manualshive.com logo in svg

Red Hat DIRECTORY SERVER 7.1, Administrator'S Manual, Page: 255 / 652

Share
Download
Red Hat DIRECTORY SERVER 7.1 Administrator'S Manual Download Page 255

Access Control Usage Examples

Chapter 6

Managing Access Control

255

Granting Conditional Access to a Group or Role

In many cases, when you grant a group or role privileged access to the directory, 

you want to ensure that those privileges are protected from intruders trying to 

impersonate your privileged users. Therefore, in many cases, access control rules 

that grant critical access to a group or role are often associated with a number of 

conditions.

example.com

, for example, has created a Directory Administrator role for each of 

its hosted companies, 

HostedCompany1

 and 

HostedCompany2

. It wants these 

companies to be able to manage their own data and implement their own access 

control rules while securing it against intruders. For this reason, 

HostedCompany1

 

and 

HostedCompany2

 have full rights on their respective branches of the directory 

tree, provided the following conditions are fulfilled:

• Connection authenticated using SSL,

• Access requested between 8 a.m. and 6 p.m., Monday through Thursday, and

• Access requested from a specified IP address for each company.

These conditions are illustrated in a single ACI for each company, ACI 

“HostedCompany1” and ACI “HostedCompany2.” Because the content of these 

ACIs is the same, the examples below illustrate the “HostedCompany1” ACI only.

ACI “HostedCompany1”

In LDIF, to grant HostedCompany1 full access to their own branch of the directory 

under the conditions stated above, you would write the following statement:

aci: 
(target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=co
m")
(targetattr= "*") (version 3.0; acl "HostedCompany1";
allow (all) 
(roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,
ou=corporate-clients, dc=example,dc=com") and (authmethod="ssl") 
and 
(dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and 
timeofday <= "1800") and (ip="255.255.123.234"); )

This example assumes that the ACI is added to the 

ou=HostedCompany1, 

ou=corporate-clients,dc=example,dc=com

 entry.

From the Console, you can set this permission by doing the following:

Summary of Contents for DIRECTORY SERVER 7.1

Page 1: ...Administrator s Guide Red Hat Directory Server Version7 1 May 2005 Updated February 2009 ...

Page 2: ...org openpub Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder Distribution of the work or derivative of the work in any standard paper book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder Red Hat and the Red Hat Shadow Man logo are registered trademarks of R...

Page 3: ... Entry DNs to the Clipboard 35 Configuring the Directory Manager 35 Binding to the Directory from Red Hat Console 36 Changing Login Identity 36 Viewing the Current Bind DN from the Console 37 Starting and Stopping the Directory Server 37 Starting and Stopping the Server from the Console 37 Starting and Stopping the Server from the Command Line 38 Configuring LDAP Parameters 38 Changing Directory S...

Page 4: ...s 55 Managing Entries from the Command Line 55 Providing Input from the Command Line 56 Creating a Root Entry from the Command Line 57 Adding Entries Using LDIF 57 Adding and Modifying Entries Using ldapmodify 58 Adding Entries Using ldapmodify 59 Modifying Entries Using ldapmodify 60 Deleting Entries Using ldapdelete 61 Using Special Characters 62 LDIF Update Statements 63 Adding an Entry Using L...

Page 5: ...ix 89 Deleting a Suffix 89 Creating and Maintaining Databases 90 Creating Databases 90 Creating a New Database for an Existing Suffix Using the Console 92 Creating a New Database for a Single Suffix from the Command Line 93 Adding Multiple Databases for a Single Suffix 94 Adding the Custom Distribution Function to a Suffix 94 Maintaining Directory Databases 95 Placing a Database in Read Only Mode ...

Page 6: ...utes 136 Cascading Chaining Configuration Example 136 Configuring Server One 137 Configuring Server Two 139 Configuring Server Three 141 Using Referrals 143 Setting Default Referrals 143 Setting a Default Referral Using the Console 143 Setting a Default Referral from the Command Line 144 Creating Smart Referrals 144 Creating Smart Referrals Using the Directory Server Console 145 Creating Smart Ref...

Page 7: ...ling Read Only Mode 166 Chapter 5 Advanced Entry Management 167 Using Groups 167 Managing Static Groups 168 Adding a New Static Group 168 Modifying a Static Group 169 Managing Dynamic Groups 169 Adding a New Dynamic Group 169 Modifying a Dynamic Group 170 Using Roles 170 About Roles 171 Managing Roles Using the Console 172 Creating a Managed Role 173 Creating a Filtered Role 174 Creating a Nested ...

Page 8: ...reating Role Based Attributes 198 Access Control and CoS 199 Chapter 6 Managing Access Control 201 Access Control Principles 202 ACI Structure 202 ACI Placement 203 ACI Evaluation 203 ACI Limitations 204 Default ACIs 205 Creating ACIs Manually 206 The ACI Syntax 206 Example ACI 207 Defining Targets 207 Targeting a Directory Entry 209 Targeting Attributes 211 Targeting Both an Entry and Attributes ...

Page 9: ...ing Access at a Specific Time of Day or Day of Week 234 Examples 234 Defining Access Based on Authentication Method 235 Examples 236 Using Boolean Bind Rules 236 Creating ACIs from the Console 237 Displaying the Access Control Editor 238 Viewing Current ACIs 240 Creating a New ACI 240 Editing an ACI 241 Deleting an ACI 242 Access Control Usage Examples 242 Granting Anonymous Access 244 ACI Anonymo...

Page 10: ...ess Control Information 276 Compatibility with Earlier Releases 277 Chapter 7 User Account Management 279 Managing the Password Policy 279 Configuring the Password Policy 280 Configuring a Global Password Policy Using the Console 281 Configuring a Subtree User Password Policy Using the Console 282 Configuring a Global Password Policy Using the Command Line 283 Configuring Subtree User Password Pol...

Page 11: ... 320 Configuring the Read Only Replica on the Consumer Server 321 Configuring the Read Write Replica on the Supplier Server 322 Initializing the Replicas for Single Master Replication 324 Configuring Multi Master Replication 324 Configuring 2 Way Multi Master Replication 325 Configuring the Read Only Replicas on the Consumer Servers 325 Configuring the Read Write Replicas on the Supplier Servers 3...

Page 12: ...he Replication Agreement Wizard 355 Replication with Earlier Releases 355 Configuring Directory Server as a Consumer of a Legacy Directory Server 356 Using the Retro Changelog Plug in 357 Enabling the Retro Changelog Plug in 358 Trimming the Retro Changelog 359 Searching and Modifying the Retro Changelog 359 Retro Changelog and the Access Control Policy 360 Monitoring Replication Status 360 Monito...

Page 13: ... Benefits of Indexing 395 Creating Indexes 397 Creating Indexes from the Server Console 397 Creating Indexes from the Command Line 398 Adding an Index Entry 399 Running the db2index pl Script 401 Creating VLV Indexes from the Server Console 402 Creating VLV Indexes from the Command Line 403 Adding a Browsing Index Entry 404 Running the vlvindex Script 406 Setting Access Control for VLV Information...

Page 14: ...onsole 430 Creating a Password File 433 Setting Security Preferences 433 Using Certificate Based Authentication 435 Setting up Certificate Based Authentication 436 Allowing Requiring Client Authentication 437 Configuring LDAP Clients to Use SSL 437 Introduction to SASL 439 Authentication Mechanisms 440 SASL Identity Mapping 441 Legacy Identity Mapping 442 Configuring SASL Identity Mapping from the...

Page 15: ...formance Monitors 462 Overview of Database Performance Monitor Information 462 General Information Database 462 Summary Information Table 463 Database Cache Information Table 464 Database File Specific Table 464 Monitoring Databases from the Command Line 465 Monitoring Database Link Activity 467 Chapter 13 Monitoring Directory Server Using SNMP 469 About SNMP 470 Configuring the Master Agent 470 C...

Page 16: ...operation Plug in 491 Binary Syntax Plug in 491 Boolean Syntax Plug in 492 Case Exact String Syntax Plug in 492 Case Ignore String Syntax Plug in 493 Chaining Database Plug in 494 Class of Service Plug in 494 Country String Syntax Plug in 495 Distinguished Name Syntax Plug in 495 Generalized Time Syntax Plug in 496 Integer Syntax Plug in 497 Internationalization Plug in 498 ldbm Database Plug in 4...

Page 17: ...tiple Subtrees 525 Using Non Default Parameter Values 525 Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers 526 Chapter 17 Using the Attribute Uniqueness Plug in 529 Overview of the Attribute Uniqueness Plug in 529 Overview of the UID Uniqueness Plug in 531 Attribute Uniqueness Plug in Syntax 531 Creating an Instance of the Attribute Uniqueness Pl...

Page 18: ...ly Initiating Synchronization 565 The Need for Resynchronization 566 Checking Synchronization Status 566 Modifying the Synchronization Agreement 567 Active Directory Schema Compatibility 567 NT4 Specific Limitations 568 Troubleshooting 569 Part 3 Appendixes 571 Appendix A LDAP Data Interchange Format 573 LDIF File Format 573 Continuing Lines in LDIF 575 Representing Binary Data 575 Specifying Dire...

Page 19: ...Search Filters 596 Using Operators in Search Filters 596 Using Compound Search Filters 597 Search Filter Examples 598 Searching an Internationalized Directory 599 Matching Rule Filter Syntax 599 Matching Rule Formats 600 Using Wildcards in Matching Rule Filters 602 Supported Search Types 602 International Search Examples 603 Less Than Example 603 Less Than or Equal to Example 604 Equality Example ...

Page 20: ...20 Red Hat Directory Server Administrator s Guide May 2005 Glossary 619 Index 635 ...

Page 21: ...le Classic CoS 186 Figure 6 1 Using Inheritance With the userattr Keyword 231 Figure 6 2 Selecting an Object in the Navigation Tree to Set Access Control 239 Figure 6 3 Access Control Editor Window 239 Figure 6 4 Example Directory Tree for Macro ACIs 271 Figure 8 1 Single Master Replication 307 Figure 8 2 Multi Master Replication Two Suppliers 308 Figure 8 3 Multi Master Replication Four Suppliers...

Page 22: ...22 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 23: ...on Parameters 127 Table 3 7 Cascading Chaining Configuration Attributes 136 Table 4 1 Import Method Comparison 150 Table 5 1 Object Classes and Attributes for Roles 178 Table 5 2 CoS Definition Entry Object Classes 191 Table 5 3 CoS Definition Entry Attributes 191 Table 5 4 CoS Definitions 193 Table 6 1 LDIF Target Keywords 208 Table 6 2 LDIF Bind Rule Keywords 220 Table 6 3 Permissions That Can B...

Page 24: ...ons 475 Table 13 3 Interaction Managed Objects and Descriptions 476 Table 15 1 Details of 7 Bit Check Plug in 489 Table 15 2 Details of ACI Plug in 490 Table 15 3 Details of Preoperation Plug in 491 Table 15 4 Details of Binary Syntax Plug in 491 Table 15 5 Details of Boolean Syntax Plug in 492 Table 15 6 Details of Case Exact String Syntax Plug in 492 Table 15 7 Details of Case Ignore String Synt...

Page 25: ... URI Plug in 511 Table 16 1 PTA Plug in Parameters 516 Table 17 1 Attribute Uniqueness Plug in Variables 533 Table 18 1 User Entry Schema Mapping between Directory Server and Windows Servers 562 Table 18 2 User Entry Schema That Is the Same in Directory Server and Windows Servers 563 Table 18 3 Group Entry Schema Mapping between Directory Server and Windows Servers 565 Table 18 4 Group Entry Schem...

Page 26: ...26 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 27: ...ce for both read and write operations Multi master replication can be combined with simple and cascading replication scenarios to provide a highly flexible and scalable replication environment Chaining and referrals Increases the power of your directory by storing a complete logical view of your directory on a single server while maintaining data on a large number of directory servers transparentl...

Page 28: ...rmits you to monitor your Directory Server in real time using the Simple Network Management Protocol SNMP Online backup and restore Allows you to create backups and restore from backups while the server is running Prerequisite Reading This manual describes how to administer the Directory Server and its contents However this manual does not describe many of the basic directory and architectural con...

Page 29: ...Root is the installation directory The default installation directory is opt redhat ds servers If you have installed Directory Server in a different location you should adapt the path accordingly serverID is the ID or identifier you assigned to an instance of Directory Server when you installed it For example if you gave the server an identifier of phonebook then the actual path would look like th...

Page 30: ...write server plug ins in order to customize and extend the capabilities of Directory Server Red Hat Directory Server Gateway Customization Guide Introduces Directory Server Gateway and explains how to implement a gateway instance with basic directory look up functionality Also contains information useful for implementing a more powerful gateway instance with directory authentication and administra...

Page 31: ...reating Directory Entries Chapter 3 Configuring Directory Databases Chapter 4 Populating Directory Databases Chapter 5 Advanced Entry Management Chapter 6 Managing Access Control Chapter 7 User Account Management Chapter 8 Managing Replication Chapter 9 Extending the Directory Schema Chapter 10 Managing Indexes ...

Page 32: ...y Server Administrator s Guide May 2005 Chapter 11 Managing SSL and SASL Chapter 12 Monitoring Server and Database Activity Chapter 13 Monitoring Directory Server Using SNMP Chapter 14 Tuning Directory Server Performance ...

Page 33: ...e Directory Server Console page 34 Configuring the Directory Manager page 35 Binding to the Directory from Red Hat Console page 36 Starting and Stopping the Directory Server page 37 Configuring LDAP Parameters page 38 Cloning a Directory Server page 42 Starting the Server in Referral Mode page 43 Overview of Directory Server Management The Directory Server is a robust scalable server designed to m...

Page 34: ... start the Directory Server Console from Red Hat Console as described below Starting Directory Server Console 1 Check that the Directory Server daemon slapd serverID is running If it is not as root user enter the following command to start it serverRoot slapd serverID start slapd 2 Check that the Administration Server daemon admin serv is running If it is not as root user enter the following comma...

Page 35: ... tab 2 Browse through the tree until the entry whose DN you want to copy is displayed 3 Select the entry in the tree and then select Edit Copy DN or press Shift Ctrl C Configuring the Directory Manager The Directory Manager is the privileged database administrator comparable to the root user in UNIX Access control does not apply to the entry you define as Directory Manager You initially defined th...

Page 36: ...option to log in by providing a bind DN and a password This option lets you indicate who is accessing the directory tree This determines the access permissions granted to you and whether you can perform the requested operation Changing Login Identity You can log in with the Directory Manager DN when you first start the Red Hat Console At any time you can choose to log in as a different user withou...

Page 37: ...If you have enabled SSL for the Directory Server you cannot restart the server from the Console you must use the command line It is possible to restart without being prompted for a password see Creating a Password File on page 433 for more information Rebooting the system does not automatically start the ns slapd process This is because the directory does not automatically create startup or run co...

Page 38: ...ings through the Directory Server Console This section provides information on Changing Directory Server Port Numbers Placing the Entire Directory Server in Read Only Mode Tracking Modifications to Directory Entries For information on schema checking see chapter 9 Extending the Directory Schema Changing Directory Server Port Numbers You can modify the port or secure port number of your user Direct...

Page 39: ...r non SSL communications in the Port text box The default value is 389 4 Enter the port number you want the server to use for SSL communications in the Encrypted Port text box The encrypted port number that you specify must not be the same port number as you are using for normal LDAP communications The default value is 636 5 Click Save A warning will appear You are about to change the port number ...

Page 40: ...click on Restart Admin Server A dialog will appear saying that the Admin Server has been successfully restarted Click on Close Placing the Entire Directory Server in Read Only Mode If you maintain more than one database with your Directory Server and you need to place all your databases in read only mode you can do this in a single operation However if your Directory Server contains replicas you m...

Page 41: ...inguished name of the person who last modified the entry modifyTimestamp The timestamp for when the entry was last modified in GMT format NOTE This operation also makes the Directory Server configuration read only therefore you cannot update the server configuration enable or disable plug ins or even restart the Directory Server while it is in read only mode Once you have enabled read only mode yo...

Page 42: ...up and configured your Directory Server Red Hat Console offers a simple way of duplicating your configuration on another instance of the Directory Server This is a two phase procedure First you must create a new instance of the Directory Server Second you must clone the configuration of your first Directory Server instance and apply it to the new one Creating a New Directory Server Instance 1 In t...

Page 43: ... it click OK Cloning the Directory Configuration 1 In the Red Hat Console window expand the Server Group folder and right click on the Directory Server that you want to clone 2 From the pop up menu select Clone Server Config A new window is displayed with the list of target servers for cloning 3 In this window select the server to which you want the configuration to apply and click the Clone To bu...

Page 44: ...ectory Server in referral mode 1 Go to the bin slapd server directory under your installation directory cd serverRoot slapd serverID bin slapd server 2 Run the refer command as follows ns slapd refer D instance_dir p port r referral_url instance_dir is the directory instance for which queries will be referred port is the option port number of the Directory Server you want to start in referral mode...

Page 45: ...ver through Windows User Sync see chapter 18 Windows Sync for more information on adding or modifying synchronized entries through Windows User Sync This chapter consists of the following sections Managing Entries from the Directory Console page 45 Managing Entries from the Command Line page 55 LDIF Update Statements page 63 Maintaining Referential Integrity page 72 Managing Entries from the Direc...

Page 46: ...ng that suffix is not automatically created To create a root entry for a database 1 In the Directory Server Console select the Configuration tab For information on starting the Directory Server Console refer to Using the Directory Server Console on page 34 2 Create a new database as explained in Creating and Maintaining Databases on page 90 3 In the Directory tab right click the top object represe...

Page 47: ...Property Editor for the new entry is displayed You can either accept the current values by clicking OK or modify the entry as explained in Modifying Directory Entries on page 49 Creating Directory Entries Directory Server Console offers several predefined templates for creating directory entries Templates are available for the following types of entries User Group Organizational Unit Role Class of...

Page 48: ...nizational Unit Role Class of Service or Other The corresponding Create window is displayed 3 Supply values for all of the mandatory attributes identified by an asterisk and if you want for any of the optional attributes The Create window does not provide fields for all optional attributes 4 To display the full list of attributes click the Advanced button The Property Editor is displayed Refer to ...

Page 49: ...he naming attribute you want to use to name your new entry To provide values for optional attributes that are not listed refer to Modifying Directory Entries on page 49 6 Click OK to save the new entry and dismiss the Property Editor window The new entry is displayed in the right pane Modifying Directory Entries To modify directory entries from Directory Server Console you must start the Property ...

Page 50: ... add an object class to an entry 1 In the Directory tab of the Directory Server Console right click the entry you want to modify and select Advanced from the pop up menu You can also double click the entry The Property Editor is displayed click on the Advanced button 2 Select the object class field and click Add Value The Add Object Class window is displayed It shows a list of object classes that ...

Page 51: ...r allows the attribute See Adding an Object Class to an Entry on page 50 and chapter 9 Extending the Directory Schema for more information To add an attribute to an entry 1 In the Directory tab of the Directory Server Console right click the entry you want to modify and select Advanced from the pop up menu You can also double click the entry The Property Editor is displayed click on the Advanced b...

Page 52: ...each attribute name in the request The size of the values of each of the attributes in the request The size of the DN in the request Some overhead 10Kbytes should be sufficient For further information about the nsslapd maxbersize attribute and for information about setting this attribute see the section nsslapd maxbersize Maximum Message Size in chapter 2 Core Server Configuration Reference in Red...

Page 53: ... Property Editor when you have finished editing the entry The Advanced Property Editor is dismissed Click OK in the Property Editor The Property Editor is dismissed Adding an Attribute Subtype You can add three different kinds of subtypes to attributes contained within an entry language binary and pronunciation Language Subtype Sometimes a user s name can be more accurately represented in characte...

Page 54: ...e pronunciation subtype to an attribute indicates that the attribute value is a phonetic representation The subtype is added to the attribute name as attribute phonetic This subtype is commonly used in combination with a language subtype for languages that have more than one alphabet where one is a phonetic representation You might want to use this with attributes that are expected to contain user...

Page 55: ... the entry you want to delete in the navigation tree or in the right pane and select Delete from the pop up menu To select multiple entries use Ctrl click or Shift click and then select Delete from the Edit menu The server deletes the entry or entries immediately There is no undo Managing Entries from the Command Line The command line utilities allow you to manipulate the contents of your director...

Page 56: ...put you supplied Typically the EOF escape sequence is one of the following depending upon the type of machine you use almost always control D D For example suppose you want to input some LDIF update statements to ldapmodify Then you would do the following prompt ldapmodify D bindDN w password h hostname dn cn Barry Nixon ou people dc example dc com changetype modify delete telephonenumber add mana...

Page 57: ...me objectclass newobjectclass The DN corresponds to the DN of the root or sub suffix contained by the database The newobjectclass value depends upon the type of object class you are adding to the database You may need to specify additional mandatory attributes depending upon the root object you add Adding Entries Using LDIF You can use an LDIF file to add multiple entries or to import an entire da...

Page 58: ... ldapmodify uses LDIF update statements ldapmodify can do everything that ldapdelete can do If schema checking is turned on when you use this utility then the server performs schema checking for the entire entry when it is modified If the server detects an attribute or object class in the entry that is not known to the server then the modify operation will fail when it reaches the erroneous entry ...

Page 59: ...ops p 845 f new ldif The following table describes the ldapmodify parameters used in the example Table 2 2 Description of ldapmodify Parameters Used for Adding Entries Parameter Name Description a Specifies that the modify operation will add new entries to the directory D Specifies the distinguished name with which to authenticate to the server The value must be a DN recognized by the Directory Se...

Page 60: ...ents and then enter the following command ldapmodify D cn Directory Manager w King Pin h cyclops p 845 f modify_statements The following table describes the ldapmodify parameters used in the example Table 2 3 Description of ldapmodify Parameters Used for Modifying Entries Parameter Name Description D Specifies the distinguished name with which to authenticate to the server The value must be a DN r...

Page 61: ...ree can be deleted only if there aren t any entries below it If you want to delete ou People dc example dc com you must first delete Paula Simon and Jerry O Connor s entries and all other entries in that subtree Here is a typical example of how to use the ldapdelete utility Suppose that You want to delete the entries identified by the distinguished names cn Robert Jenkins ou People dc example dc c...

Page 62: ...stem documentation for more information In addition if you are using DNs that contain commas you must escape the commas with a backslash For example D cn Patricia Fuentes ou people o example com Bolivia S A To delete user Patricia Fuentes from the example com Bolivia S A tree you would enter the following command ldapdelete D cn Directory Manager dc example dc com w King Pin h cyclops p 845 cn Pat...

Page 63: ... is required that indicates how the entry should be changed If you specify changetype modrdn change operations are required that specify how the relative distinguished name RDN is to be modified A distinguished name s RDN is the left most value in the DN For example the distinguished name uid ssarette dc example dc com has an RDN of uid ssarette The general format of LDIF update statements is as f...

Page 64: ... that branch That is if you want to place an entry in a People and a Groups subtree then create the branch point for those subtrees before creating entries within the subtrees The following LDIF update statements can be used to create the People and the Groups subtrees and then to create entries within those trees dn dc example dc com changetype add objectclass top objectclass organization o examp...

Page 65: ...inistrators ou Groups dc example dc com changetype add objectclass top objectclass groupOfNames member cn Sue Jacobs ou People dc example dc com member cn Pete Minsky ou People dc example dc com cn Administrators dn ou example com Bolivia S A dc example dc com changetype add objectclass top objectclass organizationalUnit ou example com Bolivia S A dn cn Carla Flores ou example com Bolivia S A dc e...

Page 66: ...eople dc example dc com can be modified to be cn Susan Jacobs ou People dc example dc com but it cannot be modified to be cn Sue Jacobs ou old employees dc example dc com The following example can be used to rename Sue Jacobs to Susan Jacobs dn cn Sue Jacobs ou Marketing dc example dc com changetype modrdn newrdn cn Susan Jacobs deleteoldrdn 0 Because deleteoldrdn is 0 this example retains the exi...

Page 67: ...ly the last two entries The entry that identifies the People subtree can be renamed only if no other entries exist below it Modifying an Entry Using LDIF Use changetype modify to add replace or remove attributes and or attribute values to the entry When you specify changetype modify you must also provide a change operation to indicate how the entry is to be modified Change operations can be as fol...

Page 68: ...to Existing Entries Using LDIF You use changetype modify with the add operation to add an attribute and an attribute value to an entry For example the following LDIF update statement adds a telephone number to the entry dn cn Barney Fife ou People dc example dc com changetype modify add telephonenumber telephonenumber 555 1212 The following example adds two telephone numbers to the entry dn cn Bar...

Page 69: ...pecify the ldapmodify b parameter However you must add the following line to the beginning of your LDIF file or your LDIF update statements version 1 For example you could use the following ldapmodify command prompt ldapmodify D userDN w user_password version 1 dn cn Barney Fife ou People dc example dc com changetype modify add userCertificate userCertificate binary file BarneysCert Changing an At...

Page 70: ...ephonenumber 555 4321 Barney s entry is now as follows cn Barney Fife ou People dc example dc com objectClass inetOrgPerson cn Barney Fife sn Fife telephonenumber 555 6789 telephonenumber 555 4321 Deleting All Values of an Attribute Using LDIF Use changetype modify with the delete operation to delete an attribute from an entry If the entry has more than one instance of the attribute you must indic...

