manualshive.com logo in svg

Netscape NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR, Administrator'S Manual

Share
Download
Netscape NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR Administrator'S Manual Download Page 223

Bind Rules

Chapter

6

Managing Access Control

223

Granting Add Permission Using the userattr Keyword

If you use the

userattr

keyword in conjunction with

all

or

add

permissions, you

might find that the behavior of the server is not what you expect. Typically, when a
new entry is created in the directory, Directory Server evaluates access rights on
the entry being created, and not on the parent entry. However, in the case of ACIs
using the

userattr

keyword, this behavior could create a security hole, and the

server’s normal behavior is modified to avoid it.

Consider the following example:

aci: (target="ldap:///dc=example,dc=com")(targetattr=*) (version

3.0;

acl "manager-write"; allow (all) userattr = "manager#USERDN";)

This ACI grants managers all rights on the entries of employees that report to
them. However, because access rights are evaluated on the entry being created, this
type of ACI would also allow any employee to create an entry in which the
manager attribute is set to their own DN. For example, disgruntled employee Joe
(

cn=Joe,ou=eng,dc=example,dc=com

), might want to create an entry in the

Human Resources branch of the tree, to use (or misuse) the privileges granted to
Human Resources employees.

He could do this by creating the following entry:

dn: cn= Trojan Horse,ou=Human Resources,dc=example,dc=com

objectclass: top

...

cn: Trojan Horse

manager: cn=Joe,ou=eng,dc=example,dc=com

To avoid this type of security threat, the ACI evaluation process does not grant add
permission at level 0, that is, to the entry itself. You can, however, use the

parent

keyword to grant add rights below existing entries. You must specify the number
of levels below the parent for add rights. For example, the following ACI allows
child entries to be added to any entry in the

dc=example,dc=com

that has a

manager

attribute that matches the bind DN:

aci: (target="ldap:///dc=example,dc=com")(targetattr=*)

(version 3.0; acl "parent-access"; allow (add)

userattr = "parent[0,1].manager#USERDN";)

This ACI ensures that add permission is granted only to users whose bind DN
matches the manager attribute of the parent entry.

Summary of Contents for NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR

Page 1: ...Administrator s Guide Netscape Directory Server Version6 1 August 2002...

Page 2: ...2002 Netscape Communications Corporation All rights reserved Portions of the Software copyright 1995 PEER Networks Inc All rights reserved The Software contains the Taligent International Classes from...

Page 3: ...ver Console 32 Copying Entry DNs to the Clipboard 33 Configuring the Directory Manager 34 Binding to the Directory From Netscape Console 34 Changing Login Identity 35 Viewing the Current Bind DN From...

Page 4: ...Attribute Subtype 52 Deleting Directory Entries 54 Managing Entries From the Command Line 54 Providing Input From the Command Line 55 Creating a Root Entry From the Command Line 56 Adding Entries Usin...

Page 5: ...Update Operations 88 Disabling a Suffix 88 Deleting a Suffix 89 Creating and Maintaining Databases 89 Creating Databases 90 Creating a New Database for an Existing Suffix Using the Console 92 Creating...

Page 6: ...Creating Smart Referrals 137 Creating Smart Referrals Using the Directory Server Console 138 Creating Smart Referrals From the Command Line 139 Creating Suffix Referrals 140 Creating Suffix Referrals...

Page 7: ...65 Modifying a Dynamic Group 165 Using Roles 166 About Roles 166 Managing Roles Using the Console 167 Creating a Managed Role 168 Creating a Filtered Role 169 Creating a Nested Role 169 Viewing and Ed...

Page 8: ...imitations 196 Default ACIs 197 Creating ACIs Manually 198 The ACI Syntax 198 Example ACI 199 Defining Targets 199 Targeting a Directory Entry 201 Targeting Attributes 203 Targeting Both an Entry and...

Page 9: ...ng an ACI 233 Deleting an ACI 234 Access Control Usage Examples 234 Granting Anonymous Access 235 Granting Write Access to Personal Entries 237 Restricting Access to Key Roles 241 Granting a Group Ful...

Page 10: ...source Limits Based on the Bind DN 275 Setting Resource Limits Using the Console 276 Setting Resource Limits Using the Command Line 276 Chapter 8 Managing Replication 279 Replication Overview 280 Read...

Page 11: ...l Consumer Initialization Overview 315 Exporting a Replica to LDIF 316 Importing the LDIF File to the Consumer Server 316 Forcing Replication Updates 316 Forcing Replication Updates From the Console 3...

Page 12: ...ystem and Standard Indexes 349 Overview of Default Indexes 349 Overview of System Indexes 350 Overview of Standard Indexes 351 Overview of the Searching Algorithm 351 Balancing the Benefits of Indexin...

Page 13: ...ory Server 381 Enabling SSL Summary of Steps 382 Obtaining and Installing Server Certificates 383 Step 1 Generate a Certificate Request 383 Step 2 Send the Certificate Request 384 Step 3 Install the C...

Page 14: ...nitors 411 Overview of Database Performance Monitor Information 411 General Information Database 412 Summary Information Table 412 Database Cache Information Table 413 Database File Specific Table 414...

Page 15: ...7 bit Check Plug In 443 ACL Plug In 444 ACL Preoperation Plug In 445 Binary Syntax Plug In 445 Boolean Syntax Plug In 446 Case Exact String Syntax Plug In 446 Case Ignore String Syntax Plug In 447 Cha...

Page 16: ...y Server and One Subtree 475 Specifying Multiple Authenticating Directory Servers 475 Specifying One Authenticating Directory Server and Multiple Subtrees 476 Using Non Default Parameter Values 476 Sp...

Page 17: ...ries 505 Specifying Organizational Person Entries 506 Defining Directories Using LDIF 507 LDIF File Example 509 Storing Information in Multiple Languages 510 Appendix B Finding Directory Entries 513 F...

Page 18: ...526 Using Wildcards in Matching Rule Filters 528 Supported Search Types 528 International Search Examples 529 Less Than Example 529 Less Than or Equal to Example 530 Equality Example 530 Greater Than...

Page 19: ...gure 4 1 Splitting a Database Contents into Two Databases 151 Figure 5 1 Sample Pointer CoS 179 Figure 5 2 Sample Indirect CoS 180 Figure 5 3 Sample Classic CoS 181 Figure 6 1 Using Inheritance With t...

Page 20: ...20 Netscape Directory Server Administrator s Guide August 2002...

Page 21: ...Error Detection Parameters 120 Table 3 7 Cascading Chaining Configuration Attributes 129 Table 4 1 Import Method Comparison 144 Table 5 1 Object Classses and Attributes for Roles 173 Table 5 2 CoS De...

Page 22: ...on Plug In 445 Table 15 4 Details of Binary Syntax Plug In 445 Table 15 5 Details of Boolean Syntax Plug In 446 Table 15 6 Details of Case Exact String Syntax Plug In 446 Table 15 7 Details of Case Ig...

Page 23: ...of UID Uniqueness Plug In 462 Table 15 34 Details of URI Plug In 464 Table 16 1 PTA Plug In Parameters 468 Table 17 1 Attribute Uniqueness Plug In Variables 483 Table 18 1 Attributes for Setting Limit...

Page 24: ...24 Netscape Directory Server Administrator s Guide August 2002...

Page 25: ...read and write operations Multi master replication can be combined with simple and cascading replication scenarios to provide a highly flexible and scalable replication environment Chaining and referr...

Page 26: ...its you to monitor your Directory Server in real time using the Simple Network Management Protocol SNMP Online backup and restore Allows you to create backups and restore from backups while the server...

Page 27: ...IX On Windows it is c usr netscape servers If you have installed Directory Server in a different location you should adapt the path accordingly serverID is the ID or identifier you assigned to an inst...

Page 28: ...eference information on the command line scripts configuration attributes and log files shipped with Directory Server Netscape Directory Server Schema Reference Provides reference information about th...

Page 29: ...reating Directory Entries Chapter 3 Configuring Directory Databases Chapter 4 Populating Directory Databases Chapter 5 Advanced Entry Management Chapter 6 Managing Access Control Chapter 7 User Accoun...

Page 30: ...tory Server Administrator s Guide August 2002 Chapter 11 Managing SSL Chapter 12 Monitoring Server and Database Activity Chapter 13 Monitoring Directory Server Using SNMP Chapter 14 Tuning Directory S...

Page 31: ...irectory Server and the most basic tasks you need to start administering a directory service It includes the following sections Overview of Directory Server Management page 32 Using the Directory Serv...

Page 32: ...r called Netscape Console The Directory Server Console is a part of Netscape Console designed specifically for use with Directory Server You can perform most Directory Server administrative tasks from...

Page 33: ...he Netscape Console is displayed 5 Navigate through the tree in the left hand pane to find the machine hosting your Directory Server and click on its name or icon to display its general properties 6 T...

Page 34: ...a different user 2 On the Directory Server Console select the Configuration tab and then select the top entry in the navigation tree in the left pane 3 Select the Manager tab in the right pane 4 Enter...

Page 35: ...to bind to the server For example if you want to bind as the Directory Manager then enter the following in the Distinguished Name text box cn Directory Manager For more information about the Director...

Page 36: ...s icon 3 Scroll through the list of services and select the Netscape Directory Server The service name is Netscape Directory Server version serverID where version is the version number and serverID is...

Page 37: ...hrough the Directory Server Console This section provides information on Changing Directory Server Port Numbers Placing the Entire Directory Server in Read Only Mode Tracking Modifications to Director...

Page 38: ...ext box The default value is 389 4 Enter the port number you want the server to use for SSL communications in the Encrypted Port text box The encrypted port number that you specify must not be the sam...

Page 39: ...last modified in GMT format To enable the Directory Server to track this information 1 On the Directory Server Console select the Configuration tab and then select the top entry in the navigation tre...

Page 40: ...s only on the server s host machine On UNIX you must start the server from the command line Alternatively on either platform you can create a password file to store your certificate password By placin...

Page 41: ...n of your first Directory Server instance and apply it to the new one Creating a New Directory Server Instance 1 In the Netscape Console window select then right click Server Group in the navigation t...

Page 42: ...displayed with the list of target servers for cloning 3 In this window select the server to which you want the configuration to apply and click the Clone To button A message is displayed to give you...

Page 43: ...ver you want to start in referral mode and referral_url is the referral returned to clients For information on the format of an LDAP URL refer to Appendix C LDAP URLs On a Windows machine to start the...

Page 44: ...Starting the Server in Referral Mode 44 Netscape Directory Server Administrator s Guide August 2002...

Page 45: ...pter consists of the following sections Managing Entries From the Directory Console page 45 Managing Entries From the Command Line page 54 LDIF Update Statements page 62 Maintaining Referential Integr...

Page 46: ...tomatically created To create a root entry for a database 1 On the Directory Server Console select the Configuration tab For information on starting the Directory Server Console refer to Using the Dir...

Page 47: ...e Property Editor for the new entry is displayed You can accept the current values by clicking OK or modify the entry as explained in Modifying Directory Entries on page 49 Creating Directory Entries...

Page 48: ...anizational Unit Role Class of Service or Other The corresponding Create window is displayed 3 Supply values for all of the mandatory attributes identified by an asterisk and if you want for any of th...

Page 49: ...ct the naming attribute you want to use to name your new entry To provide values for optional attributes that are not listed refer to Modifying Directory Entries on page 49 6 Click OK to save the new...

Page 50: ...ntry you want to modify and select Properties from the pop up menu Alternatively you can double click the entry The Property Editor is displayed 2 Select the object class field and click Add Value The...

Page 51: ...bute dialog box is displayed 3 Select the attribute you want to add from the list and click OK The Add Attribute window is dismissed and the attribute you selected appears in the list of attributes in...

Page 52: ...ick OK in the Property Editor when you have finished editing the entry The Property Editor is dismissed Adding an Attribute Subtype You can add three different kinds of subtypes to attributes containe...

Page 53: ...type to an attribute indicates that the attribute value is a phonetic representation The subtype is added to the attribute name as follows attribute phonetic This subtype is commonly used in combinati...

Page 54: ...e right pane and select Delete from the pop up menu To select multiple entries use Ctrl click or Shift click and then select Delete from the Edit menu The server deletes the entry or entries immediate...

Page 55: ...ollowing depending upon the type of machine you use UNIX Almost always control D D Windows Usually control Z followed by a carriage return Z return For example suppose you want to input some LDIF upda...

