This tab contains the database attributes for all databases stored on this server 3 In the Maximum Cache Size field enter a value corresponding to the amount of memory that you want to make available for all databases 4 In the look through limit field enter the maximum number of entries you want the server to check in response to a search request If you do not want to set a limit type 1 in this...

Page 427: ... directory does not perform the operation immediately Instead the operation is stored in a temporary memory cache on the Directory Server until the operation is completed If the server experiences a failure such as a power outage and shuts down abnormally the information about recent directory changes that were stored in the cache are lost However when the server restarts the directory automatical...

Page 428: ...ctory attribute to the cn config cn ldbm database cn plugins cn config entry Provide the full path to the log directory in the attribute For information on the nsslapd db logdirectory attribute syntax see the Netscape Directory Server Configuration Command and File Reference For instructions on using ldapmodify refer to Adding and Modifying Entries Using ldapmodify on page 53 3 Restart Directory S...

Page 429: ... to Adding and Modifying Entries Using ldapmodify on page 53 Disabling Durable Transactions Durable transaction logging means that the temporary database transaction log is in fact physically written to disk When durable transaction logging is disabled every directory database operation is written to the database transaction log file but may not be physically written to disk immediately If a direc...

Page 430: ... attribute to a value of greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value For transaction batching to be valid the nsslapd db durable transaction attribute must be set to on To specify or modify transaction batching while the server is running use the following procedure 1 Use the ldapmodify command line utili...

Page 431: ...ar entries As a result if many entries and particularly entries that are likely to be updated frequently are stored under cn config performance will probably suffer However although we recommend you do not store simple user entries under cn config for performance reasons it can be useful to store special user entries such as the Directory Manager entry or Replication Manager supplier bind DN entry...

Page 432: ...Miscellaneous Tuning Tips 432 Netscape Directory Server Administrator s Guide May 2002 ...

Page 433: ...Ins Reference Chapter 15 Administering Directory Server Plug Ins Chapter 16 Using the Pass Through Authentication Plug In Chapter 17 Using the Attribute Uniqueness Plug In Chapter 18 Configuring IM Presence Information ...

Page 434: ...434 Netscape Directory Server Administrator s Guide May 2002 ...

Page 435: ... Console page 454 Server Plug in Functionality Reference The following tables provide you with a quick overview of the plug ins provided with Directory Server along with their configurable options configurable arguments default setting dependencies general performance related information and further reading These tables will allow you to weigh up plug in performance gains and costs and choose the ...

Page 436: ...ce Related Information None Further Information If your Directory Server uses non ASCII characters for example Japanese turn this plug in off Table 15 2 Details of ACI Plug In Plug in Name ACL Plugin DN of Configuration Entry cn ACL Plugin cn plugins cn config Description ACL access check plug in Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performan...

Page 437: ...n Configurable Arguments None Dependencies database Performance Related Information None Further Information Chapter 6 Managing Access Control Table 15 4 Details of Binary Syntax Plug In Plug in Name Binary Syntax DN of Configuration Entry cn Binary Syntax cn plugins cn config Description Syntax for handling binary data Configurable Options on off Default Setting on Configurable Arguments None Dep...

Page 438: ... None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 6 Details of Case Exact String Syntax Plug In Plug in Name Case Exact String Syntax DN of Configuration Entry cn Case Exact String Syntax cn plugins cn config Description Syntax for handling case sensitive strings Configurable Options...

Page 439: ...uments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 8 Details of Cloning Database Plug In Plug in Name Chaining Databse DN of Configuration Entry cn Chaining database cn plugins cn config Description Syntax for handling DNs Configurable Options on off Default Se...

Page 440: ...ncies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter 5 Advanced Entry Management Table 15 10 Details of Country String Plug In Plug in Name Country String Syntax Plug in DN of Configuration Entry cn Country String Syntax cn plugins cn config Description Syntax for handling countries...

Page 441: ...uments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 12 Details of Generalized Time Syntax Plug In Plug in Name Generalized Time Syntax DN of Configuration Entry cn Generalized Time Syntax cn plugins cn config Description Syntax for dealing with dates times and t...

Page 442: ...nteger Syntax Plug In Plug in Name Integer Syntax DN of Configuration Entry cn Integer Syntax cn plugins cn config Description Syntax for handling integers Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information ...

Page 443: ...in You should leave this plug in running at all times Further Information See Appendix D Internationalization Table 15 15 Details of ldbm Database Plug In Plug in Name ldbm database Plug in DN of Configuration Entry cn ldbm database plug in cn plugins cn config Description Implements local databases Configurable Options N A Default Setting on Configurable Arguments None Dependencies None Performan...

Page 444: ...n off Default Setting on Configurable Arguments None This plug in can be disabled if the server is not and never will be a consumer of a 4 1 server Dependencies database Performance Related Information None Further Information Chapter 8 Managing Replication Table 15 17 Details of Multimaster Replication Plug In Plug in Name Multimaster Replication Plugin DN of Configuration Entry cn Multimaster Re...

Page 445: ...n Syntax for handling octet strings Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 19 Details of CLEAR Password Storage Plug In Plug in Name CLEAR DN of Configuration Entry cn CLEAR cn Password ...

Page 446: ...onfiguration Entry cn CRYPT cn Password Storage Schemes cn plugins cn config Description CRYPT password storage scheme used for password encryption Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter ...

Page 447: ... for reasons of backward compatibility with earlier versions of Directory Server See Chapter 7 User Account Management Table 15 22 Details of SHA Password Storage Plug In Plug in Name SHA DN of Configuration Entry cn SHA cn Password Storage Schemes cn plugins cn config Description SHA password storage scheme for password encryption Configurable Options on off Default Setting on Configurable Argume...