Page 71: ...le dc example dc com objectClass inetOrgPerson cn Barney Fife sn Fife telephonenumber 555 6789 Deleting an Entry Using LDIF Use changetype delete to delete an entry from your directory You can only delete leaf entries Therefore when you delete an entry make sure that no other entries exist under that entry in the directory tree That is you cannot delete an organizational unit entry unless you have...

Page 72: ...omePostalAddress lang fr 34 rue de Seine Maintaining Referential Integrity Referential integrity is a database mechanism that ensures relationships between related entries are maintained In the Directory Server referential integrity can be used to ensure that an update to one entry in the directory is correctly reflected in any other entries that may refer to the updated entry For example if a use...

Page 73: ...y was changed the corresponding attribute value is modified accordingly By default when the Referential Integrity Plug in is enabled it performs integrity updates on the member uniquemember owner and seeAlso attributes immediately after a delete or rename operation You can however configure the behavior of the Referential Integrity Plug in to suit your own needs You can do any of the following Rec...

Page 74: ... in This task is described in Enabling Disabling Referential Integrity on page 74 2 Configure the plug in to record any integrity updates in the changelog This task is described in Recording Updates in the Changelog on page 75 3 Ensure that the Referential Integrity Plug in is disabled on all consumer servers Enabling Disabling Referential Integrity You can enable or disable referential integrity ...

Page 75: ...rRoot slapd serverID logs directory You must do this if you want referential integrity updates to be replicated to consumer servers in the context of replication You can make this change from the Directory Server Console From the Directory Server Console 1 In the Directory Server Console select the Configuration tab For information on starting the Directory Server Console refer to Using the Direct...

Page 76: ...nds updates occur every 8 hours 86 400 seconds updates occur once a day 604 800 seconds updates occur once a week You can modify the update interval from the Directory Server Console From the Directory Server Console 1 In the Directory Server Console select the Configuration tab For information on starting the Directory Server Console refer to Using the Directory Server Console on page 34 2 Expand...

Page 77: ...e ensure that it is indexed in all the backends You can improve the performance by removing any unused attributes from the list From the Directory Server Console 1 In the Directory Server Console select the Configuration tab For information on starting the Directory Server Console refer to Using the Directory Server Console on page 34 2 Expand the Plugins folder in the navigation tree and select t...

Page 78: ...Maintaining Referential Integrity 78 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 79: ...base Links page 103 Using Referrals page 143 For conceptual information on distributing your directory data refer to the Red Hat Directory Server Deployment Guide Creating and Maintaining Suffixes You can store different pieces of your directory tree in different databases and then distribute these databases across multiple servers Your directory tree contains branch points called nodes These node...

Page 80: ...taining Suffixes Creating Suffixes You can create both root and subsuffixes to organize the contents of your directory tree A root suffix is the parent of a sub suffix It can be part of a larger tree you have designed for your Directory Server A sub suffix is a branch underneath a root suffix The data for root and subsuffixes are contained by databases Your directory might contain more than one ro...

Page 81: ...ve the directory tree looks as illustrated in Figure 3 3 Figure 3 3 A Sample Directory Tree with a Root Suffix Off Limits to Search Operations Searches performed by client applications on the dc example dc com branch of example com Corporation s directory will not return entries from the l europe dc example dc com branch of the directory as it is a separate root suffix If example com Corporation d...

Page 82: ... a database 1 In the Directory Server Console select the Configuration tab 2 Right click Data in the left navigation pane and select New Root Suffix from the pop up menu The Create new root suffix dialog box is displayed 3 Enter a unique suffix in the New suffix field The suffix must be named according to dc naming conventions For example you might enter a new suffix name of dc example dc com 4 Se...

Page 83: ...t New Sub Suffix from the pop up menu The Create new sub suffix dialog box is displayed 3 Enter a unique suffix name in the New suffix field The suffix must be named according to dc naming conventions For example you might enter a new suffix name of ou groups The root suffix is automatically added to the name For example if you are creating the sub suffix ou groups under the dc example dc com suff...

Page 84: ...modify a h example1 p 389 D cn directory manager w secret The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file Next you create the root suffix entry for example com Corporation as follows dn cn dc example dc com cn mapping tree cn config objectclass top objectclass extensibleObject objectclass nsMappingTree nsslapd state backend nsslapd backend UserD...

Page 85: ...the same spacing you use to name the root and subsuffixes via the command line For example if you name a root suffix ou groups dc example dc com with two spaces after groups any subsuffixes you create under this root will need to specify two spaces after ou groups as well Table 3 1 Suffix Attributes Attribute Name Value dn Defines the DN for the suffix The DN is contained in quotes The value you e...

Page 86: ...nsslapd backend Gives the name of the database or database link used to process requests This attribute can be multi valued with one database or database link per value Refer to Creating and Maintaining Database Links on page 103 for more information about database links This attribute is required when the value of the nsslapd state attribute is set to backend or referral on update nsslapd distrib...

Page 87: ...neral refer to Red Hat Directory Server Deployment Guide To set referrals in a suffix 1 In the Directory Server Console select the Configuration tab 2 Under Data in the left pane select the suffix for which you want to add a referral 3 Click the Suffix Settings tab and select the Return Referrals for all Operations radio button nsslapd parent suffix Provides the DN of the parent entry for a sub su...

Page 88: ... do not own You want the data to be available for searches but not for updates You do this by enabling referrals only during update requests When a client application asks to update an entry the client is referred to the server that owns the data where the modification request can proceed To enable referrals only during update operations 1 In the Directory Server Console select the Configuration t...

Page 89: ...x Setting tab and deselect the Enable this suffix checkbox A red dot appears on the Suffix Setting tab to alert you to changes that need to be saved 4 Click Save The suffix is no longer enabled Deleting a Suffix The following procedure describes deleting a suffix 1 In the Directory Server Console select the Configuration tab 2 Under Data in the left navigation pane select the suffix you want to de...

Page 90: ...tion about creating databases to contain your directory data deleting databases using database encryption and making databases temporarily read only Creating Databases Maintaining Directory Databases Database Encryption Creating Databases Directory Server supports the use of multiple databases over which you can distribute your directory tree There are two ways you can distribute your data across ...

Page 91: ...clients can conduct searches based at dc example dc com Database two contains the data for ou groups and database three contains the data for ou contractors Multiple databases for one suffix Suppose the number of entries in the ou people branch of your directory tree is so large that you need two databases to store them In this case the data contained by ou people could be distributed across two d...

Page 92: ...r Creating a New Database for an Existing Suffix Using the Console The following procedure describes adding a database to a suffix you have already created 1 In the Directory Server Console select the Configuration tab 2 In the left pane expand Data then click the suffix to which you want to add the new database 3 Right click the suffix and select New Database from the pop up menu The Create New D...

Page 93: ...utility cd serverRoot shared bin Add a new entry to the configuration file by performing an ldapmodify as follows ldapmodify a h example1 p 389 D cn directory manager w secret The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file Next you create the entry for the new database as follows dn cn UserData cn ldbm database cn plugins cn config objectclass ...

Page 94: ...that start above the suffix You can insert a distribution function into a suffix using both the Console and the command line For information about creating your own custom distribution logic contact Red Hat Professional Services Adding Custom Distribution Using the Console 1 In the Directory Server Console select the Configuration tab 2 Expand Data in the left navigation pane Select the suffix to ...

Page 95: ...tself nsslapd backend Database1 nsslapd backend Database2 nsslapd backend Database3 nsslapd distribution plugin full name of a shared library nsslapd distribution funct distribution function name The nsslapd backend attribute specifies all of the databases associated with this suffix The nsslapd distribution plugin attribute specifies the name of the library that your plug in uses The nsslapd dist...

Page 96: ...se Read Only Using the Console To place a database in read only mode from the Directory Server Console 1 In the Directory Server Console select the Configuration tab 2 Expand Data in the left pane Expand the suffix containing the database you want to put in read only mode 3 Select the database you want to put into read only mode 4 Select the Database Settings tab in the right pane 5 Select the Dat...

Page 97: ...ion Once deleted the database no longer appears in the right pane Configuring Transaction Logs for Frequent Database Updates When the server is going to be asked to perform frequent database updates LDAP adds modifies replication the database transaction log files should be configured to be on a different disk than the primary database files Storing the transaction log files on a separate physical...

Page 98: ...information from directory database files from copies of files or old hard drives because information in a database is stored in plain text Thus sensitive information such as government identification numbers may not be protected enough by standard access control measures Since this potential information loss can present a significant security risk Directory Server can encrypt selected portions of...

Page 99: ...the server s SSL certificate and the resulting wrapped key is stored within the server s configuration files The effective strength of the database encryption is never higher than the strength of the server s SSL key Without access to the server s private key it is not possible to recover the symmetric keys from the wrapped copies Encryption Ciphers The following ciphers are supported for database...

Page 100: ...king file even after a successful re import with encryption To remove this data stop the server delete the file named db guardian and then re start the server This will force recovery which deletes the backing file However it is possible that the data from the deleted file could still be recovered from the hard drive unless steps are taken to overwrite the disk blocks that it occupied After enabli...

Page 101: ...e Delete button When you hit Save a dialog box will appear asking if you want to delete the selected attributes Click on yes to continue with the deletion Any deleted attributes have to be manually re added after you save Configuring Database Encryption Using the Command Line To configure database encryption from the command line use the ldapmodify command to add a configuration entry This example...

Page 102: ...o the database Using the E option when running the db2ldif and ldif2db scripts will decrypt the data on export and re encrypt it on import 1 Export the data using the db2ldif script as follows db2ldif n Database1 E a output ldif s dc example dc com s o userRoot See Exporting to LDIF from the Command Line on page 159 for more information 2 Make any configuration changes 3 Re import the data using t...

Page 103: ...he following sections describe the procedures for creating and maintaining a database link Configuring the Chaining Policy Creating a New Database Link Chaining Using SSL Maintaining Database Links Database Links and Access Control Evaluation Advanced Feature Tuning Database Link Performance Advanced Feature Configuring Cascading Chaining For information about monitoring the activity of your datab...

Page 104: ...ng them to chain internal operations and the permissions they need in the ACI you create on the remote server Table 3 2 Components Allowed to Chain Component Name Description Permissions ACI Plug in This plug in implements the access control feature Operations used to retrieve and update ACI attributes are not chained because it is not safe to mix local and remote ACI attributes However requests u...

Page 105: ... if you delete an entry that is a member of a group the entry is automatically removed from the group Using this plug in with chaining helps simplify the management of static groups when the group members are remote to the static group definition To chain this component s operations specify the following nsActiveChainingComponents cn referential integrity postoperation cn plugins cn config Read wr...

Page 106: ... 4 To delete a component from the list select it and click Delete After making modifications to the components list a red dot appears on the tab and the field name turns gray 5 Click Save to save your changes 6 Restart the server in order for the change to take effect After allowing the component to chain you must create an ACI in the suffix on the remote server to which the operation will be chai...

Page 107: ...fied the nsActiveChainingComponents attribute you must restart the server for your change to take effect After allowing the component to chain you must create an ACI in the suffix on the remote server to which the operation will be chained For example you would create the following ACI for the referential integrity component aci targetattr target ldap ou customers l us dc example dc com version 3 ...

Page 108: ...t from the LDAP controls forwarded to the remote server list and click Delete 5 After making modifications to the components list a red dot appears on the tab and the components field name turns gray Click Save to save your changes Chaining LDAP Controls from the Command Line You can alter the controls that the database link forwards by changing the nsTransmittedControls attribute of the cn config...

Page 109: ...edentials you want each database link to use to bind with remote servers LDAP URL You provide the LDAP URL of the remote server to which the database link connects List of failover servers You can provide a list of alternative servers for the database link to contact in the event of a failure This configuration item is optional The following sections describe creating a new database link from the ...

Page 110: ...ane right click the suffix you just created and select New Database Link from the pop up menu The Create New Database Link dialog box is displayed 7 Enter the name of the new database link in the Database link name field Use only ASCII 7 bit characters for naming the database link This value cannot contain commas tabs an equals sign asterisk backslash forward slash plus sign quote double quote or ...

Page 111: ...ig entry Default configuration attributes are contained in the cn default config cn chaining database cn plugins cn config entry These configuration attributes apply to all database links at creation time Changes to the default configuration only affect new database links You cannot change the default configuration attributes on existing database links Each database link contains its own specific ...

Page 112: ...e chained to a remote server you can provide special bind credentials for the client application This gives the remote server the proxied authorization rights needed to chain operations If you do not specify bind credentials the database link binds to the remote server as anonymous Providing bind credentials involves the following steps 1 On the remote server you need to do the following a Create ...

Page 113: ...me cn chaining database cn plugins cn config entry For example a client application sends a request to Server A Server A contains a database link that chains the request to a database on Server B The database link on Server A binds to Server B using a special user as defined in the nsMultiplexorBindDN attribute and a user password as defined in the nsMultiplexorCredentials attribute In this exampl...

Page 114: ...amine access controls when enabling chaining to avoid giving access to restricted areas of your directory For example if you create a default proxy ACI on a branch the users that connect via the database link will be able to see all entries below the branch There may be cases when you do not want all of the subtrees to be viewed by a user To avoid a security hole you may need to create an addition...

Page 115: ...rtnumber For more information about chaining and SSL refer to Chaining Using SSL on page 120 Providing a List of Failover Servers You can include additional LDAP URLs for servers to use in the case of failure To do so add alternate servers to the nsFarmServerURL attribute separated by spaces For example you might enter the following nsFarmServerURL ldap example com us example com 389 africa exampl...

Page 116: ...d sizelimit Default size limit for the database link given in number of entries The default value is 2000 entries nsFarmServerURL Gives the LDAP URL of the remote server or farm server that contains the data This attribute can contain optional servers for failover separated by spaces If using cascading chaining this URL can point to another database link nsMultiplexorBindDN DN of the administrativ...

Page 117: ...Components Lists the components using chaining A component is any functional unit in the server The value of this attribute in the database link instance overrides the value in the global configuration attribute To disable chaining on a particular database instance use the value none The default policy is not to allow chaining Refer to Chaining Component Operations on page 103 for more information...

Page 118: ...secret h us example com Then specify the configuration information for the database link dn cn DBLink1 cn chaining database cn plugins cn config objectclass top objectclass extensibleObject objectclass nsBackendInstance nsslapd suffix l Zanzibar ou people dc example dc com nsfarmserverurl ldap africa example com 389 nsmultiplexorbinddn cn proxy admin cn config nsmultiplexorcredentials secret cn DB...

Page 119: ...e link The nsslapd parent suffix attribute specifies the parent of this new suffix ou people dc example dc com Next you create an administrative user on Server B as follows dn cn proxy admin cn config objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn proxy admin sn proxy admin userPassword secret description Entry for use by database links Add the following proxy aut...

Page 120: ...rica example com 636 Enable SSL on the server that contains the database link For more information on enabling SSL refer to Enabling SSL Summary of Steps on page 418 When you configure the database link and remote server to communicate using SSL this does not mean that the client application making the operation request must also communicate using SSL The client can bind using a normal port NOTE W...

Page 121: ...w LDAP URL in the Remote Server URL field Unlike the standard LDAP URL format the URL of the remote server does not specify a suffix It takes the following form ldap servername portnumber 5 Update the bind DN used by the database link to bind with the remote server by entering a new DN in the Database link bind DN field 6 Update the password used by the database link to bind with the remote server...

Page 122: ...ct access controls on the subtree contained on the remote server This means that you need to add the usual access controls to the remote server with a few restrictions You cannot use all types of access control For example role based or filter based ACIs need access to the user entry Because you are accessing the data via database links only the data in the proxy control can be verified Consider d...

Page 123: ...When performing a modify operation the database link does not have access to the full entry stored on the remote server If performing a delete operation the database link is only aware of the entry s DN If an access control specifies a particular attribute then a delete operation will fail when being conducted through a database link Advanced Feature Tuning Database Link Performance The following ...

Page 124: ...onnections that the database link establishes with the remote server The default value is 3 connections Bind timeout Amount of time in seconds before the database link s bind attempt times out The default value is 15 seconds Maximum binds per connection Maximum number of outstanding bind operations per TCP connection The default value is 10 outstanding bind operations per connection Time out befor...

Page 125: ...gement attributes for a specific database link are stored in the following entry cn database_link_name cn chaining database cn plugins cn config where database_link_name is the name of the database link The connection management attributes specified in this entry take precedence over the attributes specified in the cn default instance config entry The following table lists the attributes associate...

Page 126: ...he ping is set using the nsMaxTestResponseDelay nsBindRetryLimit Number of times a database link attempts to bind to the remote server A value of zero 0 indicates that the database link will try to bind only once The default value is 3 attempts nsConnectionLife Connection lifetime in seconds You can keep connections between the database link and the remote server open for an unspecified time or yo...

Page 127: ... too long However the database link forwards operations to remote servers for processing The database link contacts the remote server forwards the operation waits for the result and then sends the result back to the client application The entire operation can take much longer than a local operation Table 3 6 Database Link Processing Error Detection Parameters Attribute Name Description nsMaxRespon...

Page 128: ...e the thread number to 50 to improve performance After changing the thread number restart the server to implement your changes Advanced Feature Configuring Cascading Chaining You can configure your database link to point to another database link creating a cascading chaining operation A cascading chain occurs any time more than one hop is required to access all of the data in a directory tree The ...

Page 129: ...ta the clients wants to modify in a database Two hops are required to access the piece of data the client want to modify During a normal operation request a client binds to the server and then any ACIs applying to that client are evaluated With cascading chaining the client bind request is evaluated on Server 1 but the ACIs applying to the client are evaluated only after the request has been chain...

Page 130: ...ubsuffixes are stored on Server A The l europe dc example dc com and ou groups suffixes are stored in on Server B and the ou people branch of the l europe dc example dc com suffix is stored on Server C With cascading configured on servers A B and C a client request targeted at the ou people l europe dc example dc com entry would be routed by the directory as follows ...

Page 131: ...e l europe dc example dc com branch Because at least two hops are required for the directory to service the client request this is considered a cascading chain Configuring Cascading Chaining Defaults Using the Console To set cascading chaining defaults for all database links in your Directory Server 1 In the Directory Server Console select the Configuration tab 2 Expand the Data folder in the left...

Page 132: ...following 1 In the Directory Server Console select the Configuration tab 2 Expand the Data folder in the left pane and locate the database link you want to include in a cascading chain Click the database link then click the Limits and Controls tab in the right navigation pane 3 Select the Check local ACI checkbox if you want to enable the evaluation of local ACIs on the intermediate database links...

Page 133: ...ase link must contain the URL of the server containing another database link Suppose the database link on the server called example1 com points to a database link on the server called africa example com The cn database_link_name cn chaining database cn plugins cn config entry of the database link on Server 1 would contain the following nsFarmServerURL ldap africa example com 389 Transmitting the P...

Page 134: ...I for the administrative user that targets the appropriate suffix This ensures the administrator has access only to the suffix of the database link Add the following ACI to the administrative user s entry aci targetattr version 3 0 acl Proxied authorization for database links allow proxy userdn ldap cn proxy admin cn config This ACI is like the ACI you create on the remote server when configuring ...

Page 135: ...ed to add any client ACIs to this superior suffix entry For example you might add the following aci targetattr version 3 0 acl Client authentication for database link users allow all userdn ldap uid cn config This ACI allows client applications that have a uid in the cn config entry of Server 1 to perform any type of operation on the data below the ou people dc example dc com suffix on server thre...

Page 136: ...er Two Configuring Server Three Table 3 7 Cascading Chaining Configuration Attributes Attribute Description nsFarmServerURL URL of the server containing the next database link in the cascading chain nsTransmittedControls Enter the following OIDs to the database links involved in the cascading chain nsTransmittedControls 2 16 840 1 113730 3 4 12 nsTransmittedControls 1 3 6 1 4 1 1466 29539 12 The f...

Page 137: ...ring Server One First use the ldapmodify command line utility to add a database link to Server 1 To use the utility type the following to change to the directory containing the utility cd serverRoot shared bin Run the utility as follows ldapmodify a D cn directory manager w secret h host p 389 ...

Page 138: ...rst section creates the entry associated with DBLink1 The second section creates a new suffix allowing the server to direct requests made to the database link to the correct server You do not need to configure the nsCheckLocalACI attribute to check local ACIs as this is only required on the database link DBLink2 on Server 2 Since you want to implement loop detection you need to specify the OID of ...

Page 139: ...e database link DBLink2 on Server 2 Using ldapmodify specify the configuration information for DBLink2 as follows dn cn DBLink2 cn chaining database cn plugins cn config objectclass top objectclass extensibleObject objectclass nsBackendInstance nsslapd suffix l Zanzibar c africa ou people dc example dc com nsfarmserverurl ldap zanz africa example com 389 nsmultiplexorbinddn cn server2 proxy admin ...

Page 140: ...ittedControl 1 3 6 1 4 1 1466 29539 12 where nsTransmittedControl 2 16 840 1 113730 3 4 12 is the OID for the proxy authorization control and nsTransmittedControl 1 3 6 1 4 1 1466 29539 12 is the OID for the loop detection control Again check beforehand whether the loop detection control is already configured and adapt the above command accordingly The next step is to configure your ACIs On Server...

Page 141: ...target l Zanzibar c africa ou people dc example dc com version 3 0 acl Client authorization for database links allow all userdn ldap uid c us ou people dc example dc com This ACI allows clients that have a uid in c us ou people dc example dc com on Server 1 to perform any type of operation on the l Zanzibar c africa ou people dc example dc com suffix tree on server three Should you have users on S...

Page 142: ...in read only access to the data contained on the remote server server three within the l Zanzibar ou people dc example dc com subtree only You then need to create a local client ACI on the l Zanzibar ou people dc example dc com subtree that corresponds to the original client application Use the same ACI as the one you created for the client on Server 2 aci targetattr target l Zanzibar c africa ou ...

Page 143: ...are returned to client applications that submit operations on a DN not contained within any of the suffixes maintained by your directory The following procedures describes setting a default referral for your directory using the Console and the command line utilities Setting a Default Referral Using the Console Set a default referral to your directory as follows 1 In the Directory Server Console se...

Page 144: ...er dn cn config changetype modify replace nsslapd referral nsslapd referral ldap dir2 example com Once you have added the default referral to the cn config entry of your directory the directory will return the default referral in response to requests made by client applications You do not need to restart the server Creating Smart Referrals Smart referrals allow you to map a directory entry or dire...

Page 145: ... enter a referral in the LDAP URL format and then click Add to add the referral to the list The LDAP URL to which you want to refer client application requests must be in the following format ldap hostname portnumber optional_dn where optional_dn is the explicit DN you want the server to return to the requesting client application For example you might enter an LDAP URL as follows ldap directory e...

Page 146: ...te the relevant directory entry and add the Referral object class This object class allows a single attribute ref The ref attribute is expected to contain an LDAP URL For example add the following to return a smart referral for an existing entry uid jdoe dn uid jdoe ou people dc example dc com objectclass referral ref ldap directory europe example com cn john 20doe ou people l europe dc example dc...

Page 147: ...l using the Console 1 In the Directory Server Console select the Configuration tab 2 Under Data in the left pane click the suffix to which you want to add a referral 3 In the Suffix Settings tab select one of the following radio buttons Return Referrals for all Operations This means that a referral will be returned when this suffix receives any request from a client application Return Referrals fo...

Page 148: ...89 D cn directory manager w secret The ldapmodify utility binds to the server and prepares it to add information to the configuration file Next you add a suffix referral to the ou people dc example dc com root suffix as follows dn cn ou people dc example dc com cn mapping tree cn config objectclass extensibleObject objectclasss nsmappingtree nsslapd state referral nsslapd referral ldap zanzibar co...

Page 149: ...m the Directory Server Console You can use the Directory Server Console to append data to all of your databases including database links Initialize databases You can use the Directory Server Console to import data to one database This method overwrites any data contained by the database Importing data from the command line You can import data using the command line utilities Table 4 1 describes th...

Page 150: ...h your Directory Server has a configured database link You must be logged in as the Directory Manager in order to perform an import To import data from the Directory Server Console Table 4 1 Import Method Comparison Action Import Initialize Database Overwrites database No Yes LDAP operations Add modify delete Add only Performance More time consuming Fast Partition speciality Works on all partition...

Page 151: ...f you want the server to ignore operations other than add select the Add only checkbox Continue on Error Select the Continue on error checkbox if you want the server to continue with the import even if errors occur For example you might use this option if you are importing an LDIF file that contains some entries that already exist in the database in addition to new ones The server notes existing e...

Page 152: ...n click the database itself 3 Right click the database and select Initialize Database You can also select Initialize Database from the Object menu 4 In the LDIF file field enter the full path to the LDIF file you want to import or click Browse to locate it on your machine 5 If you are operating the Console from a machine local to the file being imported skip to step 6 If you are operating the Cons...

Page 153: ...he script requires you to shut down the server before proceeding with the import By default the script first saves and then merges any existing o NetscapeRoot configuration information with the o NetscapeRoot configuration information in the files being imported To import LDIF with the server stopped 1 From the command line change to the following directory serverRoot slapd serverID 2 Stop the ser...

Page 154: ...uires the server to be running in order to perform the import 1 From the command line change to the following directory serverRoot slapd serverID CAUTION If you a specify a database in the n option that does not correspond with the suffix contained by the LDIF file all of the data contained by the database is deleted and the import fails Make sure that you do not misspell the database name Option ...

Page 155: ...through LDAP Using this script you import data to all directory databases at the same time The server must be running in order to import using ldif2ldap To import LDIF using ldif2ldap 1 From the command line change to the following directory serverRoot slapd serverID 2 Run the ldif2ldap command line script For more information about using this script refer to Red Hat Directory Server Configuration...