Page 56: ...nds to the server and prepares it to add an entry You create the new root object as follows dn Suffix_Name objectclass newobjectclass The DN corresponds to the DN of the root or sub suffix contained b...

Page 57: ...he distinguished name and password you supply and modifies the entries based on LDIF update statements contained in a specified file Because ldapmodify uses LDIF update statements ldapmodify can do ev...

Page 58: ...DIF statements in the new ldif file do not specify a change type They follow the format defined in LDIF File Format on page 499 To add the entries you must enter the following command ldapmodify a D c...

Page 59: ...with the appropriate LDIF update statements and then enter the following command ldapmodify D cn Directory Manager dc example dc com w King Pin h cyclops p 845 f modify_statements The following table...

Page 60: ...if there aren t any entries below it If you want to delete ou People dc example dc com you must first delete Paula Simon and Jerry O Connor s entries and all other entries in that subtree Here is a ty...

Page 61: ...apdelete parameters refer to the Netscape Directory Server Configuration Command and File Reference Using Special Characters When using the Directory Server command line client tools you may need to s...

Page 62: ...neral LDIF update statements are a series of statements that Specify the distinguished name of the entry to be modified Specify a change type that defines how a specific entry is to be modified add de...

Page 63: ...tatements are identical dn cn Lisa Jangles ou People dc example dc com dn cn Lisa Jangles ou People dc example dc com The following sections describe the change types in detail Adding an Entry Using L...

Page 64: ...pminsky dn cn Sue Jacobs ou People dc example dc com changetype add objectclass top objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn Sue Jacobs givenName Sue sn Jacobs...

Page 65: ...Using LDIF Use changetype modrdn to change an entry s relative distinguished name RDN An entry s RDN is the left most element in the distinguished name Therefore the RDN for cn Barry Nixon ou People d...

Page 66: ...obs and only cn Susan Jacobs would remain within the entry A Note on Renaming Entries You cannot rename an entry with the modrdn change type such that the entry moves to a completely different subtree...

Page 67: ...e server returns an error replace attribute The specified values are used to entirely replace the attribute s value s If the attribute does not already exist it is created If no replacement value is s...

Page 68: ...555 1212 telephonenumber 555 6789 add manager manager cn Sally Nixon ou People dc example dc com The following example adds a jpeg photograph to the directory The jpeg photo can be displayed by Direct...

Page 69: ...eplace manager manager cn Wally Hensford ou People dc example dc com If the entry has multiple instances of the attribute then to change one of the attribute values you must delete the attribute value...

Page 70: ...of how many times it appears in the entry dn cn Barney Fife ou People dc example dc com changetype modify delete telephonenumber If you want to delete just a specific instance of the telephonenumber...

Page 71: ...nal unit For example of the following three entries ou People dc example dc com cn Paula Simon ou People dc example dc com cn Jerry O Connor ou People dc example dc com you can delete only the last tw...

Page 72: ...y Referential integrity is a database mechanism that ensures relationships between related entries are maintained In the Directory Server referential integrity can be used to ensure that an update to...

Page 73: ...configure the behavior of the referential integrity plug in to suit your own needs You can Record referential integrity updates in the replication change log Modify the update interval Select the att...

Page 74: ...ntial Integrity You can enable or disable referential integrity from the Directory Server Console or from the command line From the Directory Server Console 1 On the Directory Server Console select th...

Page 75: ...ee and select the Referential Integrity Postoperation plug in The settings for the plug in are displayed in the right pane 3 In the arguments list replace the referint filename with the absolute path...

Page 76: ...interval 4 Click Save to save your changes 5 For your changes to be taken into account go to the Tasks tab and select Restart the Directory Server Modifying the Attribute List By default the referenti...

Page 77: ...ory Entries 77 5 For your changes to be taken into account go to the Tasks tab and select Restart the Directory Server NOTE For best performance the attributes set for updating should also be indexed...

Page 78: ...Maintaining Referential Integrity 78 Netscape Directory Server Administrator s Guide August 2002...

Page 79: ...ks page 96 Using Referrals page 136 For conceptual information on distributing your directory data refer to the Netscape Directory Server Deployment Guide Creating and Maintaining Suffixes You can sto...

Page 80: ...ining Suffixes Creating Suffixes You can create both root and sub suffixes to organize the contents of your directory tree A root suffix is the parent of a sub suffix It can be part of a larger tree y...

Page 81: ...e the directory tree looks as illustrated in Figure 3 3 Figure 3 3 A Sample Directory Tree with a Root Suffix Off Limits to Search Operations Searches performed by client applications on the dc exampl...

Page 82: ...th a database 1 In the Directory Server Console select the Configuration tab 2 Right click Data in the left navigation pane and select New Root Suffix from the pop up menu The Create new root suffix d...

Page 83: ...New Sub Suffix from the pop up menu The Create new sub suffix dialog box is displayed 3 Enter a unique suffix name in the New suffix field The suffix must be named according to dc naming conventions...

Page 84: ...rver and prepares it to add an entry to the configuration file Next you create the root suffix entry for example com Corporation as follows dn cn dc example dc com cn mapping tree cn config objectclas...

Page 85: ...ing the Directory Server Console you will need to respect the same spacing you use to name the root and sub suffixes via the command line For example if you name a root suffix ou groups dc example dc...

Page 86: ...e nsslapd backend Gives the name of the database or database link used to process requests This attribute can be multi valued with one database or database link per value Refer to Creating and Maintai...

Page 87: ...ory Server Console select the Configuration tab 2 Under Data in the left pane click the suffix to which you want to add a referral 3 Click the Suffix Settings tab Select the Use Referrals radio button...

Page 88: ...ferrals only during update operations 1 On the Directory Server Console select the Configuration tab 2 Under Data in the left pane click the suffix to which you want to add a referral 3 Click the Suff...

Page 89: ...ane select the suffix you want to delete 3 Select Delete from the Object menu You can also right click the suffix and select Delete from the pop up menu 4 Select Delete this suffix and all of its sub...

Page 90: ...rectory Server supports the use of multiple databases over which you can distribute your directory tree There are two ways you can distribute your data across multiple databases One database per suffi...

Page 91: ...h of your directory tree is so large that you need two databases to store them In this case the data contained by ou people could be distributed across two databases This is illustrated as follows Dat...

Page 92: ...atabase example2 5 In the Create database in field enter the path to the directory where you want to store the new database You can also click Browse to locate a directory on your local machine By def...

Page 93: ...ven in the DN attribute must correspond with the value in the nsslapd backend attribute of the suffix entry Adding Multiple Databases for a Single Suffix You can distribute a single suffix across mult...

Page 94: ...o which you want to apply your distribution function 3 Select the Databases tab in the right window 4 Click Add to associate additional databases with the suffix The Database List dialog box is displa...

Page 95: ...Directory Server manages multiple databases you can place all of them into read only mode at the same time by placing your entire server in read only mode For more information see Placing the Entire...

Page 96: ...the Object menu select Delete You can also right click the database and select Delete from the pop up menu The Deleting Database confirmation dialog box is displayed 4 Click Yes to confirm that you w...

Page 97: ...policy applies to all database links you create on your Directory Server Chaining Component Operations A component is any functional unit in the server that uses internal operations For example plug i...

Page 98: ...fig Read search and compare 4 0 plug ins This component name represents all Directory Server 4 0 plug ins The 4 0 plug ins share the same chaining policy Specify the following in the nsActiveChainingC...

Page 99: ...ig Read write search and compare UID uniqueness plug in This plug in checks that all the values for a specified uid attribute are unique no duplicates If you allow this plug in to chain it confirms th...

Page 100: ...mponent to chain you must create an ACI in the suffix on the remote server to which the operation will be chained For example you would create the following ACI for the referential integrity plug in a...

Page 101: ...This control sorts entries according to their attribute values Managed DSA This controls returns smart referrals as entries rather than following the referral This allows you to change or delete the s...

Page 102: ...database cn plugins cn config entry For example to forward the virtual list view control you add the following to your database link entry in the configuration file nsTransmittedControls 2 16 840 1 1...

Page 103: ...Creating a New Database Link Using the Console To create a new database link using the Directory Server Console 1 On the Directory Server Console select the Configuration tab 2 Right click Data in th...

Page 104: ...d for the bind in the Remote server port field The default port number is 389 12 Enter the name of a failover server in the Failover Server s field and specify a port number in the Port field The defa...

Page 105: ...e Netscape Directory Server Configuration Command and File Reference This section contains the following procedures for configuring a database link from the command line Providing Suffix Information P...

Page 106: ...ntries on page 45 b Provide proxy access rights for the administrative user created in step 1 on the subtree chained to by the database link For more information on configuring ACI s refer to Managing...

Page 107: ...sponding to the nsMultiplexorBindDN and you must set the proxy authentication rights for this user To set the proxy authorization right you need to set the proxy ACI as you would any other ACI CAUTION...

Page 108: ...verURL might appear as follows nsFarmServerURL ldap example com 389 Do not forget to use the trailing slash at the end of the URL If you want to the database link to connect to the remote server using...

Page 109: ...database link take precedence over the global attribute value Table 3 4 Database Link Configuration Attributes Attributes Value nsTransmittedControls Gives the OID of LDAP controls forwarded by the da...

Page 110: ...has been restarted The default value is off nsProxiedAuthorization Reserved for advanced use only Allows you to disable proxied authorization A value of off means proxied authorization is disabled Th...

Page 111: ...us example com Then specify the configuration information for the database link dn cn DBLink1 cn chaining database cn plugins cn config objectclass top objectclass extensibleObject objectclass nsBack...

Page 112: ...database link The nsslapd parent suffix attribute specifies the parent of this new suffix ou people dc example dc com Next you create an administrative user on server B as follows dn cn proxy admin c...

Page 113: ...mple com 636 Enable SSL on the server that contains the database link For more information on enabling SSL refer to Enabling SSL Summary of Steps on page 382 When you configure the database link and r...

Page 114: ...ter a new LDAP URL in the Remote Server URL field Unlike the standard LDAP URL format the URL of the remote server does not specify a suffix It takes the following form ldap servername portnumber 5 Up...

Page 115: ...ess controls on the subtree contained on the remote server This means that you need to add the usual access controls to the remote server with a few restrictions You cannot use all types of access con...

Page 116: ...ication When performing a modify operation the database link does not have access to the full entry stored on the remote server If performing a delete operation the database link is only aware of the...

Page 117: ...that the database link establishes with the remote server The default value is 3 connections Bind timeout Amount of time in seconds before the database link s bind attempt times out The default value...

Page 118: ...ion management attributes for a specific database link are stored in the following entry cn database_link_name cn chaining database cn plugins cn config where database_link_name is the name of the dat...

Page 119: ...s set using the nsMaxTestResponseDelay nsBindRetryLimit Number of times a database link attempts to bind to the remote server A value of zero 0 indicates that the database link will try to bind only o...

Page 120: ...rowing too long However the database link forwards operations to remote servers for processing The database link contacts the remote server forwards the operation waits for the result and then sends t...

Page 121: ...read number to 50 to improve performance After changing the thread number restart the server to implement your changes Advanced Feature Configuring Cascading Chaining You can configure your database l...

Page 122: ...ins the data the clients wants to modify in a database Two hops are required to access the piece of data the client want to modify During a normal operation request a client binds to the server and th...

Page 123: ...s are stored on Server A The l europe dc example dc com and ou groups suffixes are stored in on Server B and the ou people branch of the l europe dc example dc com suffix is stored on Server C With ca...

Page 124: ...ou people l europe dc example dc com branch Because at least two hops are required for the directory to service the client request this is considered a cascading chain Configuring Cascading Chaining D...

Page 125: ...g 1 On the Directory Server Console select the Configuration tab 2 Expand the Data folder in the left pane and locate the database link you want to include in a cascading chain Click the database link...

Page 126: ...abase link must contain the URL of the server containing another database link For example suppose the database link on the server called example1 com points to a database link on the server called af...

Page 127: ...the administrative user that targets the appropriate suffix This ensures the administrator has access only to the suffix of the database link Add the following ACI to the administrative user s entry a...

Page 128: ...then need to add any client ACIs to this superior suffix entry For example you might add the following aci targetattr version 3 0 acl Client authentication for database link users allow all userdn lda...

Page 129: ...onfiguring Server Three Table 3 7 Cascading Chaining Configuration Attributes Attribute Description nsFarmServerURL URL of the server containing the next database link in the cascading chain nsTransmi...