Page 448: ...pendencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter 7 User Account Management Table 15 24 Details of Postal Address String Syntax Plug In Plug in Name Postal Address Syntax DN of Configuration Entry cn Postal Address Syntax cn plugins cn config Description Syntax used for hand...

Page 449: ...e if you use the same server for your user directory and configuration directory Configurable Options on off Default Setting off Configurable Arguments ldap netscape com 389 o netscape Dependencies None Performance Related Information Chapter 16 Using the Pass Through Authentication Plug In Further Information Chapter 16 Using the Pass Through Authentication Plug In Table 15 26 Details of Referent...

Page 450: ...thread to process the request at intervals corresponding to the integer specified 2 Log file for storing the change for example usr netscape logs referint 3 All the additional attrribute names you want to be checked for referential integrity Dependencies database Performance Related Information You should enable the Referential Integrity plug in on only one master in a multimaster replication envi...

Page 451: ...wo configuration attributes for the retro change log plug in Dependencies None Performance Related Information May slow down Directory Server performance Further Information Chapter 8 Managing Replication Table 15 28 Details of Roles Plug In Plug in Name Roles Plugin DN of Configuration Entry cn Roles Plugin cn plugins cn config Description Enables the use of roles in the Directory Server Configur...

Page 452: ...igurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 30 Details of UID Uniqueness Plug In Plug in Name UID Uniqueness plug in DN of Configuration Entry cn UID Uniqueness cn plugins cn config Description C...

Page 453: ...in will not work at all and should therefore not be enabled If you try to add a new entry to a server where the UID Uniqueness plug in is enabled and a referral has been created in a subtree then the UID Uniqueness plug in will not work It will not work because if it sees any other error apart from noSuchObject meaning that the entry does not already exist which it will do if a referral is created...

Page 454: ...gins list 4 To disable the plug in clear the Enabled checkbox To enable the plug in check this checkbox 5 Click Save 6 Restart the Directory Server Table 15 31 Details of URI Plug In Plug in Name URI Syntax DN of Configuration Entry cn URI Syntax cn plugins cn config Description Syntax for handling URIs Unique Resource Identifiers including URLs Unique Resource Locators Configurable Options on off...

Page 455: ... Directory Server Uses PTA page 455 PTA Plug In Syntax page 457 Configuring the PTA Plug In page 459 PTA Plug In Syntax Examples page 465 How Directory Server Uses PTA If you install the configuration directory and the user directory on separate instances of Directory Server the installation program automatically sets up PTA to allow the Configuration Administrator user usually admin to perform ad...

Page 456: ...Machine A Server Name configdir example com Suffix o NetscapeRoot 2 You install the user directory server PTA directory on Machine B Server Name userdir example com Suffix dc example dc com 3 During the installation of the user directory on Machine B you are prompted to provide an LDAP URL This URL points to the configuration directory on Machine A 4 The installation program adds an entry to the d...

Page 457: ...ory as defined by the PTA plug in configuration 7 The configuration directory authenticates the user s credentials and sends the information back to the user directory 8 The user directory allows the admin user to bind PTA Plug In Syntax PTA plug in configuration information is specified in the cn Pass Through Authentication cn plugins cn config entry in the dse ldif file on the PTA directory the ...

Page 458: ...ing the Plug in On or Off on page 460 for more information extension File extension for the plug in The extension is always sl on HP UX so on all other UNIX platforms and dll on Windows NT ldap ldaps Defines whether SSL is used for communication between the two directory servers See Configuring the Servers to Use a Secure Connection on page 461 for more information authDS The authenticating direct...

Page 459: ...ory server If this timeout is exceeded the server returns an error to the client The default is 300 seconds five minutes Specify zero 0 to indicate no time limit should be enforced See Configuring the Optional Parameters on page 463 for more information ldver Optional The version of the LDAP protocol used to connect to the authenticating directory Directory Server supports LDAP version 2 and 3 The...

Page 460: ...rameters Turning the Plug in On or Off To turn the PTA plug in on from the command line 1 Create an LDIF file that contains the following LDIF update statements dn cn Pass Through Authentication cn plugins cn config cn Pass Through Authentication changetype modify replace nsslapd pluginenabled nsslapd pluginenabled on 2 Use the ldapmodify command to import the LDIF file into the directory For deta...

Page 461: ...the nsslapd pluginenabled on statement and add the nsslapd pluginenabled off statement Whenever you enable or disable the PTA plug in from the command line you must restart the server Configuring the Servers to Use a Secure Connection You can configure the PTA directory to communicate with the authenticating directory over SSL You do this by specifying LDAPS in the LDAP URL of the PTA directory To...

Page 462: ...ile that contains the following LDIF update statements dn cn Pass Through Authentication cn plugins cn config cn Pass Through Authentication changetype add add nsslapd pluginarg0 nsslapd pluginarg0 ldap authDS subtree optional_parameters Optionally you can include a colon followed by a port number If you do not specify the port number the PTA directory server attempts to connect using Port 389 if ...

Page 463: ...g0 ldap authDS subtree optional_parameters For example you could set the value of the nsslapd pluginarg0 attribute to ldap dirserver example com o NetscapeRoot Parameters For information on the variable components in this sytax refer to PTA Plug In Parameters on page 458 2 Use the ldapmodify command to import the LDIF file into the directory 3 Restart the server For information on restarting the s...