Page 156: ...Data You can use the LDAP Data Interchange Format LDIF to export database entries from your databases LDIF is a standard format described in RFC 2849 The LDAP Data Interchange Format LDIF Technical Specification Exporting data can be useful for the following Backing up the data in your database Copying your data to another Directory Server Exporting your data to another application Repopulating da...

Page 157: ...mote to the server you can export all of the databases and database links To export directory data to LDIF from the Directory Server Console while the server is running 1 In the Directory Server Console select the Tasks tab Scroll to the bottom of the screen and click Export Database s To export all of your databases you can also select the Configuration tab and select Export from the Console menu...

Page 158: ...rt the file Exporting a Single Database to LDIF Using the Console To export one database to LDIF from the Directory Server Console while the server is running 1 In the Directory Server Console select the Configuration tab 2 Expand the Data tree in the left navigation pane Expand the suffix maintained by the database you want to export Select the database under the suffix that you want to export 3 ...

Page 159: ... using the db2ldif UNIX shell script db2ldif n database1 a output ldif s dc example dc com s o NetscapeRoot The following table describes the db2ldif options used in the examples Backing Up and Restoring Data You can back up and restore your databases using the Directory Server Console or a command line script NOTE To export a database that has been encrypted you must use the E option with the scr...

Page 160: ...tory Server Console and from the command line Backing Up All Databases from the Server Console When you back up your databases from the Directory Server Console the server copies all of the database contents and associated index files to a backup location You can perform a backup while the server is running To back up your databases from theDirectory Server Console 1 In the Directory Server Consol...

Page 161: ...pt This script works when the server is running or when the server is stopped You cannot back up the configuration information using this backup method For information on backing up the configuration information refer to Backing Up the dse ldif Configuration File on page 162 To back up your directory from the command line using the db2bak script 1 At the command prompt change to the following dire...

Page 162: ...le and from the command line Restoring All Databases from the Console If your databases become corrupted you can restore data from a previously generated backup using the Directory Server Console This process consists of stopping the server and then copying the databases and associated index files from the backup location to the database directory To restore your databases from a previously create...

Page 163: ...rRoot slapd serverID 2 If the server is running type the following to stop it stop slapd 3 Run the bak2db command line script For more information about using this script refer to Red Hat Directory Server Configuration Command and File Reference This example performs an import using the bak2db UNIX shell script bak2db opt redhat ds servers slapd dirserver bak bak_20010701103056 The bak2db script r...

Page 164: ...userRoot 4 Restart the Directory Server by typing the following start slapd Restoring Databases That Include Replicated Entries If you are restoring a database that is supplying entries to other servers then you must reinitialize all of the servers that receive updates from the restored database for example consumer servers hub servers and in multi master replication environments other supplier se...

Page 165: ...e old changelog file and creates a new empty one Changelog entries have expired on the supplier server since the time of the local backup If changelog entries have expired you need to initiate consumer reinitialization For more information on reinitializing consumers refer to Initializing Consumers on page 345 For information on managing replication see Managing Replication on page 301 Restoring t...

Page 166: ...Only Mode 1 In the Directory Server Console select the Configuration tab and expand the Data folder in the navigation tree 2 Select the database that you want to place in read only mode and click the Database Settings tab in the right pane 3 Select the Database is Read Only checkbox 4 Click Save Your change takes effect immediately Before performing an import or restore operation you should ensure...

Page 167: ...y roles and class of service determine your directory topology in the planning phase of your directory deployment Refer to the Red Hat Directory Server Deployment Guide for more information Using Groups Groups are a mechanism for associating entries for ease of administration This mechanism was provided with previous versions of Directory Server and should be used primarily for compatibility with ...

Page 168: ... is required 4 Enter a description of the new group in the Description field 5 Click Members in the left pane In the right pane select the Static Group tab Click Add to add new members to the group The standard Search users and groups dialog box appears 6 In the Search drop down list select what sort of entries to search for users groups or both then click Search Select one of the entries returned...

Page 169: ...ew Dynamic Group Modifying a Dynamic Group Adding a New Dynamic Group 1 Follow steps 1 4 of Adding a New Static Group on page 168 2 Click Members in the left pane In the right pane select the Dynamic Group tab Click Add to create a LDAP URL for querying the database The standard Construct and Test LDAP URL dialog box displays 3 Enter an LDAP URL in the text field or select Construct to be guided t...

Page 170: ...s Roles are a new entry grouping mechanism that unify the static and dynamic groups described in the previous sections Roles are designed to be more efficient and easier to use for applications For example an application can locate the role of an entry rather than select a group and browse the members list This section contains the following topics About Roles Managing Roles Using the Console Mana...

Page 171: ...ng filtered roles as you used to do with dynamic groups Roles are easier to use than groups more flexible in their implementation and reduce client complexity However evaluating roles is more resource intensive because the server does the work for the client application With roles the client application can check role membership by searching the nsRole attribute The nsRole attribute is a computed ...

Page 172: ...ch they belong When a role is said to be inactivated it does not mean that you cannot bind to the server using that role entry The meaning of an inactivated role is that you cannot bind to the server using any of the entries that belong to that role the entries that belong to an inactivated role will have the nsaccountlock attribute set to true In the case of the nested role an inactivated nested ...

Page 173: ... the parent entry for your new role 3 Go to the Object menu and select New Role You can also right click the entry and select New Role The Create New Role dialog box is displayed 4 Click General in the left pane Type a name for your new role in the Role Name field The role name is required 5 Enter a description of the new role in the Description field 6 Click Members in the left pane A search dial...

Page 174: ...filtered role definitions fields a Select the types of entries you want to filter from the For drop down list You can choose between users groups or both b Select an attribute from the Where drop down list The two fields following it allow you to refine your search by selecting one of the qualifiers from the drop down list such as contains does not contain is is not and enter an attribute value in...

Page 175: ...Server Console select the Directory tab 2 In the left navigation pane browse the tree and select the entry for which you want to view or edit a role 3 Select Set Roles from the Object menu The Roles dialog box displays 4 Select the Managed Roles tab to display the managed roles to which this entry belongs To add a new managed role click Add and select an available role from the Role Selector windo...

Page 176: ...ur changes Making a Role Inactive You can temporarily disable the members of a role by inactivating the role to which they belong Inactivating a role inactivates the entries possessed by the role not the role itself To temporarily disable the members of a role 1 In the Directory Server Console select the Directory tab 2 Browse the navigation tree in the left pane to locate the base DN for your rol...

Page 177: ...ght click the role and select Delete A dialog box appears asking you to confirm the deletion Click Yes 4 The Deleted Entries dialog box appears to inform you that the role was successfully deleted Click OK Managing Roles Using the Command Line Roles inherit from the ldapsubentry object class which is defined in the ISO IEC X 509 standard In addition each type of role has two specific object classe...

Page 178: ...llows dn cn Marketing ou people dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsSimpleRoleDefinition objectclass nsManagedRoleDefinition cn Marketing description managed role for marketing staff Table 5 1 Object Classes and Attributes for Roles Role Type Object Classes Attributes Managed Role nsSimpleRoleDefinition nsManagedRoleDefinition Descr...

Page 179: ...dapmodify script as follows ldapmodify D cn Directory Manager w secret h host p 389 Specify the filtered role as follows dn cn SalesManagerFilter ou people dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsComplexRoleDefinition objectclass nsFilteredRoleDefinition cn SalesManagerFilter nsRoleFilter o sales managers Description filtered role for s...

Page 180: ...bject classes The nsRoleDN attributes contain the DN of the marketing managed role and the sales managers filtered role Both of the users in the previous examples Bob and Pat would be members of this new nested role Using Roles Securely Not every role is suitable for use in a security context When creating a new role consider how easily the role can be assigned to and removed from an entry Sometim...

Page 181: ...moving the appropriate nsRoleDN aci targetattr nsRoleDN targattrfilters add nsRoleDN nsRoleDN cn AdministratorRole dc example dc com del nsRoleDN nsRoleDN cn nsManagedDisabledRole dc exampl e dc com version3 0 aci allow mod of nsRoleDN by self but not to critical values allow write userdn ldap self Filtered roles The attributes that are part of the filter should be protected so that the user canno...

Page 182: ...lf Instead they are generated by class of service logic as the entry is sent to the client application Each CoS is comprised of the following two types of entry in your directory CoS Definition Entry The CoS definition entry identifies the type of CoS you are using Like the role definition entry it inherits from the LDAPsubentry object class The CoS definition entry is below the branch at which it...

Page 183: ...ute is then used to identify the template entry The target entry s attribute must be single valued and contain a DN Classic CoS A classic CoS identifies the template entry using a combination of the template entry s base DN and the value of one of the target entry s attributes For more information about the object classes and attributes associated with each type of CoS refer to Managing CoS from t...

Page 184: ...mplate is associated with a classic CoS How a Pointer CoS Works You create a pointer CoS that shares a common postal code with all of the entries stored under dc example dc com The three entries for this CoS appear as illustrated in Figure 5 1 Figure 5 1 Sample Pointer CoS In this example the template entry is identified by its DN cn exampleUS cn data in the CoS definition entry Each time the post...

Page 185: ...liam s manager is Carla Fuentes so the manager attribute contains a pointer to the DN of the template entry cn Carla Fuentes ou people dc example dc com The template entry in turn provides the departmentNumber attribute value of 318842 How a Classic CoS Works You can create a classic CoS that uses a combination of the template DN and a CoS specifier to identify the template entry containing the po...

Page 186: ...S cn data The template entry then provides the value of the postalCode attribute to the target entry Managing CoS Using the Console This section describes creating and editing CoS through the Directory Server Console It includes the following sections Creating a New CoS Creating the CoS Template Entry Editing an Existing CoS Deleting a CoS Creating a New CoS 1 In the Directory Server Console selec...

Page 187: ...stored with the entry Select Overrides target entry attribute to make the value of the attribute generated by the CoS override the local value Select Overrides target entry attribute and is operational to make the attribute override the local value and to make the attribute operational so that it is not visible to client applications unless explicitly requested Select Does not override target entr...

Page 188: ...name The template DN in a classic CoS is more general than for a pointer CoS set the suffix or subsuffix where you will place the template entries there can be more than one template 8 Click OK Creating the CoS Template Entry If you created a pointer CoS or a classic CoS you need to create a template entry according to the template DN you set when you created the class of service Although you can ...

Page 189: ...bute in an entry the cospriority attribute ranks the importance of that particular CoS The higher cospriority will take precedence in a conflict The highest priority is 0 Templates that contain no cosPriority attribute are considered the lowest priority In the case where two or more templates are considered to supply an attribute value and they have the same or no priority a value is chosen arbitr...

Page 190: ... or remove attributes generated by the CoS 6 Click OK to save your changes The target entries of the CoS are automatically updated Deleting a CoS The following procedure describes deleting a CoS 1 In the Directory Server Console select the Directory tab 2 Browse the tree in the left navigation pane and select the parent entry that contains your class of service The CoS appears in the right pane wi...

Page 191: ...ject Classes Description Pointer CoS cosPointerDefinition Identifies the template entry associated with the CoS definition using the template entry s DN value The DN of the template entry is specified in the cosTemplateDn attribute Indirect CoS cosIndirectDefinition Identifies the template entry using the value of one of the target entry s attributes The attribute of the target entry is specified ...

Page 192: ...ere specified Operational default This qualifier indicates that the server only returns a generated value if there is no corresponding attribute value stored with the entry and if it is explicitly requested in the search If you do not indicate a qualifier default is assumed cosIndirectSpecifier Specifies the attribute value used by an indirect CoS to identify the template entry cosSpecifier Specif...

Page 193: ...re information about the attributes refer to the Red Hat Directory Server Configuration Command and File Reference Now that you have been introduced to the object classes and attributes used by a CoS definition it is time to put them together to create the definition entry itself Table 5 4 describes the CoS definition for each type of CoS NOTE If an entry contains an attribute value generated by a...

Page 194: ...ition entry In such a case you can specify a template priority on each template entry to determine which template provides the attribute value Set the template priority using the cosPriority attribute This attribute represents the global priority of a particular template A priority of zero is the highest priority Classic CoS objectclass top objectclass cosSuperDefinition objectclass cosClassicDefi...

Page 195: ...ority of zero meaning this template takes precedence over any other conflicting templates that define a different departmentNumber value The following sections provide examples of template entries along with examples of each type of CoS definition entry Example of a Pointer CoS You want to create a pointer CoS that shares a common postal code with all entries in the dc example dc com tree To add a...

Page 196: ...ares it to add information to the configuration file Next you add the indirect CoS definition to the dc example dc com root suffix as follows dn cn indirectCoS dc example dc com objectclass top objectclass cosSuperDefinition objectclass cosIndirectDefinition cosIndirectSpecifier manager cosAttribute departmentNumber You do not need to add any additional entries to the directory or modify the manag...

Page 197: ...Attribute postalCode override Next you create the template entries for the sales and marketing departments Add the CoS attributes to the template entry The cn of the template sets the value of the businessCategory attribute in the target entry and then the attributes are added or overwritten according to the value in the template dn cn sales cn classicCoS dc example dc com objectclass top objectcl...

Page 198: ...box quota The manager role exists as follows dn cn ManagerRole ou people dc example dc com objectclass top objectclass nsRoleDefinition objectclass nsComplexRoleDefinition objectclass nsFilteredRoleDefinition cn ManagerRole nsRoleFilter o managers Description filtered role for managers The classic CoS definition entry would look as follows dn cn managerCOS dc example dc com objectclass top objectc...

Page 199: ...00000 The template provides the value for the mailboxquota attribute 1000000 Access Control and CoS The server controls access to attributes generated by a CoS in exactly the same way as regular stored attributes However access control rules depending upon the value of attributes generated by CoS will not work NOTE The role entry and the CoS definition and template entries should be located at the...

Page 200: ...Assigning Class of Service 200 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 201: ... Control Usage Examples page 242 Viewing the ACIs for an Entry page 263 Advanced Access Control Using Macro ACIs page 269 Access Control and Replication page 276 Logging Access Control Information page 276 Compatibility with Earlier Releases page 277 To take full advantage of the power and flexiblity of the access control mechanism while you are in the planning phase for your directory deployment ...

Page 202: ...ttributes You can set permissions for a specific user all users belonging to a specific group or role or all users of the directory Finally you can define access for a specific location such as an IP address or a DNS name ACI Structure Access control instructions are stored in the directory as attributes of entries The aci attribute is an operational attribute it is available for use on every entr...

Page 203: ...u could create an ACI that targets entries that include the inetorgperson object class You can use this feature to minimize the number of ACIs in the directory tree by placing general rules at high level branch points To limit the scope of more specific rules you should place them as close as possible to leaf entries ACI Evaluation To evaluate the access rights to a particular entry the server com...

Page 204: ...f the group must have an entry on the server too If the group is static the members entries can be located on remote servers ACIs that depend on role definitions roledn keyword must be located on the same server as the role definition entry Every entry that is intended to have the role must also be located on the same server However you can do value matching of values stored in the target entry wi...

Page 205: ... include mail telephoneNumer userPassword seeAlso and so on Operational and most of the security attributes such as aci nsroledn and passwordExpirationTime can t be modified by the users Users have anonymous access to the directory for search compare and read operations The administrator by default uid admin ou Administrators ou TopologyManagement o NetscapeRoot has all rights except proxy rights ...

Page 206: ...ntries and attributes for which you want to control access The target can be a distinguished name one or more attributes or a single LDAP filter The target is an optional part of the ACI version 3 0 is a required string that identifies the ACI version name is a name for the ACI The name can be any string that identifies the ACI The ACI name is required TIP LDIF ACI statements can be very complex H...

Page 207: ...ermission bind_rule Example ACI The following is an example of a complete LDIF ACI aci target ldap uid bjensen dc example dc com targetattr version 3 0 acl aci1 allow write userdn ldap self In this example the ACI states that the user bjensen has rights to modify all attributes in her own directory entry The following sections describe the syntax of each portion of the ACI in more detail Defining ...

Page 208: ...nt upon the keyword that you supply The following table lists each keyword and the associated expressions In all cases you must keep in mind that when you place an ACI on an entry if it is not a leaf entry the ACI also applies to all entries below it For example if you target the entry ou accounting dc example dc com the permissions you set will apply to all entries in the accounting branch of the...

Page 209: ...ant to deny access to a particular attribute use deny in the permissions clause rather than using allow with targetattr value For example usages such as these are recommended acl1 target targetattr a version 3 0 acl name deny acl2 target targetattr b version 3 0 acl name deny Targeting a Directory Entry To target a directory entry and the entries below it you must use the target keyword The target...

Page 210: ...ending with A Depending on the position of the wildcard it can apply to the full DN not only to attribute values Therefore the wildcard can be used as a substitute for portions of the DN For example uid andy dc example dc com targets all the directory entries in the entire example com tree with a matching uid attribute and not just the entries that are immediately below the dc example dc com node ...

Page 211: ...mplement an access control policy when you set up your directory service for the first time even if the ACLs you create do not apply to the current directory content To target attributes you use the targetattr keyword The keyword uses the following syntax targetattr attribute You can target multiple attributes by using the targetattr keyword with the following syntax targetattr attribute1 attribut...

Page 212: ...ntire Marketing subtree However you can also explicitly specify a target using the target keyword as follows aci target ldap ou Marketing dc example dc com targetattr uid access_control_rules The order in which you specify the target and the targetattr keywords is not important Targeting Entries or Attributes Using LDAP Filters You can use LDAP filters to target a group of entries that match certa...

Page 213: ...e s value meets the criteria defined in the ACI An ACI that grants or denies access based on an attribute s value is called a value based ACI For example you might grant all users in your organization permission to modify the nsRoleDN attribute in their own entry However you would also want to ensure that they do not give themselves certain key roles such as Top Level Administrator LDAP filters ar...

Page 214: ...onsider the following attribute filter targattrfilters add nsroleDN nsRoleDN cn superAdmin telephoneNumber telephoneNumber 123 This filter can be used to allow users to add any role nsRoleDN attribute to their own entry except the superAdmin role It also allows users to add a telephone number with a 123 prefix Targeting a Single Directory Entry Targeting a single directory entry is not straightfor...

Page 215: ...pecific operations in the directory The various operations that can be assigned are known as rights There are two parts to setting permissions Allowing or denying access Assigning rights Allowing or Denying Access You can either explicitly allow or deny access permissions to your directory tree For more guidelines on when to allow and when to deny access refer to the Red Hat Directory Server Deplo...

Page 216: ... This permission applies only to the compare operation Selfwrite Indicates whether users can add or delete their own DN from a group This right is used only for group management Proxy Indicates whether the specified DN can access the target with the rights of another entry For an overview of proxy access refer to the Red Hat Directory Server Deployment Guide All Indicates that the specified DN has...

Page 217: ... Grant write permission on the value of each attribute type This right is granted by default but could be restricted using the targattrfilters keyword Modifying the RDN of an entry Grant write permission on the entry NOTE The proxy mechanism is very powerful and must be used sparingly Proxy rights are granted within the scope of the ACL and there is no way to restrict who an entry that has the pro...

Page 218: ...n example Consider the following ldapsearch operation ldapsearch h host s base b uid bjensen dc example dc com objectclass mail The following ACI is used to determine whether user bkolics can be granted access aci targetattr mail version 3 0 acl self access to mail allow read search userdn ldap self The search result list is empty because this ACI does not grant access to the objectclass attribute...

Page 219: ... authenticating yourself to the directory by providing a bind DN and password or if using SSL a certificate The credentials provided in the bind operation and the circumstances of the bind determine whether access to the directory is allowed or denied Every permission set in an ACI has a corresponding bind rule that details the required credentials and bind parameters Bind rules can be simple For ...

Page 220: ...d not equal indicates that keyword and expression must not match in order for the bind rule to be true The quotation marks around expression and the delimiting semicolon are required The expressions you can use depend on the associated keyword The following table lists each keyword and the associated expressions It also indicates whether wildcard characters are allowed in the expression NOTE The t...

Page 221: ...xpressions anyone all self or parent userdn ldap anyone defines anonymous access userdn ldap all defines general access userdn ldap self defines self access userdn ldap parent defines access for the parent entry The userdn keyword can also be expressed as an LDAP filter of the form userattr attribute bindType or attribute value no ip IP_address yes dns DNS_host_name yes dayofweek sun mon tue wed t...

Page 222: ...sers This allows general access while preventing anonymous access From the Server Console you define general access on the Access Control Editor For more information see Creating ACIs from the Console on page 237 Self Access self Keyword Specifies that users are granted or denied access to their own entries In this case access is granted or denied if the bind DN matches the DN of the targeted entr...

Page 223: ...Editor For more information see Creating ACIs from the Console on page 237 Examples This section contains examples of the userdn syntax Userdn keyword containing an LDAP URL userdn ldap uid dc example dc com The bind rule is evaluated to be true if the user binds to the directory using any distinguished name of the specified pattern For example both of the following bind DNs would be evaluated to ...

Page 224: ...s in the example com tree write access to their userPassword attribute you would create the following ACI on the dc example dc com node aci targetattr userPassword version 3 0 acl write self allow write userdn ldap self Userdn keyword containing the all keyword userdn ldap all The bind rule is evaluated to be true for any valid bind DN To be true a valid distinguished name and password must have b...

Page 225: ...g or sales subtree Defining Group Access groupdn Keyword Members of a specific group can access a targeted resource This is known as group access Group access is defined using the groupdn keyword to specify that access to a targeted entry will be granted or denied if the user binds using a DN that belongs to a specific group The groupdn keyword requires one or more valid distinguished names in the...

Page 226: ...to either the Administrators or the Mail Administrators group Defining Role Access roledn Keyword Members of a specific role can access a targeted resource This is known as role access Role access is defined using the roledn keyword to specify that access to a targeted entry will be granted or denied if the user binds using a DN that belongs to a specific role The roledn keyword requires one or mo...

Page 227: ...which attribute values must match between the entry used to bind and the targeted entry You can specify A user DN A group DN A role DN An LDAP filter in an LDAP URL Any attribute type The LDIF syntax of the userattr keyword is as follows userattr attrName bindType or if you are using an attribute type that requires a value other than a user DN group DN role DN or an LDAP filter userattr attrName a...

Page 228: ...ed entry For example you can use this mechanism to allow a group to manage employees status information You can use an attribute other than owner as long as the attribute you use contains the DN of a group entry The group you point to can be a dynamic group and the DN of the group can be under any suffix in the database However the evaluation of this type of ACI by the server is very resource inte...

Page 229: ... quickly than the previous example Example with LDAPURL Bind Type The following is an example of the userattr keyword associated with a bind based on an LDAP filter userattr myfilter LDAPURL The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter attribute of the targeted entry The myfilter attribute can be replaced by any attribute that contains an LDAP f...

Page 230: ...r an LDAP filter userattr parent inheritance_level attrName attrValue where inheritance_level is a comma separated list that indicates how many levels below the target will inherit the ACI You can include five levels 0 1 2 3 4 below the targeted entry zero 0 indicates the targeted entry attribute is the attribute targeted by the userattr or groupattr keyword bindType can be one of USERDN GROUPDN o...

Page 231: ...ion 3 0 acl profiles access allow read search userattr owner USERDN Granting Add Permission Using the userattr Keyword If you use the userattr keyword in conjunction with all or add permissions you might find that the behavior of the server is not what you expect Typically when a new entry is created in the directory Directory Server evaluates access rights on the entry being created and not on th...

Page 232: ...f You can however use the parent keyword to grant add rights below existing entries You must specify the number of levels below the parent for add rights For example the following ACI allows child entries to be added to any entry in the dc example dc com that has a manager attribute that matches the bind DN aci target ldap dc example dc com targetattr version 3 0 acl parent access allow add userat...

Page 233: ...main The LDIF syntax for setting a bind rule based on the DNS hostname is dns DNS_Hostname or dns DNS_Hostname The dns keyword requires a fully qualified DNS domain name Granting access to a host without specifying the domain creates a potential security threat For example the following expression is allowed but not recommended dns legend eng You should use a fully qualified name such as dns legen...

Page 234: ... to not equal to greater than greater than or equal to less than or less than or equal to The timeofday keyword requires a time of day expressed in hours and minutes in the 24 hour clock 0 to 2359 The LDIF syntax for setting a bind rule based on the day in the week is as follows dayofweek day1 day2 The possible values for the dayofweek keyword are the English three letter abbreviations for the day...

Page 235: ... to the directory using a specific authentication method The authentication methods available are None Authentication is not required This is the default It represents anonymous access Simple The client must provide a user name and password to bind to the directory SSL The client must bind to the directory over a Secure Sockets Layer SSL or Transport Layer Security TLS connection In the case of SS...

Page 236: ...a certificate over LDAPS This is not evaluated to be true if the client authenticates using simple authentication bind DN and password over LDAPS authmethod sasl DIGEST MD5 The bind rule is evaluated to be true if the client is accessing the directory using the SASL DIGEST MD5 mechanism The other supported SASL mechanisms are EXTERNAL and GSS API Using Boolean Bind Rules Bind rules can be complex ...

Page 237: ...d rules bind_rule_A OR bind_rule_B bind_rule_B OR bind_rule_A Because Boolean expressions are evaluated from left to right in the first case bind rule A is evaluated before bind rule B and in the second case bind rule B is evaluated before bind rule A However the Boolean NOT is evaluated before the Boolean OR and Boolean AND Thus in the following example bind_rule_A AND NOT bind_rule_B bind rule B...

Page 238: ...hat contain Boolean bind rules see Using Boolean Bind Rules on page 236 Generally create ACIs that use the following keywords roledn userattr authmethod Displaying the Access Control Editor 1 Start the Directory Server Console Log in using the bind DN and password of a privileged user such as the Directory Manager who has write access to the ACIs configured for the directory For instructions refer...

Page 239: ...le Chapter 6 Managing Access Control 239 Figure 6 2 Selecting an Object in the Navigation Tree to Set Access Control 4 Click New The Access Control Editor is displayed as shown in Figure 6 3 Figure 6 3 Access Control Editor Window ...

Page 240: ...ss Control Editor This task is explained in Displaying the Access Control Editor on page 238 If the view displayed is different from Figure 6 3 on page 239 click the Edit Visually button 2 Name the ACI by typing a name in the ACI Name text box The name can be any string you want to use to identify uniquely the ACI If you do not enter a name the server uses unnamed ACI 3 In the Users Groups tab sel...

Page 241: ...ibutes by selecting the attributes you want to target in the attribute list 6 Click the Hosts tab then the Add button to display the Add Host Filter dialog box You can specify a hostname or an IP address If you specify an IP address you can use the wildcard character 7 Click the Times tab to display the table showing at what times access is allowed By default access is allowed at all times You can...

Page 242: ...Control Editor 4 When you have finished editing the ACI click OK The ACI Editor is dismissed and the modified ACI is listed in the ACI Manager Deleting an ACI To delete an ACI 1 In the Directory tab right click the top entry in the subtree and choose Set Access Permissions from the pop up menu The Access Control Manager window is displayed It contains the list of ACIs belonging to the entry 2 In t...

Page 243: ...ffix on page 251 Grant all example com employees the right to create group entries under the Social Committee branch of the directory and to delete group entries that they own see Granting Rights to Add and Delete Group Entries on page 252 Grant all example com employees the right to add themselves to group entries under the Social Committee branch of the directory see Allowing Users to Add or Rem...

Page 244: ...us Example allow read search compare userdn ldap anyone and dns example com This example assumes that the aci is added to the dc example dc com entry The userPassword attribute is excluded from the scope of the ACI From the Console you can set this permission by doing the following 1 In the Directory tab right click the example com node in the left navigation tree and choose Set Access Permissions...

Page 245: ...criber attribute which is set to yes or no The target definition filters out the unlisted subscribers based on the value of this attribute For details on the filter definition refer to Setting a Target Using Filtering on page 260 From the Console you can set this permission by doing the following 1 In the Directory tab right click the Subscribers entry under the example com node in the left naviga...

Page 246: ...to change their own password home telephone number and home address but nothing else This is illustrated in the ACI Write example com example It is also example com s policy to let their subscribers update their own personal information in the example com tree provided that they establish an SSL connection to the directory This is illustrated in the ACI Write Subscribers example ACI Write example ...

Page 247: ...x 4 In the Rights tab select the checkbox for write right Make sure the other checkboxes are clear 5 In the Targets tab click This Entry to display the dc example dc com suffix in the target directory entry field In the attribute table tick the checkboxes for the homePhone homePostalAddress and userPassword attributes All other checkboxes should be clear This task is made easier if you click the C...

Page 248: ...ribers entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 In the Users Groups tab in the ACI name field type Write Subscribers In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Us...

Page 249: ...s You can use role definitions in the directory to identify functions that are critical to your business the administration of your network and directory or another purpose For example you might create a superAdmin role by identifying a subset of your system administrators that are available at a particular time of day and day of the week at corporate sites worldwide Or you might want to create a ...

Page 250: ...nager 2 Click New to display the Access Control Editor 3 In the Users Groups tab in the ACI name field type Roles In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area in the Add Users and Groups dialog box to to Special Rights and select Self from the Search results list c...

Page 251: ...ccess to all or part of the directory By applying the access rights to the group you can avoid setting the access rights for each member individually Instead you grant users these access rights simply by adding them to the group For example when you install the Directory Server using the Typical Install process an Administrators group with full access to the directory is created by default At exam...

Page 252: ...of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 In the Rights tab click the Check All button All checkboxes are ticked except for Proxy rights 5 Click OK The new ACI is added to the ones listed in the Access Control Manager window Granting Rights to Add and Delete Group Entries Some organizations want to allow employees to create entries in th...

Page 253: ...t Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 In the Users Groups tab in the ACI name field type Create Group In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area to Special Rights and sel...

Page 254: ...ap ou social committee dc example dc com version 3 0 acl Create Group allow read search add userdn ldap all and dns example com 8 Click OK The new ACI is added to the ones listed in the Access Control Manager window ACI Delete Group In LDIF to grant example com employees the right to modify or delete a group entry which they own under the ou Social Comittee branch you would write the following sta...

Page 255: ...itions are fulfilled Connection authenticated using SSL Access requested between 8 a m and 6 p m Monday through Thursday and Access requested from a specified IP address for each company These conditions are illustrated in a single ACI for each company ACI HostedCompany1 and ACI HostedCompany2 Because the content of these ACIs is the same the examples below illustrate the HostedCompany1 ACI only A...

Page 256: ...dministrators role with a cn of DirectoryAdmin c Click the Add button to list the administrators role in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 In the Rights tab click the Check All button 5 In the Targets tab click This Entry to display the ou HostedCompany1 ou corporate clients dc example dc com suffix in the target directo...

Page 257: ... window Denying Access If your directory holds business critical information you might specifically want to deny access to it For example example com wants all subscribers to be able to read billing information such as connection time or account balance under their own entries but explicitly wants to deny write access to that information This is illustrated in ACI Billing Info Read and ACI Billing...

Page 258: ...dialog box 4 In the Rights tab tick the checkboxes for search and read rights Make sure the other checkboxes are clear 5 In the Targets tab click This Entry to display the ou subscribers dc example dc com suffix in the target directory entry field In the attribute table tick the checkboxes for the connectionTime and accountBalance attributes All other checkboxes should be clear This task is made e...

Page 259: ...s and select Self from the Search results list c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 In the Rights tab tick the checkbox for write Make sure the other checkboxes are clear 5 Click the Edit Manually button and in the LDIF statement that is displayed change the word allow to deny 6 In the...

Page 260: ...ion Before you can set these permissions you must create the accounting branch point ou accounting dc example dc com You can create organizational unit branch points using the directory tab on the Directory Server Console Allowing Users to Add or Remove Themselves from a Group Many directories set ACIs that allow users to add or remove themselves from groups This is useful for example for allowing...

Page 261: ...st of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 In the Rights tab tick the checkbox for selfwrite Make sure the other checkboxes are clear 5 In the Targets tab type dc example dc com suffix in the target directory entry field In the attribute table tick the checkbox for the member attribute All other checkboxes should be clear This task is ...

Page 262: ...on to gain access to the Accounting subtree using the same access permissions as the Accounting Administrator The Accounting Administrator must have access permissions to the ou Accounting dc example dc com subtree For example the following ACI grants all rights to the Accounting Administrator entry aci target ldap ou Accounting dc example dc com targetattr version 3 0 acl allowAll AcctAdmin allow...

Page 263: ...guration Command and File Reference for information on using the ldapsearch utility From the Console you can view all of the ACIs that apply to a particular entry through the Access Control Manager 1 In the Directory Console on the Directory tab right click the entry in the navigation tree and select Set Access Permissions The Access Control Manager is displayed It contains a list of the ACIs belo...

Page 264: ...d attributes like manager and salary but only HR Group members have the rights to modify or delete them A user can run the get effective rights command to see what attributes he can view or modify on his personal entry For instance a user should have access to attributes such as homePostalAddress and cn but may only have read access to manager and salary An ldapsearch run with the J tool will retu...

Page 265: ... Table 6 4 summarize the permissions that can be set on entries and on attributes that are retrieved by the get effective rights operation Using Get Effective Rights from the Command Line To retrieve the effective rights with ldapsearch you must pass the control information with the ldapsearch utility s J option as follows ldapsearch p port h host D bindDN w bindPassword b user J control OID boole...

Page 266: ...l entry as shown below Along with returning the effective rights information the ldapsearch returns the regular entry information ldapsearch p 389 h localhost D uid tmorris ou people dc example dc com w password b uid tmorris ou people dc example dc com J 1 3 6 1 4 1 42 2 27 9 5 2 true dn uid tmorris ou people dc example dc com objectClass version 1 dn uid tmorris ou People dc example dc com given...

Page 267: ...example dc com roomNumber 4117 mail tmorris example com facsimileTelephoneNumber 1 408 555 5409 objectClass top objectClass person objectClass organizationalPerson objectClass inetOrgPerson uid tmorris cn Ted Morris userPassword SSHA bz0uCmHZM5b357zwrCUCJs1IOHtMD6yqPyhxBA entryLevelRights vadn attributeLevelRights givenName rscwo sn rscwo ou rscwo l rscwo manager rscwo roomNumber rscwo mail rscwo ...

Page 268: ...givenName rsc sn rsc ou rsc l rsc manager rsc roomNumber rsc mail rsc facsimileTelephoneNumber rsc objectClass rsc uid rsc cn rsc userPassword none This means that Sam Carter has the right to view the DN of the entry and to read search and compare the ou givenName l and other attributes and no rights to the userPassword attribute Using Get Effective Rights from the Console To view effective rights...

Page 269: ...tory tree structures it is possible to optimize the number of ACIs used in the directory by using macros Reducing the number of ACIs in your directory tree makes it easier to manage your access control policy and improves the efficiency of ACI memory usage Table 6 5 Returned Result Codes Code Description 0 Successfully completed 1 Operation error 12 The critical extension is unavailable If the cri...

Page 270: ...igure 6 4 on page 271 shows a directory tree in which using macro ACIs is an effective way of reducing the overall number of ACIs This illustration uses repeating pattern of subdomains with the same tree structure ou groups ou people This pattern is also repeated across the tree because the example com directory tree stores the suffixes dc hostedCompany2 dc example dc com and dc hostedCompany3 dc ...

Page 271: ...xample Directory Tree for Macro ACIs The following ACI is located on the dc hostedCompany1 dc example dc com node aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com ...

Page 272: ... nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc subdomain1 dc hostedCompany2 dc example dc com In the four ACIs shown above the only differentiator is the DN specified in the groupdn keyword By using a macro for the DN it is possible to replace these ACIs by a single ACI at the root of the tree on the dc example dc com node This ACI reads ...

Page 273: ...s dn If you use dn in targetfilter userdn roledn groupdn userattr you must define a target that contains dn In short you when using any macro you always need a target definition that contains the dn macro You can combine the dn macro and the attr attrName macro Macro Matching for dn The dn macro is replaced by the matching part of the resource targeted in an LDAP request For example you have an LD...

Page 274: ...ver evaluates the ACI following the normal process to determine whether access is granted Macro Matching for dn The matching mechanism for dn is slightly different than for dn The DN of the targeted resource is examined several times each time dropping the left most RDN component until a match is found For example you have an LDAP request targeted at the cn all ou groups dc subdomain1 dc hostedCom...

Page 275: ...members of cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com to all of the subdomains under dc hostedCompany1 so an administrator belonging to that group could access for example the subtree ou people dc subdomain1 1 dc subdomain1 However at the same time members of cn DomainAdmins ou Groups dc subdomain1 1 would be denied access to the ou people dc hostedCompany1 and ou people dc host...

Page 276: ...performs a logical OR on the following expanded expressions roledn ldap cn DomainAdmins ou Engineering dc HostedCompany1 dc example dc com roledn ldap cn DomainAdmins ou People dc HostedCompany1 dc example dc com Access Control and Replication ACIs are stored as attributes of entries therefore if an entry containing ACIs is part of a replicated database the ACIs are replicated like any other attri...

Page 277: ... to Red Hat Directory Server Configuration Command and File Reference Compatibility with Earlier Releases Some ACI keywords that were used in earlier releases of Directory Server have been deprecated in release 6 1 and later However for reasons of backward compatibility they are still supported These keywords are userdnattr groupdnattr Therefore if you have set up a replication agreement between a...

Page 278: ...Compatibility with Earlier Releases 278 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 279: ... the directory and limiting system resources available to users depending upon their bind DNs This chapter contains the following sections Managing the Password Policy page 279 Inactivating Users and Roles page 296 Setting Resource Limits Based on the Bind DN page 299 Managing the Password Policy A password policy minimizes the risks of using passwords by enforcing the following Users must change ...

Page 280: ...y Server Deployment Guide Configuring the Password Policy Directory Server supports fine grained password policy enabling you to define a policy that can be applied to the entire directory global password policy a particular subtree subtree level or local password policy or a particular user user level or local password policy Essentially your password policy is comprised of the following informat...

Page 281: ...ct this checkbox only the Directory Manager is authorized to reset the users s password A regular administrative user cannot force the users to update their password 4 If you want to allow users to change their own passwords select the User may change password checkbox 5 If you want to prevent users from changing their password for a specific duration enter the number of days in the Allow changes ...

Page 282: ...es text enter the number of days before password expiration to send a warning 10 If you want the server to check the syntax of a user password to make sure it meets the minimum requirements set by the password policy select the Check Password Syntax checkbox Then specify the minimum acceptable password length in the Password Minimum Length text box 11 From the Password Encryption pull down menu se...

Page 283: ...checkbox to add the required attributes fill in the appropriate values and click Save e In the Account Lockout tab specify the appropriate information and click Save Configuring a Global Password Policy Using the Command Line This section describes the attributes you set to create a password policy for your entire server Use ldapmodify to change these attributes in the cn config entry Table 7 1 de...

Page 284: ...efault passwordExp When on this attribute indicates that the user s password will expire after an interval given by the passwordMaxAge attribute Making passwords expire helps protect your directory data because the longer a password is in use the more likely it is to be discovered This attribute is off by default passwordMaxAge This attribute indicates the number of seconds after which user passwo...

Page 285: ...ds A trivial word is any value stored in the uid cn sn givenName ou or mail attributes of the user s entry This attribute is off by default passwordMinLength This attribute specifies the minimum number of characters that must be used in passwords Shorter passwords are easier to crack You can require passwords that are 2 to 512 characters long Generally a length of 6 to 8 characters is long enough ...

Page 286: ...ry stores in the history You can store from 2 to 24 passwords in the history This feature is not enabled unless the passwordHistory attribute is set to on This attribute is set to 6 by default passwordStorageScheme This attribute specifies the type of encryption used to store Directory Server passwords The following encryption types are supported by Directory Server SSHA Salted Secure Hash Algorit...

Page 287: ...people dc example dc com the following entries are added A container entry nsPwPolicyContainer at the subtree level for holding various password policy related entries for the subtree and all its children For example dn cn nsPwPolicyContainer ou people dc example dc com objectClass top objectClass nsContainer cn nsPwPolicyContainer The actual password policy specification entry nsPwPolicyEntry for...

Page 288: ... example dc com cosAttribute pwdpolicysubentry default operational For a user for example uid jdoe ou people dc example dc com the following entries are added A container entry nsPwPolicyContainer at the parent level for holding various password policy related entries for the user and all its children For example dn cn nsPwPolicyContainer ou people dc example dc com objectClass top objectClass nsC...

Page 289: ...ample you can use the ldapmodify command to make these changes dn cn config changetype modify replace nsslapd pwpolicy local on nsslapd pwpolicy local off You can also disable the attribute by modifying it directly in the configuration file dse ldif To do this 1 Stop the server NOTE The nsslapd pwpolicy local attribute of the cn config entry controls the type of password policy the server enforces...

Page 290: ...on on how to use the Users and Groups area see the online help that is available in the Red Hat Administration Server For information on how to use the Gateway to create or modify directory entries see the online help that is available in the Gateway Password Change Extended Operation While most passwords can be changed through the Console and other Directory Server features or through the ldapmod...

Page 291: ...tion and providing separate credentials as follows ldappasswd H ldaps server example com 636 ZZ P K export servers alias key3 db D cn Directory Manager w rootpassword a oldpassword s newpassword uid jsmith ou People dc example dc com Access control is enforced for the password change operation If the bindDN does not have rights to change the specified password the operation will fail with an Insuf...

Page 292: ...ode 2 In the right pane select the Account Lockout tab 3 To enable account lockout select the Accounts may be locked out checkbox 4 Enter the maximum number of allowed bind failures in the Lockout account after X login failures text box The server locks out users who exceed the limit you specify here 5 Enter the number of minutes you want the server to wait before resetting the bind failure counte...

Page 293: ...icates the time in seconds that users will be locked out of the directory You can also specify that a user is locked out until the password is reset by an administrator using the passwordUnlock attribute By default the user is locked out for 3600 seconds passwordResetFailureCount This attribute specifies the time in seconds after which the password failure counter will be reset Each time an invali...

Page 294: ...Warnings from the server of an impending password expiration will be issued by all replicas This information is kept locally on each server so if a user binds to several replicas in turn they will be issued the same warning several times In addition if the user changes the password it may take time for this information to filter to the replicas If a user changes a password and then immediately reb...

Page 295: ... Password Sync utility must be installed locally on the Windows machine that will be synchronized with a Directory Server Password Sync can only link the Windows machine to a single Directory Server to sync changes with multiple Directory Server configure the Directory Server for multi master replication Password expiration warnings and times failed bind attempts and other password related informa...

Page 296: ...f this section describes the following procedures Inactivating User and Roles Using the Console Inactivating User and Roles Using the Command Line Activating User and Roles Using the Console Activating User and Roles Using the Command Line Inactivating User and Roles Using the Console The following procedure describes inactivating a user or a role using the Console 1 In the Directory Server Consol...

Page 297: ...s inactivate pl script to inactivate Joe Frasier s user account ns inactivate pl D Directory Manager w secretpwd p 389 h example com I uid jfrasier ou people dc example dc com The following table describes the ns inactivate pl options used in the example For more information about running the ns inactivate pl script refer to Red Hat Directory Server Configuration Command and File Reference Activat...

Page 298: ...ivation State from the View menu The icon of the role or user in the right pane of the Console appears as normal The red slash through the icon indicating it was inactive disappears Activating User and Roles Using the Command Line To activate a user account use the ns activate pl script The following example describes using the ns activate pl script to activate Joe Frasier s user account ns activa...

Page 299: ...the connection is dropped The resource limits you set for the client application take precedence over the default resource limits you set for in the global server configuration This section gives procedures for the following Setting Resource Limits Using the Console Setting Resource Limits Using the Command Line Setting Resource Limits Using the Console The following procedure describes setting re...

Page 300: ...to Babs Jensen s entry and gives it a search return size limit of 500 entries Attribute Description nsLookThroughLimit Specifies how many entries examined for a search operation Specified as a number of entries Giving this attribute a value of 1 indicates that there is no limit nsSizeLimit Specifies the maximum number of entries the server returns to a client application in response to a search op...

Page 301: ...er includes the following topics Replication Overview page 302 Replication Scenarios page 306 Handling Complex Replication Configurations page 312 Configuring Single Master Replication page 320 Configuring Multi Master Replication page 324 Configuring Cascading Replication page 337 Making a Replica Updatable page 343 Deleting the Changelog page 343 Initializing Consumers page 345 Forcing Replicati...

Page 302: ... Servers using replication This section contains information on the following replication concepts Read Write Replica Read Only Replica Supplier Consumer Changelog Unit of Replication Replication Identity Replication Agreement Compatibility with Earlier Versions of Directory Server Read Write Replica Read Only Replica A database that participates in replication is defined as a replica There are tw...

Page 303: ...pplier server never by the consumer This operation is called supplier initiated replication It allows you to configure a supplier server to push data to one or more consumer servers Earlier versions of the Directory Server allowed consumer initiated replication where you could configure consumer servers to pull data from a supplier server Changelog Every supplier server maintains a changelog A cha...

Page 304: ...tocol exchanges The Replication Manager entry or any entry you create to fulfill that role must meet the following criteria It is created on the consumer server or hub supplier and not on the supplier server You must create this entry on every server that receives updates from another server meaning on every hub supplier or dedicated consumer When you configure a replica that receives updates from...

Page 305: ...actional replication refer to the Red Hat Directory Server Deployment Guide Compatibility with Earlier Versions of Directory Server The replication mechanism in current versions of Directory Server is different from the mechanism used in earlier versions 4 x of Directory Server Compatibility is provided through the following Legacy Replication Plug in The Legacy Replication Plug in makes Directory...

Page 306: ...d write replica on one server called the supplier server The supplier server also maintains changelog for this replica On another server called the consumer server you have as many read only replicas as you like Such scenarios are called single master configurations Figure 8 1 shows an example of single master replication NOTE Whatever replication scenario you choose to implement remember to consi...

Page 307: ...replicated to two read only replicas located on Server B and Server C For information on setting up a single master replication environment refer to Configuring Single Master Replication on page 320 Multi Master Replication Directory Server also supports complex replication scenarios in which the same suffix database can be mastered on many servers This suffix is held in a read write replica on ea...

Page 308: ...nsumers receive Such scenarios are called multi master configurations Figure 8 2 shows an example of multi master replication scenario with two supplier servers and two consumer servers Figure 8 2 Multi Master Replication Two Suppliers Figure 8 3 shows a sample of multi master replication scenario with four supplier servers and eight consumer servers In this sample setup each supplier server is co...

Page 309: ...ter 8 Managing Replication 309 Multi master configurations have the following advantages Automatic write failover when one supplier is inaccessible Updates are made on a local supplier in a geographically distributed environment ...

Page 310: ... changelog It receives updates from the supplier server that holds the master copy of the data and in turn supplies those updates to the consumer Cascading replication is very useful when you need to balance heavy traffic loads or have supplier servers based locally in geographically distributed environments Figure 8 4 shows an example of cascading replication This example shows a simple cascading...

Page 311: ...up cascading replication refer to Configuring Cascading Replication on page 337 NOTE You can combine multi master and cascading replication For example in the multi master scenario illustrated in Figure 8 2 on page 308 Server C and Server D could be hub suppliers that would replicate to any number of consumer servers ...

Page 312: ... supplier bind DN entry Specify the supplier settings for replication includes changelog configuration Specify the replica settings for a read only replica 3 On all suppliers Create the replica databases Specify the supplier settings for replication includes changelog configuration Specify the replica settings for a read write replica 4 Configure replication agreements on all suppliers Between sup...

Page 313: ...riteria It must be unique It must be created on the consumer server or hub supplier and not on the supplier server It must correspond to an actual entry on the consumer server It must be created on every server that receives updates from another server It must not be part of the replicated database for security reasons It must be defined in the replication agreement on the supplier server For exam...

Page 314: ... must remember to disable it to prevent replication from failing due to passwords expiring To disable the password expiration policy on the userPassword attribute add the passwordExpirationTime attribute with a value of 20380119031407Z which means that the password will never expire 5 The final entry should resemble this example dn cn replication manager cn config objectClass inetorgperson objectC...

Page 315: ...lect the Configuration tab For information on starting the Directory Server Console see Using the Directory Server Console on page 34 2 In the left navigation tree highlight the Replication node 3 In the right pane select the Supplier Settings tab 4 Check the Enable Changelog checkbox This activates all of the fields in the pane below that were previously grayed out 5 Specify a changelog by clicki...

Page 316: ...cify an ID that is different from the IDs used for read write replicas on this server and on other servers 6 In the Common Settings section specify a purge delay in the Purge delay field This option indicates how often the state information stored in the replicated entries is purged 7 Click Save to save the replication settings for the database Configuring a Read Only Replica For each read only re...

Page 317: ...pecify any supplier servers to which you want to refer updates By default all updates are first referred to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replication agreement that includes the current replica Automatic referrals assume that clients will bind over a regular connection and therefore are of the form ldap hostn...

Page 318: ...to which you want to refer updates By default all updates are first referred to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replication agreement that includes the current replica You can choose either to add the supplier servers that you specify to the automatically generated list or to use the supplier servers that you s...

Page 319: ...pplier2 4 way MMR 4 On the next screen fill in the consumer hostname and port Unless you have more than one instance of Directory Server configured by default there are no consumers available in the drop down menu Also select the bind method for replication If you have enabled SSL on your servers you may select Using encrypted SSL connection radio button and use SSL client authentication Otherwise...

Page 320: ...splayed under the database icon This replication agreement icon indicates that your replication agreement is set up Configuring Single Master Replication This section provides information on configuring single master replication The steps described in this section provide a high level overview of the procedure you need to follow Cross references to the detailed task descriptions are provided at ea...

Page 321: ...not exist This is the special entry that the supplier will use to bind to the consumer a In the Directory Server Console select the Directory tab and create an entry For example you could use cn Replication Manager cn config b Specify a userPassword attribute value pair c If you have enabled the password expiration policy or intend to do so in future you must remember to disable it to prevent repl...

Page 322: ...e Enter a new Supplier DN field and click Add You supplier bind DN will appear in the Current Supplier DNs list Repeat the operation for every supplier bind DN you want to include in the list g Specify any supplier servers to which you want to refer updates By default all updates are first referred to the supplier servers that you specify here If you specify none updates are referred to the suppli...

Page 323: ...guration tab expand the Replication node and highlight the database to replicate The Replica Settings tab is displayed in the right hand side of the window b Check the Enable Replica checkbox c In the Replica Role section select the Single Master radio button d In the Common Settings section specify a Replica ID an integer between 1 and 254 inclusive The replica ID must be unique for a given suffi...

Page 324: ...om the Replication Agreement Wizard or at anytime afterwards For information on initializing read only replicas refer to Initializing Consumers on page 345 When you have finished the replication agreement is set up Configuring Multi Master Replication This section provides information on configuring multi master replication In a multi master configuration many suppliers can accept updates synchron...

Page 325: ...if it does not exist For instructions refer to Creating Suffixes on page 80 2 Create the entry corresponding to the supplier bind DN if it does not exist a In the Directory Server Console select the Directory tab b Create an entry For example you could use cn Replication Manager cn config c Specify a userPassword attribute value pair d If you have enabled the password expiration policy or intend t...

Page 326: ... DNs per replica but only one supplier DN per replication agreement To specify your supplier bind DN enter your supplier bind DN in the Enter a new Supplier DN field and click Add You supplier bind DN will appear in the Current Supplier DNs list Repeat the operation for every supplier bind DN you want to include in the list g Specify any supplier servers to which you want to refer updates By defau...

Page 327: ...he Browse button to display a file selector f Set the changelog parameters number and age You must clear the unlimited checkboxes if you want to specify different values g Click Save to save the supplier settings 2 Create the entry corresponding to the supplier bind DN if it does not exist For multi master replication it is necessary to create this supplier bind DN on the supplier servers as well ...

Page 328: ... Common Settings section specify a Replica ID The replica ID must be an integer between 1 and 254 both inclusive and must be unique for a given suffix Make sure you specify an ID that is different from the IDs used for read write replicas on this server and on other servers f In the Common Settings section specify a purge delay in the Purge delay field This option indicates how often the state inf...

Page 329: ... on the order and procedure for initializing read only replicas refer to Initializing the Replicas for Multi Master Replication on page 330 and Initializing Consumers on page 345 When you have finished the replication agreement is set up 5 On Server B set up the following replication agreements One with supplier Server A where Server A is declared as a consumer for the replica During this operatio...

Page 330: ...er M1 through server M4 that each hold a read write replica and eight consumer servers Server C1 through Server C8 that each hold a read only replica you need to perform the following procedures Configuring the Read Only Replicas on the Consumer Servers Configuring the Read Write Replicas on the Supplier Servers Initializing the Replicas for Multi Master Replication Configuring the Read Only Repli...

Page 331: ...dExpirationTime attribute with a value of 20380119031407Z which means that the password will never expire 3 Specify the replication settings required for a read only replica a In the Directory Server Console select the Configuration tab b In the navigation tree expand the Replication folder and select the replica database The Replica Settings tab is displayed on the right pane c Check the Enable R...

Page 332: ...updates are referred to the supplier servers that have a replication agreement that includes the current replica Automatic referrals assume that clients will perform a simple bind and therefore are of the form ldap hostname port If you want clients to bind to the supplier using SSL you can use this field to specify a referral of the form ldaps hostname port where the s in ldaps indicates secure co...

Page 333: ...fy a userPassword attribute value pair d If you have enabled the password expiration policy or intend to do so in the future disable it to prevent replication from failing due to expiration of passwords To disable the password expiration policy on the userPassword attribute add the passwordExpirationTime attribute with a value of 20380119031407Z which means that the password will never expire 3 Sp...

Page 334: ...the multi master set Only specify the URL for the supplier server If you want clients to bind using SSL you must specify a URL beginning with ldaps h Click Save to save the replication settings for the database 4 Set up replication agreements on all the supplier servers On server M1 set up the following replication agreements one with supplier server M2 where server M2 is configured as a consumer ...

Page 335: ...eplicas the necessary replication agreements and the servers holding the read only replicas you are ready to initialize replication You can perform this task when you create the replication agreements on the supplier servers or at any time afterwards For information on the order and procedure for initializing read only replicas refer to Initializing the Replicas for Multi Master Replication on pag...

Page 336: ...ding changes to send it will immediately attempt to reacquire the consumer and will most likely succeed since the other suppliers usually will be sleeping This can cause a single supplier to monopolize a consumer for several hours or longer Two attributes address this issue nsds5ReplicaBusyWaitTime Amount of time in seconds a supplier should wait after a consumer sends back a busy response before ...

Page 337: ...ved to the configuration file From an external viewpoint the attribute value appears as originally set Replica busy errors are no longer logged by default because they are usually benign If you want to see them turn on the replication error log level Configuring Cascading Replication This section provides information on setting up cascading replication The steps described in this section provide a...

Page 338: ...corresponding to the supplier bind DN if it does not exist This is the special entry that the supplier will use to bind 3 On the consumer server specify the replication settings for the read only replica a In the Directory Server Console select the Configuration tab b In the navigation tree expand the Replication folder and highlight the replica database The Replica Settings tab is displayed on th...

Page 339: ...d to the supplier servers that have a replication agreement that includes the current replica In the case of cascading replication referrals are automatically sent to the hub supplier which in turn refers the request to the original supplier Therefore you should set a referral to the original supplier to replace the automatically generated referral 4 On the supplier server set up the replication a...

Page 340: ...onding to the supplier bind DN if it does not exist a In the Directory Server Console select the Directory tab b Create an entry For example you could use cn Replication Manager cn config c Specify a userPassword attribute value pair d If you have enabled the password expiration policy or intend to do so in the future disable it to prevent replication from failing due to expiration of passwords To...

Page 341: ...d and click Add Your supplier bind DN will appear in the Current Supplier DNs list Repeat the operation for every supplier bind DN you want to include in the list g Specify any supplier servers to which you want to refer updates By default all updates are first referred to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replic...

Page 342: ...he navigation tree of the Configuration tab expand the Replication node and then highlight the database to replicate The Replica Settings tab is displayed in the right hand side of the window b Check the Enable Replica checkbox c In the Replica Role section select the Single Master radio button d In the Common Settings section specify a Replica ID The replica ID must be an integer between 1 and 25...

Page 343: ...pane enable changelog 5 Select the suffix and in the Replica Settings tab change Replica Role to Single Master and assign a unique replica ID 6 Save your changes and restart the server Deleting the Changelog The changelog is a record of all modifications on a given replica that the supplier uses to replay these modifications to replicas on consumer servers or suppliers in the case of multi master ...

Page 344: ...ory Server 6 Reinitialize your consumers See Initializing Consumers on page 345 for information Moving the Changelog to a New Location To delete the changelog while the server is still running and continuing to log changes you simply move the changelog to a new location By moving the changelog a new changelog is created in the directory you specify and the old changelog is deleted If you change th...

Page 345: ...y placed on the consumer the supplier server can begin replaying update operations to the consumer server Under normal operations the consumer should not ever have to be initialized again However if the data on the supplier server is restored from backup for any reason then you should reinitialize all of the consumers supplied by it You can either initialize the consumer online using the Console o...

Page 346: ...base Right click the replication agreement and choose Initialize Consumer from the pop up menu A message is displayed to warn you that any information already stored in the replica on the consumer will be removed 4 Click Yes in the confirmation box Online consumer initialization begins immediately You can check the status of the online consumer initialization on the Summary tab in the Status box I...

Page 347: ...initialize a server manually 1 Create a replication agreement See Creating a Replication Agreement on page 318 2 Export the replica on the supplier server to an LDIF file See Exporting a Replica to LDIF on page 347 3 Import the LDIF file with the supplier replica contents to the consumer server See Importing the LDIF File to the Consumer Server on page 348 for instructions Exporting a Replica to L...

Page 348: ...s especially useful in replication over wide area networks or over networks with slow or unstable connections Instead of sending entries via LDAP to replica servers filesystem replica initialization populates the new database on the destination server by backing up the supplier database on one server and restoring that database on the destination server Since this is done by transferring the files...

Page 349: ...should resume immediately after running the restore script 4 At the command prompt change to the following directory on the source Directory Server cd serverRoot slapd serverID 5 Stop the source Directory Server if it is running by typing the following stop slapd 6 From the command line run the db2bak utility and archive your current directory installation You can also create a new backup by hitti...

Page 350: ...ular maintenance when it comes back online you need to ensure that it gets updated through replication immediately In the case of a supplier in a multi master environment the directory information needs to be updated by the other supplier in the multi master set In other cases when a hub supplier or a dedicated consumer is taken offline for maintenance when they come back online they need to be up...

Page 351: ...e click the Configuration tab expand the Replication folder and the database nodes until you select the replication agreement corresponding to the replica that you must update 2 Right click the replication agreement and choose Send Updates Now from the drop down list This initiates replication toward the server that holds the information that needs to be updated Forcing Replication Updates from th...

Page 352: ...nsumer_hostname MY_PORT consumer_portnumber ldapsearch 1 T h SUP_HOST p SUP_PORT D SUP_MGRDN w SUP_MGRPW b cn mapping tree cn config objectclass nsds5replicationagreement nsDS5ReplicaHost MY _HOST nsDS5ReplicaPort MY_PORT dn nsds5ReplicaUpdateSchedule tmp cat tmp awk BEGIN s 0 dn print 0 print changetype modify print replace nsds5ReplicaUpdateSchedule print nsds5ReplicaUpdateSchedule 0000 2359 012...

Page 353: ... SUP_MGRPW f tmp ldif Table 8 1 Replicate_Now Variables Variable Definition supplier_hostname Hostname of the supplier to contact for information on replication agreements with the current consumer supplier_portnumber LDAP port in use on the supplier supplier_directoryManager DN of the privileged Directory Manager user on the supplier supplier_directoryManager_password Password of the privileged D...

Page 354: ...cation rather than simple authentication These procedures are described in chapter 11 Managing SSL and SASL When your servers are configured to use SSL you can ensure replication operations occur over SSL connections by using the Replication Agreement Wizard which enables you to set up a replication agreement between two Directory Servers Keep in mind that once you create a replication agreement y...

Page 355: ...r and consumer servers will use a bind DN and password to authenticate to each other You must specify this information in the text fields provided When you specify this option simple authentication takes place over a secure channel but without certificates 6 Click Next and proceed with the replication setup Replication with Earlier Releases This section provides information on how to optimize repl...

Page 356: ...onsole Using the Directory Server Console on page 34 2 In the Configuration tab select the Replication node and click the Legacy Consumer Settings tab in the right pane 3 Check the Enable Legacy Consumer checkbox This activates the fields in the Authentication box 4 Specify the Supplier DN that the legacy supplier server will use to bind Optionally you can specify a password The password must cont...

Page 357: ... style changelog To use the retro changelog plug in Directory Server must be configured as a supplier server in a single master replication scenario When you have configured Directory Server to maintain a retro changelog this changelog is stored in a separate database under a special suffix cn changelog The retro changelog consists of a single level of entries Each entry in the changelog has the o...

Page 358: ... config cn Retro Changelog Plugin changetype modify replace nsslapd pluginenabled nsslapd pluginenabled on targetDN This attribute contains the DN of the entry that was affected by the LDAP operation In the case of a modrdn operation the targetDN attribute contains the DN of the entry before it was modified or moved changeType Specifies the type of LDAP operation This attribute can have one of the...

Page 359: ... entries in the changelog can be automatically removed after a specified period of time To configure the period of time after which entries are automatically deleted from the changelog you must set the nsslapd changelogmaxage configuration attribute in the cn Retro Changelog Plugin cn plugins cn config entry The nsslapd changelogmaxage attribute is a single valued attribute Its syntax is as follow...

Page 360: ...e and delete access are not granted except implicitly to the Directory Manager You should not grant read access to anonymous users because the changelog entries can contain modifications to sensitive information such as passwords Only authenticated applications and users should be allowed to access this information To modify the default access control policy which applies to the retro changelog yo...

Page 361: ...er Description Agreement Contains the name you provided when you set up the replication agreement Replica suffix Contains the suffix that is replicated Supplier Specifies the supplier server in the agreement Consumer Specifies the consumer server in the agreement Number of changes Indicates the number of changes sent to this replica since the server started Last replica update began Indicates when...

Page 362: ...f hex strings in the MM DD YYYY HH MI Seq SubSeq format where Seq and SubSeq are omitted if they are zero Shows the output result in the HTML format The script writes the output to an HTML file which can be configured to refresh itself automatically the refresh interval is also configurable The script is integrated into the Red Hat Administration Express enabling you to view the replication status...

Page 363: ...er has replayed that was originated from the supplier identified in the Table Header Time Lag It shows the time difference between the supplier and the consumer s max CSNs for the changes originated from the supplier identified in the Table Header A consumer is in sync with its supplier when its time lag is 0 Last Modify Time It is roughly the time when the consumer s max CSN was replayed Supplier...

Page 364: ...nd ldapsearch D adminDN w password b dc example dc com nsds5ReplConflict For performance reasons if you find that you have many conflicting entries every day you may want to index the nsds5ReplConflict attribute For information on indexing refer to chapter 10 Managing Indexes This section contains the procedures for the following conflict resolution procedures Solving Naming Conflicts Solving Orph...

Page 365: ...dn uid NewValue deleteoldrdn 0 2 Remove the old RDN value of the naming attribute and the conflict marker attribute For example prompt ldapmodify D adminDN w password dn uid NewValue dc example dc com changetype modify delete uid uid adamss delete nsds5ReplConflict For more information on the ldapmodify command refer to Managing Entries from the Command Line on page 55 and Red Hat Directory Server...

Page 366: ...uid uid jdoe ldapmodify changetype modrdn newrdn uid jdoe1 deleteoldrdn 1 Renaming an Entry with a Single Valued Naming Attribute To rename an entry that has a single valued naming attribute 1 Rename the entry using a different naming attribute and keep the old RDN For example prompt ldapmodify D adminDN w password dn nsuniqueid 66446001 1dd211b2 dc pubs dc example dc com changetype modrdn newrdn ...

Page 367: ... to avoid having orphaned entries in the directory In the same way when an add operation is replicated and the consumer server cannot find the parent entry the conflict resolution procedure creates a glue entry representing the parent so that the new entry is not an orphan entry Glue entries are temporary entries that include the object classes glue and extensibleObject Glue entries can be created...

Page 368: ...following command ldapmodify h localhost p 389 D cn Directory Manager w password33 dn dc example dc com changetype modify delete aci aci target ldap dc example dc com targetattr userPassword version 3 0 acl Anonymous read search access allow read search compare userdn ldap anyone add aci aci target ldap dc example dc com targetattr userPassword targetfilter nsds5ReplConflict version 3 0 acl Anonym...

Page 369: ...ously To turn off replication debugging log set the same attribute to 0 Error Message agmt s s d Replica has a different generation ID than the local data Reason The consumer specified at the beginning of this message has not been successfully initialized yet or it was initialized from a different root supplier Impact The local supplier will not replicate any data to the consumer Remedy Ignore thi...

Page 370: ...er s maxcsn no longer exists in the server s changelog Remedy Check the disk space and the possible core file under the server s logs directory If this is a single master replication reinitialize the consumers Otherwise if the server later complains that it can t locate some CSN for a consumer see if the consumer can get the CSN from other suppliers If not reinitialize the consumer Error Message a...

Page 371: ... is not responding Impact If the consumer recovers without being restarted there is a chance that the replica on the consumer will be locked forever if it did not receive the release lock message from the supplier Remedy Watch if the consumer can receive any new change from any of its suppliers or start the replication monitor and see if all the suppliers of this consumer warn that the replica is ...

Page 372: ...Replication Monitor see Monitoring Replication Status on page 360 Reason The SSL port is specified in some replication agreement but the certificate database is not specified or not accessible by the Replication Monitor If there is no SSL port problem one of the servers in the replication topology might hang Remedy Map the SSL port to a non SSL port in the configuration file of the Replication Mon...

Page 373: ...and File Reference enables you to troubleshoot replication related problems Depending on the usage options the script can selectively dump a particular replica Dump the contents of a replication change log file and in memory variables purgeRUV and maxRUV Grep and interpret change sequence numbers CSNs in the changelog Get the base 64 encoded changelog from the Directory Server and then decode the ...

Page 374: ...Troubleshooting Replication Related Problems 374 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 375: ...ew object class to contain them Although it may seem convenient to just add the attributes you need to an existing object class that already contains most of the attributes you require doing so compromises interoperability with LDAP clients Interoperability of Directory Server with existing LDAP clients relies on the standard LDAP schema If you change the standard schema you will also have difficu...

Page 376: ... attributes Viewing Attributes Creating Attributes Editing Attributes Deleting Attributes For information on managing object classes see Managing Object Classes on page 379 Viewing Attributes To view information about all attributes that currently exist in your directory schema 1 In the Directory Server Console select the Configuration tab 2 In the left navigation tree select the Schema folder and...

Page 377: ...your enterprise send mail to the IANA Internet Assigned Number Authority at iana iana org or visit the IANA website at http www iana org Syntax The attribute syntax Case Ignore String Indicates that values for this attribute are not case sensitive Case Exact String Indicates that values for this attribute are case sensitive Distinguished Name Indicates that values for this attribute are DNs Binary...

Page 378: ...to be multi valued select the Multi Valued checkbox The Directory Server allows more than one instance of a multi valued attribute per entry 7 Click OK Editing Attributes You can only edit attributes you have created You cannot edit standard attributes To edit an attribute 1 Display the Attributes tab This procedure is explained in Viewing Attributes on page 376 2 Select the attribute that you wan...

Page 379: ...d attributes To delete an attribute 1 Display the Attributes tab This procedure is explained in Viewing Attributes on page 376 2 In the User Defined Attributes table select the attribute and click Delete 3 If prompted confirm the delete The server immediately deletes the attribute There is no undo Managing Object Classes You can use Directory Server Console to manage your schema s object classes T...

Page 380: ...tionalPerson Typically if you want to add new attributes for user entries the parent would be the inetOrgPerson object class If you want to add new attributes for corporate entries the parent is usually organization or organizationalUnit If you want to add new attributes for group entries the parent is usually groupOfNames or groupOfUniqueNames OID The object identifier of the object class An OID ...

Page 381: ...m the Parent drop down menu You can choose from any existing object class See Table 9 2 on page 380 for more information on parent object classes 6 To add an attribute that must be present in entries that use the new object class highlight the attribute in the Available Attributes list and then click the Add button to the left of the Required Attributes box You can use either the standard attribut...

Page 382: ...ou want to edit from the Object Classes list and click Edit The Edit Object Class dialog box is displayed 3 To change the name of the object class enter the new name in the Name text box 4 To change the object identifier for the object class enter the new OID in the OID Optional text box OIDs are described in Table 9 2 on page 380 5 To change the parent object for the object class select the new p...

Page 383: ...emove and click Delete 3 If prompted confirm the delete The server immediately deletes the object class There is no undo Turning Schema Checking On and Off When schema checking is on the Directory Server ensures that The object classes and attributes you are using are defined in the directory schema The attributes required for an object class are contained in the entry Only attributes allowed by t...

Page 384: ...n tree then select the Settings tab in the right pane 3 To enable schema checking check the Enable Schema Checking checkbox clear it to turn off schema checking 4 Click Save You can also turn schema checking on and off by using the nsslapd schemacheck attribute For information see the Red Hat Directory Server Configuration Command and File Reference ...

Page 385: ...exing mechanism in context and then describes how to create delete and manage indexes This chapter contains the following sections About Indexes page 385 Creating Indexes page 397 Deleting Indexes page 407 Attribute Name Quick Reference Table page 415 About Indexes This section provides an overview of indexing in Directory Server It contains the following topics About Indexes and Indexing Performa...

Page 386: ...is balanced by overall improved performance Also the secondary index structure has been redesigned to allow grately improved indexing write change and search performance which also offsets the costs of indexing In previous versions write performance was limited by the number of bytes per second that could be written into the storage manager s transaction log file The secondary index structure was ...

Page 387: ...ch database page For each entry ID list there is a size limit that is globally applied to all index keys managed by the server This limit used to be called the All IDs Threshold which set a limit on how large a single entry ID list could get because maintaining large ID lists in memory can affect performance When a list hit a certain pre determined size the search acted as if the index contained t...

Page 388: ...ows efficient approximate or sounds like searches For example an entry may include the attribute value cn Robert E Lee An approximate search would return this value for searches against cn Robert Lee cn Robert or cn Lee Similarly a search against l San Fransisco note the misspelling would return entries including l San Francisco NOTE While Directory Server can support the old database design only ...

Page 389: ...nternationalization If you want to configure the Directory Server to accept additional matching rules contact Red Hat Professional Services Browsing virtual list view index The browsing index or virtual list view index speeds up the display of entries in the Directory Server Console This index is particularly useful if a branch of your directory contains hundreds of entries for example the ou peop...

Page 390: ...formance of the most common types of user directory searches mail X X X Improves the performance of the most common types of user directory searches mailHost X Used by a messaging server member X Improves Directory Server performance This index is also used by the Referential Integrity Plug in See Maintaining Referential Integrity on page 72 for more information owner X Improves Directory Server p...

Page 391: ...ne uniquemember X Improves Directory Server performance This index is also used by the Referential Integrity Plug in See Maintaining Referential Integrity on page 72 for more information Table 10 2 System Indexes Attribute Eq Pres Purpose aci X Allows the Directory Server to quickly obtain the access control information maintained in the database dnComp X Used to help accelerate subtree searches i...

Page 392: ... the incoming request to make sure that the specified base DN matches a suffix contained by one or more of its databases or database links If they do match the directory processes the request If they do not match the directory returns an error to the client indicating that the suffix does not match If a referral has been specified in the nsslapd referral attribute under cn config the directory als...

Page 393: ... the maximum number of entries in an ID list before the list is considered to equal the entire database See Red Hat Directory Server Configuration Command and File Reference for further information about these attributes idlistscanlimit When the server uses indexes in the processing of a search operation it is possible that one index key matches a large number of entries For example consider a sea...

Page 394: ...ctory uses a variation of the metaphone phonetic algorithm to perform searches on an approximate index Each value is treated as a sequence of words and a phonetic code is generated for each word Values entered on an approximate search are similarly translated into a sequence of phonetic codes An entry is considered to match a query if both of the following are true All of the query string codes ma...

Page 395: ...nificantly depending on the type of search The more indexes you maintain the more disk space you will require The following example illustrates exactly how time consuming indexes can become Consider the procedure for creating a specific attribute 1 The Directory Server receives an add or modify operation 2 The Directory Server examines the indexing attributes to determine whether an index is maint...

Page 396: ...e directory the Directory Server must perform these steps 1 Create the common name equality index entry for John and John Doe 2 Create the appropriate common name approximate index entries for John and John Doe 3 Create the appropriate common name substring index entries for John and John Doe 4 Create the surname equality index entry for Doe 5 Create the appropriate surname approximate index entry...

Page 397: ...ate substring and international indexes for specific attributes To create indexes 1 In the Directory Server Console select the Configuration tab NOTE Given that this version of Directory Server can operate in either a single or multi database environment you need to remember to create your new indexes in every database instance since newly created indexes are not automatically created in the other...

Page 398: ...e attribute using multiple languages by listing multiple OIDs separated by commas but no whitespace For a list of languages their associated OIDs and further information regarding collation orders see Appendix D Internationalization 8 Click Save The Indexes dialog box appears displaying the status of the index creation and informing you when the indexes have been created You can click on the Statu...

Page 399: ... the name of the database For information on the LDIF update statements required to add entries see LDIF Update Statements on page 63 For example assume you want to create presence equality and substring indexes for the sn surname attribute in the Example1 database NOTE You cannot create new system indexes because system indexes are hard coded in Directory Server NOTE Avoid creating entries under ...

Page 400: ...ibute you want to index in this example the sn attribute The entry is a member of the nsIndex object class The nsSystemIndex attribute is false indicating that the index is not essential to Directory Server operations The multi valued nsIndexType attribute specifies the presence pres equality eq and substring sub indexes Each keyword has to be entered on a separate line The nsMatchingRule attribut...

Page 401: ...nfiguration Command and File Reference Running the db2index pl Script Once you have created an indexing entry or added additional index types to an existing indexing entry run the db2index pl script to generate the new set of indexes to be maintained by the Directory Server Once you run the script the new set of indexes is active for any new data you add to your directory and any existing data in ...

Page 402: ...To create a VLV index from the Console 1 In the Directory Server Console select the Directory tab 2 In the left navigation tree create a suffix where you want to create the VLV index For instance for views based on the locality l attribute name this organizational unit Location Views 3 Right click on ou Location Views and select New Other 4 Select nsview from the New Object menu and hit okay 5 In ...

Page 403: ...ries To create a browsing index using the Directory Server Console 1 In the Directory Server Console select the Directory tab 2 In the left navigation tree for example People select the entry for which you want to create the index 3 From the Object menu select Create Browsing Index The Create Browsing Index dialog box appears displaying the status of the index creation You can click on the Status ...

Page 404: ...mation on the ldapsearch b option which allows you to specify the base of searches see the Red Hat Directory Server Configuration Command and File Reference The attributes you want to sort The filter of the search For more information on specifying filters for searches see Appendix B Finding Directory Entries The ldbm database to which the entry that forms the base of the search belongs You can on...

Page 405: ...ur browsing index identifier which is the approach adopted by the Directory Server Console to prevent identical browsing indexes from being created The entry is a member of the vlvSearch object class The vlvbase attribute value specifies the entry on which you want to create the browsing index in this example the ou People dc example dc com entry the browsing index identifier The vlvscope attribut...

Page 406: ... run the script the new set of browsing indexes is active for any new data you add to your directory and any existing data in your directory To run the vlvindex script 1 From the command line change to the following directory serverRoot slapd serverID 2 Stop the server stop slapd 3 Run the vlvindex script For more information about using this script refer to Red Hat Directory Server Configuration ...

Page 407: ...nfig 2 In a text editor open the dse ldif file 3 Locate oid 2 16 840 1 113730 3 4 9 you should see these lines dn oid 2 16 840 1 113730 3 4 9 cn features cn config objectClass top objectClass directoryServerFeature oid 2 16 840 1 113730 3 4 9 cn VLV Request Control aci targetattr aci version 3 0 acl VLV Request Control allow read search compare proxy userdn ldap all creatorsName cn server cn plugi...

Page 408: ... Configuration tab 2 Expand the Data node and expand the suffix associated with the database containing the index Select the database from which you want to delete the index NOTE Because this version of Directory Server can operate in either a single or multi database environment you have to delete any unwanted indexes from every database instance Any default indexes you delete will not be deleted...

Page 409: ...Command Line You can browsing indexes or virtual list view VLV indexes using the ldapdelete command line utility as follows Delete an entire index entry or delete unwanted index types from an existing index entry using the ldapdelete command line utility Generate the new set of indexes to be maintained by the server using the db2index pl script The following sections describe the steps involved in...

Page 410: ...ager w password h ExampleServer p845 cn sn cn index cn Example1 cn ldbm database cn plugins cn config The following table describes the ldapdelete options used in the example For full information on ldapdelete options refer to the Red Hat Directory Server Configuration Command and File Reference Once you have deleted this entry the presence equality and substring indexes for the sn attribute will ...

Page 411: ...l Perl script refer to Red Hat Directory Server Configuration Command and File Reference This example generates a new set of indexes to be maintained by the server using the db2index pl UNIX shell script db2index pl D cn Directory Manager w password n Example1 The following table describes the db2index pl options used in the examples For more information about the db2index pl Perl script see the R...

Page 412: ...ation tree and select Delete Browsing Index from the Object menu You can also select and right click the entry of the index you want to delete in the navigation tree and then choose Delete Browsing Index from the pop up menu 3 A Delete Browsing Index dialog box appears asking you to confirm that you want to delete the index Click Yes to delete 4 The Delete Browsing Index dialog box appears display...

Page 413: ...objectclass ldapsubentry the scope is 1 and the sorting order for the returned attributes is cn givenname o ou and sn To delete this browsing index you need to delete the two corresponding browsing index entries which follow dn cn MCC ou People dc example dc com cn userRoot cn ldbm database cn plugins cn config objectClass top objectClass vlvSearch cn MCC ou People dc example dc com vlvBase ou Peo...

Page 414: ...jectclass ldapsubentry the scope is 1 and the sorting order for the returned attributes is cn givenname o ou and sn will no longer be maintained by the Example1 database Running the vlvindex Script Once you have deleted browsing indexing entries or deleted unwanted attribute types from existing browsing indexing entries run the vlvindex script to generate the new set of browsing indexes to be main...

Page 415: ...CC ou people dc example dc com The following table describes the vlvindex options used in the examples For more information about the vlvindex script see the Red Hat Directory Server Configuration Command and File Reference Attribute Name Quick Reference Table Table 10 3 lists all attributes which have a primary or real name as well as an alias When creating indexes be sure to use the primary name...

Page 416: ...rganization ou organizationalUnitName facsimileTelephoneNumber fax uid userId mail rfc822mailbox mobile mobileTelephoneNumber pager pagerTelephoneNumber co friendlyCountryName labeledUri labeledUri ttl timeToLive dc domainComponent authorCn documentAuthorCommonName authorSn documentAuthorSurname drink favoriteDrink Table 10 3 Attribute Name Quick Reference Table Continued ...

Page 417: ...upports SASL authentication using the GSS API mechanism allowing Kerberos rather than certificates to authenticate sessions and encrypt data This chapter describes how to use SSL and SASL with your Directory Server in the following sections Introduction to SSL in the Directory Server page 418 Obtaining and Installing Server Certificates page 420 Command Line Functions for Start TLS page 419 Using ...

Page 418: ...Improved security The use of certificate based authentication is more secure than non certificate bind operations This is because certificate based authentication uses public key cryptography As a result bind credentials cannot be intercepted across the network The Directory Server is capable of simultaneous SSL and non SSL communications This means that you do not have to choose between SSL or no...

Page 419: ...ntication Using the command line options you can also specify or enforce Start TLS which which allows a secure connection to be enabled on a cleartext port after a session has been initiated In the following example a network administrator enforces Start TLS for a search for Mike Connor s identification number ldapsearch p 389 ZZZ P certificateDB N certificate_name s base b uid mconnors attribute ...

Page 420: ...fying Authority CA certificate See Obtaining and Installing Server Certificates on page 420 for information on using certificates The server does not support Start TLS as an extended operation For SDK libraries used in client programs if a session is already in TLS mode and Start TLS is requested then the connection continues to be in secure mode but prints the error DSA is unwilling to perform Ob...

Page 421: ...e Certificates window is displayed 2 Select the Server Certs tab and click the Request button The Certificate Request Wizard is displayed 3 Click Next 4 Enter the following Requestor Information in the blank text fields then click Next Server Name Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups for example dir example com Organization Enter the legal name of...

Page 422: ...IFICATE REQUEST MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1J OSUExLDAqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF 0aW9uMRwwGgYDVQQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSI b3DQEBAQUAA4GNADCBiQKBgQCwAbskGh6SKYOgHy UCSLnm3ok3X3u83Us7 ug0EfgSLR0f K41eNqqRftGR83emqPLDOf0ZLTLjVGJaH4Jn4l1gG JDf n zMyahxtV7 mT8GOFFigFfuxaxMjr2j7IvELlxQ4IfZgWwqCm4qQecv3G N 9YdbjveMVXW0v4XwIDAQABoAA...

Page 423: ... paste it in this field For example BEGIN CERTIFICATE MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBhMCVVMx IzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP MQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTmV0c2NhcGUgRGlyZWN0b3J5IFB1Ymxp Y2F0aW9uczEWMBQGA1UEA...

Page 424: ...isplayed 3 If you saved the CA s certificate to a file enter the path in the field provided If you received the CA s certificate via email copy and paste the certificate including the headers into the text field provided Click Next 4 Check that the certificate information that is displayed is correct and click Next 5 Specify a name for the certificate and click Next 6 Select the purpose of trustin...

Page 425: ...ver certutil tool is serverRoot shared bin certutil can also be downloaded from ftp ftp mozilla org pub mozilla org security nss releases The following steps outline how to make the databases key CA certificate and server client certificate and convert the certificates into pkcs12 format 1 Open the directory where the Directory Server certificate databases are stored cd serverRoot alias 2 Make a b...

Page 426: ...rtutil N d f tmp pwdfile P slapd instance_name 6 Generate the self signed CA certificate certutil creates the required key pairs and the certificate This certificate is used to generate the other server certificates and can be exported for use with other servers and clients certutil S n CA certificate s cn My Org CA cert dc example dc com x t CT 2 m 1000 v 120 d k rsa g 1024 f tmp pwdfile P slapd ...

Page 427: ... sure that every n option nickname and m option serial number is unique for every certificate and make sure that the s option gives the correct FQDN for the server 8 Export the CA certificate for use with other servers and clients A client usually requires the CA certificate to validate the server certificate in an TLS SSL connection Use certutil to export the CA certificate in ASCII PEM format ce...

Page 428: ...s not need to import them Starting the Server with SSL Enabled Most of the time you want your server to run with SSL enabled If you temporarily disable SSL make sure you re enable it before processing transactions that require confidentiality authentication or data integrity There are two ways to use SSL Enabling SSL communications to the Directory Server only Requiring SSL among the Directory Ser...

Page 429: ...navigation tree in the left pane Select the Encryption tab in the right pane 4 Select the Enable SSL for this Server checkbox 5 Check the Use this Cipher Family checkbox 6 Select the certificate that you want to use from the drop down menu 7 Click Cipher Settings The Cipher Preference dialog box is displayed By default all ciphers are selected 8 Set your preferences for client authentication Do no...

Page 430: ...SASL_EXTERNAL 81 Netscape runtime error 12276 Unable to communicate securely with peer requested domain name does not match the server s certificate DATE NSMMReplicationPlugin agmt cn to ultra60 client auth ultra60 1924 Replication bind with SSL client authentication failed LDAP error 81 Can t contact LDAP server It is recommended that you enable this option to protect Directory Server s outbound ...

Page 431: ...entication Do not allow client authentication With this option the server will ignore the client s certificate This does not mean that the bind will fail Allow client authentication This is the default setting With this option authentication is performed on the client s request For more information about certificate based authentication see Using Certificate Based Authentication on page 435 Requir...

Page 432: ... option to protect Directory Server s outbound SSL connections against a Man in the Middle MITM attack 11 Check the Use SSL in the Console box Hit Save 12 In the Administration Server Console select the Configuration tab Select the Encryption tab check the Enable SSL checkbox and fill in the appropriate certificate information 13 In the Configuration DS tab change the port number to the new Direct...

Page 433: ...sword file must be placed in the following location serverRoot alias slapd serverID pin txt where serverID is the identifier you specified for the server when you installed it You need to include the token password in the file mypassword When the server restarts it will use this value as the token PIN Setting Security Preferences You can choose the type of ciphers you want to use for SSL communica...

Page 434: ...S with 56 bit encryption and SHA message authentication This cipher meets the FIPS 140 1 U S government standard for implementations of cryptographic modules FIPS Triple DES with 168 bit encryption and SHA message authentication This cipher meets the FIPS 140 1 US government standard for implementations of cryptographic modules To select the ciphers you want the server to use 1 Make sure SSL is en...

Page 435: ...Triple DES with 168 bit encryption and SHA message authentication Using Certificate Based Authentication Directory Server allows you to use certificate based authentication for the command line tools which are LDAP clients and for replication communications Certificate based authentication can occur between An LDAP client connecting to the Directory Server A Directory Server connecting to another ...

Page 436: ... the Server with SSL Enabled on page 428 NOTE When specifying the key and certificate database filenames you may use absolute or relative paths If using relative paths ensure that they are relative to the server root for example alias slapd phonebook cert8 db and alias slapd phonebook key3 db The name of the certificate database has been changed from cert7 db to cert8 db Directory Server automatic...

Page 437: ...nfiguration to no longer require but allow client authentication so that you can use Red Hat Console you must follow these steps 1 Stop Directory Server For information on stopping and starting the server from the command line see Starting and Stopping the Server from the Command Line on page 38 2 Modify the cn encryption cn config entry by changing the value of the nsSSLClientAuth attribute from ...

Page 438: ...ficate will be similar to BEGIN CERTIFICATE MIICMjCCAZugAwIBAgICCEEwDQYJKoZIhvcNAQEFBQAwfDELMAkGA1UEBh MCVVMxIzAhBgNVBAoTGlBhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0w GwYDVQQLExRXaWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdC BUZXN0IFRlc3QgVGVzdCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3 WhcNOTgwMzI2MDIzMzU3WjBPMQswCQYDVQQGEwJVUzEoMCYGA1UEChMfTm V0c2NhcGUgRGlyZWN0b3 END CERTIFICATE 3 You must convert the c...

Page 439: ...pmodify ldapdelete and ldapsearch refer to Red Hat Directory Server Configuration Command and File Reference Introduction to SASL Directory Server supports LDAP client authentication through the Simple Authentication and Security Layer SASL an alternative to SSL TLS and a native way for some applications to share information securely NOTE Do not map your certificate based authentication certificat...

Page 440: ...t as strong as public key systems or Kerberos authentication methods it is preferred over plaintext passwords and does protect against plaintext attacks Generic Security Services GSS API Generic Security Services GSS is a security API that is the native way for UNIX based operating systems to access and authenticate Kerberos services GSS API also supports session encryption via function calls that...

Page 441: ...tom map is tried and so on until the default is tried If no map works then the bind fails SASL is configured by entries under a container entry dn cn sasl cn config objectClass top objectClass nsContainer cn sasl SASL identity mapping entries are children of second container entry dn cn mapping cn sasl cn config objectClass top objectClass nsContainer cn mapping Mapping entries contain three attri...

Page 442: ...ith base ou People dc example dc com and filter cn userId Legacy Identity Mapping Older versions of Directory Server did support limited SASL mechanisms EXTERNAL and DIGEST MD5 These mechanisms have simple username based identies so the server implements a simple identity mapping scheme using the uid to find the corresponding directory entries A user binds with an authentication DN such as uid bje...

Page 443: ...the following ldapmodify a p 389 h localhost D cn directory manager w password33 dn cn mymap2 cn mapping cn sasl cn config objectclass top objectclass nsSaslMapping cn mymap2 nsSaslMapRegexString nsSaslMapBaseDNTemplate ou People dc example dc com nsSaslMapFilterTemplate cn This will match any user ID and map to the result of the the subtree search with base ou People dc example dc com and filter ...

Page 444: ... cn Europe example com cn engineering cn gssapi cn auth Babs Jensen in the accounting realm of US example com would not have to specify server_instance uid bjensen cn accounting cn gssapi cn auth If realms are supported by the mechanism and the default realm was not used realm must be specified otherwise it is omitted Currently only GSS API supports the concept of realms Configuring the KDC Server...

Page 445: ...tab file This file is created by the Kerberos administrator by exporting the key from the KDC Either the system default keytab file typically etc krb5 keytab is used or a service specific keytab file determined by the value of the KRB5_KTNAME environment variable The Directory Server uses the service name ldap Its Kerberos principal is ldap host fqdn realm A key with this identity must be stored i...

Page 446: ...fault_tgs_enctypes des3 hmac sha1 des cbc crc default_tkt_enctypes des3 hmac sha1 des cbc crc permitted_enctypes des3 hmac sha1 des cbc crc realms COMPANY EXAMPLE COM kdc kdcserver company example com 88 admin_server adminserver company example com 749 default_domain company example com appdefaults pam debug true ticket_lifetime 36000 renew_lifetime 36000 forwardable true krb4_convert false loggin...

Page 447: ...or information on using SNMP to monitor your Directory Server see chapter 13 Monitoring Directory Server Using SNMP Viewing and Configuring Log Files Directory Server provides three types of logs to help you better manage your directory and tune performance These logs include Access Log Error Log Audit Log The following aspects are common to the configuration of all types of logs Defining a log fi...

Page 448: ...t represents the group s permissions and the third digit represents everyone s permissions When changing the default value keep in mind that 000 will not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone The newly configured access mode will only affect new logs that are created the mode will be set when the log r...

Page 449: ... For example the first couple of lines of any log files generated by a Directory Server instance may show lines similar to these Red Hat Directory 7 1 B2003 188 1157 myhost example com 389 opt redhat ds servers slapd ds71 Defining a Log File Deletion Policy If you want the directory to automatically delete old archived logs you can define a log file deletion policy from the Directory Server Consol...

Page 450: ...cess Log icon A table displays a list of the last 25 entries in the access log 2 To refresh the current display click Refresh Select the Continuous checkbox if you want the display to refresh automatically every ten seconds 3 To view an archived access log select it from the Select Log pull down menu 4 To display a different number of messages enter the number you want to view in the Lines to show...

Page 451: ...Logging checkbox Clear this checkbox if you do not want the directory to maintain an access log Access logging is enabled by default 3 Enter the full path and filename you want the directory to use for the access log in the Log File field The default path is serverRoot slapd serverID logs access 4 Set the maximum number of logs log size and periodicity of archiving For information on these paramet...

Page 452: ...is enter the string in the Show only lines containing text box and click Refresh Configuring the Error Log You can change several settings for the error log including where the directory stores the log and what you want the directory to include in the log To configure the error log 1 In the Directory Server Console select the Configuration tab Then in the navigation tree expand the Logs folder and...

Page 453: ...r error log to grow very rapidly so it is recommended that you do not change your logging level unless you are asked to do so by Red Hat Technical Support 8 When you have finished making changes click Save Audit Log The audit log contains detailed information about changes made to each database as well as to server configuration This section contains the following procedures Viewing the Audit Log ...

Page 454: ... expand the Logs folder and select the Audit Log icon The audit log configuration attributes are displayed in the right pane 2 To enable audit logging select the Enable Logging checkbox To disable audit logging clear the checkbox By default audit logging is disabled 3 Enter the full path and filename you want the directory to use for the audit log in the field provided The default path is serverRo...

Page 455: ...le for future reference 3 Restart the server See Starting and Stopping the Directory Server on page 37 for instructions Monitoring Server Activity You can monitor your Directory Server s current activities from either the Directory Server Console or the command line You can also monitor the activity of the caches for all of your database This section contains the following information Monitoring Y...

Page 456: ...he server provides monitoring information as described in the following sections General Information Server Resource Summary Current Resource Usage Connection Status Global Database Cache Information General Information Server The server provides the following general information Server version Identifies the current server version Configuration DN Identifies the distinguished name that you must u...

Page 457: ...r Performance Monitoring Resource Summary Resource Usage since startup Average per minute Connections Total number of connections to this server since server startup Average number of connections per minute since server startup Operations Initiated Total number of operations initiated since server startup Operations include any client requests for server action such as searches adds and modifies O...

Page 458: ...ble to a task Threads Waiting to Write to Client Total number of threads waiting to write to the client Threads may not be immediately written when the server must pause while sending data to a client Reasons for a pause include a slow network a slow client or an extremely large amount of information being sent to the client Threads Waiting to Read from Client Total number of threads waiting to re...

Page 459: ...The total number of requests performed on your directory since server startup Hit Ratio The ratio of cache tries to successful cache hits The closer this number is to 100 the better Pages read in Indicates the number of pages read from disk into the cache Pages written out Indicates the number of pages written from the cache back to disk Read only page evicts Indicates the number of read only page...

Page 460: ... version number threads Current number of active threads used for handling requests Additional threads may be created by internal server tasks such as replication or chaining connection fd opentime opsinitiated opscompleted binddn rw Provides the following summary information for each open connection only available if you bind to the directory as the Directory Manager fd The file descriptor used f...

Page 461: ...er of operations the server has initiated since it started opscompleted Identifies the number of operations the server has completed since it started entriessent Identifies the number of entries sent to clients since the server started bytessent Identifies the number of bytes sent to clients since the server started currentime Identifies the time when this snapshot of the server was taken The time...

Page 462: ...plays current information about database activity If the server is currently not running this tab will not provide performance monitoring information 2 Click Refresh to refresh the currently displayed information If you want the directory to continuously update the displayed information select the Continuous checkbox and then click Refresh Overview of Database Performance Monitor Information The d...

Page 463: ... closer this value is to 100 the better Whenever a search operation attempts to find an entry that is not present in the entry cache the directory has to perform a disk access to obtain the entry Thus as this ratio drops towards zero the number of disk accesses increases and directory search performance drops To improve this ratio you can increase the number of entries that the directory maintains...

Page 464: ...abase page Thus as this ratio drops towards zero the number of disk accesses increases and directory performance drops To improve this ratio you can increase the amount of data that the directory maintains in the database cache by increasing the value of the Maximum Cache Size attribute See Tuning Database Performance on page 480 for information on changing this value using the Server Console Page...

Page 465: ...database Identifies the type of database you are currently monitoring readonly Indicates whether the database is in read only mode 0 indicates that the server is not in read only mode 1 indicates that it is in read only mode entrycachehits Provides the same information as described in Entry cache hits in Table 12 5 on page 463 Table 12 7 Database Performance Monitoring Database File Specific Perfo...

Page 466: ... 464 dbcachepagein Provides the same information as described in Pages read in in Table 12 6 on page 464 dbcachepageout Provides the same information as described in Pages written out in Table 12 6 on page 464 dbcacheroevict Provides the same information as described in Read only page evicts in Table 12 6 on page 464 dbcacherwevict Provides the same information as described in Read write page evic...

Page 467: ...to the directory containing the utility cd serverRoot shared bin Then run ldapsearch as follows ldapsearch h directory example com p 389 D cn Directory Manager w secret s sub b cn monitor cn DBLink1 cn chaining database cn plugins cn config objectclass nsAddCount You can search for the following database link monitoring attributes NOTE The above command should be typed on a single line It does not...

Page 468: ...d and File Reference nsBindCount Number of bind request received nsUnbindCount Number of unbinds received nsCompareCount Number of compare operations received nsOperationConnectionCount Number of open connections for normal operations nsBindConnectionCount Number of open connections for bind operations Table 12 8 Database Link Monitoring Attributes Continued Attribute Name Description ...

Page 469: ...roperability combined with its ability to manage tasks specific to a whole range of different devices makes SNMP the standard mechanism for global network control and monitoring SNMP allows network administrators to unify all network monitoring activities including monitoring Directory Server SNMP statistic reporting is available via a Net SNMP subagent which sends various statistics about your mo...

Page 470: ...have Directory Server and a messaging server all installed on the same host the subagents for both of these servers communicate with the same master agent Values for SNMP attributes or variables that can be queried are kept on the managed device and reported to the NMS as necessary Each variable is known as a managed object which is anything the agent can access and send to the NMS All managed obj...

Page 471: ...ile location and which Directory Server instances to monitor agentx master The agentx master setting tells the subagent how to communicate with the SNMP master agent If this setting is not specified the subagent will try to communicate the the master agent via the Unix domain socket var agentx master This is also where the Net SNMP master agent listens for AgentX communications by default If you c...

Page 472: ...ad permission to this directory Starting the Subagent Once your master agent is running and you have created your subagent configuration file you are ready to start the subagent To start your subagent you must run the ldap agent program specifying your subagent configuration file as an argument You must supply the absolute path to the configuration file ldapagent opt redhat ds ldap agent conf If y...

Page 473: ...the directory instance in the Description text box 4 Type the name the company or organization to which the directory belongs in the Organization text box 5 Type the location within the company or organization where the directory resides in the Location text box 6 Type the email address of the person responsible for maintaining the directory in the Contact text box 7 Click Save Using the Managemen...

Page 474: ...ds The number of binds to the directory that were established using a simple authentication method such as password protection since server startup dsStrongAuthBinds The number of binds to the directory that were established using a strong authentication method such as SSL or a SASL mechanism like Kerberos since server startup dsBindSecurityErrors The number of bind requests that have been rejecte...

Page 475: ...nce server startup dsOneLevelSearchOps The number of one level search operations serviced by this directory since server startup dsWholeSubtreeSearchOps The number of whole subtree search operations serviced by this directory since server startup dsReferrals The number of referrals returned by this directory in response to client requests since server startup dsSecurityErrors The number of operati...

Page 476: ...in the directory dsCacheHits The number of operations serviced from the locally held cache since application startup dsSlaveHits The number of operations that were serviced from locally held replications shadow entries The value of this object will always be 0 Table 13 3 Interaction Managed Objects and Descriptions Managed Object Description dsIntTable Each row of this table contains some details ...

Page 477: ... last attempt made to contact this Directory Server was successful This entry will have a value of zero if there have been no successful attempts or if the last successful attempt was made before the network management subsystem was initialized dsFailuresSinceLastSuccess The number of failures since the last time an attempt to contact this Directory Server was successful If there has been no succe...

Page 478: ...Using the Management Information Base 478 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 479: ...r s performance by limiting the amount of resources the server uses to proces client search requests You can define The maximum number of entries the server returns to the client in response to a search operation size limit attribute The maximum amount of real time in seconds you want the server to spend performing a search request time limit attribute The time in seconds during which the server m...

Page 480: ...text box If you do not want to set a limit type zero 0 in this text box 5 Enter the time in seconds during which you want the server to maintain an idle connection before terminating it in the Idle Timeout text box If you do not want to set a limit type zero 0 in this text box 6 Set the maximum number of file descriptors available to the Directory Server in the Max Number of File Descriptors text ...

Page 481: ...are random that is if your directory clients are searching for random and widely scattered directory data If your database does not fit into memory and if searches are random attempting to increase the values set on these attributes does not help directory performance In fact changing these attributes may harm overall performance You can tune the following attributes The attributes of the database...

Page 482: ...f memory that you want to make available for all databases 4 In the look through limit field enter the maximum number of entries you want the server to check in response to a search request If you do not want to set a limit type 1 in this text box If you bind to the directory as the Directory Manager by default the look through limit is unlimited and overrides any settings you specify here To conf...

Page 483: ...he directory does not perform the operation immediately Instead the operation is stored in a temporary memory cache on the Directory Server until the operation is completed If the server experiences a failure such as a power outage and shuts down abnormally the information about recent directory changes that were stored in the cache is lost However when the server restarts the directory automatica...

Page 484: ...rectory attribute to the cn config cn ldbm database cn plugins cn config entry Provide the full path to the log directory in the attribute For information on the nsslapd db logdirectory attribute syntax see the Red Hat Directory Server Configuration Command and File Reference For instructions on using ldapmodify refer to Adding and Modifying Entries Using ldapmodify on page 58 3 Restart Directory ...

Page 485: ... directory database operation is written to the database transaction log file but may not be physically written to disk immediately If a directory change was written to the logical database transaction log file but not physically written to disk at the time of a system crash you cannot recover the change When durable transactions are disabled the recovered database is consistent but does not refle...

Page 486: ... more information on the syntax and values of the nsslapd db transaction batch val attribute refer to the Red Hat Directory Server Configuration Command and File Reference For instructions on using ldapmodify refer to Adding and Modifying Entries Using ldapmodify on page 58 Miscellaneous Tuning Tips This section provides you with some performance related tips and concepts you ought to remember Avo...

Page 487: ...art 2 Plug ins Reference Chapter 15 Administering Directory Server Plug ins Chapter 16 Using the Pass through Authentication Plug in Chapter 17 Using the Attribute Uniqueness Plug in Chapter 18 Windows Sync ...

Page 488: ...488 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 489: ... Console page 512 Server Plug in Functionality Reference The following tables provide you with a quick overview of the plug ins provided with Directory Server along with their configurable options configurable arguments default setting dependencies general performance related information and further reading These tables will allow you to weigh up plug in performance gains and costs and choose the ...

Page 490: ...es None Performance Related Information None Further Information If your Directory Server uses non ASCII characters Japanese for example turn this plug in off Table 15 2 Details of ACI Plug in Plug in Name ACL Plug in DN of Configuration Entry cn ACL Plugin cn plugins cn config Description ACL access check plug in Configurable Options on off Default Setting on Configurable Arguments None Dependenc...

Page 491: ...tion ACL access check plug in Configurable Options on off Default Setting on Configurable Arguments None Dependencies database Performance Related Information None Further Information Chapter 6 Managing Access Control Table 15 4 Details of Binary Syntax Plug in Plug in Name Binary Syntax DN of Configuration Entry cn Binary Syntax cn plugins cn config Description Syntax for handling binary data Con...

Page 492: ...ntax DN of Configuration Entry cn Boolean Syntax cn plugins cn config Description Syntax for handling booleans Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 6 Details of Case Exact String Synta...

Page 493: ...g in running at all times Further Information Table 15 7 Details of Case Ignore String Syntax Plug in Plug in Name Case Ignore String Syntax DN of Configuration Entry cn Case Ignore String Syntax cn plugins cn config Description Syntax for handling case insensitive strings Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information D...

Page 494: ...ff Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter 3 Configuring Directory Databases Table 15 9 Details of Class of Service Plug in Plug in Name Class of Service DN of Configuration Entry cn Class of Service cn plugins cn co...

Page 495: ...ry String Syntax Plug in DN of Configuration Entry cn Country String Syntax cn plugins cn config Description Syntax for handling countries Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 11 Detai...

Page 496: ...ug in running at all times Further Information Table 15 12 Details of Generalized Time Syntax Plug in Plug in Name Generalized Time Syntax DN of Configuration Entry cn Generalized Time Syntax cn plugins cn config Description Syntax for dealing with dates times and time zones Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information...

Page 497: ...gly recommend that you use the Z time zone indication which stands for Greenwich Mean Time Table 15 13 Details of Integer Syntax Plug in Plug in Name Integer Syntax DN of Configuration Entry cn Integer Syntax cn plugins cn config Description Syntax for handling integers Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do n...

Page 498: ...nternationalization Plug in has one argument which must not be modified serverRoot slapd serverID config slapd collations conf This directory stores the collation orders and locales used by the Internationalization Plug in Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information See Appe...

Page 499: ...s Table 15 16 Details of Legacy Replication Plug in Plug in Name Legacy Replication Plug in DN of Configuration Entry cn Legacy Replication plug in cn plugins cn config Description Enables this version of Directory Server to be a consumer of a 4 x supplier Configurable Options on off Default Setting on Configurable Arguments None This plug in can be disabled if the server is not and never will be ...

Page 500: ...Directory Servers Configurable Options on off Default Setting on Configurable Arguments None Dependencies database Performance Related Information N A Further Information You can turn this plug in off if you only have one server which will never replicate See also Chapter 8 Managing Replication Table 15 18 Details of Octet String Syntax Plug in Plug in Name Octet String Syntax DN of Configuration ...

Page 501: ... cn Password Storage Schemes cn plugins cn config Description CLEAR password storage scheme used for password encryption Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter 7 User Account Management T...

Page 502: ...g at all times Further Information Chapter 7 User Account Management Table 15 21 Details of NS MTA MD5 Password Storage Plug in Plug in Name NS MTA MD5 DN of Configuration Entry cn NS MTA MD5 cn Password Storage Schemes cn plugins cn config Description NS MTA MD5 password storage scheme for password encryption Configurable Options on off Default Setting on Configurable Arguments None Dependencies ...

Page 503: ...ation Entry cn SHA cn Password Storage Schemes cn plugins cn config Description SHA password storage scheme for password encryption Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information If your directory does not contain passwords encrypted using the SHA password storage scheme you may turn this plug in off SHA is only included...

Page 504: ...ration of this plug in You should leave this plug in running at all times Further Information Chapter 7 User Account Management Table 15 24 Details of Postal Address String Syntax Plug in Plug in Name Postal Address Syntax DN of Configuration Entry cn Postal Address Syntax cn plugins cn config Description Syntax used for handling postal addresses Configurable Options on off Default Setting on Conf...

Page 505: ...ug in is not listed in Directory Server Console if you use the same server for your user directory and configuration directory Configurable Options on off Default Setting off Configurable Arguments ldap ldaps authDS subtree Dependencies None Performance Related Information Chapter 16 Using the Pass through Authentication Plug in Further Information Chapter 16 Using the Pass through Authentication ...

Page 506: ...est for referential integrity is queued and processed at a later stage This positive integer serves as a wake up call for the thread to process the request at intervals corresponding to the integer specified 2 Log file for storing the change for example opt redhat ds logs referint 3 All the additional attrribute names you want to be checked for referential integrity Dependencies database Performan...

Page 507: ...ff Default Setting off Configurable Arguments See Red Hat Directory Server Configuration Command and File Reference for further information on the two configuration attributes for the Retro Changelog Plug in Dependencies None Performance Related Information May slow down Directory Server performance Further Information Chapter 8 Managing Replication Table 15 28 Details of Roles Plug in Plug in Nam...

Page 508: ...on Syntax for handling space insensitive values Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information This plug in enables the Directory Server to support space and case insensitive values Applications can now ...

Page 509: ...g Description Enables state change notification service Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Further Information Table 15 31 Details of Telephone Syntax Plug in Plug in Name Telephone Syntax DN of Configuration Entry cn Telephone Syntax cn plugins cn config Description Syntax for handling telephone numbers Conf...

Page 510: ...fied attributes are unique each time a modification occurs on an entry Configurable Options on off Default Setting off Configurable Arguments Enter the following arguments uid DN DN if you want to check for uid attribute uniqueness in all listed subtrees However enter the following arguments attribute uid MarkerObjectclass ObjectClassName and optionally requiredObjectClass ObjectClassName if you w...

Page 511: ...you from adding your new entry To prevent being blocked by such an operations error disable the plug in on the server where you created the referral If however you still want to run a UID Uniqueness check make sure that you only activate the plug in on the last of the referred to servers to prevent it from blocking the referral mechanism Further Information Chapter 17 Using the Attribute Uniquenes...

Page 512: ...r LDAP using the Directory Server Console 1 In the Directory Server Console select the Configuration tab 2 Double click the Plugins folder in the navigation tree 3 Select the plug in from the Plugins list 4 To disable the plug in clear the Enabled checkbox To enable the plug in check this checkbox 5 Click Save 6 Restart the Directory Server Further Information Table 15 33 Details of URI Plug in Co...

Page 513: ... Directory Server Uses PTA page 513 PTA Plug in Syntax page 515 Configuring the PTA Plug in page 518 PTA Plug in Syntax Examples page 523 How Directory Server Uses PTA If you install the configuration directory and the user directory on separate instances of Directory Server the installation program automatically sets up PTA to allow the Configuration Administrator user usually admin to perform ad...

Page 514: ...n machine A Server name configdir example com Suffix o NetscapeRoot 2 You install the user directory server PTA directory on machine B Server name userdir example com Suffix dc example dc com 3 During the installation of the user directory on machine B you are prompted to provide an LDAP URL This URL points to the configuration directory on machine A 4 The installation program adds an entry to the...

Page 515: ...est through to the configuration directory as defined by the PTA Plug in configuration 7 The configuration directory authenticates the user s credentials and sends the information back to the user directory 8 The user directory allows the admin user to bind PTA Plug in Syntax PTA Plug in configuration information is specified in the cn Pass Through Authentication cn plugins cn config entry in the ...

Page 516: ...s on page 524 Table 16 1 PTA Plug in Parameters Variable Definition state Defines whether the plug in is enabled or disabled Acceptable values are on or off See Turning the Plug in On or Off on page 518 for more information extension File extension for the plug in The extension is always sl on HP UX PA RISC and so on all other UNIX platforms ldap ldaps Defines whether SSL is used for communication...

Page 517: ... server returns an error to the client The default is 300 seconds five minutes Specify zero 0 to indicate no time limit should be enforced See Configuring the Optional Parameters on page 522 for more information ldver Optional The version of the LDAP protocol used to connect to the authenticating directory Directory Server supports LDAP version 2 and 3 The default is version 3 See Configuring the ...

Page 518: ...ction provides information about configuring the plug in in the following sections Turning the Plug in On or Off Configuring the Servers to Use a Secure Connection Specifying the Authenticating Directory Server Specifying the Pass through Subtree Configuring the Optional Parameters Turning the Plug in On or Off To turn the PTA Plug in on from the command line 1 Create an LDIF file that contains th...

Page 519: ...rvers lib passthru plugin extension nsslapd pluginInitfunc passthruauth_init where extension is always sl on HP UX PA RISC and so on all other UNIX platforms 4 Restart the server For information on restarting the server refer to Starting and Stopping the Directory Server on page 37 To disable the plug in change the LDIF update statements to delete the nsslapd pluginenabled on statement and add the...

Page 520: ...which the client is attempting to bind The PTA directory passes the bind request to the host you define as the authenticating directory You specify the authenticating directory server by replacing authDS in the LDAP URL of the PTA directory with the authenticating directory s hostname To specify the authenticating directory for PTA 1 Create an LDIF file that contains the following LDIF update stat...

Page 521: ...the PTA directory If it does the PTA directory attempts to resolve bind requests using its own directory contents and the binds fail To specify the pass through subtree 1 Create an LDIF file that contains the following LDIF update statements dn cn Pass Through Authentication cn plugins cn config changetype add add nsslapd pluginarg0 nsslapd pluginarg0 ldap authDS subtree optional_parameters For ex...

Page 522: ...0 seconds five minutes The version of the LDAP protocol you want the PTA directory server to use to connect to the authenticating directory server In the PTA syntax this parameter is represented as ldver The default is LDAPv3 The time limit in seconds within which a connection may be used If a bind request is initiated by a client after this time has expired the server closes the connection and op...

Page 523: ...capeRoot 3 5 300 3 300 In this example each of the optional parameters is set to its default value 2 Use the ldapmodify command to import the LDIF file into the directory 3 Restart the server For information on restarting the server refer to Starting and Stopping the Directory Server on page 37 PTA Plug in Syntax Examples This section contains the following examples of PTA Plug in syntax in the ds...

Page 524: ...Type preoperation nsslapd pluginEnabled on nsslapd pluginarg0 ldap configdir example com o NetscapeRoot nsslapd plugin depends on type database nsslapd pluginId passthruauth nsslapd pluginVersion 7 1 nsslapd pluginVendor Red Hat Inc nsslapd pluginDescription pass through authentication plugin Specifying Multiple Authenticating Directory Servers If the connection between the PTA directory server an...

Page 525: ...ectClass top objectClass nsSlapdPlugin objectClass extensibleObject cn Pass Through Authentication nsslapd pluginPath opt redhat ds servers lib passthru plugin so nsslapd pluginInitfunc passthruauth_init nsslapd pluginType preoperation nsslapd pluginEnabled on nsslapd pluginarg0 ldap configdir example com o NetscapeRoot nsslapd pluginarg1 ldap configdir example com dc example dc com nsslapd plugin...

Page 526: ...ifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers If you want to specify a different pass through subtree and optional parameter values for each authenticating directory server you must specify more than one LDAP URL optional parameters pair Separate the LDAP URL optional parameter pairs with a single space as follows dn cn Pass Through Authentication...

Page 527: ... Examples Chapter 16 Using the Pass through Authentication Plug in 527 nsslapd pluginId passthruauth nsslapd pluginVersion 7 1 nsslapd pluginVendor Red Hat Inc nsslapd pluginDescription pass through authentication plugin ...

Page 528: ...PTA Plug in Syntax Examples 528 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 529: ...he following sections Overview of the Attribute Uniqueness Plug in page 529 Overview of the UID Uniqueness Plug in page 531 Attribute Uniqueness Plug in Syntax page 531 Creating an Instance of the Attribute Uniqueness Plug in page 534 Configuring Attribute Uniqueness Plug ins page 535 Attribute Uniqueness Plug in Syntax Examples page 539 Replication and the Attribute Uniqueness Plug in page 541 Ov...

Page 530: ...This configuration option is explained in more detail in Specifying a Suffix or Subtree on page 537 You can specify an object class pertaining to an entry in the DN of the updated entry and perform the uniqueness check on all the entries beneath it This option is useful in hosted environments For example when you add an entry such as uid jdoe ou people o example_a dc example dc com you can enforce...

Page 531: ...ss plug in is disabled because it affects the operation of multi master replication For information on using the attribute uniqueness plug in in a replicated environment refer to Replication and the Attribute Uniqueness Plug in on page 541 Attribute Uniqueness Plug in Syntax Configuration information for the Attribute Uniqueness Plug in is specified in an entry under cn plugins cn config entry The...

Page 532: ...lapd pluginInitfunc NSUniqueAttr_Init nsslapd pluginType preoperation nsslapd pluginEnabled state nsslapd pluginarg0 attribute attribute_name nsslapd pluginarg1 markerObjectClass objectclass1 nsslapd pluginarg2 requiredObjectClass objectclass2 nsslapd plugin depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 7 1 nsslapd pluginVendor Red Hat Inc nsslapd pluginDescription E...

Page 533: ...ess but it is advisable For example cn mail uniqueness cn plugins cn config extension File extension for the plug in The extension is always sl on HP UX PA RISC and so on all other UNIX platforms state Defines whether the plug in is enabled or disabled Acceptable values are on or off See Turning the Plug in On or Off on page 537 for more information attribute_name The name of the attribute for whi...

Page 534: ... Attribute Uniqueness Plug in for the mail attribute you would perform the following steps 1 In the dse ldif file locate the entry for the UID Uniqueness Plug in cn uid uniqueness cn plugins cn config 2 Add the following lines for the mail uniqueness plug in entry before or after the UID Uniqueness Plug in entry dn cn mail uniqueness cn plugins cn config objectClass top objectClass nsSlapdPlugin o...

Page 535: ...tory and how to modify the configuration of the Attribute Uniqueness Plug ins Viewing Plug in Configuration Information From the Directory Server Console you can display the configuration entry for Attribute Uniqueness Plug ins as follows 1 In the Directory Server Console click the Directory tab 2 In the left navigation tree expand the config folder then the plugins folder The list of plug ins is ...

Page 536: ...that you want to modify The configuration parameters for the plug in are displayed in the right pane 2 To turn the plug in on or off check or clear the Enable Plugin checkbox 3 To add a suffix or subtree click Add and type a DN in the blank text field If you do not want to add a DN you can use the markerObjectClass keyword If you use this syntax you can click Add again to specify a requiredObjectC...

Page 537: ...etailed information on the ldapmodify command refer to Red Hat Directory Server Configuration Command and File Reference To disable the plug in change the LDIF update statements to replace the nsslapd pluginenabled on statement with the nsslapd pluginenabled off statement Whenever you enable or disable the plug in you must restart the server For information on restarting the server refer to Starti...

Page 538: ...e DN of the updated entry that has the object class specified in the markerObjectClass keyword To specify to perform the uniqueness check under the entry in the DN of the updated entry that contains the organizational unit ou object class you can create an LDIF file such as the one shown in the following example dn cn mail uniqueness cn plugins cn config objectClass top objectClass nsSlapdPlugin o...

Page 539: ...it nsslapd pluginType preoperation nsslapd pluginEnabled on nsslapd pluginarg0 attribute mail nsslapd pluginarg1 markerObjectClass ou nsslapd pluginarg2 requiredObjectClass person nsslapd plugin depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 7 1 nsslapd pluginVendor Red Hat Inc nsslapd pluginDescription Enforce unique attribute values You cannot repeat the markerObjec...

Page 540: ...in depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 7 1 nsslapd pluginVendor Red Hat Inc nsslapd pluginDescription Enforce unique attribute values Specifying One Attribute and Multiple Subtrees This example configures the plug in to ensure the uniqueness of the mail attribute under the l Chicago dc example dc com and l Boston dc example dc com subtrees dn cn mail unique...

Page 541: ...eplication and the Attribute Uniqueness Plug in When you use the Attribute Uniqueness Plug ins on Directory Servers involved in a replication agreement you must think carefully about how to configure the plug in on each server Consider the following cases Simple replication with one supplier and one or several consumers Complex replication with multiple masters Attribute Uniqueness Plug ins do not...

Page 542: ...rvers is not sufficient to ensure that attribute values will be unique across both masters at any given time Therefore enabling an Attribute Uniqueness Plug in on one server can cause inconsistencies in the data held on each replica However you can use an Attribute Uniqueness Plug in providing both of the following conditions are met The attribute on which you are performing the uniqueness check i...

Page 543: ...lowing sections About Windows Sync page 543 Installing Sync Services page 549 Configuring Windows Sync page 557 Using Windows Sync page 561 Active Directory Schema Compatibility page 567 NT4 Specific Limitations page 568 Troubleshooting page 569 About Windows Sync The complete Windows Sync feature is implemented in three parts Directory Server Windows Sync code The server itself contains code that...

Page 544: ... This is a special LDAP server application that must be installed on the primary domain controller for NT4 sync It is only used for NT4 and is not needed for Active Directory deployments The purpose of the NT4 LDAP Service is to provide a similar view of users and groups as is available via LDAP from Active Directory This allows almost all of the Directory Server Windows Sync code to be the same f...

Page 545: ...About Windows Sync Chapter 18 Windows Sync 545 Figure 18 1 Active Directory Directory Server Synchronization Process ...

Page 546: ...ctory Server Administrator s Guide May 2005 Figure 18 2 Windows NT4 Server Directory Server Synchronization Process Windows Sync is compatible with Directory Server s multi master replication facilities Figure 18 3 shows this arrangement ...

Page 547: ...y Server connects to its peer Windows server via LDAP and SSL to both send and retrieve updates The unit of synchronization is a subtree A single Windows subtree can be synchronized to a single Directory Server subtree and vice versa The Windows and Directory Server subtree DNs are specified in the sync agreement All entries within the respective subtrees are candidates for synchronization includi...

Page 548: ...y Server before it may run Windows Sync During normal operation all the updates made to entries in the Directory Server that need to be sent to the Windows server are generated via the changelog However when the server is initially configured or after major changes to its content it is necessary to initiate a resynchronization process For resynchronization the entire contents of synchronized subtr...

Page 549: ...ices that can be installed on your Windows machine to synchronize more aspects of your Directory Server with a Windows server Password Sync must be installed on the Windows server It synchronizes password changes made on the Windows server with the corresponding entries passwords on the Directory Server The NT4 LDAP Service is installed only on Windows NT4 Server to allow synchronization operation...

Page 550: ...such as cn sync manager cn config the certificate token password and the search base e g ou People dc example dc com NOTE For Windows NT4 servers the Password Sync must be installed on a primary domain controller PDC Synchronization will not function properly on a non PDC machine NOTE On Windows 2000 password complexity policies must be enabled in order for the password hook DLL to be triggered By...

Page 551: ... Synchronization and the passsync exe is the only file in the installation directory The following dlls are installed in C winnt system32 and utilized by Password Sync NOTE You must reboot the Windows machine Without rebooting the password hook DLL will not be enabled and password synchronization will not function passhook dll nsldap32v50 dll nsldapssl32v50 dll libplc4 dll nsldappr32v50 dll nss3 d...

Page 552: ...tory Server Password Sync service in the list of programs 3 Click the Change button This opens the configuration screens Setting Up SSL for the Password Sync Service Next set up certificates that Password Sync Service will use SSL to access the Directory Server 1 Download certutil exe if you do not already have it installed on your machine It is available from ftp ftp mozilla org pub mozilla org s...

Page 553: ...ndows Sync must be configured to a PDC and all sync services must be installed on a PDC Synchronization will not function properly on a non PDC machine 1 Double click the ntds msi file to install This is downloaded into C Program Files Red Hat Directory Synchronization 2 Open C Program Files Red Hat Directory Synchronization bin and double click on installuseresync bat This will set up the LDAP Se...

Page 554: ...s are in bold server net admin password sets the password of the account uid admin ou system This is the bind ID used by the Directory Server to send updates to the NT4 Server server db partition suffix usersync sets the suffix for the NT4 Server since NT4 Server does not use the same directory tree structure used by Directory Server This can be set to the same suffix as the Directory Server to wh...

Page 555: ...min password password33 javax net ssl keyStore c keystore javax net ssl keyStorePassword password server net ldaps enable true server db partition suffix usersync dc example dc com do not modify beyond this point server schemas org apache ldap server schema bootstrap CoreSchema org apache ldap server schema bootstrap CosineSchema org apache ldap server schema bootstrap ApacheSchema org apache ldap...

Page 556: ...me as keystore password Use the same password for the certificate and keystore The first and last name field should be the fully qualified domain name of the machine running the NT4 LDAP Service If a different value is entered as a security precaution you must disable the check hostname against name in certificate option in your Directory Server SSL configuration b Export the CA certificate you cr...

Page 557: ...ey3 db databases that were created were not removed when you uninstall Password Sync Delete these files by hand To uninstall the NT4 LDAP Service 1 Open C Program Files Red Hat Directory Synchronization bin and double click on uninstalluseresync bat 2 Open the Add Remove Programs utility 3 Select click remove to uninstall the User Sync Service Configuring Windows Sync Step 1 Configure SSL on the D...

Page 558: ...tion See Installing and Configuring the NT4 LDAP Service on page 553 for more information Step 5 Select or Create the Sync Identity The Windows user specified in the sync agreement which the Directory Server will use to bind for sync operations should be a member of the Domain Admins group or have equivalent privileges A member of this group has full privileges within the domain but will not neces...

Page 559: ...zation Agreement You can also highlight the suffix and select Menu Object New Synchronization Agreement This will start the Synchronization Agreement Wizard 3 In the two fields supply a name and description of your synchronization agreement Hit Next 4 The second screen reads Windows Sync Server Info By default your Directory Server hostname and port are visible at the top under Supplier At the ver...

Page 560: ...ntroller 6 Select the checkbox es for the Windows entries you are going to synchronize Sync New Windows Users When enabled all user entries found in Windows that are subject to the agreement will automatically be created in the Directory Server Sync New Windows Groups When enabled all group entries found in Windows that are subject to the agreement will automatically be created in the Directory Se...

Page 561: ...finished an icon representing the synchronization agreement is displayed under the suffix This icon indicates that your synchronization agreement is set up Step 6 Begin Synchronization After the sync agreement is created you need to begin the synchronization process Select the sync agreement right click or open the Object menu and select Initiate re synchronization This will begin the synchronizat...

Page 562: ... sync code and should not be modified manually The ntDomainUser attribute holds the value of the samAccountName attribute from the corresponding Windows entry In the case of NT4 it matches the user name ntUserCreateNewAccount and ntUserDeleteAccount attributes control the life cycle of the corresponding Windows entry Only if ntUserCreateNewAccount has the value true will a new entry be created in ...

Page 563: ...erParameters usri_parms ntUserWorkstations userWorkstations usri_workstations Table 18 2 User Entry Schema That Is the Same in Directory Server and Windows Servers description postOfficeBox destinationIndicator postalAddress facsimileTelephoneNumber postalCode givenName registeredAddress homePhone sn homePostalAddress st initials street l telephoneNumber mail teletexTerminalIdentifier mobile telex...

Page 564: ...ndows attributes automatically You can add additional ntUser attributes either by using the Advanced button in the Console or by using ldapmodify see Modifying Entries Using ldapmodify on page 60 Groups Similar to user entires group entries are synchronized if they have the ntGroup and mailgroup object classes There are also two attributes that control creation and deletion of group entries in the...

Page 565: ...rs and Table 18 4 shows the attributes that are the same between the Directory Server and Windows servers Manually Initiating Synchronization While synchronization always occurs based on the schedule set in the synchronization agreement you can manually update the synchronized subtree A manual update synchronizes entries which have been changed since the last synchronization process To perform an ...

Page 566: ... agreement and able to be synchronized There are some cases where an entry can be initially not subject to the agreement for example if it lacks the ntUser object class but subsequently becomes subject to the agreement if the ntUser object class is later added In cases like these the Directory Server is not able to identify the entry s change in status with normal update processing and it fails to...

Page 567: ... X 500 object classes as Directory Server there are a few subtle incompatibilities of which administrators should be aware Both Active Directory and Directory Server can enforce password policy that can enforce certain requirements upon passwords minimum length maximum age and so forth Windows Sync does not synchronize the policies nor does it ensure that the policies are consistent This is someth...

Page 568: ...missing attributes therefore cannot be synchronized There is no support for the incremental Dirsync found in Active Directory What this means is that every time the Directory Server performs a synchronization pass it will pull the complete set of all entries from NT4 This has implications for the consistency of data because if a modification is made to an entry on the Directory Server side and the...

Page 569: ... keystore the keystore filename the path is not escaped correctly or you have configured wrong keystore password in the usersync conf file Error 2 NTDS org apache ldap common exception LdapConfigurationException Failed to bind the LDAP protocol service to the service registry SOCKET ldap 0 0 0 0 0 0 0 0 389 Root exception is java net BindException Address already in use bind The port you are attem...

Page 570: ...the Directory Server If this connection attempt fails check all values port number hostname search base and so forth to see if any of these are the problem If all else fails reconfigure the Directory Server with a new certificate If the LDAPS connection is successful it is likely that the misconfiguration is on the Windows server Check that you have properly configured the NT4 LDAP Service and Pas...

Page 571: ...571 Part 3 Appendixes Appendix A LDAP Data Interchange Format Appendix B Finding Directory Entries Appendix C LDAP URLs Appendix D Internationalization ...

Page 572: ...572 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 573: ...ta is stored using the UTF 8 encoding of Unicode Therefore the LDIF files you create must also be UTF 8 encoded This chapter provides information about LDIF in the following sections LDIF File Format page 573 Specifying Directory Entries Using LDIF page 577 Defining Directories Using LDIF page 581 Storing Information in Multiple Languages page 584 For information on using LDIF to modify directory ...

Page 574: ...e A 1 LDIF Fields Field Definition id Optional A positive decimal number representing the entry ID The database creation tools generate this ID for you Never add or edit this value yourself dn distinguished_name Specifies the distinguished name for the entry For a complete description of distinguished names refer to the Red Hat Directory Server Deployment Guide objectClass object_class Specifies a...

Page 575: ...IF lines However doing so may improve the readability of your LDIF file Representing Binary Data You can represent binary data such as a JPEG image in LDIF using one of the following methods The standard LDIF notation the lesser than symbol For example jpegphoto file path to photo subtype Optional Specifies subtype language binary or pronunciation Use this tag to identify the language in which the...

Page 576: ...ncluding new lines Use the ldif command line utility with the b parameter to convert binary data to LDIF format ldif b attribute_name where attribute_name is the name of the attribute to which you are supplying the binary data The binary data is read from standard input and the results are written to standard output Thus you should use redirection operators to select input and output files The ldi...

Page 577: ...t commonly used attributes see the Red Hat Directory Server Schema Reference Specifying Organization Entries Directories often have at least one organization entry Typically this is the first or topmost entry in your directory The organization entry often corresponds to the suffix set for your directory For example if your directory is defined to use a suffix of dc example dc com then you will pro...

Page 578: ...he organization object class This line defines the entry as an organization See the Red Hat Directory Server Schema Reference for a list of the attributes you can use with this object class o organization_name Attribute that specifies the organization s name If the organization name includes a comma you must escape the comma by a single backslash and the entire organization argument must be enclos...

Page 579: ...ar as follows dn distinguished_name objectClass top objectClass organizationalUnit ou organizational_unit_name list_of_optional_attributes The following is a sample organizational unit entry in LDIF format dn ou people dc example dc com objectclass top objectclass organizationalUnit ou people description Fictional organizational unit for example purposes Table A 3 defines each element of the LDIF ...

Page 580: ...ople dc example dc com objectclass top objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn Babs Jensen sn Jensen givenname Babs uid bjensen ou Marketing ou people description Fictional person for example purposes telephonenumber 555 5557 userpassword sha dkfljlk34r2kljdsfk9 Table A 4 defines each aspect of the LDIF person entry ou organizational_unit_name Attribute tha...

Page 581: ...ass This object class specification should be included because some LDAP clients require it during search operations for an organizational person objectClass inetOrgPerson Specifies the inetOrgPerson object class The inetOrgPerson object class is recommended for the creation of an organizational person entry because this object class includes the widest range of attributes The uid attribute is req...

Page 582: ...nce 3 Make sure that an entry representing a branch point in the LDIF file is placed before the entries that you want to create under that branch For example if you want to place an entry in a people and a group subtree create the branch point for those subtrees before creating entries within those subtrees 4 Create the directory from the LDIF file using one of the following methods Directory Serv...

Page 583: ...tion Fictional organizational unit for example purposes tel 555 5559 dn cn June Rossi ou People o example com Corp dc example dc com objectClass top objectClass person objectClass organizationalPerson objectClass inetOrgPerson cn June Rossi sn Rossi givenName June mail rossi example com userPassword sha KDIE3AL9DK ou Accounting ou people telephoneNumber 2616 roomNumber 220 dn cn Marc Chambers ou P...

Page 584: ...ctory contains a single language you do not need to do anything special to add a new entry to the directory However if your organization is multinational you may find it necessary to store information in multiple languages so that users in different locales can view directory information in their own language When information in your directory is represented in multiple languages the server associ...

Page 585: ... people dc example dc com objectclass top objectclass person objectclass organizationalPerson name Babs Jensen cn Babs Jensen sn Jensen uid bjensen streetAddress 1 University Street streetAddress lang en 1 University Street streetAddress lang fr 1 rue de l Université preferredLanguage fr Users accessing this directory entry with an LDAP client with the preferred language set to English will see th...

Page 586: ...Storing Information in Multiple Languages 586 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 587: ...ng an Internationalized Directory page 599 Finding Entries Using the Server Console Use the Directory tab of the Directory Server Console to browse the contents of the directory tree and search for specific entries in the directory 1 Make sure the Directory Server is running 2 Start Directory Server Console See Starting Directory Server Console on page 34 for specific instructions NOTE You cannot ...

Page 588: ... entries based on a specified search filter Search scopes can include a single entry an entry s immediate subentries or an entire tree or subtree Search results are returned in LDIF format This section contains information about the following topics Using Special Characters ldapsearch Command Line Format Commonly Used ldapsearch Options ldapsearch Examples Using Special Characters When using the l...

Page 589: ...ttributes separated by a space Specifying a list of attributes reduces the number of attributes returned in the search results This list of attributes must appear after the search filter For an example see Displaying Subsets of Attributes on page 593 If you do not specify a list of attributes the search returns values for all attributes permitted by the access control set in the directory with the...

Page 590: ...s optional if anonymous access is supported by your server If specified this value must be a DN recognized by the Directory Server and it must also have the authority to search for the entries For example D uid bjensen dc example dc com h Specifies the hostname or IP address of the machine on which the Directory Server is installed If you do not specify a host ldapsearch uses the localhost For exa...

Page 591: ...he password associated with the distinguished name that is specified in the D option If you do not specify this option anonymous access is used For example w diner892 x Specifies that the search results are sorted on the server rather than on the client This is useful if you want to sort according to a matching rule as with an international search In general it is faster to sort on the server rath...

Page 592: ...r The suffix under which all data is stored is dc example dc com Returning All Entries Given the previous information the following call will return all entries in the directory ldapsearch h mozilla b dc example dc com s sub objectclass objectclass is a search filter that matches any entry in the directory Specifying Search Filters on the Command Line You can specify a search filter directly on th...

Page 593: ...n your directory use the following command line call ldapsearch h mozilla cn babs jensen In this example the default scope of sub is used because the s option was not used to specify the scope Displaying Subsets of Attributes The ldapsearch command returns all search results in LDIF format By default ldapsearch returns the entry s distinguished name and all of the attributes that you are allowed t...

Page 594: ... the entries that match either search filter ldapsearch h mozilla f searchdb You can limit the set of attributes returned here by specifying the attribute names that you want at the end of the search line For example the following ldapsearch command performs both searches but returns only the DN and the givenname and sn attributes of each entry ldapsearch h mozilla f searchdb sn givenname Specifyi...

Page 595: ...mon name values are not case sensitive When the common name attribute has values associated with a language tag all of the values are returned Thus the following two attribute values both match this filter cn babs jensen cn lang fr babs jensen For a list of all the supported language tags see Table D 1 on page 615 Search Filter Syntax The basic syntax of a search filter is attribute operator value...

Page 596: ...ry Server Schema Reference Using Operators in Search Filters The operators that you can use in search filters are listed in Table B 1 In addition to these search filters you can specify special filters to work with a preferred language collation order For information on how to search a directory with international charactersets see Searching an Internationalized Directory on page 599 Table B 1 Sea...

Page 597: ...llowing Less than or equal to Returns entries containing attributes that are less than or equal to the specified value For example buildingname alpha Presence Returns entries containing one or more values for the specified attribute For example cn telephonenumber manager Approximate Returns entries containing the specified attribute with a value that is approximately equal to the value specified i...

Page 598: ...s all entries that contain a description attribute that contains the substring X 500 description X 500 The following filter returns all entries whose organizational unit is Marketing and whose description field does not contain the substring X 500 ou Marketing description X 500 The following filter returns all entries whose organizational unit is Marketing and that have Julie Fulmer or Cindy Zwask...

Page 599: ...P Search Filters on page 595 For information on searching internationalized directories using the Users and Groups portion of the Red Hat Console refer to the online help or Managing Servers with Red Hat Console This section covers the following topics Matching Rule Filter Syntax Supported Search Types International Search Examples Matching Rule Filter Syntax A matching rule provides special guide...

Page 600: ...ays The one you use is a matter of personal preference The matching rule can be represented in the following ways As the OID of the collation order for the locale on which you want to base your search As the language tag associated with the collation order on which you want to base your search As the OID of the collation order and a suffix that represents a relational operator As the language tag ...

Page 601: ...ttr language tag relational_operator value The relational operator is included in the value portion of the string separated from the value by a single space For example to search the directory for all description attributes with a value of estudiante using the Spanish collation order use the following filter cn es estudiante Using an OID and Suffix for the Matching Rule As an alternative to using ...

Page 602: ...ards in Matching Rule Filters When performing a substring search using a matching rule filter you can use the asterisk character as a wildcard to represent zero or more characters For example to search for an attribute value that starts with the letter l and ends with the letter n you would enter a l n in the value portion of the search filter Similarly to search for all attribute values beginning...

Page 603: ...how examples of how to perform international searches on directory data Each example gives all the possible matching rule filter formats so that you can become familiar with the formats and select the one that works best for you Less Than Example When you perform a locale specific search using the less than operator or suffix 1 you search for all attribute values that come before the given attribu...

Page 604: ...values that match the given attribute in a specific collation order For example to search for all businessCategory attributes with the value softwareprodukte in the German collation order you could use any of the following matching rule filters businessCategory 2 16 840 1 113730 3 3 2 7 1 softwareprodukte businessCategory de softwareprodukte businessCategory 2 16 840 1 113730 3 3 2 7 1 3 softwarep...

Page 605: ... match the given pattern in the specified collation order For example to search for all user IDs that end in ming in the Chinese collation order you could use any of the following matching rule filters uid 2 16 840 1 113730 3 3 2 49 1 ming uid zh ming uid 2 16 840 1 113730 3 3 2 49 1 6 ming uid zh 6 ming Substring search filters that use DN valued attributes such as modifiersName or memberOf do no...

Page 606: ...Searching an Internationalized Directory 606 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 607: ...xamples of LDAP URLs page 609 Components of an LDAP URL LDAP URLs have the following syntax ldap s hostname port base_dn attributes scope filter The ldap protocol is used to connect to LDAP servers over unsecured connections and the ldaps protocol is used to connect to LDAP servers over SSL connections Table C 1 lists the components of an LDAP URL Table C 1 LDAP URL Components Component Descriptio...

Page 608: ...e DN is specified the search starts at the root of the directory tree attributes The attributes to be returned To specify more than one attribute use commas to separate the attributes for example cn mail telephoneNumber If no attributes are specified in the URL all attributes are returned scope The scope of the search which can be one of these values base retrieves information only about the disti...

Page 609: ...e URL Thus the distinguished name o example com corporation must be encoded as o example com 20corporation The following table lists the characters that are considered unsafe within URLs and provides the associated escape characters to use in place of the unsafe character Examples of LDAP URLs Example 1 The following LDAP URL specifies a base search for the entry with the distinguished name dc exa...

Page 610: ...y dc example dc com Because no filter is specified the directory uses the default filter objectclass Example 3 The following LDAP URL retrieves the cn mail and telephoneNumber attributes of the entry for Barbara Jensen ldap ldap example com cn Barbara 20Jensen dc example dc com c n mail telephoneNumber Because no search scope is specified the search is restricted to the base entry cn Barbara Jense...

Page 611: ...ries one level under the base entry dc example dc com The search scope does not include the base entry Because no filter is specified the directory uses the default filter objectclass NOTE The syntax for LDAP URLs does not include any means for specifying credentials or passwords Search requests initiated through LDAP URLs are unauthenticated unless the LDAP client that supports LDAP URLs provides...

Page 612: ...Examples of LDAP URLs 612 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 613: ...er Directory Server allows you to specify matching rules and collation orders based on language preferences in search operations This appendix contains the following sections About Locales page 613 Identifying Supported Locales page 614 Supported Language Subtypes page 616 Troubleshooting Matching Rules page 618 About Locales Directory Server provides support for multiple languages through the use...

Page 614: ... to lower case letters For example in some languages the pipe character is considered punctuation while in others it is considered alphabetic Monetary format The monetary format specifies the monetary symbol used by a specific region whether the symbol goes before or after its value and how monetary units are represented Time date format The time and date format indicates the customary formatting ...

Page 615: ...erforming an international search in the directory use either the language tag or the OID to identify the collation order you want to use However when setting up an international index you must use the OIDs For more information on indexing see chapter 10 Managing Indexes Table D 1 lists each locale supported by Directory Server and identifies the associated language tags and OIDs Table D 1 Support...

Page 616: ... 2 28 1 Korean ko 2 16 840 1 113730 3 3 2 29 1 Latvian Lettish lv 2 16 840 1 113730 3 3 2 31 1 Lithuanian lt 2 16 840 1 113730 3 3 2 30 1 Macedonian mk 2 16 840 1 113730 3 3 2 32 1 Norwegian no 2 16 840 1 113730 3 3 2 35 1 Polish pl 2 16 840 1 113730 3 3 2 38 1 Romanian ro 2 16 840 1 113730 3 3 2 39 1 Russian ru 2 16 840 1 113730 3 3 2 40 1 Serbian Cyrillic sr 2 16 840 1 113730 3 3 2 45 1 Serbian ...

Page 617: ...f Afrikaans be Byelorussian bg Bulgarian ca Catalan cs Czechoslovakian da Danish de German el Greek en English es Spanish eu Basque fi Finnish fo Faroese fr French ga Irish gl Galician hr Croatian hu Hungarian id Indonesian is Icelandic it Italian ja Japanese ko Korean nl Dutch no Norwegian pl Polish pt Portuguese ro Romanian ...

Page 618: ...e dc com sn 2 16 840 1 113730 3 3 2 7 1 passin ldapsearch p 9001 D uid gfarmer ou people dc example dc com w ruling b dc example dc com sn de passin However the rules listed below will work note the 3 in bold ldapsearch p 9001 D uid gfarmer ou people dc example dc com w ruling b dc example dc com sn 2 16 840 1 113730 3 3 2 7 1 3 passin ldapsearch p 9001 D uid gfarmer ou people dc example dc com w ...

Page 619: ...tion Disables a user account group of accounts or an entire domain so that all authentication attempts are automatically rejected All IDs Threshold A size limit which is globally applied to every index key managed by the server When the size of an individual ID list reaches this limit the server replaces that ID list with an All IDs token All IDs token A mechanism which causes the server to assume...

Page 620: ...ectory administrator 2 Allows a client to make sure they are connected to a secure server preventing another computer from impersonating the server or attempting to appear secure when it is not authentication certificate Digital file that is not transferable and not forgeable and is issued by a third party Authentication certificates are sent from server to client or client to server in order to v...

Page 621: ... Common Gateway Interface An interface for external programs to communicate with the HTTP server Programs written to use CGI are called CGI programs or CGI scripts and can be written in many of the common programming languages CGI programs handle forms or perform output parsing that is not done by the server itself chaining A method for relaying requests to another server Results for the request a...

Page 622: ... replica that is copied from a different server is called a consumer for that replica CoS A method for sharing attributes between entries in a way that is invisible to applications CoS definition entry Identifies the type of CoS you are using It is stored as an LDAP subentry below the branch it affects CoS template entry Contains a list of the shared attribute values Also template entry daemon A b...

Page 623: ...s name and location in an LDAP directory DIT See directory tree DN see distinguished name DM See Directory Manager DNS Domain Name System The system used by machines on a network to associate standard IP addresses such as 198 93 93 10 with hostnames such as www example com Machines normally get the IP address for a hostname from a DNS server or they look it up in tables maintained on their systems...

Page 624: ...ribute contained by each entry You do this by specifying an LDAP filter Entries that match the filter are said to possess the role gateway See Directory Server Gateway general access When granted indicates that all authenticated users can access directory information GSS API Generic Security Services The generic access protocol that is the native way for UNIX based systems to access and authentica...

Page 625: ...location of a machine on the Internet for example 198 93 93 10 ISO International Standards Organization knowledge reference Pointers to directory information stored in different databases LDAP Lightweight Directory Access Protocol Directory service protocol designed to run over TCP IP and across multiple platforms LDAPv3 Version 3 of the LDAP protocol upon which Directory Server bases its schema f...

Page 626: ...ster agent matching rule Provides guidelines for how the server compares strings during a search operation In an international search the matching rule tells the server what collation order and operator to use MD5 A message digest algorithm by RSA Data Security Inc which can be used to produce a short digest of data that is unique with high probability and is mathematically extremely hard to produ...

Page 627: ...r messages were received etc network management station See NMS NIS Network Information Service A system of programs and data files that Unix machines use to collect collate and share specific information about machines users filesystems and network parameters throughout a network of computers NMS Also Network Management Station Powerful workstation with one or more network management applications...

Page 628: ...ssages which form the basis of data exchanges between SNMP devices pointer CoS A pointer CoS identifies the template entry using the template DN only presence index Allows searches for entries that contain a specific indexed attribute protocol A set of rules that describes how devices on a network exchange information protocol data unit See PDU proxy authentication A special form of authentication...

Page 629: ...ead write replica This forwarding process is called a referral replica A database that participates in replication read only replica A replica that refers all update operations to read write replicas A server can hold any number of read only replicas read write replica A replica that contains a master copy of directory information and can be updated A server can hold any number of read write repli...

Page 630: ...ing is on by default and users will receive an error if they try to save an entry that does not conform to the schema Secure Sockets Layer See SSL self access When granted indicates that users have access to their own entries if the bind DN matches the targeted entry Server Console Java based application that allows you to perform administrative management of your Directory Server from a GUI serve...

Page 631: ...hat gathers information about the managed device and passes the information to the master agent Also subagent SSL Also Secure Sockets Layer A software library establishing a secure connection between two parties client and server used to implement HTTPS the secure version of HTTP standard index index maintained by default sub suffix A branch underneath a root suffix subagent See SNMP subagent subs...

Page 632: ...ernet and for enterprise company networks template entry See CoS template entry time date format Indicates the customary formatting for times and dates in a specific region TLS Also Transport Layer Security The new standard for secure socket layers a public key based protocol topology The way a directory tree is divided among physical servers and how these servers link with one another Transport L...

Page 633: ...Glossary 633 X 500 standard The set of ISO ITU T documents outlining the recommended information model object classes and attributes used by directory server implementation ...

Page 634: ...634 Red Hat Directory Server Administrator s Guide May 2005 ...

Page 635: ...s 209 targeting using filters 212 using the Access Control Editor 237 value matching 226 viewing Access Control Editor 240 get effective rights 264 Access Control Editor displaying 238 access control instruction ACI See ACI access log configuring 450 manually rotating 455 turning off 450 turning on 450 viewing 450 account inactivation 296 from command line 297 from console 296 account lockout 292 ...

Page 636: ...ing access 215 anonymous access 235 example 225 244 overview 222 anyone keyword 222 approximate index 388 query string codes 394 approximate search 597 attribute ACI 202 203 adding 67 68 adding multiple values 52 adding to entry 51 creating 381 defining 377 deleting 67 379 deleting from object class 382 383 deleting using LDIF update statements 70 multi valued 378 379 nsslapd schemacheck 384 OID 3...

Page 637: ...ing overview 226 ACI syntax 207 all keyword 222 anonymous access 222 example 225 244 LDIF example 224 anyone keyword 222 authmethod keyword 235 Boolean 236 dayofweek keyword 234 dns keyword 233 general access 222 example 224 group access 225 group access example 251 groupdn keyword 225 ip keyword 232 LDAP URLs 222 LDIF keywords 220 overview 219 parent keyword 222 role access 226 roledn keyword 226...

Page 638: ...nt interval 484 ciphers 434 DES 434 FIPS DES 434 FIPS Triple DES 434 list of 434 none MD5 435 overview 433 RC2 434 RC4 434 selecting 433 class of service CoS 182 access control 199 classic example 185 overview 185 cosPriority attribute 194 creating 186 definition entry 191 editing 190 indirect example 184 overview 184 pointer example 184 overview 184 qualifiers 192 template entry creating 188 194 ...

Page 639: ...292 country code 615 creating a database from the command line 93 from the console 92 creating the directory 581 custom distribution function adding to suffix 94 custom distribution logic adding databases 94 adding to suffix 94 D dash in change operation 63 data consistency using referential integrity 72 database and associated suffix 79 backing up db2bak 161 backup 159 backup files 161 backup fro...

Page 640: ...eferrals setting 143 setting from console 143 settings from command line 144 defining access control policy 237 attributes 377 object classes 381 definition entry See CoS definition entry delete right 216 deleting ACI 242 attribute values 71 attributes 67 70 attributes from an object class 382 383 database link 121 entries 71 multiple attributes 67 object classes 383 deleting directory entries 61 ...

Page 641: ...ding using LDIF update statements 64 adding very large attributes 52 cache hit ratio 463 creating 47 59 using LDIF 577 deleting 55 61 using ldapdelete 61 deleting using LDIF update statements 71 distribution 91 finding 588 managing 45 managing from command line 55 managing from console 45 modifying 49 58 60 using ldapmodify 58 using LDIF update statements 67 moving 67 order of creation 57 order of...

Page 642: ...yword 225 LDIF examples 225 groupdnattr keyword 227 groups access control 221 access control example 251 access to directory 225 dynamic 169 creating 169 modifying 170 overview 167 static 168 creating 168 modifying 169 GSS API 440 H hub supplier 303 310 configuration 317 I id field LDIF 574 id2children db2 file 392 id2entry db2 file 391 importing data 149 encrypted database 102 from console 150 ld...

Page 643: ...f LDIF files 584 search filters and 599 supported locales 614 time format 614 ip keyword 232 J jpeg images 575 K Kerberos 440 443 realms 444 L language code in LDIF entries 584 list of supported 615 language subtype 53 language support language tag 615 searching and 599 specifying using locales 614 language tags described 615 in international searches 601 in LDIF update statements 72 LDAP clients ...

Page 644: ...nit 579 update statements 63 using to create directory 581 LDIF entries binary data in 575 commas in 577 579 581 creating 577 organizational person 580 organizational units 579 organizations 577 internationalization and 584 LDIF files continued lines 575 creating directory using 581 creating multiple entries 57 example 583 importing from Server Console 58 internationalization and 584 LDIF format 5...

Page 645: ...473 redhat directory mib 473 entries table 475 interaction table 476 operations table 474 modifying attribute values 69 entries 67 international entries 72 monetary format 614 monitoring database from command line 465 database from server console 462 directory server 447 from console 455 log files 447 replication status 360 threads 458 with SNMP 469 monitoring from console 455 moving 97 moving ent...

Page 646: ...tion specifying entries for 577 organizational person specifying entries for 580 organizational unit specifying entries for 579 override CoS qualifier 192 P parent access 222 parent keyword 222 parent object 381 pass through authentication PTA See PTA plug in password change extended operation 290 password file SSL certificate 433 password policy account lockout 292 attributes 283 configuring 280 ...

Page 647: ...tal address string syntax plug in 504 PTA plug in 505 reference 489 referential integrity plug in 505 retro changelog plug in 506 roles plug in 507 SHA password storage plug in 503 space insensitive string syntax plug in 508 SSHA password storage plug in 503 state change plug in 509 telephone syntax plug in 509 uid uniqueness plug in 510 URI plug in 511 pointer CoS example 184 overview 184 port nu...

Page 648: ...grity 73 75 and SSL 354 cascading 337 changelog 303 compatibility with earlier versions 305 355 configuration tips 312 configuring a hub supplier 317 configuring a read only replica 316 configuring a read write replica 315 configuring legacy replication 356 configuring SSL 355 configuring supplier settings 315 consumer server 303 consumer initiated 303 creating the supplier bind DN 313 forcing syn...

Page 649: ...g from console 82 S SASL authentication 235 439 identity mapping 441 mechanisms DIGEST MD5 440 GSS API 440 password change extended operation 290 schema checking 383 creating new attributes 377 creating new object classes 381 deleting attributes 379 deleting object classes 383 editing object classes 382 extending 375 nsslapd schemacheck attribute 384 standard 375 viewing attributes 376 viewing obj...

Page 650: ...Layer See SSL single master replication introduction 306 setting up 320 smart referrals creating 144 creating from command line 146 creating from console 145 SNMP configuring Directory Server 473 ldap agent 472 managed device 470 managed objects 470 master agent 470 configuring 470 MIB entries table 475 interaction table 476 operations table 474 mib 472 monitoring the directory server 469 overview...

Page 651: ...8 synchronization changelog 548 Password Sync configuring SSL 552 modifying the configuration 552 synchronization agreement 547 syntax ACI statements 206 attribute value 378 379 LDAP URLs 607 ldapsearch 589 LDIF update statements 63 matching rule filter 599 search filter 595 system connections monitoring 458 system indexes 391 system resources monitoring 457 T targattrfilters keyword 213 target AC...

Page 652: ... 72 user level password policy 280 user passwords 290 userattr keyword 227 restriction on add 231 user defined attributes 376 user defined object classes 380 userdn keyword 221 users activating 297 inactivating 296 UTF 8 613 V value based ACI 213 viewing access control get effective rights 264 attributes 376 virtual list view index 389 vlvindex command line tool 389 W wildcard in LDAP URL 223 in t...

Reviews:

No comments