Page 130: ...Configuring Server One First use the ldapmodify command line utility to add a database link to server one To use the utility type the following to change to the directory containing the utility cd ser...

Page 131: ...The first section creates the entry associated with DBLink1 The second section creates a new suffix allowing the server to direct requests made to the database link to the correct server You do not ne...

Page 132: ...Next you configure the database link DBLink2 on server two Using ldapmodify specify the configuration information for DBLink2 as follows dn cn DBLink2 cn chaining database cn plugins cn config object...

Page 133: ...1 1466 29539 12 where nsTransmittedControl 2 16 840 1 113730 3 4 12 is the OID for Proxy Authorization control and nsTransmittedControl 1 3 6 1 4 1 1466 29539 12 is the OID for the loop detection con...

Page 134: ...etattr target l Zanzibar c africa ou people dc example dc com version 3 0 acl Client authorization for database links allow all userdn ldap uid c us ou people dc example dc com This ACI allows clients...

Page 135: ...ess to the data contained on the remote server server three within the l Zanzibar ou people dc example dc com subtree only You then need to create an local client ACI on the l Zanzibar ou people dc ex...

Page 136: ...referrals are returned to client applications that submit operations on a DN not contained within any of the suffixes maintained by your directory The following procedures describes setting a default...

Page 137: ...zanzibar com Once you have added the default referral to the cn config entry of your directory the directory will return the default referral in response to requests made by client applications You do...

Page 138: ...log box displays 5 Select referral from the list and click OK 6 Click Add Attribute The Add Attribute dialog box is displayed 7 Scroll down the list of attributes to the ref attribute Select the ref a...

Page 139: ...e com you would include the following in your LDIF file before importing dn uid ssarette ou people dc example dc com objectclass top objectclass person objectclass organizationalperson objectclass ine...

Page 140: ...erral will be returned when this suffix receives an update request from a client application This option is used to redirect update and write requests made by client applications to a read only databa...

Page 141: ...le dc com cn mapping tree cn config objectclass extensibleObject objectclasss nsmappingtree nsslapd state referral nsslapd referral ldap zanzibar com The nsslapd state attribute is set to referral mea...

Page 142: ...Using Referrals 142 Netscape Directory Server Administrator s Guide August 2002...

Page 143: ...the Directory Server Console You can use the Directory Server Console to append data to all of your databases including database links Initialize databases You can use the Directory Server Console to...

Page 144: ...d on remote databases to which your Directory Server has a configured database link You must be logged in as the Directory Manager in order to perform an import Table 4 1 Import Method Comparison Impo...

Page 145: ...ile may contain modify and delete instructions in addition to the default add instructions If you want the server to ignore operations other than add select the Add only check box Continue on Error Se...

Page 146: ...the database itself 3 Right click the database and select Initialize Database You can also select Initialize Database from the Object menu 4 In the LDIF file field enter the full path to the LDIF file...

Page 147: ...ith the import By default the script first saves and then merges any existing o NetscapeRoot configuration information with the o NetscapeRoot configuration information in the files being imported To...

Page 148: ...ript the ldif2db pl script overwrites the data in a database you specify This script requires the server to be running in order to perform the import 1 From the command line change to the following di...

Page 149: ...The ldif2ldap script appends the LDIF file through LDAP Using this script you import data to all directory databases at the same time The server must be running in order to import using ldif2ldap To...

Page 150: ...the absolute path and file name of the LDIF file s to be imported Exporting Data You can use the LDAP Data Interchange Format LDIF to export database entries from your databases LDIF is a standard fo...

Page 151: ...ng the Console Exporting a Single Database to LDIF Using the Console Exporting to LDIF From the Command Line Note that the export operations do not export the configuration information cn config Expor...

Page 152: ...onsole on a machine remote to the server two radio buttons are displayed beneath the LDIF file field Select To local machine to indicate that you are exporting to an LDIF file in the machine from whic...

Page 153: ...he file Exporting to LDIF From the Command Line You can export your database to LDIF using the db2ldif command line script This script exports all of your database contents or a part of their contents...

Page 154: ...guration File Backing Up All Databases The following procedures describe backing up all of the databases in your directory using the Directory Server Console and from the command line Option Descripti...

Page 155: ...ault the backup files will be placed in the following location serverRoot slapd serverID bak backup_directory The backup_directory variable names a directory using the name of the backup file By defau...

Page 156: ...up a single database 1 At the command prompt change to serverRoot slapd serverID 2 If the server is running type the following to stop it stop slapd 3 Change to the directory containing the database y...

Page 157: ...opping the server and then copying the databases and associated index files from the backup location to the database directory To restore your databases from a previously created backup 1 On the Direc...

Page 158: ...bout using this script refer to Netscape Directory Server Configuration Command and File Reference Two examples of performing an import using bak2db follow Windows batch file bak2db bat usr netscape s...

Page 159: ...o shut it down stop slapd 3 Change to the directory containing the backup you want to restore 4 Copy all of the files to the directory containing the database you want to overwrite with your backup Fo...

Page 160: ...nce Directory Server automatically detects the compatibility between the replica and its change log If a mismatch is detected the server removes the old change log file and creates a new empty one Cha...

Page 161: ...1 On the Directory Server Console select the Configuration tab and expand the Data folder in the navigation tree 2 Select the database that you want to place in read only mode and click the Database...

Page 162: ...Enabling and Disabling Read Only Mode 162 Netscape Directory Server Administrator s Guide August 2002...

Page 163: ...les and class of service in the planning phase of your directory deployment determine your directory topology Refer to the Netscape Directory Server Deployment Guide for more information Using Groups...

Page 164: ...is required 4 Enter a description of the new group in the Description field 5 Click Members in the left pane In the right pane select the Static Group tab Click Add to add new members to the group The...

Page 165: ...g and modifying dynamic groups Adding a New Dynamic Group Modifying a Dynamic Group Adding a New Dynamic Group 1 Follow steps 1 4 of Adding a New Static Group on page 164 2 Click Members in the left p...

Page 166: ...the role of an entry rather than select a group and browse the members list This section contains the following topics About Roles Managing Roles Using the Console Managing Roles Using the Command Li...

Page 167: ...server side Each role has members or entries that possess the role You can specify members either explicitly or dynamically How you specify role membership depends upon the type of role you are using...

Page 168: ...and select the parent entry for your new role 3 Go to the Object menu and select New Role You can also right click the entry and select New Role The Create New Role dialog box is displayed 4 Click Ge...

Page 169: ...le definitions fields a Select the types of entries you want to filter from the For drop down list You can choose between users groups or both b Select an attribute from the Where drop down list The t...

Page 170: ...the Directory Server Console select the Directory tab 2 In the left navigation pane browse the tree and select the entry for which you want to view or edit a role 3 Select Set Roles from the Object me...

Page 171: ...king a Role Inactive You can temporarily disable the members of a role by inactivating the role to which they belong Inactivating a role inactivates the entries possessed by the role and not the role...

Page 172: ...ntries 3 Right click the role and select Delete A dialog box appears asking you to confirm the deletion Click Yes 4 The Deleted Entries dialog box appears to inform you that the role was successfully...

Page 173: ...Marketing ou people dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsSimpleRoleDefinition objectclass nsManagedRoleDefinition cn Marketing descrip...

Page 174: ...ers Run the ldapmodify script as follows ldapmodify D cn Directory Manager w secret h host p 389 Specify the filtered role as follows dn cn SalesManagerFilter ou people dc example dc com objectclass t...

Page 175: ...suitable for use in a security context When creating a new role consider how easily the role can be assigned to and removed from an entry Sometimes it is appropriate for users to be able to easily ad...

Page 176: ...attribute The user should not be allowed to add delete and modify the attribute used by the filtered role If the value of the filter attribute is computed then all attributes that can modify the value...

Page 177: ...s to the template entry attribute values are automatically applied to all the entries within the scope of the CoS A single CoS might have more than one template entry associated with it The CoS defini...

Page 178: ...ribute for which the CoS is generating values by default the CoS supplies the client application with the attribute value in the entry itself However you can use the CoS definition entry to control th...

Page 179: ...this example the template entry is identified by its DN cn exampleUS cn data in the CoS definition entry Each time the postalCode attribute is queried on the entry cn wholiday ou people dc example dc...

Page 180: ...Carla Fuentes so the manager attribute contains a pointer to the DN of the template entry cn Carla Fuentes ou people dc example dc com The template entry in turn provides the departmentNumber attribut...

Page 181: ...mpleUS cn data The template entry then provides the value of the postalCode attribute to the target entry Managing CoS Using the Console This section describes creating and editing CoS through the Dir...

Page 182: ...n a generated value if there is no corresponding attribute value stored with the entry Select Overrides target entry attribute to make the value of the attribute generated by the CoS override the loca...

Page 183: ...describes changing the description and attributes generated on the target entry of an existing class of service To edit an existing CoS 1 In the Directory Server Console select the Directory tab 2 Br...

Page 184: ...res a particular object class to be specified in the definition entry All CoS definition object classes inherit from the LDAPsubentry object class and the cosSuperDefinition object class Table 5 2 lis...

Page 185: ...rks as if override and operational were specified If you do not indicate a qualifier default is assumed Table 5 3 CoS Definition Entry Attributes Attribute Definition cosAttribute Provides the name of...

Page 186: ...the attributes refer to the Netscape Directory Server Configuration Command and File Reference Now that you have been introduced to the object classes and attributes used by a CoS definition it is ti...

Page 187: ...you might have a multi valued cosSpecifier in your CoS definition entry In such a case you can specify a template priority on each template entry to determine which template provides the attribute val...

Page 188: ...over any other conflicting templates that define a different departmentNumber value The following sections provide examples of template entries along with examples of each type of CoS definition entry...

Page 189: ...First you add a new indirect CoS definition entry to the dc example dc com suffix using ldapmodify as follows ldapmodify a D cn directory manager w secret h host p 389 The ldapmodify utility binds to...

Page 190: ...ata dc example dc com The department number is different depending upon the manager Example of a Classic CoS You want to create a classic CoS that automatically generates postal codes using a combinat...

Page 191: ...g template provides a postal code specific to employees in the marketing department Creating Role Based Attributes You can create classic CoS schemes that generate attribute values for an entry based...

Page 192: ...CoS template entry The CoS template entry provides the value for the mailboxquota attribute An additional qualifier of override tells the CoS to override any existing mailboxquota attributes values i...

Page 193: ...Control Usage Examples page 234 Viewing the ACIs for an Entry page 254 Advanced Access Control Using Macro ACIs page 254 Access Control and Replication page 261 Logging Access Control Information page...

Page 194: ...attributes You can set permissions for a specific user all users belonging to a specific group or role or all users of the directory Finally you can define access for a specific location such as an IP...

Page 195: ...uld create an ACI that targets entries that include the inetorgperson object class You can use this feature to minimize the number of ACIs in the directory tree by placing general rules at high level...

Page 196: ...ocated on remote servers ACIs that depend on role definitions roledn keyword must be located on the same server as the role definition entry Every entry that is intended to have the role must also be...

Page 197: ...tor by default uid admin ou Administrators ou TopologyManagement o NetscapeRoot has all rights except proxy rights All members of the Configuration Administrators group have all rights except proxy ri...

Page 198: ...for the ACI The name can be any string that identifies the ACI The ACI name is required permission specifically outlines what rights you are either allowing or denying for example read or search righ...

Page 199: ...all attributes in her own directory entry The following sections describe the syntax of each portion of the ACI in more detail Defining Targets The target identifies what the ACI applies to If the tar...

Page 200: ...all entries below it For example if you target the entry ou accounting dc example dc com the permissions you set will apply to all entries in the accounting branch of the example com tree As a counte...

Page 201: ...rgeting a Directory Entry To target a directory entry and the entries below it you must use the target keyword The target keyword can accept a value of the following format target ldap distinguished_n...

Page 202: ...xample uid andy dc example dc com targets all the directory entries in the entire example com tree with a matching uid attribute and not just the entries that are immediately below the dc example dc c...

Page 203: ...e targetattr keyword The keyword uses the following syntax targetattr attribute You can target multiple attributes by using the targetattr keyword with the following syntax targetattr attribute1 attri...

Page 204: ...h certain criteria To do this you must use the targetfilter keyword with an LDAP filter The syntax of the targetfilter keyword is targetfilter LDAP_filter where LDAP_filter is a standard LDAP search f...

Page 205: ...key roles such as Top Level Administrator LDAP filters are used to check that the conditions on attribute values are satisfied To create a value based ACI you must use the targattrfilters keyword wit...