Page 464: ...enticating directory server is listed in the authDS parameter no time limit will be enforced If two or more hosts are listed the default is 300 seconds five minutes In the PTA syntax this parameter is represented as connlifetime 1 Create an LDIF file that contains the following LDIF update statements dn cn Pass Through Authentication cn plugins cn config cn Pass Through Authentication changetype a...

Page 465: ...oot subtree The hostname of the authenticating Directory Server is config dir example com dn cn Pass Through Authentication cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass extensibleObject cn Pass Through Authentication nsslapd pluginPath usr netscape servers lib passthru plugin so nsslapd pluginInitfunc passthruauth_init nsslapd pluginType preoperation nsslapd pluginEna...

Page 466: ...PTA directory server to pass through bind requests for more than one subtree using parameter defaults dn cn Pass Through Authentication cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass extensibleObject cn Pass Through Authentication nsslapd pluginPath usr netscape servers lib passthru plugin so nsslapd pluginInitfunc passthruauth_init nsslapd pluginType preoperation nssla...

Page 467: ...ing Directory Servers If you want to specify a different pass through subtree and optional parameter values for each authenticating directory server you must specify more than one LDAP URL optional parameters pair Separate the LDAP URL optional parameter pairs with a single space as follows dn cn Pass Through Authentication cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass...

Page 468: ...PTA Plug In Syntax Examples 468 Netscape Directory Server Administrator s Guide May 2002 ...

Page 469: ...the following sections Overview of the Attribute Uniqueness Plug In page 469 Overview of the UID Uniqueness Plug in page 471 Attribute Uniqueness Plug In Syntax page 471 Creating an Instance of the Attribute Uniqueness Plug In page 474 Configuring Attribute Uniqueness Plug Ins page 475 Attribute Uniqueness Plug In Syntax Examples page 479 Replication and the Attribute Uniqueness Plug In page 481 O...

Page 470: ...This configuration option is explained in more detail in Specifying a Suffix or Subtree on page 477 You can specify an object class pertaining to an entry in the DN of the updated entry and perform the uniqueness check on all the entries beneath it This option is useful in hosted environments For example when you add an entry such as uid jdoe ou people o example_a dc example dc com you can enforce...

Page 471: ...ueness plug in is disabled because it affects the operation of multi master replication For information on using the attribute uniqueness plug in in a replicated environment refer to Replication and the Attribute Uniqueness Plug In on page 481 Attribute Uniqueness Plug In Syntax Configuration information for the attribute uniqueness plug in is specified in an entry under cn plugins cn config entry...

Page 472: ... in Table 17 1 Use the following syntax to specify to perform the uniqueness check below an entry containing a specified object class dn cn descriptive_plugin_name cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass extensibleObject cn descriptive_plugin_name nsslapd pluginPath usr netscape servers lib uid plugin extension nsslapd pluginInitfunc NSUniqueAttr_Init nsslapd plu...

Page 473: ...s are on or off See Turning the Plug in On or Off on page 477 for more information attribute_name The name of the attribute for which you want to ensure unique values You can specify one attribute name only dn The DN of the suffix or subtree in which you want to ensure attribute uniqueness You can specify several suffixes or subtrees by incrementing the suffix of the nsslapd pluginarg attribute by...

Page 474: ...tiate the attribute uniqueness plug in for the mail attribute you would perform the following steps 1 In the dse ldif file locate the entry for the uid uniqueness plug in cn uid uniqueness cn plugins cn config 2 Add the following lines for the mail uniqueness plug in entry before or after the uid uniqueness plug in entry dn cn mail uniqueness cn plugins cn config objectClass top objectClass nsSlap...

Page 475: ...ins folder The list of plug ins is displayed in the right navigation window You should see the uid uniqueness plug in and any other attribute uniqueness plug ins that you created following the example given in Creating an Instance of the Attribute Uniqueness Plug In on page 474 3 In the right navigation window double click the plug in entry you want to look at The Property Editor is displayed It c...

Page 476: ...d If you use this syntax you can click Add again to specify a requiredObjectClass as described in Attribute Uniqueness Plug In Syntax on page 471 4 To delete an item from the list place the cursor in the text field that you want to delete and click Delete 5 Click Save to save your changes Configuring Attribute Uniqueness Plug Ins from the Command Line This section provides information about config...

Page 477: ...ory Server on page 31 Specifying a Suffix or Subtree You specify the suffix or subtrees under which you want the plug in to ensure attribute uniqueness by using the nsslapd pluginarg attribute in the entry defining the plug in You can specify the subtree or subtrees by creating and LDIF file that contains update statements similar to those shown in the following example dn cn mail uniqueness cn pl...

Page 478: ... on nsslapd pluginarg0 attribute mail nsslapd pluginarg1 markerObjectClass ou nsslapd plugin depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 6 02 nsslapd pluginVendor Netscape Communications Corporation nsslapd pluginDescription Enforce unique attribute values If you do not want the server to check every entry under the organizational unit entry you can limit the scope...

Page 479: ...achines Specifying One Attribute and One Subtree Specifying One Attribute and Multiple Subtrees Specifying One Attribute and One Subtree This example configures the plug in to ensure the uniqueness of the mail attribute under the dc example dc com subtree dn cn mail uniqueness cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass extensibleObject cn mail uniqueness nsslapd plu...

Page 480: ...plugin depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 6 02 nsslapd pluginVendor Netscape Communications Corporation nsslapd pluginDescription Enforce unique attribute values With this configuration the plug in allows an instance of a value for the mail attribute to exist once under the l Chicago dc example dc com subtree and once under the l Boston dc example dc com s...

Page 481: ...pplier It is unnecessary to enable it on the consumer server Enabling the attribute uniqueness plug in on the consumer will not prevent Directory Server from operating correctly but is likely to cause a performance degradation Multi Master Replication Scenario In a multi master replication scenario the two masters act both as suppliers and consumers of the same replica Because multi master replica...

Page 482: ...tor s Guide May 2002 When these conditions are met attribute uniqueness conflicts are reported as naming conflicts at replication time Naming conflicts require manual resolution For information on how to resolve replication conflicts refer to Solving Common Replication Conflicts on page 324 ...

Page 483: ...lemented as a Directory Server plug in giving you the flexibility to turn this feature on off The plug in enables you to configure Directory Server to provide instantaneous knowledge of an IM user s online status or online presence A user s presence information can be extremely useful in a corporate environment enabling users to know the online status of other users without having to configure the...

Page 484: ...y to use All you have to do is add the default presence attributes to a user s entry Once this is done when queried the plug in will serve the presence information for that user The online status of a user is made available in the form of text and as a binary value a GIF image The returned values for the binary return type can be configured based on vendor support and the values returned for text ...

Page 485: ... directoryOperation attributeTypes nsYIMStatusText syntax DirectoryString NO USER MODIFICATION USAGE directoryOperation You can create your own schema and modify the plug in configuration parameters accordingly For more information about Directory Server schema check the Netscape Directory Server Schema Reference Performance Related Information Note the following The Presence plug in provides the ...

Page 486: ...er loads similar to your expected usage pattern before deployment Troubleshooting The plug in makes HTTP requests for each queried IM Status attribute Make sure that the machine in which the presence enabled Directory Server is installed has HTTP access to the Internet In case of erroneous presence results to better understand the point of failures enable error logging for plug ins Table 18 1 Attr...

Page 487: ...487 Part 3 Appendixes Appendix A LDAP Data Interchange Format Appendix B Finding Directory Entries Appendix C LDAP URLs Appendix D Internationalization ...

Page 488: ...488 Netscape Directory Server Administrator s Guide May 2002 ...

Page 489: ...ata is stored using the UTF 8 encoding of Unicode Therefore the LDIF files you create must also be UTF 8 encoded This chapter provides information about LDIF in the following sections LDIF File Format page 489 Specifying Directory Entries Using LDIF page 493 Defining Directories Using LDIF page 497 Storing Information in Multiple Languages page 500 For information on using LDIF to modify directory...

Page 490: ...e A 1 LDIF Fields Field Definition id Optional A positive decimal number representing the entry ID The database creation tools generate this ID for you Never add or edit this value yourself dn distinguished_name Specifies the distinguished name for the entry For a complete description of distinguished names refer to the Netscape Directory Server Deployment Guide objectClass object_class Specifies ...

Page 491: ...nes However doing so may improve the readability of your LDIF file Representing Binary Data You can represent binary data such as a JPEG image in LDIF using one of the following methods The standard LDIF notation the lesser than symbol For example jpegphoto file path to photo subtype Optional Specifies a subtype either language binary or pronunciation Use this tag to identify the language in which...

Page 492: ...including new lines Use the ldif command line utility with the b parameter to convert binary data to LDIF format ldif b attribute_name where attribute_name is the name of the attribute to which you are supplying the binary data The binary data is read from standard input and the results are written to standard output Thus you should use redirection operators to select input and output files The ld...

Page 493: ...irectory and a list of the most commonly used attributes see the Netscape Directory Server Schema Reference Specifying Organization Entries Directories often have at least one organization entry Typically this is the first or topmost entry in your directory The organization entry often corresponds to the suffix set for your directory For example if your directory is defined to use a suffix of dc e...

Page 494: ...anization object class This line defines the entry as an organization See the Netscape Directory Server Schema Reference for a list of the attributes you can use with this object class o organization_name Attribute that specifies the organization s name If the organization name includes a comma you must escape the comma by either a single backslash and the entire organization argument must be encl...

Page 495: ...ear as follows dn distinguished_name objectClass top objectClass organizationalUnit ou organizational_unit_name list_of_optional_attributes The following is a sample organizational unit entry in LDIF format dn ou people dc example dc com objectclass top objectclass organizationalUnit ou people description Fictional organizational unit for example purposes Table A 3 defines each element of the LDIF...

Page 496: ...ople dc example dc com objectclass top objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn Babs Jensen sn Jensen givenname Babs uid bjensen ou Marketing ou people description Fictional person for example purposes telephonenumber 555 5557 userpassword sha dkfljlk34r2kljdsfk9 Table A 4 defines each aspect of the LDIF person entry ou organizational_unit_name Attribute tha...

Page 497: ...ss This object class specification should be included because some LDAP clients require it during search operations for an organizational person objectClass inetOrgPerson Specifies the inetOrgPerson object class The inetOrgPerson object class is recommended for the creation of an organizational person entry because this object class includes the widest range of attributes The uid attribute is requ...

Page 498: ...ence 3 Make sure that an entry representing a branch point in the LDIF file is placed before the entries that you want to create under that branch For example if you want to place an entry in a people and a group subtree create the branch point for those subtrees before creating entries within those subtrees 4 Create the directory from the LDIF file using one of the following methods Directory Ser...

Page 499: ...tion Fictional organizational unit for example purposes tel 555 5559 dn cn June Rossi ou People o example com Corp dc example dc com objectClass top objectClass person objectClass organizationalPerson objectClass inetOrgPerson cn June Rossi sn Rossi givenName June mail rossi example com userPassword sha KDIE3AL9DK ou Accounting ou people telephoneNumber 2616 roomNumber 220 dn cn Marc Chambers ou P...