Page 206: ...entry except the superAdmin role It also allows users to add a telephone number with a 123 prefix Targeting a Single Directory Entry Targeting a single directory entry is not straightforward because...

Page 207: ...ng access Assigning rights Allowing or Denying Access You can either explicitly allow or deny access permissions to your directory tree For more guidelines on when to allow and when to deny access ref...

Page 208: ...te search delete compare and selfwrite to the targeted entry excluding proxy rights Rights are granted independently of one another This means for example that a user who is granted add rights can cre...

Page 209: ...Modifying an attribute in an entry Grant write permission on the attribute type Grant write permission on the value of each attribute type This right is granted by default but could be restricted usi...

Page 210: ...ldap self Permissions Syntax In an ACI statement the syntax for permissions is allow deny rights where rights is a list of 1 to 8 comma separated keywords enclosed within parentheses Valid keywords a...

Page 211: ...t combine these criteria by using Boolean operators See Using Boolean Bind Rules on page 228 for more information Bind Rule Syntax Whether access is allowed or denied depends on whether an ACI s bind...

Page 212: ...d Valid Expressions Wildcard Allowed userdn ldap distinguished_name ldap all ldap anyone ldap self ldap parent ldap suffix sub filter yes in DN only groupdn ldap DN DN no roledn ldap DN DN no userattr...

Page 213: ...one can access it without providing a bind DN or password and regardless of the circumstances of the bind You can limit anonymous access to specific types of access for example access for read or acce...

Page 214: ...dap suffix sub filter For example all users in the accounting and engineering branches of the example com tree would be granted or denied access to the targeted resource dynamically based on the follo...

Page 215: ...p uid ou Accounting dc example dc com The bind rule is evaluated to be true if the client is not binding as a UID based distinguished name in the accounting subtree This bind rule only makes sense if...

Page 216: ...eate the following ACI on the dc example dc com node aci version 3 0 acl anonymous read search allow read search userdn ldap anyone Userdn keyword containing the parent keyword userdn ldap parent The...

Page 217: ...entire directory tree you would create the following ACI on the dc example dc com node aci version 3 0 acl Administrators write allow write groupdn ldap cn Administrators dc example dc com Groupdn ke...

Page 218: ...ve access to the entry This example is based on DN matching However you can match any attribute of the entry used in the bind with the targeted entry For example you could create an ACI that allowed a...

Page 219: ...ttribute in the targeted entry is expressed as a full DN The following example grants a manager full access to his or her employees entries aci target ldap dc example dc com targetattr version 3 0 acl...

Page 220: ...agers in your company you can use this mechanism to grant managers at all levels access to information about employees that are at a lower grade than themselves The DN of the role can be under any suf...

Page 221: ...ry used to bind with the target entry the ACI applies only to the target specified and not to the entries below it In some circumstances you might want to extend the application of the ACI several lev...

Page 222: ...n Profiles entry as well as the first level of child entries which includes cn mail and cn news thus allowing her to search through her own mail and news IDs Figure 6 1 Using Inheritance With the user...

Page 223: ...the manager attribute is set to their own DN For example disgruntled employee Joe cn Joe ou eng dc example dc com might want to create an entry in the Human Resources branch of the tree to use or mis...

Page 224: ...wing certain kinds of directory access only from a specific subnet or machine For example you could use a wildcard IP address such as 12 3 45 to specify a specific subnetwork or 123 45 6 255 255 255 1...

Page 225: ...efining Access From a Specific IP Address on page 224 Defining Access at a Specific Time of Day or Day of Week You can use bind rules to specify that binding can only occur at a certain time of day or...

Page 226: ...true if the client is accessing the directory at any time other than 1 am timeofday 0800 The bind rule is evaluated to be true if the client is accessing the directory at any time after 8 am timeofday...

Page 227: ...tablished through a Start TLS operation In both cases a certificate must be provided For information on setting up SSL see Chapter 11 Managing SSL SASL The client must bind to the directory over a Sim...

Page 228: ...You must create an LDIF statement The LDIF syntax for a Boolean bind rule is as follows bind_rule boolean bind_rule boolean bind_rule For example the following bind rule will be evaluated to be true...

Page 229: ...ng the Access Control Editor Viewing Current ACIs Creating a New ACI Editing an ACI Deleting an ACI See Access Control Usage Examples on page 234 for a collection of access control rules commonly used...

Page 230: ...onsole on page 32 2 On the Directory Server Console select the Directory tab 3 Right click the entry in the navigation tree for which you want to set access control and select Set Access Permissions f...

Page 231: ...he online help Viewing Current ACIs If you want to see what ACIs apply to a particular subtree in your directory follow these steps 1 On the Directory tab right click the top entry in the subtree and...

Page 232: ...h string in the Search field and click the Search button The search results are displayed in the list below b Highlight the entries you want in the search result list and click the Add button to add t...

Page 233: ...ry tab right click the top entry in the subtree and choose Set Access Permissions from the pop up menu The Access Control Manager window is displayed It contains the list of ACIs belonging to the entr...

Page 234: ...vice and internet access Part of example com s web hosting service is to host the directories of client companies example com actually hosts and partially manages the directories of two medium sized c...

Page 235: ...us access to the world to the individual subscribers subtree except for subscribers who have specifically requested to be unlisted This part of the directory could be a slave server outside of the fir...

Page 236: ...e other checkboxes are clear 5 On the Targets tab click This Entry to display the dc example dc com suffix in the target directory entry field In the attribute table locate the userPassword attribute...

Page 237: ...On the Rights tab tick the checkboxes for read and search rights Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the dc subscribers dc example dc com suffix i...

Page 238: ...the Console you can set this permission by doing the following 1 On the Directory tab right click the example com node in the left navigation tree and choose Set Access Permissions from the pop up me...

Page 239: ...e Subscribers In LDIF to grant example com subscribers the right to update their password and home telephone number you would write the following statement aci targetattr userPassword homePhone versio...

Page 240: ...c subscribers dc example dc com suffix in the target directory entry field a In the filter for subentries field type the following filter unlistedSubscriber yes b In the attribute table tick the check...

Page 241: ...superAdmin role This is illustrated in the ACI Roles example ACI Roles In LDIF to grant example com employees the right to add any role to their own entry except the superAdmin role you would write th...

Page 242: ...dc example dc com version 3 0 acl Roles allow write userdn ldap self and dns example com 7 Click OK The new ACI is added to the ones listed in the Access Control Manager window Granting a Group Full A...

Page 243: ...o the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area to Users and Groups and type HRgroup in the Search for field This ex...

Page 244: ...s objectClass groupOfNames version 3 0 acl Create Group allow add userdn ldap uid ou example people dc example dc com and dns example com This example assumes that the ACI is added to the ou social co...

Page 245: ...pOfNames The LDIF statement should read as follows targattrfilters add objectClass objectClass groupOfNames targetattr target ldap ou social committee dc example dc com version 3 0 acl Create Group al...

Page 246: ...day and Access requested from a specified IP address for each company These conditions are illustrated in a single ACI for each company ACI HostedCompany1 and ACI HostedCompany2 Because the content of...

Page 247: ...ccess permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab click the Check All button 5 On the Targets tab click This Entry to display the ou HostedCompany1 ou corp...

Page 248: ...cess to it For example example com wants all subscribers to be able to read billing information such as connection time or account balance under their own entries but explicitly wants to deny write ac...

Page 249: ...he target directory entry field In the attribute table tick the checkboxes for the connectionTime and accountBalance attributes All other checkboxes should be clear This task is made easier if you cli...

Page 250: ...tton to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write Make sure the other c...

Page 251: ...tional unit branch points using the directory tab on the Directory Server Console Allowing Users to Add or Remove Themselves From a Group Many directories set ACIs that allow users to add or remove th...

Page 252: ...suffix in the target directory entry field In the attribute table tick the checkbox for the member attribute All other checkboxes should be clear This task is made easier if you click the Check None...

Page 253: ...3 0 acl allowAll AcctAdmin allow all userdn ldap uid AcctAdministrator ou Administrators dc example dc com The following ACI granting proxy rights to the client application must exist in the director...

Page 254: ...at also apply Advanced Access Control Using Macro ACIs In organizations that use repeating directory tree structures it is possible to optimize the number of ACIs used in the directory by using macros...

Page 255: ...so repeated across the tree because the example com directory tree stores the following suffixes dc hostedCompany2 dc example dc com and dc hostedCompany3 dc example dc com The ACIs that apply in the...

Page 256: ...Figure 6 4 Example directory tree for Macro ACIs The following ACI is located on the dc hostedCompany1 dc example dc com node aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Do...

Page 257: ...rsion 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc subdomain1 dc hostedCompany2 dc example dc com In the four ACIs shown above the only differentiator is the DN sp...

Page 258: ...roupdn userattr you must define a target that contains dn In short you when using any macro you always need a target definition that contains the dn macro You can combine the dn macro and the attr att...

Page 259: ...ss is granted or not Macro Matching for dn The matching mechanism for dn is slightly different than for dn The DN of the targeted resource is examined several times each time dropping the left most RD...

Page 260: ...n 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dn dc example dc com It grants access to the members of cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com t...

Page 261: ...c example dc com ou People dc HostedCompany1 dc example dc com In this case when the Directory Server evaluates the ACI it performs a logical OR on the following expanded expressions roledn ldap cn Do...

Page 262: ...e value already displayed is 8192 replication debugging you should change the value to 8320 For complete information on error log levels refer to Netscape Directory Server Configuration Command and Fi...

Page 263: ...the directory and limiting system resources available to users depending upon their bind DNs This chapter contains the following sections Managing the Password Policy page 263 Inactivating Users and R...

Page 264: ...ithin the directory except for the Directory Manager Your password policy is comprised of the following information Password add and modify information The password information includes password synta...

Page 265: ...swords to expire select the Password never expires radio button 8 If you want users to have to change their passwords periodically select the Password expires after X days radio button and then enter...

Page 266: ...discover This attribute is off by default passwordChange When on this attribute indicates that users may change their own password Choosing for users to set their own passwords runs the risk of users...

Page 267: ...ial word is any value stored in the uid cn sn givenName ou or mail attributes of the user s entry This attribute is off by default passwordMinLength This attribute specifies the minimum number of char...

Page 268: ...ning users can reuse old passwords passwordInHistory This attribute indicates the number of passwords the directory stores in the history You can store from 2 to 24 passwords in the history This featu...

Page 269: ...into the directory by repeatedly trying to guess a user s password You can set up your password policy so that a specific user is locked out of the directory after a given number of failed attempts to...

Page 270: ...out Policy Attributes Attribute Name Definition passwordLockout This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts You set the number o...

Page 271: ...te specifies the time in seconds after which the password failure counter will be reset Each time an invalid password is sent from the user s account the password failure counter is incremented If the...

Page 272: ...on for example the server identities need to have passwords that never expire To make sure that these special users have passwords that do not expire add the passwordExpirationTime attribute to the en...

Page 273: ...view the state of the object by selecting Inactivation State from the View menu The icon of the object then appears in the right pane of the console with a red slash through it Inactivating User and R...

Page 274: ...pane The right pane states that the role or user is activated Click Activate to activate the user or role 4 If the user or role is a member of another inactivated role the console displays an option...

Page 275: ...he Bind DN You can control server limits for search operations using special operational attribute values on the client application binding to the directory You can set the following search operation...

Page 276: ...e navigation tree in the left navigation pane and double click the user or role for which you want to set resource limits The Edit Entry dialog box appears 3 Click Account in the left pane The right p...

Page 277: ...a search return size limit of 500 entries nsSizeLimit Specifies the maximum number of entries the server returns to a client application in response to a search operation Giving this attribute a valu...

Page 278: ...Setting Resource Limits Based on the Bind DN 278 Netscape Directory Server Administrator s Guide August 2002...

Page 279: ...ter includes the following topics Replication Overview page 280 Replication Scenarios page 284 Summary of Steps for Complex Replication Configurations page 289 Detailed Replication Tasks page 290 Conf...

Page 280: ...ication Replication Identity Replication Agreement Compatibility with Earlier Versions of Directory Server Read Write Replica Read Only Replica A database that participates in replication is defined a...

Page 281: ...ge log is a record that describes the modifications that have occurred on a replica The supplier server then replays these modifications to the replicas stored on consumer servers or to other supplier...

Page 282: ...erver that receives updates from another server that is on every hub supplier or a dedicated consumer When you configure a replica that receives updates from another server you must specify this entry...