Page 500: ...o add a new entry to the directory However if your organization is multinational you may find it necessary to store information in multiple languages so that users in different locales can view directory information in their own language When information in your directory is represented in multiple languages the server associates language tags with attribute values When you add a new entry you mus...

Page 501: ...ensen the administrator creates the following LDIF entry dn uid bjensen ou people dc example dc com objectclass top objectclass person objectclass organizationalPerson name Babs Jensen cn Babs Jensen sn Jensen uid bjensen streetAddress 1 University Street streetAddress lang en 1 University Street streetAddress lang fr 1 rue de l Université preferredLanguage fr Users accessing this directory entry ...

Page 502: ...Storing Information in Multiple Languages 502 Netscape Directory Server Administrator s Guide May 2002 ...

Page 503: ...ng an Internationalized Directory page 515 Finding Entries Using the Server Console Use the Directory tab of the Directory Server Console to browse the contents of the directory tree and search for specific entries in the directory 1 Make sure the Directory Server is running 2 Start Directory Server Console See Starting Directory Server Console on page 28 for specific instructions NOTE You cannot ...

Page 504: ...an entry s immediate subentries or an entire tree or subtree Search results are returned in LDIF format This section contains information about the following topics Using Special Characters ldapsearch Command Line Format Commonly Used ldapsearch Options ldapsearch Examples Using Special Characters When using the ldapsearch command line utility you may need to specify values that contain characters...

Page 505: ...attributes returned in the search results This list of attributes must appear after the search filter For an example see Displaying Subsets of Attributes on page 509 If you do not specify a list of attributes the search returns values for all attributes permitted by the access control set in the directory with the exception of operational attributes Commonly Used ldapsearch Options The following t...

Page 506: ...l if anonymous access is supported by your server If specified this value must be a DN recognized by the Directory Server and it must also have the authority to search for the entries For example D uid bjensen dc example dc com h Specifies the hostname or IP address of the machine on which the Directory Server is installed If you do not specify a host ldapsearch uses the localhost For example h mo...

Page 507: ...arting at the point identified in the b option This is the default w Specifies the password associated with the distinguished name that is specified in the D option If you do not specify this option anonymous access is used For example w diner892 x Specifies that the search results are sorted on the server rather than on the client This is useful if you want to sort according to a matching rule as...

Page 508: ...ectclass objectclass is a search filter that matches any entry in the directory Specifying Search Filters on the Command Line You can specify a search filter directly on the command line If you do this be sure to enclose your filter in quotation marks filter Also do not specify the f option For example ldapsearch h mozilla b dc example dc com cn babs jensen Searching the Root DSE Entry The root DS...

Page 509: ...distinguished name and all of the attributes that you are allowed to read you can set up the directory access control such that you are allowed to read only a subset of the attributes on any given directory entry Only operational attributes are not returned If you want operational attributes returned as a result of a search operation you must explicitly specify them in the search command Suppose y...

Page 510: ...ntry ldapsearch h mozilla f searchdb sn givenname Specifying DNs that Contain Commas in Search Filters When a DN within a search filter contains a comma as part of its value you must escape the comma with a backslash For example to find everyone in the example com Bolivia S A subtree use the following command ldapsearch h mozilla s base b o example com Bolivia S A dc example dc com objectclass Usi...

Page 511: ...ter Syntax The basic syntax of a search filter is attribute operator value For example buildingname alpha In this example buildingname is the attribute is the operator and alpha is the value You can also define filters that use different attributes combined together with Boolean operators Search filters are described in detail in the following sections Using Attributes in Search Filters Using Oper...

Page 512: ...arch filters are listed in Table B 1 Table B 1 Search Filter Operators Search type Operator Description Equality Returns entries containing attribute values that exactly match the specified value For example cn Bob Johnson Substring string string Returns entries containing attributes containing the specified substring For example cn Bob cn Johnson cn John cn B John The asterisk indicates zero 0 or...

Page 513: ...arch filters include the following Presence Returns entries containing one or more values for the specified attribute For example cn telephonenumber manager Approximate Returns entries containing the specified attribute with a value that is approximately equal to the value specified in the search filter For example cn suret l san fransico could return cn sarette l san francisco NOTE In addition to...

Page 514: ...o not contain the common name Ray Kultgen cn Ray Kultgen The following filter returns all entries that contain a description attribute that contains the substring X 500 description X 500 The following filter returns all entries whose organizational unit is Marketing and whose description field does not contain the substring X 500 ou Marketing description X 500 Table B 2 Search Filter Boolean Opera...

Page 515: ...ou can request that the directory sort the results based on any language for which the server has a supporting collation order For a listing of the collation orders supported by the directory see Identifying Supported Locales on page 530 This section focuses on the matching rule filter portion of the ldapsearch syntax For more information on general ldapsearch syntax see LDAP Search Filters on pag...

Page 516: ...ssion of matching rule formats see Matching Rule Formats on page 516 value is either the attribute value you want to search for or a relational operator plus the attribute value you want to search for The syntax of the value portion of the filter depends on the matching rule format you use Matching Rule Formats The matching rule portion of a search filter can be represented in several ways The one...

Page 517: ... associated language tag For a list of locales supported by the directory server and their associated language tags see Table D 1 on page 531 You can use the language tag in the matching rule portion of the matching rule filter as follows attr language tag relational_operator value The relational operator is included in the value portion of the string separated from the value by a single space For...

Page 518: ...see Table D 1 on page 531 For a list of relational operators and their equivalent suffixes see Table B 3 on page 519 Using Wildcards in Matching Rule Filters When performing a substring search using a matching rule filter you can use the asterisk character as a wildcard to represent zero or more characters For example to search for an attribute value that starts with the letter l and ends with the...

Page 519: ...ching rule portion of the filter Table B 3 summarizes each type of search the operator and the equivalent suffix International Search Examples The following sections show examples of how to perform international searches on directory data Each example gives all the possible matching rule filter formats so that you can become familiar with the formats and select the one that works best for you Less...

Page 520: ...ching rule filters roomNumber 2 16 840 1 113730 3 3 2 23 1 CZ422 roomNumber hu CZ422 roomNumber 2 16 840 1 113730 3 3 2 23 1 2 CZ422 roomNumber hu 2 CZ422 Equality Example When you perform a locale specific search using the equal to operator or suffix 3 you search for all attribute values that match the given attribute in a specific collation order For example to search for all businessCategory at...

Page 521: ...ribute in a specific collation order For example to search for all mail hosts that come after host schranka4 in the Czechoslovakian collation order you could use any of the following matching rule filters mailHost 2 16 840 1 113730 3 3 2 5 1 schranka4 mailHost cs schranka4 mailHost 2 16 840 1 113730 3 3 2 5 1 5 schranka4 mailHost cs 5 schranka4 Substring Example When you perform an international s...

Page 522: ...Searching an Internationalized Directory 522 Netscape Directory Server Administrator s Guide May 2002 ...

Page 523: ...xamples of LDAP URLs page 526 Components of an LDAP URL LDAP URLs have the following syntax ldap s hostname port base_dn attributes scope filter The ldap protocol is used to connect to LDAP servers over unsecured connections and the ldaps protocol is used to connect to LDAP servers over SSL connections Table C 1 lists the components of an LDAP URL Table C 1 LDAP URL Components Component Descriptio...

Page 524: ...se DN is specified the search starts at the root of the directory tree attributes The attributes to be returned To specify more than one attribute use commas to separate the attributes for example cn mail telephoneNumber If no attributes are specified in the URL all attributes are returned scope The scope of the search which can be one of these values base retrieves information only about the dist...

Page 525: ... space is an unsafe character that must be represented as 20 within the URL Thus the distinguished name o example com corporation must be encoded as o example com 20corporation The following table lists the characters that are considered unsafe within URLs and provides the associated escape characters to use in place of the unsafe character Unsafe Character Escape Characters space 20 3c 3e 22 23 2...

Page 526: ...lt filter objectclass Example 2 The following LDAP URL retrieves the postalAddress attribute of the entry with the DN dc example dc com ldap ldap example com dc example dc com postalAddress Because no search scope is specified the search is restricted to the base entry dc example dc com Because no filter is specified the directory uses the default filter objectclass Example 3 The following LDAP UR...

Page 527: ... a search for the object class for all entries one level under dc example dc com ldap ldap example com dc example dc com objectClass one Because the search scope is one the search encompasses all entries one level under the base entry dc example dc com The search scope does not include the base entry Because no filter is specified the directory uses the default filter objectclass NOTE The syntax f...

Page 528: ...Examples of LDAP URLs 528 Netscape Directory Server Administrator s Guide May 2002 ...

Page 529: ... preferences in search operations This appendix contains the following sections About Locales page 529 Identifying Supported Locales page 530 Supported Language Subtypes page 532 About Locales Directory Server provides support for multiple languages through the use of locales A locale identifies language specific information about how users of a specific region culture and or custom expect data to...

Page 530: ...ecifies the monetary symbol used by a specific region whether the symbol goes before or after its value and how monetary units are represented Time date format The time and date format indicates the customary formatting for times and dates in the region The time and date format indicates whether dates are customarily represented in the mm dd yy month day year or dd mm yy day month year format and ...

Page 531: ...erforming an international search in the directory use either the language tag or the OID to identify the collation order you want to use However when setting up an international index you must use the OIDs for more information on indexing see Chapter 10 Managing Indexes Table D 1 lists each locale supported by Directory Server and identifies the associated language tags and OIDs Table D 1 Support...

Page 532: ...3 2 28 1 Korean ko 2 16 840 1 113730 3 3 2 29 1 Latvian Lettish lv 2 16 840 1 113730 3 3 2 31 1 Lithuanian lt 2 16 840 1 113730 3 3 2 30 1 Macedonian mk 2 16 840 1 113730 3 3 2 32 1 Norwegian no 2 16 840 1 113730 3 3 2 35 1 Polish pl 2 16 840 1 113730 3 3 2 38 1 Romanian ro 2 16 840 1 113730 3 3 2 39 1 Russian ru 2 16 840 1 113730 3 3 2 40 1 Serbian Cyrilic sr 2 16 840 1 113730 3 3 2 45 1 Serbian ...

Page 533: ...f Afrikaans be Byelorussian bg Bulgarian ca Catalan cs Czechoslovakian da Danish de German el Greek en English es Spanish eu Basque fi Finnish fo Faroese fr French ga Irish gl Galician hr Croatian hu Hungarian id Indonesian is Icelandic it Italian ja Japanese ko Korean nl Dutch no Norwegian pl Polish pt Portuguese ro Romanian ...

Page 534: ... Netscape Directory Server Administrator s Guide May 2002 ru Russian sk Slovakian sl Slovenian sq Albanian sr Serbian sv Swedish tr Turkish uk Ukrainian zh Chinese Table D 2 Supported Language Subtypes Continued Language tag Language ...

Page 535: ...Disables a user account group of accounts or an entire domain so that all authentication attempts are automatically rejected All IDs Threshold A size limit which is globally applied to every index key managed by the server When the size of an individual ID list reaches this limit the server replaces that ID list with an All IDs token All IDs token A mechanism which causes the server to assume that...