Page 283: ...eplication mechanism in this version of Directory Server is different from the mechanism used in earlier versions of Directory Server Compatibility is provided through the Legacy Replication Plug in T...

Page 284: ...ad write replica on one server called the supplier server The supplier server also maintains change log for this replica On another server called the consumer server you have as many read only replica...

Page 285: ...eplicated to two read only replicas located on Server B and Server C For information on setting up a single master replication environment refer to Configuring Single Master Replication on page 296 Mu...

Page 286: ...te requests that they receive Such scenarios are called multi master configurations Figure 8 2 shows an example of multi master replication scenario Figure 8 2 Multi Master Replication Multi master co...

Page 287: ...for a particular replica It holds a read only replica and maintains a change log It receives updates from the supplier server that holds the master copy of the data and in turn supplies those updates...

Page 288: ...n on setting up cascading replication refer to Configuring Cascading Replication on page 305 NOTE You can combine multi master and cascading replication For example in the multi master scenario illust...

Page 289: ...supplier DN entry Specify the supplier settings for replication includes change log configuration Specify the replica settings for a read write replica 3 On all suppliers Create the replica databases...

Page 290: ...ntry that the suppliers will use to bind to the consumer servers to perform replication updates The supplier bind DN must meet the following criteria It must be unique It must be created on the consum...

Page 291: ...passwords expiring To disable the password expiration policy on the userPassword attribute add the passwordExpirationTime attribute with a value of 20380119031407Z which means that the password will n...

Page 292: ...click Browse to display a file selector 6 Set the change log number and age parameters You must clear the unlimited checkboxes to specify different values 7 Click Save to save the supplier settings Co...

Page 293: ...e Using the Directory Server Console on page 32 2 In the left navigation tree expand the Replication folder and highlight the replica database The Replica Settings tab is displayed in the right naviga...

Page 294: ...rm ldap servername port If you want clients to bind to the supplier using SSL you can use this field to specify a referral of the form ldaps servername port where the s in ldaps indicates secure conne...

Page 295: ...red to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replication agreement that includes the current replica You can choose to...

Page 296: ...ion agreement icon indicates that your replication agreement is set up Configuring Single Master Replication This section provides information on configuring single master replication The steps descri...

Page 297: ...ication settings required for a read only replica a In the Directory Server Console click the Configuration tab b In the navigation tree expand the Replication folder and highlight the replica databas...

Page 298: ...udes the current replica Automatic referrals assume that clients will bind over a regular connection and therefore are of the form ldap servername port If you want clients to bind to the supplier usin...

Page 299: ...he IDs used for read write replicas on this server and on other servers e In the Common Settings section specify a purge delay in the Purge delay field This option indicates how often the state inform...

Page 300: ...to the detailed task descriptions are provided at each step To set up multi master replication such as the configuration shown in Figure 8 2 on page 286 between two suppliers Server A and Server B tha...

Page 301: ...tab is displayed in the right hand side of the window c Check the Enable Replica checkbox d In the Replica Role section select the Dedicated Consumer radio button e In the Common Settings section spec...

Page 302: ...re of the form ldap servername port If you want clients to bind to the supplier using SSL you can use this field to specify a referral of the form ldaps servername port where the s in ldaps indicates...

Page 303: ...member to disable it to prevent replication from failing due to passwords expiring To disable the password expiration policy on the userPassword attribute add the passwordExpirationTime attribute with...

Page 304: ...to save the replication settings for the database 4 On Server A set up the following replication agreements One with supplier Server B where B is configured as a consumer for the replica One for each...

Page 305: ...ication In the case of multi master replication you should initialize replicas in the following order 1 Ensure one master has the complete set of data to replicate Use this master to initialize the re...

Page 306: ...rver 1 On the consumer server create the database for the replica if it does not exist For instructions refer to Creating Suffixes on page 80 2 On the consumer server create the entry corresponding to...

Page 307: ...eferred to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replication agreement that includes the current replica In the case o...

Page 308: ...t exist This is the special entry that the supplier will use to bind a In the Directory Server Console click the Directory tab and create an entry For example you could use cn Replication Manager cn c...

Page 309: ...entry DN field Click Add You supplier bind DN will appear in the Current Supplier DNs or entry DNs to which the supplier s certificate is mapped field directly above Repeat the operation for every sup...

Page 310: ...Default button or click the Browse button to display a file selector f Set the change log parameters number and age You must clear the unlimited checkboxes if you want to specify different values g Cl...

Page 311: ...e following order 1 Use the supplier server to initialize the replica on the hub supplier 2 From the hub supplier initialize the replica on the consumer For information on initializing replicas refer...

Page 312: ...cess afresh To delete the change log you can either remove it or move it to a new location This section contains the information for the following procedures Removing the Change Log Moving the Change...

Page 313: ...umers This section is divided into the following parts When to Initialize a Consumer Online Consumer Initialization Using the Console Manual Consumer Initialization Using the Command Line When to Init...

Page 314: ...er online 1 Create a replication agreement See Creating a Replication Agreement on page 295 2 On the supplier server on the Directory Server Console select the Configuration tab 3 Expand the Replicati...

Page 315: ...consumer initialization process is more complex than the online consumer initialization process We suggest you use the manual process whenever you find that the online process is inappropriate due to...

Page 316: ...s in the Directory Server Console or by using either the ldif2db script or ldif2db pl script Both import methods are described in Importing From the Command Line on page 147 If you use the ldif2db scr...

Page 317: ...the Console To ensure that replication updates are sent immediately when a consumer or a supplier in a multi master replication configuration comes back online after a period of time you can perform t...

Page 318: ...bin sh SUP_HOST supplier_hostname SUP_PORT supplier_portnumber SUP_MGRDN supplier_directoryManager SUP_MGRPW supplier_directoryManager_passwd MY_HOST consumer_hostname MY_PORT consumer_portnumber ldap...

Page 319: ...SUP_MGRPW f tmp ldif Table 8 1 Replicate_Now Variables Variable Definition supplier_hostname Hostname of the supplier to contact for information on replication agreements with the current consumer su...

Page 320: ...SSL Configure your consumer server to recognize your supplier server s certificate as the supplier DN You do this only if you want to use SSL client authentication rather than simple authentication Th...

Page 321: ...on If you select SSL Client Authentication the supplier and consumer servers will use certificates to authenticate to each other If you select Simple Authentication the supplier and consumer servers w...

Page 322: ...ory Server can be involved in replication scenarios with earlier releases of Directory Server providing the following conditions are met Directory Server is defined as a consumer in the replication ag...

Page 323: ...t contain at least 8 characters 5 Click Save You must now configure legacy consumer settings for each replica that will receive updates from a legacy supplier 6 In the navigation tree expand the Repli...

Page 324: ...e level of entries Each entry in the change log has the object class changeLogEntry and can include the attributes listed in Table 8 2 NOTE The Directory Server Console will not prevent you from confi...

Page 325: ...etro Changelog Plugin cn plugins cn config cn Retro Changelog Plugin changetype modify replace nsslapd pluginenabled nsslapd pluginenabled on 2 Use the ldapmodify command to import the LDIF file into...

Page 326: ...ich entries are automatically deleted from the change log you must set the nsslapd changelogmaxage configuration attribute in the cn Retro Changelog Plugin cn plugins cn config entry The nsslapd chang...

Page 327: ...not granted except implicitly to the Directory Manager You should not grant read access to anonymous users because the change log entries can contain modifications to sensitive information such as pa...

Page 328: ...tus Table Header Description Agreement Contains the name you provided when you set up the replication agreement Replica suffix Contains the suffix that is replicated Supplier Specifies the supplier se...

Page 329: ...the MM DD YYYY HH MI Seq SubSeq format where Seq and SubSeq are omitted if they are zero Shows the output result in the HTML format The script writes the output to an HTML file which can be configured...

Page 330: ...r there are some cases where change conflicts require manual intervention in order to reach a resolution Entries that have a change conflict that cannot be resolved automatically by the replication pr...

Page 331: ...ss ou people dc example dc com created at time t1 nsuniqueid 66446001 1dd211b2 uid adamss dc example dc com created at time t2 The second entry needs to be renamed in such a way that it has a unique D...

Page 332: ...1 Rename the entry using a different naming attribute and keep the old RDN For example prompt ldapmodify D adminDN w passwd dn nsuniqueid 66446001 1dd211b2 dc pubs dc example dc com changetype modrdn...

Page 333: ...o avoid having orphaned entries in the directory In the same way when an add operation is replicated and the consumer server cannot find the parent entry the conflict resolution procedure creates a gl...

Page 334: ...ify the default ACI that grants anonymous read access using the following command ldapmodify h hostname D cn Directory Manager w passwd dn dc example dc com changetype modify delete aci aci target lda...

Page 335: ...ation Command and File Reference enables you to troubleshoot replication related problems Depending on the usage options the script can selectively dump a particular replica Dump the contents of a rep...

Page 336: ...Troubleshooting Replication Related Problems 336 Netscape Directory Server Administrator s Guide August 2002...

Page 337: ...to your schema you must create a new object class to contain them Although it may seem convenient to just add the attributes you need to an existing object class that already contains most of the att...

Page 338: ...lowing sections describe how to manage attributes Viewing Attributes Creating Attributes Editing Attributes Deleting Attributes For information on managing object classes see Managing Object Classes o...

Page 339: ...your enterprise send mail to the IANA Internet Assigned Number Authority at iana iana org or visit the IANA website at http www iana org Syntax The attribute syntax Case Ignore String Indicates that v...

Page 340: ...one instance of a multi valued attribute per entry 7 Click OK Editing Attributes You can edit only attributes you have created You cannot edit standard attributes To edit an attribute 1 Display the At...

Page 341: ...n Viewing Attributes on page 338 2 In the User Defined Attributes table select the attribute and click Delete 3 If prompted confirm the delete The server immediately deletes the attribute There is no...

Page 342: ...ationalPerson Typically if you want to add new attributes for user entries the parent would be the inetOrgPerson object class If you want to add new attributes for corporate entries the parent is usua...

Page 343: ...the Parent drop down menu You can choose from any existing object class See Table 9 2 on page 342 for more information on parent object classes 6 To add an attribute that must be present in entries t...

Page 344: ...you want to edit from the Object Classes list and click Edit The Edit Object Class dialog box is displayed 3 To change the name of the object class enter the new name in the Name text box 4 To change...

Page 345: ...move and click Delete 3 If prompted confirm the delete The server immediately deletes the object class There is no undo Turning Schema Checking On and Off When schema checking is on the Directory Serv...

Page 346: ...on tree then select the Settings tab in the right pane 3 To enable schema checking check the Enable Schema Checking checkbox clear it to turn off schema checking 4 Click Save You can also turn schema...

Page 347: ...dexing mechanism in context and then describes how to create delete and manage indexes This chapter contains the following sections About Indexes page 347 Creating Indexes page 356 Deleting Indexes pa...

Page 348: ...he presence index is not used for base object searches Equality index eq The equality index allows you to search efficiently for entries containing a specific attribute value For example an equality i...

Page 349: ...ins hundreds of entries for example the ou people branch You can create a browsing index on any branchpoint in the directory tree to improve display performance You do this through the Directory Serve...

Page 350: ...plug in See Netscape Directory Server Administrator s Guide for more information seeAlso X Improves Netscape server performance This index is also used by the referential integrity plug in See Maintai...

Page 351: ...umber Overview of the Searching Algorithm Indexes are used to speed up searches To understand how the directory uses indexes it helps to understand the searching algorithm Each index contains a list o...

Page 352: ...rectory consults multiple indexes and then combines the resulting lists of candidate entries 4 If there is an index for the attribute the directory takes the candidate matches from the index files in...

Page 353: ...d in the entry string All of the query string codes are in the same order as the entry string codes For example NOTE The metaphone phonetic algorithm in Directory Server supports only US ASCII letters...

Page 354: ...lthough the search performance may be degraded significantly depending on the type of search Keep in mind that the more indexes you maintain the more disk space you will require The following example...

Page 355: ...entry for John and John Doe 2 Create the appropriate common name approximate index entries for John and John Doe 3 Create the appropriate common name substring index entries for John and John Doe 4 C...

Page 356: ...equality approximate substring and international indexes for specific attributes To create indexes 1 In the Directory Server Console select the Configuration tab NOTE Given that this version of Direc...

Page 357: ...ng multiple languages by listing multiple OIDs separated by commas but no whitespace For a list of languages their associated OIDs and further information regarding collation orders see Appendix D Int...

Page 358: ...corresponds to the name of the database For information on the LDIF update statements required to add entries see LDIF Update Statements on page 62 For example assume you want to create presence equal...

Page 359: ...index in this example the sn attribute The entry is a member of the nsIndex object class The nsSystemIndex attribute is false indicating that the index is not essential to Directory Server operations...

Page 360: ...ctory Server Configuration Command and File Reference Running the db2index pl Script Once you have created an indexing entry or added additional index types to an existing indexing entry run the db2in...

Page 361: ...File Reference Creating Browsing Indexes From the Server Console To create a browsing index or virtual list view VLV index using the Directory Server Console 1 In the Directory Server Console select t...

Page 362: ...ines dn oid 2 16 840 1 113730 3 4 9 cn features cn config objectClass top objectClass directoryServerFeature oid 2 16 840 1 113730 3 4 9 cn VLV Request Control aci targetattr aci version 3 0 acl VLV R...

Page 363: ...tes you want to sort The filter of the search For more information on specifying filters for searches see Appendix B Finding Directory Entries The ldbm database to which the entry that forms the base...

Page 364: ...s example the dc example dc com entry that is the browsing index identifier The vlvscope attribute is one indicating that the base for the search you want to accelerate is one A search base of one mea...

Page 365: ...Server Configuration Command and File Reference Two examples of generating browsing indexes using the vlvindex script follow Windows batch file you need to run the script from the bin slapd admin bin...

Page 366: ...V Request Control aci targetattr aci version 3 0 acl VLV Request Control allow read search compare proxy userdn ldap all creatorsName cn server cn plugins cn config modifiersName cn server cn plugins...

Page 367: ...ndex 3 Locate the attribute containing the index you want to delete Clear the checkbox under the index If you want to delete all indexes maintained for a particular attribute select the attribute s ce...

Page 368: ...escribe the steps involved in deleting an index Deleting an Index Entry Use the ldapdelete command line utility to delete either the entire indexing entry or the unwanted index types from an existing...

Page 369: ...ning the db2index pl Script Once you have deleted an indexing entry or deleted some of the index types from an indexing entry run the db2index pl script to generate the new set of indexes to be mainta...

Page 370: ...er w password n Example1 UNIX shell script db2index pl D cn Directory Manager w password n Example1 The following table describes the db2index pl options used in the examples For more information abou...

Page 371: ...dex entries or edit existing browsing index entries Running the vlvindex script to generate the new set of browsing indexes to be maintained by the server The following sections describe the steps inv...

Page 372: ...type the following to change to the directory containing the utility cd serverRoot shared bin Perform the ldapdelete as follows ldapdelete D cn Directory Manager w password h ExampleServer p 845 cn d...

Page 373: ...e new set of browsing indexes to be maintained by the Directory Server Once you run the script the new set of browsing indexes is active for any new data you add to your directory and any existing dat...

Page 374: ...ndex key In effect the All IDs token causes the server to behave as if no index was available for that type of search The directory assumes that some other aspect of the search request will allow the...

Page 375: ...mined when servicing the search request However over time your directory may continue to grow As it does more and more James may be added but at the same relatively small proportion of total directory...

Page 376: ...eshold is as little as 0 5 percent of your current database size or as great as 50 percent of your current database size However we nevertheless recommend you aim to stay as close to the 5 percent rul...

Page 377: ...ou to increase your directory size If your directory takes years to grow then plan to do a database rebuild If in a few months your directory increases in size by an order of magnitude or greater cons...

Page 378: ...IDs being returned will contain the notes U flag The notes U flag will be returned for Searches for which you are not maintaining an index Searches for which an ID list is not maintained because the...

Page 379: ...e increased in memory requirements will differ depending on the number and types of indexes that you are maintaining but the requirements will never be larger than the factor by which you increased th...

Page 380: ...e Quick Reference Table Attribute Primary Name Attribute Alias dn distinguishedName cn commonName sn surName c countryName l localityName st stateOrProvinceName street streetAddress o organization ou...

Page 381: ...erver page 381 Obtaining and Installing Server Certificates page 383 Activating SSL page 387 Setting Security Preferences page 389 Using Certificate Based Authentication page 391 Configuring LDAP Clie...

Page 382: ...s means that you do not have to choose between SSL or non SSL communications for your Directory Server you can use both at the same time Enabling SSL Summary of Steps To configure your Directory Serve...

Page 383: ...nerate a Certificate Request Step 2 Send the Certificate Request to the Certificate Authority Step 3 Install the Certificate Step 4 Trust the Certificate Authority Step 5 Confirm That Your New Certifi...

Page 384: ...o character abbreviation for your country s name ISO format The country code for the United States is US The Netscape Schema Reference Guide contains a complete list of ISO Country Codes 5 Enter the p...

Page 385: ...pany it could take several weeks to respond to your request When the CA sends a response be sure to save the information in a text file You will need the data when you install the certificate You shou...

Page 386: ...Authority from which you obtained the server s certificate Step 4 Trust the Certificate Authority Configuring your Directory Server to trust the certificate authority consists of obtaining your CA s c...

Page 387: ...r you should first make sure that the certificates have been installed correctly Step 5 Confirm That Your New Certificates Are Installed 1 On the Directory Server Console select the Tasks tab and clic...

Page 388: ...6 Select the certificate that you want to use from the drop down menu 7 Click Cipher Settings The Cipher Preference dialog box is displayed 8 Select the checkbox next to the cipher you want to use an...

Page 389: ...inds that the peer server s hostname doesn t match the name specified in its certificate DATE SSL alert ldap_sasl_bind LDAP_SASL_EXTERNAL 81 Netscape runtime error 12276 Unable to communicate securely...

Page 390: ...ation FIPS DES with 56 bit encryption and SHA message authentication This cipher meets the FIPS 140 1 U S government standard for implementations of cryptographic modules FIPS Triple DES with 168 bit...

Page 391: ...uthentication can occur between An LDAP client connecting to the Directory Server A Directory Server connecting to another Directory Server replication or chaining Setting up Certificate Based Authent...

Page 392: ...ers You will have to use the appropriate command line utilities instead However if at a later date you wish to change your directory configuration to no longer require but allow client authentication...

Page 393: ...If it does not already exist the certificate database will be created 2 Use Communicator to connect to your Certificate Authority If you are using an internally deployed Netscape Certificate Managemen...

Page 394: ...BhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP MQswCQYDVQQGEwJVUzE...

Page 395: ...ng Directory Entries on page 49 You can now use SSL with your LDAP clients For information on how to use SSL with ldapmodify ldapdelete and ldapsearch refer to Netscape Directory Server Configuration...

Page 396: ...Configuring LDAP Clients to Use SSL 396 Netscape Directory Server Administrator s Guide August 2002...

Page 397: ...abase Activity page 411 Monitoring Database Link Activity page 416 For information on using SNMP to monitor your Directory Server see Chapter 13 Monitoring Directory Server Using SNMP Viewing and Conf...

Page 398: ...r the maximum age defined in the next step the directory archives the file and starts a new one If you set the maximum number of logs to 1 the directory ignores this attribute How often the directory...

Page 399: ...ter is ignored in the number of log files is set to 1 Access Log The access log contains detailed information about client connections to the directory This section contains the following procedures V...

Page 400: ...beneficial troubleshooting information To configure the access log for your directory 1 In the Directory Server Console select the Configuration tab Then in the navigation tree expand the Logs folder...

Page 401: ...m the Select Log pull down menu 4 To specify a different number of messages enter the number you want to view in the Lines to show text box and click Refresh 5 You can display messages containing a st...

Page 402: ...evel options see Log Level in the Netscape Directory Server Configuration Command and File Reference Changing these values from the defaults may cause your error log to grow very rapidly so it is reco...

Page 403: ...igure audit logging 1 On the Directory Server Console select the Configuration tab Then in the navigation tree expand the Logs folder and select the Audit Log icon The audit log configuration attribut...

Page 404: ...og file you are rotating in case you need the old log file for future reference 3 Restart the server See Starting and Stopping the Directory Server on page 35 for instructions Monitoring Server Activi...

Page 405: ...rview of Server Performance Monitor Information The server provides monitoring information as described in the following sections General Information Server Resource Summary Current Resource Usage Con...

Page 406: ...2 1 Server Performance Monitoring Resource Summary Resource Usage since startup Average per minute Connections Total number of connections to this server since server startup Average number of connect...

Page 407: ...available to a task On Windows NT and IBM AIX the number of allowed concurrent connections is generated by the operating system but is not based on file descriptors Refer to your operating system docu...

Page 408: ...rver is trying to send data to the client or read data from the client but cannot The probable cause is a slow network or client Table 12 4 Server Performance Monitoring Global Database Cache Table He...

Page 409: ...ersion number threads Current number of active threads used for handling requests Additional threads may be created by internal server tasks such as replication or chaining connection fd opentime opsi...

Page 410: ...ne file descriptor one for every open index one for log file management and one for ns slapd itself Essentially this value lets you know about how many more concurrent connections can be serviced by t...

Page 411: ...mance monitors and what sort of information the performance monitors provide Viewing Database Performance Monitors To monitor your database s activities 1 On the Directory Server Console select the St...

Page 412: ...equest by obtaining data from the cache rather than by going to disk Entry cache tries Indicates the total number of entry cache lookups since the directory was last started That is the total number o...

Page 413: ...Indicates the number of times the database cache was asked for a page Hit ratio Indicates the ratio of database cache hits to database cache tries The closer this value is to 100 the better Whenever...

Page 414: ...mber of read write pages discarded from the cache to make room for new pages This value differs from Pages Written Out in that these are discarded read write pages that have not been modified Table 12...

Page 415: ...cachehitratio Provides the same information as described in Entry cache hit ratio on page 412 in Table 12 5 currententrycachesize Provides the same information as described in Current entry cache size...

Page 416: ...14 Monitoring Database Link Activity You can monitor the activity of your database links from the command line using the monitoring attributes Use the ldapsearch command line utility to return the att...

Page 417: ...of modify operations received nsRenameCount Number of rename operations received nsSearchBaseCount Number of base level searches received nsSearchOneLevelCount Number of one level searches received n...

Page 418: ...Monitoring Database Link Activity 418 Netscape Directory Server Administrator s Guide August 2002...

Page 419: ...ad popularity It is this interoperability combined with the fact that SNMP can take on numerous jobs specific to a whole range of different device classes that make SNMP the ideal standard mechanism f...

Page 420: ...chine For example if you have Directory Server Netscape Enterprise Server and Netscape Messaging Server all installed on the same host the subagents for each of these servers communicates with the sam...

Page 421: ...col data unit from the NMS is a request for information about variables the subagent gives information to the master agent and the master agent sends it back to the NMS in the form of another protocol...

Page 422: ...ldap nsldapd OBJECT IDENTIFIER 1 3 6 1 4 1 1450 7 The object identifier is located in the serverRoot plugins snmp directory You can see administrative information about your directory and monitor the...

Page 423: ...number of read operations serviced by this directory since application start The value of this object will always be 0 because LDAP implements read operations indirectly via the search operation dsCom...

Page 424: ...nd service errors Partially serviced requests will not be counted as an error Table 13 2 Entries Table Managed Objects and Descriptions Managed Object Description dsMasterEntries The number of directo...

Page 425: ...y containing interaction details of a Directory Server with a peer Directory Server dsIntIndex Together with applIndex it forms the unique key to identify the conceptual row which contains useful info...

Page 426: ...2 Enable Directory Server statistics collection See Configuring SNMP for the Directory Server on page 429 for information 3 Restart the Windows NT SNMP service See Starting and Stopping the SNMP Serv...

Page 427: ...agent See Configuring SNMP for the Directory Server on page 429 for information 4 Start the directory subagent See Starting and Stopping the SNMP Subagent on UNIX on page 428 for information Configuri...

Page 428: ...t to stop the subagent you must do so from this tab Starting and Stopping the SNMP Service on Windows NT It is important to note that the master agent on Windows NT is the SNMP Service and not the SNM...

Page 429: ...ble Statistics Collection checkbox to enable Directory Server statistics collection Clear the checkbox to disable it 5 For UNIX servers enter the hostname on which the master agent resides and the por...

Page 430: ...inistrator s Guide August 2002 10 Click Save 11 Restart the subagent UNIX or restart the SNMP service Windows NT See Starting and Stopping the SNMP Subagent on UNIX on page 428 or Starting and Stoppin...

Page 431: ...e You can manage your server s performance by limiting the amount of resources the server uses to proces client search requests You can define The maximum number of entries the server returns to the c...

Page 432: ...rch request in the Time Limit text box If you do not want to set a limit type zero 1 in this text box 5 Enter the time in seconds during which you want the server to maintain an idle connection before...

Page 433: ...ributes Your ability to improve server performance with these attributes depends on the size of your database the amount of physical memory available on your machine and whether directory searches are...

Page 434: ...ne This tab contains the database attributes for all databases stored on this server 3 In the Maximum Cache Size field enter a value corresponding to the amount of memory that you want to make availab...

Page 435: ...directory does not perform the operation immediately Instead the operation is stored in a temporary memory cache on the Directory Server until the operation is completed If the server experiences a fa...

Page 436: ...attribute to the cn config cn ldbm database cn plugins cn config entry Provide the full path to the log directory in the attribute For information on the nsslapd db logdirectory attribute syntax see...

Page 437: ...to Adding and Modifying Entries Using ldapmodify on page 57 Disabling Durable Transactions Durable transaction logging means that the temporary database transaction log is in fact physically written t...

Page 438: ...attribute to a value of greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value For transaction batching to be valid...

Page 439: ...r entries As a result if many entries and particularly entries that are likely to be updated frequently are stored under cn config performance will probably suffer However although we recommend you do...

Page 440: ...Miscellaneous Tuning Tips 440 Netscape Directory Server Administrator s Guide August 2002...

Page 441: ...ns Reference Chapter 15 Administering Directory Server Plug Ins Chapter 16 Using the Pass Through Authentication Plug In Chapter 17 Using the Attribute Uniqueness Plug In Chapter 18 Configuring IM Pre...

Page 442: ...442 Netscape Directory Server Administrator s Guide August 2002...

Page 443: ...Console page 464 Server Plug in Functionality Reference The following tables provide you with a quick overview of the plug ins provided with Directory Server along with their configurable options conf...

Page 444: ...ies None Performance Related Information None Further Information If your Directory Server uses non ASCII characters for example Japanese turn this plug in off Table 15 2 Details of ACI Plug In Plug i...

Page 445: ...Configurable Arguments None Dependencies database Performance Related Information None Further Information Chapter 6 Managing Access Control Table 15 4 Details of Binary Syntax Plug In Plug in Name B...

Page 446: ...s None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 6 Details of Case Exact String Sy...

Page 447: ...ents None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 8 Details of...

Page 448: ...ncies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter 5 Advanced Entry Management Ta...

Page 449: ...ments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 12 Details...

Page 450: ...15 13 Details of Integer Syntax Plug In Plug in Name Integer Syntax DN of Configuration Entry cn Integer Syntax cn plugins cn config Description Syntax for handling integers Configurable Options on o...

Page 451: ...of this plug in You should leave this plug in running at all times Further Information See Appendix D Internationalization Table 15 15 Details of ldbm Database Plug In Plug in Name ldbm database Plug...

Page 452: ...s on off Default Setting on Configurable Arguments None This plug in can be disabled if the server is not and never will be a consumer of a 4 1 server Dependencies database Performance Related Informa...

Page 453: ...cription Syntax for handling octet strings Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration...

Page 454: ...s cn plugins cn config Description CRYPT password storage scheme used for password encryption Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance R...

Page 455: ...with earlier versions of Directory Server See Chapter 7 User Account Management Table 15 22 Details of SHA Password Storage Plug In Plug in Name SHA DN of Configuration Entry cn SHA cn Password Storag...

Page 456: ...pendencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter 7 User Account Management...

Page 457: ...Further Information Chapter 18 Configuring IM Presence Information in the Netscape Directory Server Administrator s Guide Table 15 26 Details of PTA Plug In Plug in Name Pass Through Authentication P...

Page 458: ...he post operation Referential Integrity plug in performs integrity updates on the member uniquemember owner and seeAlso attributes immediately after a delete or rename operation You can reconfigure th...

Page 459: ...tro Changelog Plugin cn plugins cn config Description Used by LDAP clients for maintaining application compatibility with Directory Server 4 x versions Maintains a log of all changes occuring in the D...

Page 460: ...plug in You should leave this plug in running at all times Further Information Chapter 5 Advanced Entry Management Table 15 30 Details of Space Insensitive String Syntax Plug In Plug in Name Space Ins...

Page 461: ...llowing Screen Name values johndoe john doe and John Doe For more information about finding directory entries see Appendix B Finding Directory Entries Note that the nsAIMID attribute type which is a p...

Page 462: ...figurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in...

Page 463: ...Uniqueness plug in will not work at all and should therefore not be enabled If you try to add a new entry to a server where the UID Uniqueness plug in is enabled and a referral has been created in a...

Page 464: ...gins list 4 To disable the plug in clear the Enabled checkbox To enable the plug in check this checkbox 5 Click Save 6 Restart the Directory Server Table 15 34 Details of URI Plug In Plug in Name URI...

Page 465: ...Directory Server Uses PTA page 465 PTA Plug In Syntax page 467 Configuring the PTA Plug In page 469 PTA Plug In Syntax Examples page 475 How Directory Server Uses PTA If you install the configuration...

Page 466: ...Machine A Server Name configdir example com Suffix o NetscapeRoot 2 You install the user directory server PTA directory on Machine B Server Name userdir example com Suffix dc example dc com 3 During t...

Page 467: ...y as defined by the PTA plug in configuration 7 The configuration directory authenticates the user s credentials and sends the information back to the user directory 8 The user directory allows the ad...

Page 468: ...ing the Plug in On or Off on page 470 for more information extension File extension for the plug in The extension is always sl on HP UX so on all other UNIX platforms and dll on Windows NT ldap ldaps...

Page 469: ...ry server If this timeout is exceeded the server returns an error to the client The default is 300 seconds five minutes Specify zero 0 to indicate no time limit should be enforced See Configuring the...

Page 470: ...arameters Turning the Plug in On or Off To turn the PTA plug in on from the command line 1 Create an LDIF file that contains the following LDIF update statements dn cn Pass Through Authentication cn p...

Page 471: ...he nsslapd pluginenabled on statement and add the nsslapd pluginenabled off statement Whenever you enable or disable the PTA plug in from the command line you must restart the server Configuring the S...

Page 472: ...ile that contains the following LDIF update statements dn cn Pass Through Authentication cn plugins cn config cn Pass Through Authentication changetype add add nsslapd pluginarg0 nsslapd pluginarg0 ld...

Page 473: ...0 ldap authDS subtree optional_parameters For example you could set the value of the nsslapd pluginarg0 attribute to ldap dirserver example com o NetscapeRoot Parameters For information on the variabl...

Page 474: ...enticating directory server is listed in the authDS parameter no time limit will be enforced If two or more hosts are listed the default is 300 seconds five minutes In the PTA syntax this parameter is...

Page 475: ...ot subtree The hostname of the authenticating Directory Server is config dir example com dn cn Pass Through Authentication cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass ex...

Page 476: ...PTA directory server to pass through bind requests for more than one subtree using parameter defaults dn cn Pass Through Authentication cn plugins cn config objectClass top objectClass nsSlapdPlugin...

Page 477: ...ng Directory Servers If you want to specify a different pass through subtree and optional parameter values for each authenticating directory server you must specify more than one LDAP URL optional par...

Page 478: ...PTA Plug In Syntax Examples 478 Netscape Directory Server Administrator s Guide August 2002...

Page 479: ...he following sections Overview of the Attribute Uniqueness Plug In page 479 Overview of the UID Uniqueness Plug in page 481 Attribute Uniqueness Plug In Syntax page 481 Creating an Instance of the Att...

Page 480: ...This configuration option is explained in more detail in Specifying a Suffix or Subtree on page 487 You can specify an object class pertaining to an entry in the DN of the updated entry and perform t...

Page 481: ...eness plug in is disabled because it affects the operation of multi master replication For information on using the attribute uniqueness plug in in a replicated environment refer to Replication and th...

Page 482: ...in Table 17 1 Use the following syntax to specify to perform the uniqueness check below an entry containing a specified object class dn cn descriptive_plugin_name cn plugins cn config objectClass top...

Page 483: ...are on or off See Turning the Plug in On or Off on page 487 for more information attribute_name The name of the attribute for which you want to ensure unique values You can specify one attribute name...

Page 484: ...ntiate the attribute uniqueness plug in for the mail attribute you would perform the following steps 1 In the dse ldif file locate the entry for the uid uniqueness plug in cn uid uniqueness cn plugins...

Page 485: ...ns folder The list of plug ins is displayed in the right navigation window You should see the uid uniqueness plug in and any other attribute uniqueness plug ins that you created following the example...

Page 486: ...rd If you use this syntax you can click Add again to specify a requiredObjectClass as described in Attribute Uniqueness Plug In Syntax on page 481 4 To delete an item from the list place the cursor in...

Page 487: ...ry Server on page 35 Specifying a Suffix or Subtree You specify the suffix or subtrees under which you want the plug in to ensure attribute uniqueness by using the nsslapd pluginarg attribute in the e...

Page 488: ...d on nsslapd pluginarg0 attribute mail nsslapd pluginarg1 markerObjectClass ou nsslapd plugin depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 6 1 nsslapd pluginVendor Nets...

Page 489: ...chines Specifying One Attribute and One Subtree Specifying One Attribute and Multiple Subtrees Specifying One Attribute and One Subtree This example configures the plug in to ensure the uniqueness of...

Page 490: ...plugin depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 6 1 nsslapd pluginVendor Netscape Communications Corporation nsslapd pluginDescription Enforce unique attribute val...

Page 491: ...plier It is unnecessary to enable it on the consumer server Enabling the attribute uniqueness plug in on the consumer will not prevent Directory Server from operating correctly but is likely to cause...

Page 492: ...s Guide August 2002 When these conditions are met attribute uniqueness conflicts are reported as naming conflicts at replication time Naming conflicts require manual resolution For information on how...

Page 493: ...emented as a Directory Server plug in giving you the flexibility to turn this feature on off The plug in enables you to configure Directory Server to provide instantaneous knowledge of an IM user s on...

Page 494: ...s ready to use All you have to do is add the default presence attributes to a user s entry Once this is done when queried the plug in will serve the presence information for that user The online statu...

Page 495: ...directoryOperation attributeTypes nsYIMStatusText syntax DirectoryString NO USER MODIFICATION USAGE directoryOperation You can create your own schema and modify the plug in configuration parameters ac...

Page 496: ...er loads similar to your expected usage pattern before deployment Troubleshooting The plug in makes HTTP requests for each queried IM Status attribute Make sure that the machine in which the presence...

Page 497: ...497 Part 3 Appendixes Appendix A LDAP Data Interchange Format Appendix B Finding Directory Entries Appendix C LDAP URLs Appendix D Internationalization...

Page 498: ...498 Netscape Directory Server Administrator s Guide August 2002...

Page 499: ...ta is stored using the UTF 8 encoding of Unicode Therefore the LDIF files you create must also be UTF 8 encoded This chapter provides information about LDIF in the following sections LDIF File Format...

Page 500: ...e A 1 LDIF Fields Field Definition id Optional A positive decimal number representing the entry ID The database creation tools generate this ID for you Never add or edit this value yourself dn disting...

Page 501: ...lines However doing so may improve the readability of your LDIF file Representing Binary Data You can represent binary data such as a JPEG image in LDIF using one of the following methods The standar...

Page 502: ...including new lines Use the ldif command line utility with the b parameter to convert binary data to LDIF format ldif b attribute_name where attribute_name is the name of the attribute to which you a...

Page 503: ...rectory and a list of the most commonly used attributes see the Netscape Directory Server Schema Reference Specifying Organization Entries Directories often have at least one organization entry Typica...

Page 504: ...ganization object class This line defines the entry as an organization See the Netscape Directory Server Schema Reference for a list of the attributes you can use with this object class o organization...

Page 505: ...ar as follows dn distinguished_name objectClass top objectClass organizationalUnit ou organizational_unit_name list_of_optional_attributes The following is a sample organizational unit entry in LDIF f...

Page 506: ...ople dc example dc com objectclass top objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn Babs Jensen sn Jensen givenname Babs uid bjensen ou Marketing ou people descript...

Page 507: ...s This object class specification should be included because some LDAP clients require it during search operations for an organizational person objectClass inetOrgPerson Specifies the inetOrgPerson ob...

Page 508: ...rence 3 Make sure that an entry representing a branch point in the LDIF file is placed before the entries that you want to create under that branch For example if you want to place an entry in a peopl...

Page 509: ...ion Fictional organizational unit for example purposes tel 555 5559 dn cn June Rossi ou People o example com Corp dc example dc com objectClass top objectClass person objectClass organizationalPerson...

Page 510: ...to add a new entry to the directory However if your organization is multinational you may find it necessary to store information in multiple languages so that users in different locales can view direc...

Page 511: ...ensen the administrator creates the following LDIF entry dn uid bjensen ou people dc example dc com objectclass top objectclass person objectclass organizationalPerson name Babs Jensen cn Babs Jensen...

Page 512: ...Storing Information in Multiple Languages 512 Netscape Directory Server Administrator s Guide August 2002...

Page 513: ...g an Internationalized Directory page 525 Finding Entries Using the Server Console Use the Directory tab of the Directory Server Console to browse the contents of the directory tree and search for spe...

Page 514: ...an entry s immediate subentries or an entire tree or subtree Search results are returned in LDIF format This section contains information about the following topics Using Special Characters ldapsearch...

Page 515: ...ttributes returned in the search results This list of attributes must appear after the search filter For an example see Displaying Subsets of Attributes on page 519 If you do not specify a list of att...

Page 516: ...is optional if anonymous access is supported by your server If specified this value must be a DN recognized by the Directory Server and it must also have the authority to search for the entries For ex...

Page 517: ...e password associated with the distinguished name that is specified in the D option If you do not specify this option anonymous access is used For example w diner892 x Specifies that the search result...

Page 518: ...er The suffix under which all data is stored is dc example dc com Returning All Entries Given the previous information the following call will return all entries in the directory ldapsearch h mozilla...

Page 519: ...your directory use the following command line call ldapsearch h mozilla cn babs jensen In this example the default scope of sub is used because the s option was not used to specify the scope Displayi...

Page 520: ...the entries that match either search filter ldapsearch h mozilla f searchdb You can limit the set of attributes returned here by specifying the attribute names that you want at the end of the search l...

Page 521: ...on name values are not case sensitive When the common name attribute has values associated with a language tag all of the values are returned Thus the following two attribute values both match this fi...

Page 522: ...of the attributes associated with types of entries see the Netscape Directory Server Schema Reference Using Operators in Search Filters The operators that you can use in search filters are listed in T...

Page 523: ...ude the following Greater than or equal to Returns entries containing attributes that are greater than or equal to the specified value For example buildingname alpha Less than or equal to Returns entr...

Page 524: ...do not contain the common name Ray Kultgen cn Ray Kultgen The following filter returns all entries that contain a description attribute that contains the substring X 500 description X 500 The followin...

Page 525: ...u can request that the directory sort the results based on any language for which the server has a supporting collation order For a listing of the collation orders supported by the directory see Ident...

Page 526: ...ussion of matching rule formats see Matching Rule Formats on page 526 value is either the attribute value you want to search for or a relational operator plus the attribute value you want to search fo...

Page 527: ...associated language tag For a list of locales supported by the directory server and their associated language tags see Table D 1 on page 541 You can use the language tag in the matching rule portion o...

Page 528: ...see Table D 1 on page 541 For a list of relational operators and their equivalent suffixes see Table B 3 on page 529 Using Wildcards in Matching Rule Filters When performing a substring search using...

Page 529: ...hing rule portion of the filter Table B 3 summarizes each type of search the operator and the equivalent suffix International Search Examples The following sections show examples of how to perform int...

Page 530: ...tching rule filters roomNumber 2 16 840 1 113730 3 3 2 23 1 CZ422 roomNumber hu CZ422 roomNumber 2 16 840 1 113730 3 3 2 23 1 2 CZ422 roomNumber hu 2 CZ422 Equality Example When you perform a locale s...

Page 531: ...ibute in a specific collation order For example to search for all mail hosts that come after host schranka4 in the Czechoslovakian collation order you could use any of the following matching rule filt...

Page 532: ...Searching an Internationalized Directory 532 Netscape Directory Server Administrator s Guide August 2002...

Page 533: ...amples of LDAP URLs page 536 Components of an LDAP URL LDAP URLs have the following syntax ldap s hostname port base_dn attributes scope filter The ldap protocol is used to connect to LDAP servers ove...

Page 534: ...se DN is specified the search starts at the root of the directory tree attributes The attributes to be returned To specify more than one attribute use commas to separate the attributes for example cn...

Page 535: ...space is an unsafe character that must be represented as 20 within the URL Thus the distinguished name o example com corporation must be encoded as o example com 20corporation The following table list...

Page 536: ...ult filter objectclass Example 2 The following LDAP URL retrieves the postalAddress attribute of the entry with the DN dc example dc com ldap ldap example com dc example dc com postalAddress Because n...

Page 537: ...a search for the object class for all entries one level under dc example dc com ldap ldap example com dc example dc com objectClass one Because the search scope is one the search encompasses all entri...

Page 538: ...Examples of LDAP URLs 538 Netscape Directory Server Administrator s Guide August 2002...

Page 539: ...preferences in search operations This appendix contains the following sections About Locales page 539 Identifying Supported Locales page 540 Supported Language Subtypes page 542 About Locales Director...

Page 540: ...mat specifies the monetary symbol used by a specific region whether the symbol goes before or after its value and how monetary units are represented Time date format The time and date format indicates...

Page 541: ...rforming an international search in the directory use either the language tag or the OID to identify the collation order you want to use However when setting up an international index you must use the...

Page 542: ...3 2 28 1 Korean ko 2 16 840 1 113730 3 3 2 29 1 Latvian Lettish lv 2 16 840 1 113730 3 3 2 31 1 Lithuanian lt 2 16 840 1 113730 3 3 2 30 1 Macedonian mk 2 16 840 1 113730 3 3 2 32 1 Norwegian no 2 16...

Page 543: ...Afrikaans be Byelorussian bg Bulgarian ca Catalan cs Czechoslovakian da Danish de German el Greek en English es Spanish eu Basque fi Finnish fo Faroese fr French ga Irish gl Galician hr Croatian hu H...

Page 544: ...tscape Directory Server Administrator s Guide August 2002 ru Russian sk Slovakian sl Slovenian sq Albanian sr Serbian sv Swedish tr Turkish uk Ukrainian zh Chinese Table D 2 Supported Language Subtype...

Page 545: ...isables a user account group of accounts or an entire domain so that all authentication attempts are automatically rejected All IDs Threshold A size limit which is globally applied to every index key...

Page 546: ...tions or access files and directories based on the permissions granted to that user by the directory administrator 2 Allows a client to make sure they are connected to a secure server preventing anoth...

Page 547: ...ct attributes Certificate Authority Company or organization that sells and issues authentication certificates You may purchase an authentication certificate from a Certification Authority that you tru...

Page 548: ...sorted This information might include the sequence of letters in the alphabet or how to compare letters with accents to letters without accents consumer Server containing replicated directory trees o...

Page 549: ...ree s root point appearing at the top of the hierarchy Also known as DIT Directory Manager The privileged database administrator comparable to the root user in UNIX Access control does not apply to th...

Page 550: ...index Allows you to search efficiently for entries containing a specific attribute value file extension The section of a filename after the period or dot that typically defines the type of file for ex...

Page 551: ...of replication a server that holds a replica that is copied from a different server and in turn replicates it to a third server See also cascading replication index key Each index that the directory u...

Page 552: ...form leaf entry An entry under which there are no other entries A leaf entry cannot be a branch point in a directory tree Lightweight Directory Access Protocol See LDAP locale Identifies the collatio...

Page 553: ...named and referenced Also called the directory tree monetary format Specifies the monetary symbol used by specific region whether the symbol goes before or after its value and how monetary units are...

Page 554: ...attribute in an object oriented system Object identifiers are assigned by ANSI IETF or similar organizations OID See object identifier operational attribute Operational attributes contain information...

Page 555: ...th a proxy DN proxy DN Used with proxied authorization The proxy DN is the DN of an entry that has access permissions to the target on which the client application is attempting to perform an operatio...

Page 556: ...e replicas A server can hold any number of read only replicas read write replica A replica that contains a master copy of directory information and can be updated A server can hold any number of read...

Page 557: ...have access to their own entries that is if the bind DN matches the targeted entry Server Console Java based application that allows you to perform administrative management of your Directory Server f...

Page 558: ...on about the managed device and passes the information to the master agent SSL Secure Sockets Layer A software library establishing a secure connection between two parties client and server used to im...

Page 559: ...IP Transmission Control Protocol Internet Protocol The main network protocol for the Internet and for enterprise company networks template entry See CoS template entry time date format Indicates the...

Page 560: ...up the display of entries in the Directory Server Console Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance X 500 standard The set of ISO...

Page 561: ...on 227 SSL authentication structure of ACIs target DN containing comma 252 target DN containing comma and 201 targeting 199 targeting attribute values 205 targeting attributes 203 targeting entries 20...

Page 562: ...ACI attribute default index for 350 overview 194 ACI placement 195 ACL See ACI activating accounts from command line 275 from console 274 add right 207 adding directory entries 58 Administration Serve...

Page 563: ...387 authmethod keyword 227 B backing up data 154 all 154 db2bak 155 dse ldif 156 bak2db script 158 bak2db pl perl script 158 base 64 encoding 501 base DN ldapsearch and 519 binary data LDIF and 501 bi...

Page 564: ...87 setting up 305 certificate mapping to a DN 392 password 40 certificate database password 382 certificate based authentication 391 setting up 391 chaining cascading 121 component operations from con...

Page 565: ...cy 266 suffix 85 connections monitoring 407 409 411 viewing number of 406 console starting 32 consumer initialization manual consumer creation 315 online consumer creation 314 consumer server 280 cont...

Page 566: ...g 114 maintaining remote server info 114 overview 96 database server parameters read only 412 database transaction logging described 435 durable transactions 437 log file location 436 databases in dir...

Page 567: ...00 dn db2 file 351 dn2id db2 file 351 dns keyword 224 dse ldif PTA plugin 470 dse ldif file backing up 156 PTA syntax 470 restoring 160 durable transactions 437 dynamic groups 165 creating 165 modifyi...

Page 568: ...FIPS Triple DES cipher 390 format LDIF 499 G general access example 216 overview 213 glossary of terms 545 greater than or equal to search international example 530 531 overview 523 groupdn keyword 2...

Page 569: ...tion order 540 country code 541 date format 540 language tag 541 locales and 539 location of files 540 matching rule filters 526 modifying entries 72 monetary format 540 object identifiers and 541 of...

Page 570: ...d 510 line continuation 501 Server Console and 57 specifying entries organization 503 organizational person 506 organizational unit 505 update statements 62 using to create directory 507 LDIF entries...

Page 571: ...chingRule format 526 using language tag 527 using language tag and suffix 528 using OID 527 using OID and suffix 527 MD5 message authentication 391 metaphone phonetic algorithm 353 MIB directory serve...

Page 572: ...e object identifier operations table 422 operations defined 406 operators Boolean 523 international searches and 528 search filters and 522 suffix 529 optional attributes creating 343 deleting 344 345...

Page 573: ...rd storage plug in 454 octet string syntax plug in 453 postal address string syntax plug in 456 presence plug in 457 493 PTA plug in 457 reference 443 referential integrity plug in 458 retro change lo...

Page 574: ...SSL 320 cascading 305 change log 281 compatibility with earlier versions 283 322 configuration tips 289 configuring a hub supplier 294 configuring a read only replica 293 configuring a read write repl...

Page 575: ...ication 227 schema checking 345 creating new attributes 339 creating new object classes 343 deleting attributes 341 deleting object classes 345 editing object classes 344 extending 337 nsslapd schemac...

Page 576: ...n 427 configuring 426 managed device 420 421 managed objects 420 master agent overview 420 Unix 420 Windows NT 420 MIB entries table 424 interaction table 425 location of 422 operations table 422 moni...

Page 577: ...er server 280 symbols in change operation 63 in LDIF statements 502 in LDIF statements 501 in ldapmodify commands 61 in ldapsearch 514 syntax ACI statements 198 attribute value 340 LDAP URLs 533 ldaps...

Page 578: ...s 214 to own entry 214 LDIF example 215 user and group management referential integrity 72 user passwords 268 userattr keyword 218 restriction on add 223 user defined attributes 338 user defined objec...

Reviews:

No comments

Brands by name

Popular brands

Load more brands