Page 536: ...tions or access files and directories based on the permissions granted to that user by the directory administrator 2 Allows a client to make sure they are connected to a secure server preventing another computer from impersonating the server or attempting to appear secure when it is not authentication certificate Digital file that is not transferable and not forgeable and is issued by a third part...

Page 537: ...ect attributes Certificate Authority Company or organization that sells and issues authentication certificates You may purchase an authentication certificate from a Certification Authority that you trust Also known as a CA CGI Common Gateway Interface An interface for external programs to communicate with the HTTP server Programs written to use CGI are called CGI programs or CGI scripts and can be...

Page 538: ... sorted This information might include the sequence of letters in the alphabet or how to compare letters with accents to letters without accents consumer Server containing replicated directory trees or subtrees from a supplier server consumer initiated replication Replication configuration where consumer servers pull directory data from supplier servers consumer server In the context of replicatio...

Page 539: ...tree s root point appearing at the top of the hierarchy Also known as DIT Directory Manager The privileged database administrator comparable to the root user in UNIX Access control does not apply to the directory manager Directory Server Gateway DSGW A collection of CGI forms that allows a browser to perform LDAP client functions such as querying and accessing a Directory Server from a web browser...

Page 540: ...index Allows you to search efficiently for entries containing a specific attribute value file extension The section of a filename after the period or dot that typically defines the type of file for example GIF and HTML In the filename index html the file extension is html file type The format of a given file For example graphics files are often saved in GIF format while a text file is usually save...

Page 541: ... of replication a server that holds a replica that is copied from a different server and in turn replicates it to a third server See also cascading replication index key Each index that the directory uses is composed of a table of index keys and matching entry ID lists indirect CoS An indirect CoS identifies the template entry using the value of one of the target entry s attributes international i...

Page 542: ...form leaf entry An entry under which there are no other entries A leaf entry cannot be a branch point in a directory tree Lightweight Directory Access Protocol See LDAP locale Identifies the collation order character type monetary format and time date format used to present data for users of a specific region culture and or custom This includes information on how data of a given language is interp...

Page 543: ...e named and referenced Also called the directory tree monetary format Specifies the monetary symbol used by specific region whether the symbol goes before or after its value and how monetary units are represented multi master replication An advanced replication scenario in which two servers each hold a copy of the same read write replica Each server maintains a change log for the replica Modificat...

Page 544: ... attribute in an object oriented system Object identifiers are assigned by ANSI IETF or similar organizations OID See object identifier operational attribute Operational attributes contain information used internally by the directory to keep track of modifications and subtree properties They are not returned in response to a search unless explicitly requested parent access When granted indicates t...

Page 545: ...ith a proxy DN proxy DN Used with proxied authorization The proxy DN is the DN of an entry that has access permissions to the target on which the client application is attempting to perform an operation PTA Pass through authentication Mechanism by which one directory server consults another to check bind credentials PTA directory In pass through authentication PTA the PTA directory server is the s...

Page 546: ... replicas A server can hold any number of read only replicas read write replica A replica that contains a master copy of directory information and can be updated A server can hold any number of read write replicas relative distinguished name See RDN replication Act of copying directory trees or subtrees from supplier servers to consumer servers replication agreement Set of configuration parameters...

Page 547: ... have access to their own entries that is if the bind DN matches the targeted entry Server Console Java based application that allows you to perform administrative management of your Directory Server from a GUI server daemon The server daemon is a process that once running listens for and accepts requests from clients server service The server service is a process on Windows that once running list...

Page 548: ...on about the managed device and passes the information to the master agent SSL Secure Sockets Layer A software library establishing a secure connection between two parties client and server used to implement HTTPS the secure version of HTTP standard index Indexes that are maintained by default sub suffix A branch underneath a root suffix subagent See SNMP subagent substring index Allows for effici...

Page 549: ...P IP Transmission Control Protocol Internet Protocol The main network protocol for the Internet and for enterprise company networks template entry See CoS template entry time date format Indicates the customary formatting for times and dates in a specific region TLS Transport Layer Security The new standard for secure socket layers a public key based protocol topology The way a directory tree is d...

Page 550: ...p the display of entries in the Directory Server Console Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance X 500 standard The set of ISO ITU T documents outlining the recommended information model object classes and attributes used by directory server implementations ...

Page 551: ...ion 222 SSL authentication structure of ACIs target DN containing comma 247 target DN containing comma and 197 targeting 195 targeting attribute values 200 targeting attributes 198 targeting entries 196 targeting using filters 199 using the Access Control Editor 224 value matching 213 Access Control Editor displaying 225 viewing current ACIs 227 access control instruction ACI See ACI access log co...

Page 552: ...CI attribute default index for 344 overview 190 ACI placement 191 ACL See ACI activating accounts from command line 271 from console 270 add right 203 adding directory entries 54 Administration Server master agents and 414 agents master agent 414 Unix 414 Windows NT 414 subagent 414 configuring 422 enabling 422 starting and stopping on Unix 421 starting and stopping on Windows NT 421 AIX SNMP daem...

Page 553: ...SL 381 authmethod keyword 222 B backing up data 150 all 150 db2bak 151 dse ldif 153 bak2db script 154 bak2db pl perl script 155 base 64 encoding 491 base DN ldapsearch and 509 binary data LDIF and 491 binary subtype 49 bind credentials for database links 102 bind DN accessing the server 30 resource limits based on 271 viewing current 31 bind rules access at specific time or day 221 access based on...

Page 554: ...01 certificate mapping to a DN 385 password 36 certificate database password 376 certificate based authentication 385 setting up 385 chaining cascading 117 component operations from console 96 component operations from command line 96 overview 92 using SSL 109 change log 277 deleting 308 using with referential integrity 71 change operations 59 add 63 delete 63 replace 63 change type add 59 delete ...

Page 555: ...fix 81 connections monitoring 401 403 404 viewing number of 399 console starting 28 consumer initialization manual consumer creation 311 online consumer creation 310 consumer server 276 continued lines in LDIF 491 in LDIF update statements 59 CoS definition entry attributes 181 object classes 180 CoS template entry 174 creating 183 CoS See class of service cosPriority attribute 183 counter passwor...

Page 556: ...emote server info 110 overview 92 database server parameters read only 405 database transaction logging described 427 durable transactions 429 log file location 428 databases in directory server 75 date format 530 dayofweek keyword 221 db2bak script 151 db2bak utility 151 db2ldif utility 149 default referrals setting 132 setting from console 132 settings from command line 133 defining access contr...

Page 557: ...b2 file 345 dns keyword 220 dse ldif PTA plugin 460 dse ldif file backing up 153 PTA syntax 460 restoring 157 durable transactions 429 dynamic groups 161 creating 161 modifying 161 E end of file marker 51 entries adding an object class 46 adding attributes 47 adding using LDIF 53 adding using LDIF update statements 59 cache hit ratio 406 creating 43 54 using LDIF 493 deleting 50 56 using ldapdelet...

Page 558: ...her 383 format LDIF 489 G general access example 211 overview 209 glossary of terms 535 greater than or equal to search international example 520 521 overview 512 groupdn keyword 212 LDIF examples 212 groupdnattr keyword 214 groups access control 208 access control example 238 access to directory 212 dynamic 161 creating 161 modifying 161 overview 159 static 160 creating 160 modifying 161 H hub su...

Page 559: ...etary format 530 object identifiers and 531 of LDIF files 500 search filters and 515 supported locales 530 time format 530 ip keyword 219 J jpeg images 491 L language code in LDIF entries 500 list of supported 531 language subtype 48 language support language tag 531 searching and 515 specifying using locales 530 language tags described 531 in international searches 517 in LDIF update statements 6...

Page 560: ...s 58 using to create directory 497 LDIF entries binary data in 491 commas in 494 495 497 creating 493 organizational person 496 organizational units 495 organizations 493 internationalization and 500 LDIF files continued lines 491 creating directory using 497 creating multiple entries 53 example 499 importing from Server Console 53 internationalization and 500 LDIF format 489 LDIF update statement...

Page 561: ...cation of 416 netscape ldap mib 416 entries table 418 operations table 416 modifying attribute values 65 entries 63 international entries 68 modifying directory entries 55 monetary format 530 monitoring database from command line 408 database from server console 404 directory server 391 from console 398 log files 391 replication status 323 threads 401 with SNMP 413 monitoring from console 398 movi...

Page 562: ...or 493 organizational person specifying entries for 496 organizational unit specifying entries for 495 P parent access 209 parent keyword 209 parent object 337 pass through authentication PTA See PTA plug in password file SSL certificate 36 password policy account lockout 265 attributes 262 configuring 260 using command line 262 using console 260 lockout duration 266 managing 259 password failure ...

Page 563: ...log plug in 450 roles plug in 451 SHA password storage plug in 447 SSHA password storage plug in 448 telephone syntax plug in 452 uid uniqueness plug in 452 URI plug in 454 pointer CoS example 175 overview 175 port number directory server configuration 33 for SSL communications 33 precedence rule ACI 191 preferences security 383 presence index 342 defaults 344 presence plug in 483 presence search ...

Page 564: ...nfiguring legacy replication 319 configuring SSL 317 configuring supplier settings 287 consumer server 276 consumer initiated 277 creating the supplier bind DN 286 forcing synchronization 312 hub supplier 277 managing 275 monitoring status 323 of ACIs 256 overview 276 replica ID 289 replicate_now sh script 314 single master 292 solving conflicts 324 supplier server 276 supplier initiated 277 unit ...

Page 565: ...odify and 53 overview 339 turning on or off 339 search filters 510 Boolean operators 513 contained in file 509 examples 511 514 matching rule 516 operators in 512 specifying attributes 511 syntax 511 using compound 513 using multiple 513 search right 203 search types list of 512 518 searches approximate 513 equality 512 514 520 example 507 greater than or equal to 512 520 521 international 515 int...

Page 566: ... and stopping on Unix 421 starting and stopping on Windows NT 421 traps 415 Solaris thread concurrency 401 404 SSL and replication 316 certificate password 36 chaining with 109 client authentication 386 configuring clients to use 386 enabling 381 port number 33 setting preferences 383 starting the server with 36 SSL authentication 381 standard attributes 331 332 index files 345 object classes 331 ...

Page 567: ...n ACIs 196 overview 195 using LDAP search filters 199 using LDAP URLs 209 target keyword 196 targetattr keyword 198 targetfilter keyword 199 targeting directory entries 196 template entry See CoS template entry thread concurrency on Solaris 401 monitoring 401 403 time format 530 timeofday keyword 221 traps 415 triple DES 383 Triple DES cipher 383 384 tuning performance database 424 server 423 U un...

Page 568: ...serdn keyword 208 users activating 270 inactivating 268 UTF 8 529 V value based ACI 200 viewing attributes 332 W wildcard in LDAP URL 210 in target 197 wildcards in international searches 518 in matching rule filters 518 Windows NT master agent 414 write right 203 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands