Home
/
Red Hat
/
DIRECTORY SERVER 8.0
/
Administration Manual

Red Hat DIRECTORY SERVER 8.0, Administration Manual, Page: 465 / 552

Share

Page: 465 / 552

Red Hat DIRECTORY SERVER 8.0 Administration Manual Download Page 465

Chapter 19.

447

Synchronizing Red Hat Directory

Server with Microsoft Active Directory

The Windows Sync feature allows synchronization of adds, deletes, and changes in groups, users,
and passwords between Red Hat Directory Server and Microsoft Active Directory. It provides an
efficient and effective way to maintain consistent information across directories.

19.1. About Windows Sync

Synchronization allows the user and group entries in Active Directory to be matched with the entries in
the Red Hat Directory Server. As entries are created, modified, or deleted, the corresponding change
is made to the sync peer server, allowing two-way synchronization of users, passwords, and groups.

The synchronization process is analogous to the replication process: the synchronization is enabled
by a plug-in, configured and initiated through a sync agreement, and record of directory changes is
maintained and updates are sent according to that changelog. This synchronizes users and groups
between Directory Server and a Windows server.

Windows Sync has two parts, the sync service for directory entries and the sync service for
passwords:

•

Directory Server Windows Sync.

The Directory Server leverages the Multi-Master Replication

Plug-in to synchronize user and group entries. The same changelog that is used for multi-master
replication is also used to send updates from the Directory Server to Active Directory as an LDAP
operation. The server also performs LDAP search operations against its Windows server to
synchronize changes made to Windows entries to the corresponding Directory Server entry. This is
illustrated in

Figure 19.1, “Active Directory - Directory Server Synchronization Process”

.

Figure 19.1. Active Directory - Directory Server Synchronization Process

•

Password Sync Service.

This application captures password changes for Windows users and relays

those changes back to the Directory Server over LDAPS. It must be installed on the Active Directory
machine. This is done separately from the Windows Sync service to accommodate password
encryption.

Synchronization is configured and controlled by one or more

synchronization agreements

, which

establishes synchronization between

sync peers

, the directory servers being synced. These are

«
...
463
464
465
466
467
...
»

Summary of Contents for DIRECTORY SERVER 8.0

Page 1: ...Directory Server 8 0 Administration Guide A Guide for Using and Maintaining Red Hat Directory Server Ella Deon Lackey Publication date January 15 2008 updated on February 11 2010 ...

Page 2: ... you must provide the URL for the original version Red Hat as the licensor of this document waives the right to enforce and agrees not to assert Section 4d of CC BY SA to the fullest extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countri...

Page 3: ...Directory Entries 14 2 1 3 Modifying Directory Entries 16 2 1 4 Deleting Directory Entries 20 2 2 Managing Entries from the Command Line 20 2 2 1 Providing Input from the Command Line 21 2 2 2 Creating a Root Entry from the Command Line 22 2 2 3 Adding Entries Using LDIF 22 2 2 4 Adding and Modifying Entries Using ldapmodify 22 2 2 5 Deleting Entries Using ldapdelete 25 2 2 6 Using Special Charact...

Page 4: ...and Line 97 4 2 Exporting Data 100 4 2 1 Exporting Directory Data to LDIF Using the Console 102 4 2 2 Exporting a Single Database to LDIF Using the Console 102 4 2 3 Exporting to LDIF from the Command Line 103 4 3 Backing up and Restoring Data 104 4 3 1 Backing up All Databases 105 4 3 2 Backing up the dse ldif Configuration File 106 4 3 3 Restoring All Databases 106 4 3 4 Restoring a Single Datab...

Page 5: ...Using Boolean Bind Rules 170 6 5 Creating ACIs from the Console 170 6 5 1 Displaying the Access Control Editor 171 6 5 2 Creating a New ACI 173 6 5 3 Editing an ACI 178 6 5 4 Deleting an ACI 179 6 6 Viewing ACIs 179 6 7 Get Effective Rights Control 179 6 7 1 Using Get Effective Rights from the Command Line 181 6 7 2 Using Get Effective Rights from the Console 183 6 7 3 Get Effective Rights Return ...

Page 6: ... 4 Changelog 228 8 1 5 Replication Identity 228 8 1 6 Replication Agreement 229 8 1 7 Replicating Attributes with Fractional Replication 229 8 1 8 Compatibility with Earlier Versions of Directory Server 229 8 2 Replication Scenarios 230 8 2 1 Single Master Replication 230 8 2 2 Multi Master Replication 231 8 2 3 Cascading Replication 233 8 3 Creating the Supplier Bind DN Entry 235 8 4 Configuring ...

Page 7: ...13 Replication over SSL 289 8 14 Replicating o NetscapeRoot for Administration Server Failover 290 8 15 Replication with Earlier Releases 291 8 16 Using the Retro Changelog Plug in 292 8 16 1 Enabling the Retro Changelog Plug in 293 8 16 2 Trimming the Retro Changelog 294 8 16 3 Searching and Modifying the Retro Changelog 294 8 16 4 Retro Changelog and the Access Control Policy 294 8 17 Monitoring...

Page 8: ...ing SSL Summary of Steps 341 11 1 2 Command Line Functions for Start TLS 342 11 2 Obtaining and Installing Server Certificates 343 11 2 1 Step 1 Generate a Certificate Request 344 11 2 2 Step 2 Send the Certificate Request 347 11 2 3 Step 3 Install the Certificate 348 11 2 4 Step 4 Trust the Certificate Authority 349 11 2 5 Step 5 Confirm That The New Certificates Are Installed 349 11 3 Using cert...

Page 9: ...mand Line 388 13 5 Monitoring Database Link Activity 390 14 Monitoring Directory Server Using SNMP 393 14 1 About SNMP 393 14 2 Configuring the Master Agent 394 14 3 Configuring the Subagent 394 14 3 1 Subagent Configuration File 394 14 3 2 Starting the Subagent 395 14 3 3 Testing the Subagent 395 14 4 Configuring SNMP Traps 396 14 5 Configuring the Directory Server for SNMP 396 14 6 Using the Man...

Page 10: ...5 PTA Plug in 419 16 1 26 Referential Integrity Postoperation Plug in 420 16 1 27 Retro Changelog Plug in 421 16 1 28 Roles Plug in 422 16 1 29 Space Insensitive String Syntax Plug in 422 16 1 30 State Change Plug in 423 16 1 31 Telephone Syntax Plug in 423 16 1 32 UID Uniqueness Plug in 423 16 1 33 URI Plug in 424 16 2 Enabling and Disabling Plug ins 425 17 Using the Pass through Authentication P...

Page 11: ...3 Step 3 Select or Create the Sync Identity 451 19 2 4 Step 4 Install and Configure the Password Sync Service 451 19 2 5 Step 5 Configure the Password Sync Service 453 19 2 6 Step 6 Configure the Directory Server Database for Synchronization 454 19 2 7 Step 7 Create the Synchronization Agreement 455 19 2 8 Step 7 Begin Synchronization 457 19 3 Using Windows Sync 457 19 3 1 Synchronizing Users 457 ...

Page 12: ...B 2 2 ldapsearch Command Line Format 479 B 2 3 Commonly Used ldapsearch Options 480 B 2 4 ldapsearch Examples 481 B 3 LDAP Search Filters 484 B 3 1 Search Filter Syntax 484 B 4 Searching an Internationalized Directory 487 B 4 1 Matching Rule Filter Syntax 488 B 4 2 Supported Search Types 490 B 4 3 International Search Examples 491 C LDAP URLs 495 C 1 Components of an LDAP URL 495 C 2 Escaping Unsa...

Page 13: ...es and classes of service Provides a flexible mechanism for grouping and sharing attributes between entries in a dynamic fashion Improved access control mechanisms Provides support for macros that dramatically reduce the number of access control statements used in the directory and increase the scalability of access control evaluation Resource limits by bind DN Grants the power to control the amou...

Page 14: ... to disable SASL which OpenLDAP tools use by default Certain words are represented in different fonts styles and weights Different character formatting is used to indicate the function or purpose of the phrase being highlighted Formatting Style Purpose Monospace font Monospace is used for commands package names files and directory paths and any text displayed in a prompt Monospace with a backgroun...

Page 15: ...ation on the command line scripts configuration attributes and log files shipped with Directory Server Red Hat Directory Server Installation Guide contains procedures for installing your Directory Server as well as procedures for migrating from a previous installation of Directory Server For the latest information about Directory Server including current release notes complete product documentatio...

Page 16: ... references to the Directory Server Gateway or Org Chart Revision 8 0 14 September 5 2009 Ella Deon Lackey Fixing the ldapmodify examples for adding new role entries to include the a option which is requred related to Bug 521336 Revision 8 0 13 August 6 2009 Ella Deon Lackey Fixing links in configuration for o Netscape replication per Bug 514020 Revision 8 0 12 May 4 2009 Ella Deon Lackey Clarifyi...

Page 17: ...e fractional replication and password policy replication sections per Bugzilla 450973 Edits to certutil sections per Bugzilla 441889 Revision 8 0 3 April 30 2008 Ella Deon Lackey Correcting the labels in the graphic dirtree3 png per Bugzilla 443809 Correcting password expiration description per Bugzilla 239642 Revision 8 0 2 April 7 2008 Ella Deon Lackey Correcting bad cross reference links in the...

Page 18: ...xviii ...

Page 19: ... Server is the management agent which administers Directory Server instances It communicates with the Directory Server Console and performs operations on the Directory Server instances It also provides a simple HTML interface and online help pages Most Directory Server administrative tasks are available through the Directory Server Console but it is also possible to administer the Directory Server...

Page 20: ...d instance Database files var lib dirsrv slapd instance Runtime files var lock dirsrv slapd instance var run dirsrv slapd instance Initscripts etc rc d init d dirsrv and etc sysconfig dirsrv etc rc d init d dirsrv admin and etc sysconfig dirsrv admin Tools usr bin usr sbin Table 1 2 Red Hat Enterprise Linux 4 and 5 x86_64 File or Directory Location Log files var log dirsrv slapd instance Configura...

Page 21: ...Solaris usr lib sparcv9 mozldap HP UX opt dirsrv bin For all Red Hat Directory Server guides and documentation the LDAP tools used in the examples such as ldapsearch and ldapmodify are the Mozilla LDAP tools For most Linux systems OpenLDAP tools are already installed in the usr bin directory These OpenLDAP tools are not supported for Directory Server operations For the best results with the Direct...

Page 22: ... directory provides startup or run command rc scripts On Red Hat Enterprise Linux use the chkconfig command to enable the Directory Server and Administration Server to start on boot On Solaris the commands are already set up in the etc rc d directories to start up the servers at boot time For HP UX check the operating system documentation for details on adding these scripts 1 3 1 Starting and Stop...

Page 23: ... Linux is dirsrv Solaris uses etc init d etc init d dirsrv start stop restart instance The Directory Server instance name can be specific in both the start stop restart slapd and system scripts If an instance name is not given the start or stop operation applies to all instances on the machine 1 3 3 Starting and Stopping Administration Server There are two ways to start stop or restart the Adminis...

Page 24: ...logging into a Directory Server for the first time On subsequent logins the URL is saved If you do not pass the Administration Server port number with the redhat idm console command then you are prompted for it at the Console login screen 1 4 1 Logging into Directory Server After starting the Directory Server Console a login screen opens requiring the username and password for the user logging in ...

Page 25: ...uring a session you can log in as a different user without having to restart the Console To change the login identity do the following 1 In the Directory Server Console select the Tasks tab 2 Click Log on to the Directory Server as a New User 3 A login dialog box appears ...

Page 26: ...hich maintains the o NetscapeRoot subtree should be done through the Directory Server Console Changing the configuration directory or user directory port or secure port numbers has the following repercussions The Directory Server port number must also be updated in the Administration Server configuration If there are other Directory Server instances that point to the configuration or user director...

Page 27: ...b of the Directory Server Console click Restart Directory Server A dialog to confirm that you want to restart the server Click Yes 13 Open the Configuration DS tab of the Administration Server Console and select Save A dialog will appear reading The Directory Server setting has been modified You must shutdown and restart your Administration Server and all the servers in the Server Group for the ch...

Page 28: ...iguring the Directory Manager The Directory Manager is the privileged database administrator comparable to the root user in UNIX Access control does not apply to the Directory Manager entry likewise limits on searches and other operations do not apply The Directory Manager entry is created during installation the default DN is cn Directory Manager The password for this user is defined in the nssla...

Page 29: ...Configuring the Directory Manager 11 6 Enter the new password and confirm it 7 Click Save ...

Page 30: ...12 ...

Page 31: ...Directory Entries Section 2 1 3 Modifying Directory Entries Section 2 1 4 Deleting Directory Entries NOTE You cannot modify your directory unless the appropriate access control rules have been set For information on creating access control rules for your directory see Chapter 6 Managing Access Control 2 1 1 Creating a Root Entry Each time you create a new database you associate it with the suffix ...

Page 32: ...ectory entries Templates are available for the following types of entries User Group Organizational Unit Role Class of Service Table 2 1 Entry Templates and Corresponding Object Classes shows what type of object class is used for each template Template Object Class User inetOrgPerson Group groupOfUniqueNames Organizational Unit organizationalUnit Role nsRoleDefinition Class of Service cosSuperDefi...

Page 33: ...ction 1 4 Starting the Directory Server Console 2 In the left pane right click the main entry under which to add the new entry and select Other The New Object window opens 3 In the object class list select an object class to define the new entry 4 Click OK If you selected an object class related to a type of entry for which a predefined template is available the corresponding Create window opens a...

Page 34: ...king the Advanced button as in Section 2 1 2 1 Creating an Entry Using a Predefined Template From the New Object window by clicking OK as in Section 2 1 2 2 Creating Other Types of Entries 2 1 3 2 Adding an Object Class to an Entry To add an object class to an entry do the following 1 In the Directory tab of the Directory Server Console right click the entry to modify and select Advanced from the ...

Page 35: ...Add Attribute The Add Attribute dialog box opens 3 Select the attribute to add from the list and click OK The Add Attribute window is dismissed and the selected attribute appears in the list of attributes in the Advanced Property Editor 4 Type in the value for the new attribute in the field to the right of the attribute name 5 Click OK in the Advanced Property Editor to save the attribute to the e...

Page 36: ...tiple value for one attribute to be added to an entry To add an attribute value to a multi valued attribute 1 In the Directory tab of the Directory Server Console right click the entry to modify and select Advanced from the pop up menu Alternatively double click the entry to open the Property Editor and click the Advanced button 2 Select the attribute to which to add a value and then click Add Val...

Page 37: ...nstance in an entry To assign multiple language subtypes add another attribute instance to the entry and then assign the new language subtype For example the following is illegal cn lang ja lang en GB value Instead use cn lang ja ja value cn lang en GB value 2 1 3 8 2 Binary Subtype Assigning the binary subtype to an attribute indicates that the attribute value is binary such as user certificates ...

Page 38: ...nsole select the Directory tab For information on starting the Directory Server Console see Section 1 4 Starting the Directory Server Console 2 Right click the entry to delete in the navigation tree or in the right pane To select multiple entries use Ctrl or Shift 3 Select Delete from the Edit menu WARNING The server deletes the entry or entries immediately There is no way to undo the delete opera...

Page 39: ...EOF escape sequence almost always control D D For example to input some LDIF update statements to ldapmodify you would do the following ldapmodify D bindDN w password h hostname dn cn Barry Nixon ou people dc example dc com changetype modify delete telephonenumber add manager manager cn Harry Cruise ou people dc example dc com D When adding an entry from the command line or from LDIF make sure tha...

Page 40: ...ng Entries Using LDIF You can use an LDIF file to add multiple entries or to import an entire database To add entries using an LDIF file and the Directory Server Console 1 Define the entries in an LDIF file LDIF files are described in Appendix A LDAP Data Interchange Format 2 Import the LDIF file from the Directory Server Console See Section 4 1 2 Importing a Database from the Console for informat...

Page 41: ...the Directory Server and the LDIF file to use For example ldapmodify a D cn Directory Manager w King Pin h cyclops p 845 f new ldif This ldapmodify example has the following values The entries to be created are specified in the file new ldif In this example the LDIF statements in the new ldif file do not specify a change type They follow the format defined in Section A 1 About the LDIF File Format...

Page 42: ...rectory Manager w King Pin h cyclops p 845 f modify_statements This ldapmodify example has the following values The entries to modify are specified in the file modify_statements Before the entries can be modified you must first create the modify_statements file with the appropriate LDIF update statements LDIF update statements are described in Section 2 4 LDIF Update Statements The bind DN is cn D...

Page 43: ...he following three entries only the last two entries can be deleted ou People dc example dc com cn Paula Simon ou People dc example dc com cn Jerry O Connor ou People dc example dc com The entry that identifies the People subtree can be deleted only if there are not any entries below it To delete ou People dc example dc com you must first delete Paula Simon and Jerry O Connor s entries and all oth...

Page 44: ...ntain characters that have special meaning to the command line interpreter such as space asterisk or backslash When this situation occurs enclose the value in quotation marks For example D cn Barbara Jensen ou Product Development dc example dc com Depending on the command line utility use either single or double quotation marks see your operating system documentation for more information Additiona...

Page 45: ...creatorsName createTimestamp modifiersName and modifyTimestamp attributes to every newly created or modified entry 4 Click Save 5 Open the Tasks tab and click Restart Directory Server NOTE The Directory Server must be restarted for the changes to take effect 2 4 LDIF Update Statements LDIF update statements define how ldapmodify changes the directory entry In general LDIF update statements contain...

Page 46: ... In addition the line continuation operator is a single space Therefore the following two statements are identical dn cn Lisa Jangles ou People dc example dc com dn cn Lisa Jangles ou People dc example dc com The following sections describe the change types in detail 2 4 1 Adding an Entry Using LDIF changetype add adds an entry to the directory When you add an entry make sure to create an entry re...

Page 47: ...dc example dc com member cn Pete Minsky ou People dc example dc com cn Administrators dn ou example com Bolivia S A dc example dc com changetype add objectclass top objectclass organizationalUnit ou example com Bolivia S A dn cn Carla Flores ou example com Bolivia S A dc example dc com changetype add objectclass top objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn C...

Page 48: ... you must create a new entry in the alternative subtree using the old entry s attributes and then delete the old entry Also for the same reasons that you cannot delete an entry if it is a branch point you cannot rename an entry if it has any children Doing so would orphan the children in the tree which is not allowed by the LDAP protocol For example of the following three entries only the last two...

Page 49: ...ing LDIF Using changetype modify with the add operation cam add an attribute and an attribute value to an entry For example the following LDIF update statement adds a telephone number to the entry dn cn Barney Fife ou People dc example dc com changetype modify add telephonenumber telephonenumber 555 1212 The following example adds two telephone numbers to the entry dn cn Barney Fife ou People dc e...

Page 50: ...ttribute Value Using LDIF changetype modify with the replace operation changes all values of an attribute in an entry For example the following LDIF update statement changes Barney s manager from Sally Nixon to Wally Hensford dn cn Barney Fife ou People dc example dc com changetype modify replace manager manager cn Wally Hensford ou People dc example dc com If the entry has multiple instances of t...

Page 51: ...y delete telephonenumber To delete just a specific instance of the telephonenumber attribute simply delete that specific attribute value as described in the next section 2 4 3 4 Deleting a Specific Attribute Value Using LDIF Running changetype modify with the delete operation can delete a single value for an attribute value from an entry as well as deleting all instances of the attribute For examp...

Page 52: ...suffix o NetscapeRoot The Administration Server uses this suffix to store information about installed Directory Servers Deleting this suffix could force you to reinstall the Directory Server 2 4 5 Modifying an Entry in an Internationalized Directory If the attribute values in the directory are associated with languages other than English the attribute values are associated with language tags When ...

Page 53: ...me known as the update interval the server performs a search on all attributes for which referential integrity is enabled and matches the entries resulting from that search with the DNs of deleted or modified entries present in the log file If the log file shows that the entry was deleted the corresponding attribute is deleted If the log file shows that the entry was changed the corresponding attr...

Page 54: ...u can enable or disable referential integrity as follows 1 Start the Directory Server Console See Section 1 4 Starting the Directory Server Console 2 Select the Configuration tab 3 Expand the Plugins folder in the navigation tree and select Referential Integrity Postoperation Plug in from the list The settings for the plug in are displayed in the right pane 4 Check the Enable plugin checkbox to en...

Page 55: ...delete attributes to be updated through the Directory Server Console such as adding the nsroledn attribute if roles are being used NOTE Keep in mind that any attribute specified in the Referential Integrity Plug in parameter list must have equality indexing on all databases Otherwise the plug in scans every entry of the databases for matching the deleted or modified DN degrading performance severe...

Page 56: ...s used in referential integrity must be indexed for presence and equality not indexing those attributes results poor server performance for modify and delete operations See Section 10 2 Creating Indexes for more information about checking and creating indexes ...

Page 57: ...a simple directory tree might appear as illustrated in Figure 3 1 A Sample Directory Tree with One Root Suffix Figure 3 1 A Sample Directory Tree with One Root Suffix The ou people suffix and all the entries and nodes below it might be stored in one database the ou groups suffix on another database and the ou contractors suffix on yet another database This section describes creating suffixes on Di...

Page 58: ...a client application s perspective the directory tree looks as illustrated in Figure 3 3 A Sample Directory Tree with a Root Suffix Off Limits to Search Operations Figure 3 3 A Sample Directory Tree with a Root Suffix Off Limits to Search Operations Searches performed by client applications on the dc example dc com branch of Example Corporation s directory will not return entries from the l europe...

Page 59: ... up menu The Create new root suffix dialog box is displayed 3 Enter a unique suffix in the New suffix field The suffix must be named with dc naming conventions such as dc example dc com 4 Select the Create associated database automatically to create a database at the same time as the new root suffix an enter a unique name for the new database in the Database name field such as example2 The name ca...

Page 60: ...box to create a database for the new sub suffix later The new sub suffix will be disabled until a database is created 5 Click OK The suffix appears automatically under its root suffix in the Data tree in the left navigation pane 3 1 1 3 Creating Root and Sub Suffixes from the Command Line Use the ldapmodify command line utility to add new suffixes to the directory configuration file The suffix con...

Page 61: ...ollowing table describes the attributes used to configure a suffix entry Attribute Name Value dn Defines the DN for the suffix The DN is contained in quotes The value entered takes the form cn dc domain dc com cn mapping tree cn config This attribute is required cn Defines the relative DN RDN of the entry This attribute is required objectclass Tells the server that the entry is root or sub suffix ...

Page 62: ...en more than one database is specified in the nsslapd backend attribute See Section 3 2 Creating and Maintaining Databases for more information about the custom distribution function nsslapd distribution funct Specifies the name of the custom distribution function This attribute is required only when more than one database is specified in the nsslapd backend attribute See Section 3 2 Creating and ...

Page 63: ...pplications 6 Click Save 3 1 2 2 Enabling Referrals Only During Update Operations It is possible to configure the directory to redirect update and write requests made by client applications to a read only database For example there may be a local copy of directory data and that data should be available company wide for searches but not for updates Enabling referrals for that Directory Server only ...

Page 64: ...1 2 4 Deleting a Suffix WARNING Deleting a suffix also deletes all database entries and replication information associated with that suffix 1 In the Directory Server Console select the Configuration tab 2 Under Data in the left navigation pane select the suffix to delete 3 Select Delete from the Object menu Alternatively right click the suffix and select Delete from the pop up menu 4 Select Delete...

Page 65: ...ed in separate suffixes This division of the tree corresponds to three databases Database one contains the data for ou people plus the data for dc example dc com so that clients can conduct searches based at dc example dc com Database two contains the data for ou groups and database three contains the data for ou contractors Multiple databases for one suffix ...

Page 66: ...an Existing Suffix Using the Console 1 In the Directory Server Console select the Configuration tab 2 In the left pane expand Data then click the suffix to which to add the new database 3 Right click the suffix and select New Database from the pop up menu The Create New Database dialog box is displayed 4 In the Create New Database dialog box enter a unique name for the database such as example2 Th...

Page 67: ...ffixes from the Command Line The database name given in the DN attribute must correspond with the value in the nsslapd backend attribute of the suffix entry 3 2 1 3 Adding Multiple Databases for a Single Suffix A single suffix can be distributed across multiple databases However to distribute the suffix a custom distribution function has to be created to extend the directory For more information o...

Page 68: ...hine 6 Enter the name of the distribution function in the Function name field 7 Click Save 3 2 1 3 2 Adding the Custom Distribution Function to a Suffix Using the Command Line 1 Run ldapmodify 1 ldapmodify p 389 D cn directory manager w secret h us example com 2 Add the following attributes to the suffix entry itself supplying the information about the custom distribution logic nsslapd backend Dat...

Page 69: ...2 1 2 Making a Database Read Only from the Command Line Section 3 2 2 1 3 Placing the Entire Directory Server in Read Only Mode 3 2 2 1 1 Making a Database Read Only Using the Console To place a database in read only mode from the Directory Server Console do the following 1 In the Directory Server Console select the Configuration tab 2 Expand Data in the left pane Expand the suffix containing the ...

Page 70: ...cannot cannot be undone from the Console you must modify the configuration files NOTE If Directory Server contains replicas do not use read only mode because it will disable replication To put the Directory Server in read only mode do the following 1 In the Directory Server Console select the Configuration tab and then select the top entry in the navigation tree in the left pane 2 Select the Setti...

Page 71: ...nit d dirsrv stop example 2 Create the new directory if necessary where the transaction logs will be located mkdir home exampledb txnlogs 3 Set the appropriate file permissions on the directory so that the Directory Server user can access it the default Directory Server user and group are nobody nobody chown nobody nobody home exampledb txnlogs 4 Open the Directory Server instance s configuration ...

Page 72: ...tion change then re import the data to the database The server does not enforce consistency between encryption configuration and stored data therefore pay careful attention that all existing data are exported before enabling or disabling encryption Indexed attributes may be encrypted and database encryption is fully compatible with indexing The contents of the index files that are normally derived...

Page 73: ...ng ciphers are supported Advanced Encryption Standard AES Triple Data Encryption Standard 3DES All ciphers are used in Cipher Block Chaining mode Once the encryption cipher is set it should not be changed without exporting and re importing the data 3 2 3 3 Configuring Database Encryption from the Console 1 In the Console open the Directory Server 2 Open the Configuration tab and select the Data no...

Page 74: ...abase encryption configuration schema refer to Database Attributes under cn attributeName cn encrypted attributes cn database_name cn ldbm database cn plugins cn config in the Directory Server Configuration Command and File Reference 3 2 3 5 Exporting and Importing an Encrypted Database Exporting and importing encrypted databases is similar to exporting and importing regular databases However the ...

Page 75: ...lication is used The server does not attempt to protect unencrypted data stored in memory This data may be copied into a system page file by the operating system For this reason ensure that any page or swap files are adequately protected 3 3 Creating and Maintaining Database Links Chaining means that a server contacts other servers on behalf of a client application and then returns the combined re...

Page 76: ...e ACI must exist in the suffix assigned to the database link The following table lists component names the potential side effects of allowing them to chain internal operations and the permissions they need in the ACI on the remote server Component Name Description Permissions ACI plug in This plug in implements access control Operations used to retrieve and update ACI attributes are not chained be...

Page 77: ...n with chaining helps simplify the management of static groups when the group members are remote to the static group definition To chain this component s operations add the chaining component attribute nsActiveChainingComponents cn referential integrity postoperation cn plugins cn config Read write search and compare Attribute Uniqueness plug in This plug in checks that all the values for a specif...

Page 78: ...ect Components to Add dialog box displays Select a component from the list and click OK 4 To delete a component from the list select it and click Delete 5 Click Save 6 Restart the server in order for the change to take effect After allowing the component to chain create an ACI in the suffix on the remote server to which the operation will be chained For example this creates an ACI for the Referent...

Page 79: ...ged DSA This controls returns smart referrals as entries rather than following the referral so the smart referral itself can be changed or deleted Loop detection This control keeps track of the number of times the server chains with another server When the count reaches the configured number a loop is detected and the client application is notified For more information about using this control see...

Page 80: ... www mozilla org directory 3 3 2 Creating a New Database Link The basic configuration of the database link involves the following information Suffix information A suffix is created in the directory tree that is managed by the database link not a regular database This suffix corresponds to the suffix on the remote server that contains the data Bind credentials When the database link binds to a remo...

Page 81: ...etween servers checkbox for the database link to use SSL to communicate to the remote server 11 Enter the name of the remote server in the Remote server field Enter the server port number used for the bind in the Remote server port field The default port number is 389 The default SSL port number is 636 12 Enter the name of a failover server in the Failover Server s field and specify a port number ...

Page 82: ...e Changes to the default configuration only affect new database links The default configuration attributes on existing database links cannot be changed Each database link contains its own specific configuration information which is stored with the database link entry itself cn database_link cn chaining database cn plugins cn config For more information about configuration attributes refer to the D...

Page 83: ...base link For information on adding entries see Chapter 2 Creating Directory Entries Provide proxy access rights for the administrative user created in step 1 on the subtree chained to by the database link For more information on configuring ACIs see Chapter 6 Managing Access Control 2 On the server containing the database link use ldapmodify to provide a user DN for the database link in the nsMul...

Page 84: ...y corresponding to the nsMultiplexorBindDN and set the proxy authentication rights for this user To set the proxy authorization correctly set the proxy ACI as any other ACI WARNING Carefully examine access controls when enabling chaining to avoid giving access to restricted areas of the directory For example if a default proxy ACI is created on a branch the users that connect via the database link...

Page 85: ...the remote server using LDAP over SSL the LDAP URL of the remote server uses the protocol LDAPS instead of LDAP in the URL such as ldaps example com 636 For more information about chaining and SSL see Section 3 3 3 Chaining Using SSL 3 3 2 2 4 Providing a List of Failover Servers There can be additional LDAP URLs for servers included to use in the case of failure Add alternate servers to the nsFar...

Page 86: ...rver This bind DN cannot be the Directory Manager If this attribute is not specified the database link binds as anonymous nsMultiplexorCredentials Password for the administrative user given in plain text If no password is provided it means that users can bind as anonymous The password is encrypted in the configuration file nsCheckLocalACI Reserved for advanced use only Controls whether ACIs are ev...

Page 87: ...stance attribute This global configuration attribute is located in the cn config cn chaining database cn plugins cn config entry The global attributes are dynamic meaning any changes made to them automatically take effect on all instances of the database link within the directory Table 3 4 Database Link Configuration Attributes 3 3 2 2 6 Database Link Configuration Example Suppose a server within ...

Page 88: ... on Server B to which to chain from Server A The nsFarmServerURL attribute contains the LDAP URL of Server B The second entry creates a new suffix allowing the server to route requests made to the new database link The cn attribute contains the same suffix specified in the nsslapd suffix attribute of the database link The nsslapd backend attribute contains the name of the database link The nsslapd...

Page 89: ...re information about this attribute see Section 3 3 2 2 3 Providing an LDAP URL For example nsFarmServerURL ldaps africa example com 636 3 Enable SSL on the server that contains the database link For more information on enabling SSL see Section 11 1 1 Enabling SSL Summary of Steps When the database link and remote server are configured to communicate using SSL this does not mean that the client ap...

Page 90: ... select it 3 From the Object menu select Delete Alternatively right click the database link and select Delete from the pop up menu The Deleting Database Link confirmation dialog box is displayed 4 Click Yes to confirm the deletion of the database link Once deleted the database link no longer appears in the right pane 3 3 5 Database Links and Access Control Evaluation When a user binds to a server ...

Page 91: ...aluated on the server containing the database link and the entry is located on a remote server For performance reasons clients cannot do remote inquiries and evaluate access controls The database link does not necessarily have access to the entries being modified by the client application When performing a modify operation the database link does not have access to the full entry stored on the remo...

Page 92: ...aximum LDAP connection s Maximum number of LDAP connections that the database link establishes with the remote server The default value is 10 connections Maximum bind retries Number of times a database link attempts to bind to the remote server A value of 0 indicates that the database link will try to bind only once The default value is 3 attempts Maximum operations per connection Maximum number o...

Page 93: ...nLife Connection lifetime in seconds Connections between the database link and the remote server can be kept open for an unspecified time or closed after a specific period of time It is faster to keep the connections open but it uses more resources For example it may be wise to limit the connection time for a slow connection A value of 0 indicates there is no limit By default the value is set to 0...

Page 94: ... can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected This period is given in seconds The default delay period is 60 seconds Once this delay period has been met the database link tests the connection with the remote server nsMaxTestResponseDelay Duration of the test issued by the database link to check whether the remote server is re...

Page 95: ... 2 Configuring Cascading Chaining Defaults Using the Console Section 3 3 7 3 Configuring Cascading Chaining Using the Console Section 3 3 7 4 Configuring Cascading Chaining from the Command Line Section 3 3 7 5 Detecting Loops Section 3 3 7 6 Summary of Cascading Chaining Configuration Attributes Section 3 3 7 7 Cascading Chaining Configuration Example 3 3 7 1 Overview of Cascading Chaining Cascad...

Page 96: ...s split as follows The root suffix dc example dc comand the ou people and ou groups sub suffixes are stored on Server A The l europe dc example dc com and ou groups suffixes are stored in on Server B and the ou people branch of the l europe dc example dc com suffix is stored on Server C With cascading configured on servers A B and C a client request targeted at the ou people l europe dc example dc...

Page 97: ... branch Because at least two hops are required for the directory to service the client request this is considered a cascading chain 3 3 7 2 Configuring Cascading Chaining Defaults Using the Console To set cascading chaining defaults for all database links in Directory Server do the following 1 In the Directory Server Console select the Configuration tab 2 Expand the Data folder in the left pane an...

Page 98: ...chain Click the database link then click the Limits and Controls tab in the right navigation pane 3 Select the Check local ACI checkbox to enable the evaluation of local ACIs on the intermediate database links involved in the cascading chain Selecting this checkbox may require adding the appropriate local ACIs to the database link 4 Enter the maximum number of times a database link can point to an...

Page 99: ...ts this security breach a Create a database if one does not already exist on the server containing the intermediate database link This database will contain the admin user entry and the ACI For information about creating a database see Section 3 2 1 Creating Databases b Create an entry that corresponds to the administrative user in the database c Create an ACI for the administrative user that targ...

Page 100: ...attr version 3 0 acl Client authentication for database link users allow all userdn ldap uid cn config This ACI allows client applications that have a uid in the cn config entry of Server 1 to perform any type of operation on the data below the ou people dc example dc com suffix on server three 3 3 7 5 Detecting Loops An LDAP control included with Directory Server prevents loops When first attempt...

Page 101: ...The second OID corresponds to the Loop Detection Control aci This attribute must contain the following ACI aci targetattr version 3 0 acl Proxied authorization for database links allow proxy userdn ldap cn proxy admin cn config nsCheckLocalACI To enable evaluation of local ACIs on all database links involved in chaining turn local ACI evaluation on as follows nsCheckLocalACI on Table 3 7 Cascading...

Page 102: ...Server Two Section 3 3 7 7 3 Configuring Server Three 3 3 7 7 1 Configuring Server One 1 Run ldapmodify 1 ldapmodify a D cn directory manager w secret h host p 389 2 Then specify the configuration information for the database link DBLink1 on Server 1 as follows dn cn DBLink1 cn chaining database cn plugins cn config ...

Page 103: ... in cn config cn chaining database cn plugins cn config entry on Server 1 dn cn config cn chaining database cn plugins cn config changeType modify add nsTransmittedControl nsTransmittedControl 1 3 6 1 4 1 1466 29539 12 As the nsTransmittedControl attribute is usually configured by default with the loop detection control OID 1 3 6 1 4 1 1466 29539 12 value it is wise to check beforehand whether it ...

Page 104: ...smit the proxy authorization control and the loop detection control To implement the proxy authorization control and the loop detection control specify both corresponding OIDs Add the following information to the cn config cn chaining database cn plugins cn config entry on Server 2 dn cn config cn chaining database cn plugins cn config changeType modify add nsTransmittedControl nsTransmittedContro...

Page 105: ...s to the l Zanzibar c africa ou people dc example dc com branch All users within c us ou people dc example dc com may need to have update access to the entries in l Zanzibar c africa ou people dc example dc com on server three Create the following ACI on Server 2 on the c africa ou people dc example dc com suffix to allow this aci targetattr target l Zanzibar c africa ou people dc example dc com v...

Page 106: ... Using Referrals Referrals tell client applications which server to contact for a specific piece of information This redirection occurs when a client application requests a directory entry that does not exist on the local server or when a database has been taken off line for maintenance This section contains the following information about referrals Section 3 4 1 Starting the Server in Referral Mo...

Page 107: ... the right pane 4 Enter an LDAP URL in the Referrals to text box For example ldap directory example com 389 dc example dc com Enter multiple referral URLs separated by spaces and in quotes as follows ldap dir1 example com 389 dc example dc com ldap dir2 example com For more information about LDAP URLs see Appendix C LDAP URLs 5 Click OK 3 4 2 2 Setting a Default Referral from the Command Line ldap...

Page 108: ...ee in the left navigation pane and select the entry for which to add the referral 3 Right click the entry and select Set Smart Referrals The Edit Smart Referrals dialog box opens 4 Select the Enable Smart Referral option to define smart referrals for the selected entry Unchecking the option removes all smart referrals from the entry and deletes the referral object class from the entry 5 In the Ent...

Page 109: ...rectory europe example com cn john 20doe ou people l europe dc example dc com NOTE Any information after a space in an LDAP URL is ignored by the server For this reason use 20 instead of spaces in any LDAP URL used as a referral To add the entry uid jdoe ou people dc example dc com with a referral to directory europe example com include the following in the LDIF file before importing dn uid jdoe o...

Page 110: ...turn the entire list of referrals in response to requests from client applications 6 Click Save 3 4 4 2 Creating Suffix Referrals from the Command Line Add a suffix referral to the root or sub suffix entry in the directory configuration file under the cn mapping tree cn config branch 1 Run ldapmodify 1 For example ldapmodify a h example com p 389 D cn directory manager w secret The ldapmodify util...

Page 111: ...Creating Suffix Referrals 93 For more information about the suffix configuration attributes refer to Table 3 1 Suffix Attributes ...

Page 112: ...94 ...

Page 113: ...rts configuration information cn config Yes No Table 4 1 Import Method Comparison 4 1 1 Importing Entries with Large Attributes The nsslapd cachememsize attribute defines the size allowed for the entry cache The import buffer is automatically set to 80 of the cache memory size setting If the memory cache is 1GB for example then the import buffer is 800MB When importing a very large database or ent...

Page 114: ...n the Options box select one or both of the following options Add Only The LDIF file may contain modify and delete instructions in addition to the default add instructions For the server to ignore operations other than add select the Add only checkbox Continue on Error Select the Continue on error checkbox for the server to continue with the import even if errors occur For example use this option ...

Page 115: ...the database to initialize then click the database itself 3 Right click the database and select Initialize Database Alterntatively select Initialize Database from the Object menu 4 In the LDIF file field enter the full path to the LDIF file to import or click Browse 5 If the Console is running from a machine local to the file being imported click OK and proceed with the import immediately If the C...

Page 116: ...ng an Encrypted Database for more information 4 1 4 1 Importing Using the ldif2db Command Line Script The ldif2db script overwrites the data in the specified database Also the script requires that the Directory Server be stopped when the import begins By default the script first saves and then merges any existing o NetscapeRoot configuration information with the o NetscapeRoot configuration inform...

Page 117: ...ey are specified from the command line n Specifies the name of the database to which to import the data Table 4 2 ldif2db Parameters For more information about using this script see the Directory Server Configuration Command and File Reference 4 1 4 2 Importing Using the ldif2db pl Perl Script As with the ldif2db script the ldif2db pl script overwrites the data in the specified database This scrip...

Page 118: ...re imported to all directory databases at the same time The server must be running in order to import using ldif2ldap To import LDIF using ldif2ldap do the following 1 Open the Directory Server instance directory cd usr lib dirsrv slapd instance_name 2 Run the ldif2ldap command line script ldif2ldap cn Directory Manager secretpwd var lib dirsrv slapd instance_name ldif demo ldif The ldif2ldap scri...

Page 119: ... of the old databases and importing it into the two new databases as illustrated in Figure 4 1 Splitting a Database Contents into Two Databases NOTE The export operations do not export the configuration information cn config schema information cn schema or monitoring information cn monitor Figure 4 1 Splitting a Database Contents into Two Databases The Directory Server Console or command line util...

Page 120: ... or click Browse to locate the file Browse is not enabled if the Console is running on a remote server When the Browse button is not enabled the file is stored in the default directory var lib dirsrv slapd instance_name ldif 1 3 If the Console is running on a machine remote to the server two radio buttons are displayed beneath the LDIF File field Select To local machine to export the data to an LD...

Page 121: ...en the server is running or stopped NOTE To export a database that has been encrypted you must use the E option with the script See Section 3 2 3 5 Exporting and Importing an Encrypted Database for more information NOTE If the database being exported is a replica then the server must be stopped before the export script is run and the export script must have the r To export to LDIF from the command...

Page 122: ...LDIF This file must be an absolute path If the a option is not given the output ldif is stored in the the var lib dirsrv slapd instance_name ldif directory and is automatically named serverID database YYYY_MM_DD_hhmmxx ldif with the n option or serverID firstsuffixvalue YYYY_MM_DD_hhmmxx ldif with the s option r Specifies that the exported database is a consumer replica In this case the appropriat...

Page 123: ...Enter the full path of the directory to store the backup file in the Directory text box or click Use default and the server provides a name for the backup directory If the Console is running on the same machine as the directory click Browse to select a local directory With the default location the backup files are placed in var lib dirsrv slapd instance_name bak 1 By default the backup directory n...

Page 124: ... in a file named dse ldif startOK in the etc dirsrv slapd instance_name directory When the dse ldif file is modified the file is first backed up to a file called dse ldif bak in the etc dirsrv slapd instance_name directory before the directory writes the modifications to the dse ldif file 4 3 3 Restoring All Databases The following procedures describe restoring all of the databases in the director...

Page 125: ...ver is running 4 3 3 2 1 Using the bak2db Command Line Script To restore the directory from the command line do the following 1 If the Directory Server is running stop it 2 service dirsrv stop instance 2 Open the Directory Server instance directory cd usr lib dirsrv slapd instance_name 3 Run the bak2db command line script The bak2db script requires the full path and name of the input file bak2db v...

Page 126: ...saction log files in var lib dirsrv slapd instance_name db log then retry starting the server 4 3 5 Restoring Databases That Include Replicated Entries If a database that supplies entries to other servers is restored then you must reinitialize all of the servers that receive updates from the restored database for example consumer servers hub servers and in multi master replication environments oth...

Page 127: ...rs For information on managing replication see Chapter 8 Managing Replication 4 3 6 Restoring the dse ldif Configuration File The directory creates two backup copies of the dse ldif file in the etc dirsrv slapd instance_name directory The dse ldif startOK file records a copy of the dse ldif file at server start up The dse ldif bak file contains a backup of the most recent changes to the dse ldif f...

Page 128: ...110 ...

Page 129: ...Managing Roles Using the Command Line Section 5 1 4 Using Roles Securely 5 1 1 About Roles Roles unify the static and dynamic group concept supported by previous versions of Directory Server Roles can be used to organize users in number of different ways To enumerate the members of a role Having an enumerated list of role members can be useful for resolving queries for role members quickly To dete...

Page 130: ...ssigned entries to the role depending upon the attribute contained by each entry specified in an LDAP filter Entries that match the filter are said to possess the role Nested roles are roles that contain other roles The concept of activating inactivating roles allows entire groups of entries to be activated or inactivated in just one operation That is the members of a role can be temporarily disab...

Page 131: ...o entries by adding the nsRoleDN attribute to the entry To create and add members to a managed role do the following 1 In the Directory Server Console select the Directory tab 2 Browse the tree in the left navigation pane and select the parent entry for the new role 3 Go to the Object menu and select New Role Alternatively right click the entry and select New Role The Create New Role dialog box is...

Page 132: ... left pane A search dialog box appears briefly 3 In the right pane select Filtered Role 4 Enter an LDAP filter in the text field or click Construct to be guided through the construction of an LDAP filter 5 The Construct opens the standard LDAP URL construction dialog Ignore the fields for LDAP Server Host Port Base DN and Search since the search scope cannot be set filtered role definitions Select...

Page 133: ...ting a Managed Role 2 Click Members in the left pane A search dialog box appears briefly 3 In the right pane select Nested Role 4 Click Add to add roles to the list The members of the nested role are members of other existing roles The Role Selector dialog box opens 5 Select a role from the Available roles list and click OK 6 Click OK to save the new role The new role appears in the right pane NOT...

Page 134: ...ole select the Directory tab 2 Browse the navigation tree in the left pane to locate the base DN for the role Roles are listed in the right pane with other entries 3 Double click the role The Edit Entry dialog box appears 4 Click General in the left pane to change the role name and description 5 Click Members in the left pane to change the members of managed and nested roles or to change the filte...

Page 135: ...t pane to locate the base DN for the role Roles appear in the right pane with other entries 3 Right click the role and select Delete A dialog box appears to confirm the deletion Click Yes NOTE Deleting a role deletes the role entry but does not delete the nsRoleDN attribute for each role member To delete the nsRoleDN attribute for each role member enable the Referential Integrity plug in and confi...

Page 136: ...h args uid scarter nsRole nsRoleDN Similarly for the role definition entries they are operational entries and are not returned by default with regular searches This means that if roles are defined under the ou People dc example dc com subtree for example the following ldapsearch command will not return the role definitions for any entry ldapsearch s sub b ou People dc example dc com objectclass To...

Page 137: ...le dc com The nsRoleDN attribute in the entry indicates that the entry is a member of a managed role cn Marketing ou people dc example dc com 5 1 3 2 Example Filtered Role Definition Example Corporation s administrator is creating a filtered role for sales managers 1 Run ldapmodify with the a option to add a new entry ldapmodify a D cn Directory Manager w secret h host p 389 2 Create the filtered ...

Page 138: ...rketingSales nsRoleDN cn SalesManagerFilter ou people dc example dc com nsRoleDN cn Marketing ou people dc example dc com Both of the users in the previous examples Bob and Pat would be members of this new nested role 5 1 4 Using Roles Securely Not every role is suitable for use in a security context When creating a new role consider how easily the role can be assigned to and removed from an entry...

Page 139: ...ed role For more information about account inactivation see Section 7 2 Inactivating Users and Roles 5 2 Assigning Classes of Service A Class of Service definition CoS shares attributes between entries in a way that is transparent to applications CoS simplifies entry management and reduces storage requirements Section 5 2 1 About CoS Section 5 2 2 Managing CoS Using the Console Section 5 2 3 Manag...

Page 140: ... the value of one of the target entry s attributes For more information about the object classes and attributes associated with each type of CoS refer to Section 5 2 3 Managing CoS from the Command Line If the CoS logic detects that an entry contains an attribute for which the CoS is generating values the CoS by default supplies the client application with the attribute value in the entry itself H...

Page 141: ...mplate entry is identified by its DN cn exampleUS cn data in the CoS definition entry Each time the postalCode attribute is queried on the entry cn wholiday ou people dc example dc com the Directory Server returns the value available in the template entry cn exampleUS cn data 5 2 1 4 How an Indirect CoS Works An administrator creates an indirect CoS that uses the manager attribute of the target en...

Page 142: ...r attribute contains a pointer to the DN of the template entry cn Carla Fuentes ou people dc example dc com The template entry in turn provides the departmentNumber attribute value of 318842 5 2 1 5 How a Classic CoS Works An administrator creates a classic CoS that uses a combination of the template DN and a CoS specifier to identify the template entry containing the postal code The three CoS ent...

Page 143: ...ainst regular entries If the CoS defined attribute is indexed with any kind of index including presence then any attribute with a value set by the CoS is not returned with a search For example The postalCode attribute for Ted Morris is defined by a CoS The postalCode attribute for Barbara Jensen is set in her entry The postalCode attribute is indexed If an ldapsearch command uses the filter postal...

Page 144: ...ating the CoS Template Entry Section 5 2 2 3 Editing an Existing CoS Section 5 2 2 4 Deleting a CoS 5 2 2 1 Creating a New CoS 1 In the Directory Server Console select the Directory tab 2 Browse the tree in the left navigation pane and select the parent entry for the new class of service 3 Go to the Object menu and select New Class of Service Alternatively right click the entry and select New Clas...

Page 145: ...the template entry identified by the value of one of the target entry s attributes an indirect CoS enter the attribute name in the Attribute Name field Click Change to select a different attribute from the list of available attributes Using both its DN and the value of one of the target entry s attributes To have the template entry identified by both its DN and the value of one of the target entry...

Page 146: ...n be full time or temporary 8 Click the Add Attribute button and add the attributes listed in the CoS The values used here will be used throughout the directory in the targeted entries 9 Set the cospriority There may be more than one CoS that applies to a given attribute in an entry the cospriority attribute ranks the importance of that particular CoS The higher cospriority will take precedence in...

Page 147: ...DAP tools can be used for CoS configuration and management This section contains the following topics Section 5 2 3 1 Creating the CoS Definition Entry from the Command Line Section 5 2 3 2 Creating the CoS Template Entry from the Command Line Section 5 2 3 3 Example of a Pointer CoS Section 5 2 3 4 Example of an Indirect CoS Section 5 2 3 5 Example of a Classic CoS 5 2 3 1 Creating the CoS Defini...

Page 148: ...or which to generate a value There can be more than one cosAttribute value This attribute is used by all types of CoS definition entries cosIndirectSpecifier Specifies the attribute value used by an indirect CoS to identify the template entry cosSpecifier Specifies the attribute value used by a classic CoS which along with the template entry s DN identifies the template entry cosTemplateDn Provide...

Page 149: ... cn pointerCoS ou People dc example dc com objectclass top objectclass cosSuperDefinition objectclass cosPointerDefinition objectclass ldapSubEntry cosTemplateDn cn exampleUS ou data dc example dc com cosAttribute postalCode override Then use a special search filter objectclass ldapSubEntry with the search This filter can be added to any other search filter using OR ldapsearch s sub b ou People dc...

Page 150: ... CoS 5 2 3 3 Example of a Pointer CoS Example Corporation s administrator is creating a pointer CoS that shares a common postal code with all entries in the dc example dc com tree 1 Add a new pointer CoS definition entry to the dc example dc com suffix using ldapmodify ldapmodify a D cn directory manager w secret h host p 389 The ldapmodify utility binds to the server and prepares it to add inform...

Page 151: ...nager attribute because this attribute is specified in the cosIndirectSpecifier attribute of the definition entry It then checks the departmentNumber value in the manager entry that is listed The value of the departmentNumber attribute will automatically be relayed to all of the manager s subordinates that have the manager attribute The value of departmentNumber will vary depending on the departme...

Page 152: ...es department The marketing template provides a postal code specific to employees in the marketing department 5 2 3 6 Handling Physical Attribute Values The cosAttribute attribute contains the name of another attribute which is governed by the class of service This attribute allows an override qualifier after the attribute value which sets how the CoS handles existing attribute values on entries w...

Page 153: ...ntains an attribute value generated by a CoS the value of the attribute cannot be manually updated if it is defined with the operational or override qualifiers For more information about the CoS attributes see the Directory Server Configuration Command and File Reference 5 2 3 7 Handling Multi valued Attributes with CoS Any attribute can be generated using a class of service including multi valued...

Page 154: ...they have the same or no priority a value is chosen arbitrarily NOTE The behavior for negative cosPriority values is not defined in Directory Server do not enter negative values 5 2 4 Creating Role Based Attributes Classic CoS schemes generate attribute values for an entry based on the role possessed by the entry For example role based attributes can be used to set the server look through limit on...

Page 155: ...ng upon the value of attributes generated by CoS will not work This is the same restriction that applies to using CoS generated attributes in search filters 5 3 Using Views Virtual directory tree views or views create a virtual directory hierarchy so it is easy to navigate entries without having to make sure those entries physically exist in any particular place The view uses information about the...

Page 156: ...Views in the Console To create a view in the Directory Server Console do the following 1 Select the Directory tab 2 In the left navigation tree create a suffix to hold the views For instance for views based on the locality l attribute name this organizational unit Location Views 3 Right click ou Location Views and select New Other 4 Select nsview from the New Object menu and hit OK 5 In the Proper...

Page 157: ...box appears to confirm the deletion of the entry Click Yes 5 3 3 Creating Views from the Command Line To create a view from the command line do the following 1 Use the ldapmodify utility to bind to the server and prepare it to add the new view entry to the configuration file ldapmodify a D cn directory manager w secret h host p 389 2 Add the new views container entry in this example under the dc e...

Page 158: ...edures for creating and modifying static groups Section 5 4 1 1 Adding a New Static Group Section 5 4 1 2 Modifying a Static Group NOTE If a user has an entry on a remote Directory Server for example in a chained database different from the Directory Server which has the entry that defines the static group then use the Referential Integrity plug in to ensure that deleted user entries are automatic...

Page 159: ...all possible selections during a search operation if there is no VLV index for users search This problem occurs only when the number of users is 1000 or more and there is no VLV index for search To work around the problem create a VLV index for the users suffix with the filter objectclass person and scope sub tree 5 4 2 Managing Dynamic Groups Dynamic groups filter users based on their DN and incl...

Page 160: ...ject menu The Edit Group dialog box appears 3 Make any changes to the group information Click OK To view the changes go to the View menu and select Refresh NOTE The Console for managing dynamic groups may not display all possible selections during a search operation if there is no VLV index for users search This problem can occur when the number of users is 1000 or more and there is no VLV index f...

Page 161: ...f entry attributes For a specific user all users belonging to a specific group or role or all users of the directory For a specific location such as an IP address or a DNS name 6 1 1 ACI Structure Access control instructions are stored in the directory as attributes of entries The aci attribute is an operational attribute it is available for use on every entry in the directory regardless of whethe...

Page 162: ...on their placement in the directory tree This means that ACIs that are close to the root of the directory tree do not take precedence over ACIs that are closer to the leaves of the directory tree For Directory Server ACIs the precedence rule is that ACIs that deny access take precedence over ACIs that allow access Between ACIs that allow access union semantics apply so there is no precedence For e...

Page 163: ...ACI keywords If you do the LDAP URL is not taken into account at all For more information on LDAP URLs see Appendix C LDAP URLs 6 2 Default ACIs When the Administration Server is set up the following default ACIs apply to the directory information stored in the userRoot database Users can modify a list of common attributes in their own entries including the mail telephoneNumber userPassword and se...

Page 164: ...e 6 3 1 The ACI Syntax The aci attribute uses the following syntax aci target version 3 0 acl name permissionbind_rules target specifies the entry attributes or set of entries and attributes for which to control access The target can be a distinguished name one or more attributes or a single LDAP filter The target is an optional part of the ACI version 3 0 is a required string that identifies the ...

Page 165: ...ttribute value or a combination of values that match a specified LDAP filter as described in Section 6 3 2 5 Targeting Attribute Values Using LDAP Filters The general syntax for a target is as follows keyword expression keyword expression keyword indicates the type of target equal indicates that the target is the object specified in the expression and not equal indicates the target is not the obje...

Page 166: ...ou want to deny access to a particular attribute use deny in the permissions clause rather than using allow with targetattr value For example usages such as these are recommended acl1 target targetattr a version 3 0 acl name deny acl2 target targetattr b version 3 0 acl name deny 6 3 2 1 Targeting a Directory Entry To target a directory entry and the entries below it you must use the target keywor...

Page 167: ...c example dc com node In other words this target matches with longer expressions such as uid andy ou eng dc example dc com or uid andy ou marketing dc example dc com NOTE You cannot use wildcards in the suffix part of a distinguished name That is if your directory uses the suffixes c US and c GB then you cannot use target ldap dc example c as a target to reference both suffixes Neither can you use...

Page 168: ...es to the entire Marketing subtree However you can also explicitly specify a target using the target keyword aci target ldap ou Marketing dc example dc com targetattr uid access_control_rules The order in which you specify the target and the targetattr keywords is not important 6 3 2 4 Targeting Entries or Attributes Using LDAP Filters You can use LDAP filters to target a group of entries that mat...

Page 169: ...u can grant or deny permissions on an attribute if that attribute s value meets the criteria defined in the ACI An ACI that grants or denies access based on an attribute s value is called a value based ACI For example you might grant all users in your organization permission to modify the nsroledn attribute in their own entry However you would also want to ensure that they do not give themselves c...

Page 170: ...e targetattr and targetfilter keywords You can use the targetattr keyword to specify an attribute that is only present in the entry you want to target and not in any of the entries below your target For example if you want to target ou people dc example dc com and there are not any organizational units ou defined below that node you could specify an ACI that contains targetattr ou A safer method i...

Page 171: ...hether users can create an entry This permission applies only to the add operation Delete Indicates whether users can delete an entry This permission applies only to the delete operation Search Indicates whether users can search for the directory data Users must have Search and Read rights in order to view the data returned as part of a search result This permission applies only to the search oper...

Page 172: ...o way to restrict the proxy rights to only certain users For example if an entity has proxy rights to the dc example dc com tree that entity can do anything Make sure you set the proxy ACI at the lowest possible level of the DIT see Section 6 9 11 Proxied Authorization ACI Example 6 3 3 3 Rights Required for LDAP Operations This section describes the rights you need to grant to users depending on ...

Page 173: ... bkolics can be granted access aci targetattr mail version 3 0 acl self access to mail allow read search userdn ldap self The search result list is empty because this ACI does not grant access to the objectclass attribute If you want the search operation described above to be successful modify the ACI to allow read and search access for the mail and objectclass attributes aci targetattr mail objec...

Page 174: ...lso be more complex such as requiring that a person must belong to a specific group must log in from a machine with a specific IP address and is restricted to access between 8 a m and 5 p m Bind rules define who can access the directory when and from where by defining any of the following Users groups and roles that are granted access Locations from which an entity must bind Times or days on which...

Page 175: ...te bindType orattribute value No ip IP_address Yes dns DNS_host_name Yes dayofweek sun mon tue wed thu fri sat No timeofday 0 2359 No authmethod none simple ssl sasl sasl_mechanism No Table 6 3 LDIF Bind Rule Keywords 6 4 2 Defining User Access userdn Keyword User access is defined using the userdn keyword The userdn keyword requires one or more valid distinguished names in the following format us...

Page 176: ... Server Console you define general access on the Access Control Editor For more information see Section 6 5 Creating ACIs from the Console 6 4 2 3 Self Access self Keyword Specifies that users are granted or denied access to their own entries In this case access is granted or denied if the bind DN matches the DN of the targeted entry From the Directory Server Console you set up self access on the ...

Page 177: ...dc example dc com indicates that only users with a bind DN beginning with the letter u are allowed or denied access based on the permissions you set From the Directory Server Console you set user access from the Access Control Editor For more information see Section 6 5 Creating ACIs from the Console 6 4 2 7 Examples Scenario Userdn keyword containing an LDAP URL Userdn keyword containing logical ...

Page 178: ...targeted entry is granted or denied if the user binds using a DN that belongs to a specific group The groupdn keyword requires one or more valid distinguished names in the following format groupdn ldap dn ldap dn ldap dn The bind rule is evaluated to be true if the bind DN belongs to the named group NOTE If a DN contains a comma the comma must be escaped by a backslash From the Directory Server Co...

Page 179: ... same way as the groupdn keyword 6 4 5 Defining Access Based on Value Matching You can set bind rules to specify that an attribute value of the entry used to bind to the directory must match an attribute value of the targeted entry For example you can specify that the bind DN must match the DN in the manager attribute of a user entry in order for the ACI to apply In this case only the user s manag...

Page 180: ...te in the targeted entry is expressed as a full DN The following example grants a manager full access to his or her employees entries aci target ldap dc example dc com targetattr version 3 0 acl manager write allow all userattr manager USERDN 6 4 5 1 2 Example with GROUPDN Bind Type The following associates the userattr keyword with a bind based on a group DN userattr owner GROUPDN The bind rule i...

Page 181: ...t also assumes that the value of this attribute is the DN of a role entry For information on adding attributes to the schema see Section 9 2 2 Creating Attributes The DN of the role can be under any suffix in the database If you are also using filtered roles the evaluation of this type of ACI uses a lot of resources on the server If you are using a static role definition and the role entry is unde...

Page 182: ...han a user DN group DN role DN or an LDAP filter the syntax is as follows userattr parent inheritance_level attrName attrValue inheritance_level is a comma separated list that indicates how many levels below the target inherits the ACI You can include five levels 0 1 2 3 4 below the targeted entry zero 0 indicates the targeted entry attribute is the attribute targeted by the userattr or groupattr ...

Page 183: ... news entries aci targetattr version 3 0 acl profiles access allow read search userattr owner USERDN 6 4 5 1 7 Granting Add Permission Using the userattr Keyword Using the userattr keyword in conjunction with all or add permissions does not behave as one would typically expect Typically when a new entry is created in the directory Directory Server evaluates access rights on the entry being created...

Page 184: ...tribute that matches the bind DN aci target ldap dc example dc com targetattr version 3 0 acl parent access allow add userattr parent 0 1 manager USERDN This ACI ensures that add permission is granted only to users whose bind DN matches the manager attribute of the parent entry 6 4 6 Defining Access from a Specific IP Address Using bind rules you can indicate that the bind operation must originate...

Page 185: ...ldcards For example dns example com The bind rule is evaluated to be true if the client accessing the directory is located in the named domain This can be useful for allowing access only from a specific domain Wildcards will not work if your system uses a naming service other than DNS In such a case if you want to restrict access to a particular domain use the ip keyword as described in Section 6 ...

Page 186: ...is evaluated to be true if the client is accessing the directory at noon timeofday 1200 The bind rule is evaluated to be true if the client is accessing the directory at any time other than 1 a m timeofday 0100 The bind rule is evaluated to be true if the client is accessing the directory at any time after 8 a m timeofday 0800 The bind rule is evaluated to be true if the client is accessing the di...

Page 187: ...T MD5 and GSS API for Kerberos systems For information on setting up SASL see Chapter 12 Managing SASL NOTE You cannot set up authentication based bind rules through the Access Control Editor The LDIF syntax for setting a bind rule based on an authentication method is as follows authmethod sasl_mechanism sasl_mechanism can be none simple ssl or sasl sasl_mechanism 6 4 9 1 Examples The following ar...

Page 188: ...l administrators dc example dc com and dns example com The trailing semicolon is a required delimiter that must appear after the final bind rule Boolean expressions are evaluated in the following order Innermost to outermost parenthetical expressions first All expressions from left to right NOT before AND or OR operators OR and AND operators have no order of precedence Consider the following Boole...

Page 189: ... access Section 6 4 2 4 Parent Access parent Keyword Create ACIs that contain Boolean bind rules Section 6 4 10 Using Boolean Bind Rules Create ACIs that use the roledn userattr authmethod keywords NOTE In the Access Control Editor click the Edit Manually button at any time to check the LDIF representation of the ACI changes made through the graphical interface 6 5 1 Displaying the Access Control ...

Page 190: ...Chapter 6 Managing Access Control 172 4 Click New to open the Access Control Editor ...

Page 191: ...trol Editor If the view displayed is different from Figure 6 2 Access Control Editor Window click the Edit Visually button 2 Type the ACI name in the ACI Name field The name can be any unique string to identify the ACI If you do not enter a name the server uses unnamed ACI 3 In the Users Groups tab select the users to whom you are granting access by highlighting All Users or clicking the Add butto...

Page 192: ...rch results are displayed in the list below b Highlight the entries you want in the search result list and click the Add button to add them to the list of entries which have access permission c Click OK to dismiss the Add Users and Groups window The selected entries are now listed on the Users Groups tab in the ACI editor 4 In the Access Control Editor click the Rights tab and use the checkboxes t...

Page 193: ...Creating a New ACI 175 5 Click the Targets tab Click This Entry to display the current node as the target for the ACI or click Browse to select a different suffix ...

Page 194: ...the ACI enter a filter in the Filter for Sub entries field The filter applies to every entry below the target entry for example setting a filter of ou Sales means that only entries with ou Sales in their DN are returned Additionally you can restrict the scope of the ACI to only certain attributes by selecting the attributes to target in the attribute list 6 Click the Hosts tab then the Add button ...

Page 195: ... asterisk as a wildcard 7 Click the Times tab to display the table showing at what times access is allowed By default access is allowed at all times You can change the access times by clicking and dragging the cursor over the table You cannot select discrete blocks of time only continuous time ranges ...

Page 196: ...he LDIF statement corresponding to the wizard input You can modify this statement but your changes may not be visible in the graphical interface 6 5 3 Editing an ACI To edit an ACI do the following 1 In the Directory tab right click the top entry in the subtree and choose Set Access Permissions from the pop up menu The Access Control Manager window opens listing the ACIs belonging to the entry 2 I...

Page 197: ...ormation on using the ldapsearch utility From the Directory Server Console all of the ACIs that apply to a particular entry can be viewed through the Access Control Manager 1 Start the Directory Server Console See Section 1 4 Starting the Directory Server Console 2 In the Directory tab right click the entry in the navigation tree and select Set Access Permissions The Access Control Manager opens w...

Page 198: ...he get effective rights control returns the access controls placed on a particular entry The entryLevelRights and attributeLevelRights returns are added as attributes to the bottom of the query results If ldapsearch is run without J then the entry information is returned as normal without the entryLevelRights or attributeLevelRights information A get effective rights result looks like the followin...

Page 199: ...trol OID is the OID for the get effective rights control 1 3 6 1 4 1 42 2 27 9 5 2 boolean criticality specifies whether the search operation should return an error if the server does not support this control true or if it should be ignored and let the search return as normal false AuthId is the DN of the entry whose rights over the user account are being checked If the AuthId is left blank dn tha...

Page 200: ...ctClass version 1 dn uid tmorris ou People dc example dc com givenName Ted sn Morris ou Accounting ou People l Santa Clara manager uid dmiller ou People dc example dc com roomNumber 4117 mail tmorris example com facsimileTelephoneNumber 1 408 555 5409 objectClass top objectClass person objectClass organizationalPerson objectClass inetOrgPerson uid tmorris cn Ted Morris userPassword SSHA bz0uCmHZM5...

Page 201: ... rights from the Console do the following 1 Open the Directory tab and right click the entry which rights you want to check 2 Select Advanced Properties from the drop down menu The Property Editor appears 3 Check the Show effective rights checkbox The attribute level effective rights r s c w o appear next to the attributes The entry level rights v a d n appear under the full DN for the entry in th...

Page 202: ... nsslapd errorlog level value field For example if the value already displayed is 8192 replication debugging change the value to 8320 For complete information on error log levels see the Directory Server Configuration Command and File Reference 4 Click OK to dismiss the Property Editor 6 9 Access Control Usage Examples The examples provided in this section illustrate how an imaginary ISP company e...

Page 203: ... 9 7 Denying Access Grant anonymous access to the world to the individual subscribers subtree except for subscribers who have specifically requested to be unlisted This part of the directory could be a consumer server outside of the firewall and be updated once a day See Section 6 9 1 Granting Anonymous Access and Section 6 9 8 Setting a Target Using Filtering 6 9 1 Granting Anonymous Access Most ...

Page 204: ...rch access of the individual subscribers subtree to the world while denying access to information on unlisted subscribers write the following statement aci targetfilter unlistedSubscriber yes targetattr homePostalAddress homePhone mail version 3 0 acl Anonymous World allow read search userdn ldap anyone This example assumes that the ACI is added to the ou subscribers dc example dc com entry It als...

Page 205: ...y to let their subscribers update their own personal information in the example com tree provided that they establish an SSL connection to the directory This is illustrated in Section 6 9 2 2 ACI Write Subscribers 6 9 2 1 ACI Write example com NOTE By setting this permission you are also granting users the right to delete attribute values Granting example com employees the right to update their pa...

Page 206: ... Filter dialog box In the DNS host filter field type example com Click OK to dismiss the dialog box 7 Click OK in the Access Control Editor window The new ACI is added to the ones listed in the Access Control Manager window 6 9 2 2 ACI Write Subscribers NOTE By setting this permission you are also granting users the right to delete attribute values In LDIF to grant example com subscribers the righ...

Page 207: ...ary click the Check None button to clear the checkboxes for all attributes in the table then click the Name header to organize them alphabetically and select the appropriate ones c Optionally to require users to authenticate using SSL switch to manual editing by clicking the Edit Manually button and add authmethod ssl to the LDIF statement so that it reads as follows targetattr homePostalAddress h...

Page 208: ...ew to display the Access Control Editor 3 In the Users Groups tab in the ACI name field type Roles In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box opens b Set the Search area in the Add Users and Groups dialog box to Special Rights and select Self from the search results list c Click the Add button to ...

Page 209: ...ction 6 9 4 1 ACI HR 6 9 4 1 ACI HR In LDIF to grant the HR group all rights on the employee branch of the directory use the following statement aci version 3 0 acl HR allow all userdn ldap cn HRgroup ou example people dc example dc com This example assumes that the ACI is added to the ou example people dc example dc com entry From the Console set this permission by doing the following 1 In the Di...

Page 210: ...up Only the group owner can modify or delete a group entry This is illustrated in Section 6 9 5 2 ACI Delete Group 6 9 5 1 ACI Create Group In LDIF to grant example com employees the right to create a group entry under the ou Social Committee branch write the following statement aci target ldap ou social committee dc example dc com targattrfilters add objectClass objectClass groupOfNames version 3...

Page 211: ... Edit Manually button Add the following to the beginning of the LDIF statement targattrfilters add objectClass objectClass groupOfNames The LDIF statement should read as follows targattrfilters add objectClass objectClass groupOfNames targetattr target ldap ou social committee dc example dc com version 3 0 acl Create Group allow read search add userdn ldap all and dns example com 8 Click OK The ne...

Page 212: ... the content of these ACIs is the same the examples below illustrate the HostedCompany1 ACI only 6 9 6 1 ACI HostedCompany1 In LDIF to grant HostedCompany1 full access to their own branch of the directory under the conditions stated above write the following statement aci target ou HostedCompany1 ou corporate clients dc example dc com targetattr version 3 0 acl HostedCompany1 allow all roledn ldap...

Page 213: ...time block 8 To enforce SSL authentication from HostedCompany1 administrators switch to manual editing by clicking the Edit Manually button Add the following to the end of the LDIF statement and authmethod ssl The LDIF statement should be similar to the following aci targetattr target ou HostedCompany1 ou corporate clients dc example dc com version 3 0 acl HostedCompany1 allow all roledn ldap cn D...

Page 214: ...ens b Set the Search area in the Add Users and Groups dialog box to Special Rights and select Self from the search results list c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 In the Rights tab select the checkboxes for search and read rights Make sure the other checkboxes are clear 5 In the Targ...

Page 215: ...Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 In the Rights tab select the checkbox for write Make sure the other checkboxes are clear 5 Click the Edit Manually button and in the LDIF statement that opens change the word allow to deny 6 In the Targets tab click This Entry to display the ou subscr...

Page 216: ...ectories set ACIs that allow users to add or remove themselves from groups This is useful for example for allowing users to add and remove themselves from mailing lists At example com employees can add themselves to any group entry under the ou social committee subtree This is illustrated in Section 6 9 9 1 ACI Group Members 6 9 9 1 ACI Group Members In LDIF to grant example com employees the righ...

Page 217: ...ire special treatment within your LDIF ACI statements In the target and bind rule portions of the ACI statement commas must be escaped by a single backslash For example dn dc example com Bolivia S A dc com objectClass top objectClass organization aci target ldap dc example com Bolivia S A dc com targetattr version 3 0 acl aci 2 allow all groupdn ldap cn Directory Administrators dc example com Boli...

Page 218: ...d the password of the proxy entry NOTE There are some restrictions on binding with proxy authorization You cannot use the Directory Manager s DN root DN as a proxy DN Additionally if Directory Server receives more than one proxied authentication control an error is returned to the client application and the bind attempt is unsuccessful 6 10 Advanced Access Control Using Macro ACIs In organizations...

Page 219: ...stedCompany1 dc example dc com tree Figure 6 3 Example Directory Tree for Macro ACIs The following ACI is located on the dc hostedCompany1 dc example dc com node aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com The following ACI is located on the dc subdomain1 dc hosted...

Page 220: ...n this example the number of ACIs is reduced from four to one The real benefit is a factor of how many repeating patterns you have down and across your directory tree 6 10 2 Macro ACI Syntax Macro ACIs include the following types of expressions to replace a DN or part of a DN dn dn attr attrName where attrName represents an attribute contained in the target entry In this section the ACI keywords u...

Page 221: ...ain1 dc hostedCompany1 then the same string is used in the subject The ACI is then expanded as follows aci target ldap ou Groups dc subdomain1 dc hostedCompany1 dc example dc com targetattr version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc subdomain1 dc hostedCompany1 dc example dc com Once the macro has been expanded Directory Server evaluates the ACI follo...

Page 222: ...allow read search groupdn ldap cn DomainAdmins ou Groups dn dc example dc com It grants access to the members of cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com to all of the subdomains under dc hostedCompany1 so an administrator belonging to that group could access a subtree like ou people dc subdomain1 1 dc subdomain1 However at the same time members of cn DomainAdmins ou Groups dc...

Page 223: ...dc example dc com 6 11 Access Control and Replication ACIs are stored as attributes of entries therefore if an entry containing ACIs is part of a replicated database the ACIs are replicated like any other attribute ACIs are always evaluated on the Directory Server that services the incoming LDAP requests This means that when a consumer server receives an update request it returns a referral to the...

Page 224: ...206 ...

Page 225: ...nt lockout policy Account lockout protects against hackers who try to break into the directory by repeatedly guessing a user s password This section provides information about configuring password and account lockout policies Section 7 1 1 Configuring the Password Policy Section 7 1 2 Setting User Passwords Section 7 1 3 Password Change Extended Operation Section 7 1 4 Configuring the Account Lock...

Page 226: ...on the screen active 4 To require users to change their password the first time they log on select the User must change password after reset checkbox If this checkbox is selected only the Directory Manager is authorized to reset the user s password A regular administrative user cannot force the users to update their password 5 To allow users to change their own passwords select the User may change...

Page 227: ...a user logs in 11 For the server to check the syntax of a user password to make sure it meets the minimum requirements set by the password policy select the Check Password Syntax checkbox Then specify required password complexity such as the minimum length and required number of numeric and special characters The password syntax requirements are described more in Table 7 1 Password Policy Attribut...

Page 228: ... user add the required entries and attributes at the subtree or user level set the appropriate values to the password policy attributes and enable fine grained password policy checking This section describes the attributes to create a password policy for the entire server globally using ldapmodify to change these attributes in the cn config entry Table 7 1 Password Policy Attributes describes the ...

Page 229: ...ds after which user passwords expire To use this attribute enable password expiration using the passwordExp attribute This attribute is a dynamic parameter in that its maximum value is derived by subtracting January 18 2038 from today s date The attribute value must not be set to the maximum value or too close to the maximum value If the value is set to the maximum value Directory Server may fail ...

Page 230: ...n the passwordInHistory attribute in a history If a user attempts to reuse one of the passwords the password will be rejected When this attribute is set to off any passwords stored in the history remain there When this attribute is set back to on users will not be able to reuse the passwords recorded in the history before the attribute was disabled This attribute is off by default meaning users ca...

Page 231: ...pectively By default this attribute is set to 0 meaning there is no required minimum passwordMinDigits This attribute sets the minimum number of numeric characters 0 through 9 which must be used in the password By default this attribute is set to 0 meaning there is no required minimum passwordMinSpecials This attribute sets the minimum number of special ASCII characters such as which must be used ...

Page 232: ...secure The Directory Server supports SSHA SSHA 256 SSHA 384 and SSHA 512 SSHA is the default method SHA Secure Hash Algorithm A one way hash algorithm it is supported only for backwards compatibility with Directory Server 4 x and should not be used otherwise This includes support for SHA SHA 256 SHA 384 and SHA 512 algorithms which protects against some insecurities in the SHA 1 algorithm MD5 MD5 ...

Page 233: ...nd all its children For example dn cn nsPwPolicyContainer ou people dc example dc com objectClass top objectClass nsContainer cn nsPwPolicyContainer The actual password policy specification entry nsPwPolicyEntry for holding all the password policy attributes that are specific to the subtree For example dn cn cn nsPwPolicyEntry ou people dc example dc com cn nsPwPolicyContainer ou people dc example...

Page 234: ...ibute of the target entry For example this assigns the password policy to the user entry dn uid jdoe ou people dc example dc com changetype modify replace pwdpolicysubentry pwdpolicysubentry cn nsPwPolicyEntry uid jdoe ou people dc example dc com cn nsPwPolicyContainer ou people dc example dc com 4 Set the password policy attributes of subtree or user entry with the appropriate values Table 7 1 Pa...

Page 235: ...rs and Roles Passwords can also be set and reset in the Users and Groups area of the Administration Server For information on how to use the Users and Groups area see the online help that is available in the Red Hat Administration Server 7 1 3 Password Change Extended Operation While most passwords can be changed through the Console and other Directory Server features or through the ldapmodify ope...

Page 236: ... contains the CA certificate of the CA that issued the Directory Server client certificate If the ldappasswd command is run on the same machine that the Directory Server is installed on this can be etc dirsrv slapd instance_name cert8 db If this is not given the default is the current directory D Gives the bind DN w Gives the password for the bind DN a Optional Gives the old password which is bein...

Page 237: ...en number of failed attempts to bind Configuring the account lockout policy is described in the following sections Section 7 1 4 1 Configuring the Account Lockout Policy Using the Console Section 7 1 4 2 Configuring the Account Lockout Policy Using the Command Line 7 1 4 1 Configuring the Account Lockout Policy Using the Console To set up or modify the account lockout policy for the Directory Serv...

Page 238: ...swordLockout attribute is set to on This attribute is set to 3 bind failures by default passwordUnlock This attribute sets whether a user can log back into the server without administrator intervation The default is for this attribute to be on meaning that the user can log back into the server after a certain lockout period has passed If this attribute is turned off then the user cannot log back i...

Page 239: ...uration information is kept locally and is not replicated This information includes the password syntax and the history of password modifications Account lockout counters and tiers are not replicated either When configuring a password policy in a replicated environment consider the following points Warnings from the server of an impending password expiration will be issued by all replicas This inf...

Page 240: ...Make sure to create the same or similar password policies on both Directory Server and Active Directory servers Entries that are created for synchronization for example the server identities need to have passwords that never expire To make sure that these special users have passwords that do not expire add the passwordExpirationTime attribute to the Directory Server entry and give it a value of 20...

Page 241: ...ivate the user or role 4 Click OK Once inactivated the state of the object can be viewed by selecting Inactivation State from the View Display menu The icon of the object then appears in the right pane of the Console with a red slash through it 7 2 2 Inactivating User and Roles Using the Command Line To inactivate a user account use the ns inactivate pl script The following example describes using...

Page 242: ...slash through the icon indicating it was inactive disappears 7 2 4 Activating User and Roles Using the Command Line To activate a user account use the ns activate pl script The following example describes using the ns activate pl script to activate Joe Frasier s user account ns activate pl D Directory Manager w secretpwd p 389 h example com I uid jfrasier ou people dc example dc com The following ...

Page 243: ...e limits for a user or a role using the Directory Server Console 1 Select the Directory tab 2 Browse the navigation tree in the left navigation pane and double click the user or role for which to set resource limits The Edit Entry dialog box appears 3 Click Account in the left pane The right pane contains the four limits that can be set in the Resource Limits section Entering a value of 1 indicate...

Page 244: ... the connection is dropped The value is given in seconds Giving this attribute a value of 1 indicates that there is no limit For example this sets the size limit for Barbara Jensen by using ldapmodify 1 to modify her entry ldapmodify h myserver p 389 D cn directory manager w secretpwd dn uid bjensen ou people dc example dc com changetype modify add nsSizeLimit nsSizeLimit 500 The ldapmodify statem...

Page 245: ...ch can be replicated is a database This means that one can replicate an entire database but not a subtree within a database Therefore when creating the directory tree consider any replication plans as part of determining how to distribute information Replication also requires that one database correspond to one suffix This means that a suffix or namespace that is distributed over two or more datab...

Page 246: ...ther applications to read the changelog use the Retro Changelog Plug in as described in Section 8 16 Using the Retro Changelog Plug in 8 1 5 Replication Identity When replication occurs between two servers the replication process uses a special entry called the replication manager entry to identify replication protocol exchanges and to control access to the directory data The replication manager e...

Page 247: ...plier to the consumer Administrators can therefore replicate a database without replicating all the information that it contains or all of the information in every entry Fractional replication is enabled and configured per replication agreement Excluding attributes from replication is applied equally to all entries within the replication agreement s scope As far as the consumer server is concerned...

Page 248: ...used replication scenarios Section 8 2 1 Single Master Replication Section 8 2 2 Multi Master Replication Section 8 2 3 Cascading Replication These basic strategies can be combined in a variety of ways to create the best replication environment NOTE Whatever replication scenario is implemented consider schema replication To avoid conflict resolution loops the Referential Integrity Plug in should o...

Page 249: ...lication scenarios in which the same suffix database can be mastered on many servers This suffix is held in a read write replica on each server This means that each server maintains a changelog for the read write replica This type of configuration can work with any number of consumer servers Each consumer server holds a read only replica The consumers can receive updates from all the suppliers The...

Page 250: ... Master Replication Four Masters shows a sample of multi master replication scenario with four supplier servers and eight consumer servers In this sample setup each supplier server is configured with ten replication agreements to feed data to two other supplier servers and all eight consumer servers ...

Page 251: ...nd realize that changes to one directory may not be quickly replicated to other directories over slow links such as wide area networks in geographically distributed environments For the procedure to set up multi master replication see Section 8 5 Configuring Multi Master Replication 8 2 3 Cascading Replication In a cascading replication scenario one server a hub acts both as a consumer and a suppl...

Page 252: ...hough it is possible to create more complex scenarios with several hub servers Figure 8 4 Cascading Replication For information on setting up cascading replication see Section 8 6 Configuring Cascading Replication NOTE Multi master and cascading replication can be combined For example in the multi master scenario illustrated in Figure 8 2 Multi Master Replication Two Masters Server C and Server D ...

Page 253: ...y are stored under cn config performance will suffer However although Red Hat recommends not storing simple user entries under cn config for performance reasons it can be useful to store special user entries such as the Directory Manager entry or replication manager supplier bind DN entry under cn config since this centralizes configuration information On each server that acts as a consumer in rep...

Page 254: ...re 8 1 Single Master Replication between supplier Server A which holds a read write replica and the two consumers Server B and Server C which each hold a read only replica there are two major steps Section 8 4 1 Configuring the Read Write Replica on the Supplier Server Section 8 4 2 Configuring the Read Only Replica on the Consumer Section 8 4 3 Create the Replication Agreement 8 4 1 Configuring t...

Page 255: ...ues g Click Save 2 Specify the replication settings required for a read write replica a In the navigation tree on the Configuration tab expand the Replication node and highlight the database to replicate The Replica Settings tab opens in the right hand side of the window b Check the Enable Replica checkbox c In the Replica Role section select the Single Master radio button d In the Common Settings...

Page 256: ...instructions on creating suffixes 2 Create the entry for the supplier bind DN on the consumer server if it does not exist The supplier bind DN is the special entry that the supplier will use to bind to the consumer This is described in Section 8 3 Creating the Supplier Bind DN Entry 3 Specify the replication settings required for a read only replica a In the Directory Server Console select the Con...

Page 257: ...s how often the state information stored in the replicated entries is purged f In the Update Settings section specify the bind DN that the supplier will use to bind to the replica Enter the supplier bind DN in the Enter a new Supplier DN field and click Add The supplier bind DN appears in the Current Supplier DNs list The supplier bind DN should be the entry created in step 2 The supplier bind DN ...

Page 258: ...tion 4 Click Save Repeat these steps for every consumer server in the replication configuration 8 4 3 Create the Replication Agreement Create one replication agreement for each read only replica For example in the scenario illustrated in Figure 8 1 Single Master Replication Server A has two replication agreements one for Server B and one for Server C 1 In the navigation tree of the Configuration t...

Page 259: ...irectory Server instance is configured to run over SSL This port number is used only for identification of the Directory Server instance in the Console it does not specify the actual port number or protocol that is used for replication If SSL is enabled on the servers it is possible to select the Using encrypted SSL connection radio button for SSL client authentication Otherwise fill in the suppli...

Page 260: ...plicated between servers By default all attributes are replicated To select attributes that will not be replicated to the consumer check the Enable Fractional Replication checkbox Then highlight the attribute or attributes in the Included column on the right and click Remove All attributes that will not be replicated are listed in the Excluded column on the left as well as in the summary the repli...

Page 261: ... fractional replication must be a dedicated consumer not a multi master supplier or hub This is not enforced at the time the replication agreement is made but replication will fail if the consumer is not a read only replica 5 Set the schedule for when replication runs By default replication runs continually ...

Page 262: ...that the consumer can be initialized later It is also possible to initialize the consumer as soon as the replication agreement is completed or not at all For information on initializing consumers see Section 8 10 Initializing Consumers NOTE Replication will not begin until the consumer is initialized Hit Next 7 The final screen shows the settings for the replication agreement as it will be include...

Page 263: ...lication agreement is set up NOTE After creating a replication agreement the connection type SSL or non SSL cannot be changed because LDAP and LDAPS connections use different ports To change the connection type re create the replication agreement ...

Page 264: ...Read Only Replicas on the Consumer Servers Section 8 5 3 Setting up the Replication Agreements Section 8 5 4 Preventing Monopolization of the Consumer in Multi Master Replication NOTE More than 10 databases running with replication or more than 20 replication agreements on a supplier can cause performance degradation To support that many consumers introduce hub replicas between the suppliers and c...

Page 265: ... the consumer server if it does not exist This is the special entry that the other suppliers will use to bind to this supplier as in other supplier consumer relationships This is described in Section 8 3 Creating the Supplier Bind DN Entry NOTE For multi master replication it is necessary to create this supplier bind DN on the supplier servers as well as the consumers because the suppliers act as ...

Page 266: ...ton e In the Common Settings section specify a Replica ID which is an integer between 1 and 65534 inclusive The replica ID must be unique for a given suffix different from any other ID used for read write replicas on this server and on other servers f In the Common Settings section specify a purge delay in the Purge delay field The purge delay is how often the state information stored in the repli...

Page 267: ...t Only specify the URL for the supplier server For clients to bind using SSL specify a URL beginning with ldaps i Click Save 8 5 2 Configuring the Read Only Replicas on the Consumer Servers First configure every consumer 1 Create the database for the read only replica if it does not exist See Section 3 1 1 Creating Suffixes for instructions on creating suffixes 2 Create the entry for the supplier ...

Page 268: ...nformation stored in the replicated entries is purged f In the Update Settings section specify the bind DN that the supplier will use to bind to the replica Enter the supplier bind DN in the Enter a new Supplier DN field and click Add The supplier bind DN appears in the Current Supplier DNs list The supplier bind DN should be the entry created in step 2 The supplier bind DN is a privileged user be...

Page 269: ...reements on a single supplier the data master between the other multi master suppliers and initialize all of the other suppliers Then create replication agreements for all other suppliers in the multi master replication set but do not reinitialize any of the suppliers Then create replication agreements for all of the consumers from the single data master and initialize the consumers Then create re...

Page 270: ...rectory Server instance is configured to run over SSL This port number is used only for identification of the Directory Server instance in the Console it does not specify the actual port number or protocol that is used for replication If SSL is enabled on the servers it is possible to select the Using encrypted SSL connection radio button for SSL client authentication Otherwise fill in the supplie...

Page 271: ... replicated between servers By default all attributes are replicated To select attributes that will not be replicated to the consumer check the Enable Fractional Replication checkbox Then highlight the attribute or attributes in the Included column on the right and click Remove All attributes that will not be replicated are listed in the Excluded column on the left as well as in the summary the re...

Page 272: ...fractional replication must be a dedicated consumer not a multi master supplier or hub This is not enforced at the time the replication agreement is made but replication will fail if the consumer is not a read only replica 5 Set the schedule for when replication runs By default replication runs continually ...

Page 273: ...on initializing consumers see Section 8 10 Initializing Consumers For multi master replication consider the following Ensure one supplier has the complete set of data to replicate to the other suppliers Use this one supplier to initialize the replica on all other suppliers in the multi master replication set Initialize the replicas on the consumer servers from any of the multi master suppliers Do ...

Page 274: ...lication will not begin until the consumer is initialized Hit Next 7 The final screen shows the settings for the replication agreement as it will be included in the dse ldif file Hit Done to save the agreement The replication agreement is set up ...

Page 275: ...ending updates and then has more pending changes to send it will immediately attempt to reacquire the consumer and will most likely succeed since the other suppliers usually will be sleeping This can cause a single supplier to monopolize a consumer for several hours or longer Two attributes address this issue nsds5ReplicaBusyWaitTime and nsds5ReplicaSessionPauseTime nsds5ReplicaBusyWaitTime The ns...

Page 276: ...2 The log levels are described in more detail in the Directory Server Configuration Command and File Reference 8 6 Configuring Cascading Replication This section provides information on setting up cascading replication The steps described in this section provide a high level overview of the procedure and cross references to the detailed task descriptions are provided at each step Setting up cascad...

Page 277: ...ues g Click Save 2 Specify the replication settings required for a read write replica a In the navigation tree on the Configuration tab expand the Replication node and highlight the database to replicate The Replica Settings tab opens in the right hand side of the window b Check the Enable Replica checkbox c In the Replica Role section select the Single Master radio button d In the Common Settings...

Page 278: ...xist See Section 3 1 1 Creating Suffixes for instructions on creating suffixes 2 Create the entry for the supplier bind DN on the consumer server if it does not exist The supplier bind DN is the special entry that the supplier will use to bind to the consumer This is described in Section 8 3 Creating the Supplier Bind DN Entry 3 Specify the replication settings required for a read only replica a I...

Page 279: ...n the state information stored in the replicated entries is purged f In the Update Settings section specify the bind DN that the supplier will use to bind to the replica Enter the supplier bind DN in the Enter a new Supplier DN field and click Add The supplier bind DN appears in the Current Supplier DNs list The supplier bind DN should be the entry created in step 2 The supplier bind DN is a privi...

Page 280: ...tion then configure the hub replica 8 6 3 Configuring the Read Only Replica on the Hub Do this to set up a hub which receives replication updates from the supplier and propagates them to consumers 1 Create the database for the read only replica if it does not exist See Section 3 1 1 Creating Suffixes for instructions on creating suffixes 2 Create the entry for the supplier bind DN on the consumer ...

Page 281: ...n to display a file selector f Set the changelog parameters for the number and age of the log files Clear the unlimited checkboxes to specify different values g Click Save 4 Specify the required hub replica settings a In the Directory Server Console select the Configuration tab b In the navigation tree expand the Replication folder and highlight the replica database The Replica Settings tab for th...

Page 282: ...ion stored in the replicated entries is purged f In the Update Settings section specify the bind DN that the supplier will use to bind to the replica Enter the supplier bind DN in the Enter a new Supplier DN field and click Add The supplier bind DN appears in the Current Supplier DNs list The supplier bind DN should be the entry created in step 2 The supplier bind DN is a privileged user because i...

Page 283: ...lication requires two sets of replication agreements the first between the supplier and the hub and the second between the hub and the consumer To set up the replication agreements do the following 1 Create the replication agreement on the supplier for the hub then use the supplier server to initialize the replica on the hub server 2 Then create the replication agreement on the hub for each consum...

Page 284: ...rectory Server instance is configured to run over SSL This port number is used only for identification of the Directory Server instance in the Console it does not specify the actual port number or protocol that is used for replication If SSL is enabled on the servers it is possible to select the Using encrypted SSL connection radio button for SSL client authentication Otherwise fill in the supplie...

Page 285: ... replicated between servers By default all attributes are replicated To select attributes that will not be replicated to the consumer check the Enable Fractional Replication checkbox Then highlight the attribute or attributes in the Included column on the right and click Remove All attributes that will not be replicated are listed in the Excluded column on the left as well as in the summary the re...

Page 286: ...fractional replication must be a dedicated consumer not a multi master supplier or hub This is not enforced at the time the replication agreement is made but replication will fail if the consumer is not a read only replica 5 Set the schedule for when replication runs By default replication runs continually ...

Page 287: ... can be initialized later It is also possible to initialize the consumer as soon as the replication agreement is completed or not at all For information on initializing consumers see Section 8 10 Initializing Consumers For cascading replication consider the following Create the supplier hub replication agreement on the supplier first and initialize the hub from the supplier Create the hub consumer...

Page 288: ...ation 270 NOTE Replication will not begin until the consumer is initialized Hit Next 7 The final screen shows the settings for the replication agreement as it will be included in the dse ldif file Hit Done to save the agreement ...

Page 289: ...uring Hubs from the Command Line 6 Create the replication agreements Section 8 7 4 Configuring Replication Agreements from the Command Line For cascading replication create the agreement between the supplier and hub then between the hub and consumers for multi master create the agreements between all suppliers then between the suppliers and consumers 7 Lastly initialize all of the consumers Sectio...

Page 290: ...aPurgeDelay 604800 nsds5ReplicaBindDN cn replication manager cn config Example 8 3 Example Supplier Replica Entry nsds5replicaroot sets the subtree suffix which is being replicated nsds5replicatype sets what kind of replica this database is For either a single master or a multi master supplier this value must be 3 nsds5replicaid sets the replica ID The value must be unique among all suppliers and ...

Page 291: ... Class or Attribute Description Values objectclass top Required object class for every entry objectclass extensibleObject An object class which allows any other object class or attribute to be added to an entry objectclass nsds5replica An object class which allows replication attributes to be added to an entry cn replica The naming attribute for the replica Any string the default usage is to set t...

Page 292: ...fig NOTE For security it is strongly recommended that you do not use the Directory Manager as the supplier bind DN nsds5replicareferral URL Optional An LDAP URL which a consumer or hub to which a consumer or hub can forward update requests By default update requests are sent to the masters for the consumer use this parameter to override the default Any LDAP URL For example nsds5replicareferral lda...

Page 293: ...e changelog database since the hub keeps a record of changes sent by the supplier and second configuring the hub replica 1 On the hub server such as hub1 example com use ldapmodify to create the changelog 1 entry ldapmodify v h hub1 example com p 389 D cn directory manager w password dn cn changelog5 cn config changetype add objectclass top objectclass extensibleObject cn changelog5 nsslapd change...

Page 294: ...ing up replication agreements first set them up between all suppliers then between the suppliers and the hubs and last between the hub and the consumers The replication agreement has to define seven things The consumer host nsds5replicahost and port nsds5replicaport The DN for the supplier to use to bind with the consumer nsds5ReplicaBindDN the way that the supplier binds nsds5replicabindmethod an...

Page 295: ...SL is enabled the fully qualified domain name is required Any hostname For example nsds5replicahost consumer1 nsds5replicaport number Gives the LDAP port for the consumer server To use TLS SSL give the secure port number 636 by default and set the nsds5ReplicaTransportInfo attribute to SSL Any port number nsds5replicatransportinfo method To use TLS SSL set this parameter to SSL If TLS SSL is not u...

Page 296: ...es and the days on which replication occurs If the schedule is omitted replication will take place all the time Has the following value with the start SSSS and end EEEE times set in the form HHMM The times are given in 24 hour clock format so 0000 is midnight and 2359 is 11 59 PM For example the setting 1030 1630 schedules replication from 10 30 AM to 4 30 PM The times cannot wrap around midnight ...

Page 297: ...e initialized For example ldapsearch h supplier1 example com p 389 D cn directory manager w password s sub b cn config objectclass nsds5ReplicationAgreement This command returns all of the replication agreements configured on the supplier in LDIF format Get the DN of the replication agreement with the consumer to be initialized This is the replication agreement which will be edited 2 Edit the repl...

Page 298: ...to a supplier 1 Make sure there are no updates in progress 2 Stop the supplier server 3 Open the Directory Server Console for the read only replica 4 In the Configuration tab select Replication In the right pane select the Enable changelog checkbox 5 Select the suffix and in the Replica Settings tab change the replica role to a single master or multi master and assign a unique replica ID 6 Save th...

Page 299: ...g the changelog a new changelog is created in the specified directory and the old changelog is deleted Changing the location of the changelog requires consumer reinitialization 8 10 Initializing Consumers Once a replication agreement is created the consumer must be initialized that is the data must be physically copied from the supplier server to the consumer servers This section first describes c...

Page 300: ...plier server Manual consumer initialization using the command line is a more effective method of initializing a large number of consumers from a single LDIF file 8 10 2 Online Consumer Initialization Using the Console Online consumer initialization using the Console is the easiest way to initialize or reinitialize a consumer However for replicating across a slow link this process can be very time ...

Page 301: ...ier1 example com p 389 D cn directory manager w password dn cn ExampleAgreement cn replica cn dc example dc com cn mapping tree cn config changetype modify replace nsds5beginreplicarefresh nsds5beginreplicarefresh start ldapmodify does not prompt for input simply type in the LDIF statement and then hit enter twice when the LDIF statement is complete Close the ldapmodify utility by hitting Ctrl C T...

Page 302: ... command as described in Section 4 2 3 Exporting to LDIF from the Command Line Exporting to LDIF with any of the command line tools requires using an option to export the database as a replica this means that the exported LDIF contains the proper entries to initialize the consumer when the LDIF is imported For the db2ldif and db2ldif pl scripts this is the r option For example db2ldif r n database...

Page 303: ...rver to match the database from the source server Before initializing the consumer from the backup files be certain that the appropriate database has been created on the destination server so that the database exists to be restored and initialized 2 Enable replication on the backend as a dedicated consumer 3 If there is already a replication agreement to that host and port then replication should ...

Page 304: ...r server Even if the replication agreements are configured to keep the supplier and consumer servers always in sync it is not sufficient to bring back up to date a server that has been offline for over five minutes The Always Keep in Sync option means that the server generates a replication operation for every update operation it processes However if this replication operation cannot be performed ...

Page 305: ...ST consumer_hostname MY_PORT consumer_portnumber ldapsearch 1 T h SUP_HOST p SUP_PORT D SUP_MGRDN w SUP_MGRPW b cn mapping tree cn config objectclass nsds5replicationagreement nsDS5ReplicaHost MY_HOST nsDS5ReplicaPort MY_PORT dn nsds5ReplicaUpdateSchedule tmp cat tmp awk BEGIN s 0 dn print 0 print changetype modify print replace nsds5ReplicaUpdateSchedule print nsds5ReplicaUpdateSchedule 0000 2359...

Page 306: ...lated to the account lockout counts for an entry so that the malicious user is locked out of every supplier and consumer replica in the configuration if a login attempt fails on a single master By default three password policy attributes are not replicated even if other password attributes are These attributes are related to of login failures and lockout periods passwordRetryCount retryCountResetT...

Page 307: ...utes box Select the passwordRetryCount retryCountResetTime and accountUnlockTime parameters and click the arrow button to move them into the Do Not Replicate box 3 Finish configuring the replication agreement 8 13 Replication over SSL The Directory Servers involved in replication can be configured so that all replication operations occur over an SSL connection To use replication over SSL first do ...

Page 308: ...cation usually occurs between Directory Server user databases to distribute directory data but it is also possible to use replication to provide failover support for the Administration Server database o NetscapeRoot 1 Install and configure the first Directory Server instance The setup ds admin pl script has an option f which references an inf The inf can be used to import LDIF files through the Co...

Page 309: ...peRoot database from server1 usr sbin register ds admin pl 5 Disable the PTA Plug in on server2 so that it does not pass bind operations for the administrative users in its o NetscapeRoot to server1 See Section 16 2 Enabling and Disabling Plug ins 8 15 Replication with Earlier Releases This section provides information on how to optimize replication with earlier releases of Directory Server Direct...

Page 310: ...n step 4 will be used c Click Save 7 Repeat step 6 for each read only replica that will receive updates from a legacy supplier 8 To complete the legacy replication setup configure the legacy supplier to replicate to the Directory Server 8 0 instance For instructions on configuring a replication agreement on a 4 x Directory Server refer to the documentation for the legacy Directory Server NOTE The ...

Page 311: ...have a value of add delete modify or modrdn changes For add and modify operations contains the changes made to the entry in LDIF format newRDN In the case of modrdn operations specifies the new RDN of the entry deleteOldRdn In the case of modrdn operations specifies whether the old RDN was deleted newSuperior In the case of modrdn operations specifies the newSuperior attribute of the entry Table 8...

Page 312: ...angelog set the nsslapd changelogmaxage configuration attribute in the cn Retro Changelog Plugin cn plugins cn config entry The nsslapd changelogmaxage attribute is a single valued attribute Its syntax is as follows nsslapd changelogmaxage Integer timeUnit Integer is a number and timeUnit can be s for seconds m for minutes h for hours d for days or w for weeks NOTE There should not be a space betw...

Page 313: ...on 8 17 2 Monitoring Replication Status from Administration Express 8 17 1 Monitoring Replication Status from the Directory Server Console To view a summary of replication status in the Directory Server Console do the following 1 Open the Directory Server Console 2 Select the Status tab and then in the left navigation tree select Replication Status In the right pane a table appears that contains i...

Page 314: ... sequence number maxcsn Lists corresponding to each supplier replica listed above and for each direct or indirect consumer replicas discovered server URL or alias replica root replica type connection type of the replication sessions replication schedule replication status supplier maxcsn and time lag between the consumer maxcsn and the supplier maxcsn The time lag field uses different colors to in...

Page 315: ... replica ID Table Row Each row represents a direct or indirect consumer of the supplier identified in the Table Header Max CSN It is the most recent CSN the consumer has replayed that was originated from the supplier identified in the Table Header Time Lag It shows the time difference between the supplier and the consumer s max CSNs for the changes originated from the supplier identified in the Ta...

Page 316: ...nsds5ReplConflict attribute in other indexes For information on indexing see Chapter 10 Managing Indexes This section contains the procedures for the following conflict resolution procedures Section 8 18 1 Solving Naming Conflicts Section 8 18 2 Solving Orphan Entry Conflicts Section 8 18 3 Solving Potential Interoperability Problems 8 18 1 Solving Naming Conflicts When two entries are created wit...

Page 317: ...de an entry can be created on each server with the same user ID and then the new entries RDN changed to the nsuniqueid uid value Attempting to modify this entry from the Console returns the error Changes cannot be saved for entries with multi valued RDNs Opening the entry in the advanced mode shows that the naming attribute has been set to nsuniqueid uid However the entry cannot be changed or corr...

Page 318: ...onfiguration Command and File Reference 8 18 2 Solving Orphan Entry Conflicts When a delete operation is replicated and the consumer server finds that the entry to be deleted has child entries the conflict resolution procedure creates a glue entry to avoid having orphaned entries in the directory In the same way when an add operation is replicated and the consumer server cannot find the parent ent...

Page 319: ...lter nsds5ReplConflict version 3 0 acl Anonymous read search access allow read search compare userdn ldap anyone The new ACI filters out all entries that contain the nsds5ReplConflict attribute from search results For more information on the ldapmodify command see Section 2 2 Managing Entries from the Command Line and the Directory Server Configuration Command and File Reference 8 19 Troubleshooti...

Page 320: ...alizes M3 and so on The important thing to note is that M2 must not start initializing M3 until M2 s own initialization is done check the total update status from the M1 s Console or M1 or M2 s error log Also M2 should not initialize M1 back Warning data for replica s was reloaded and it no longer matches the data in the changelog Recreating the changelog file This could affect replication with re...

Page 321: ...s Because the adjustment is limited to a certain amount any difference that exceeds the permitted limit will cause the replication session to be aborted Synchronize the system clocks on the Directory Server host machines If applicable run the network time protocol ntp daemon on those hosts agmt s s d Warning Unable to send endReplication extended operation s The consumer is not responding If the c...

Page 322: ...l the direct consumers of this supplier supplier or hub If it appears that the changelog is not purged when the purge threshold is reached check the maximum time lag from the replication monitor among all the consumers Irrespective of what the purge threshold is no change will be purged before it is replayed by all the consumers The Replication Monitor is not responding For information on Replicat...

Page 323: ...ollowing line in the connection section 636 389 password In the Replication Monitor some consumers show just the header of the table For information on Replication Monitor see Section 8 17 Monitoring Replication Status No change has originated from the corresponding suppliers In this case the MaxCSN in the header part should be None There is nothing wrong if there is no change originated from a su...

Page 324: ...306 ...

Page 325: ...bility of Directory Server with existing LDAP clients relies on the standard LDAP schema Changing the standard schema can also create difficulties when upgrading the Directory Server For these reasons standard schema elements both attributes and object classes cannot be edited or deleted 9 2 Managing Attributes The Directory Server Console shows all attributes in the schema and you can create edit...

Page 326: ...ANA Internet Assigned Number Authority For more information about OIDs or to request a prefix email IANA at mailto iana iana org or visit the IANA website at http www iana org Syntax Sets the syntax for the attribute values The attribute syntax can be for example any of the following Case Ignore String Values for this attribute are not case sensitive Case Exact String Values for this attribute are...

Page 327: ...le 9 1 Attributes Tab Reference 6 Select a syntax that describes the data to be held by the attribute from the Syntax drop down menu Available syntaxes are described in Table 9 1 Attributes Tab Reference 7 To make the attribute multi valued select the Multi Valued checkbox Multi valued means that the Directory Server allows more than one instance of the attribute per entry 8 Click OK 9 2 3 Editing...

Page 328: ... This procedure is explained in Section 9 2 4 Deleting Attributes 2 In the User Defined Attributes table select the attribute and click Delete 3 If prompted confirm the delete WARNING The server immediately deletes the attribute There is no undo 9 3 Managing Object Classes The Directory Server Console can manage and show the directory schema s object classes You can view all of the current object ...

Page 329: ...ser entries the parent is the inetOrgPerson object class To add new attributes for corporate entries the parent is usually organization or organizationalUnit To add new attributes for group entries the parent is usually groupOfNames or groupOfUniqueNames OID The object identifier of the attribute An OID is a string usually of dotted decimal numbers that uniquely identifies an object such as an obj...

Page 330: ...list select the object class 4 Click Create in the Object Classes tab The Create Object Class dialog box opens 5 Enter a unique name for the object class in the Name text box 6 Enter an object identifier for the new object class in the OID Optional text box OIDs are described in Table 9 2 Object Classes Tab Reference 7 Select a parent object for the object class from the Parent drop down menu Any ...

Page 331: ...e text box b To change the object identifier for the object class enter the new OID in the OID Optional text box OIDs are described in Table 9 2 Object Classes Tab Reference c To change the parent object for the object class select the new parent from the Parent pull down menu d To add an attribute that must be present in entries that use the new object class highlight the attribute in the Availab...

Page 332: ...lass are contained in the entry Schema checking is turned on by default in the Directory Server and the Directory Server should always run with schema checking turned on The only situation where is may be beneficial to turn schema checking off is to accelerate LDAP import operations However there is a risk of importing entries that do not conform to the schema Consequently it is impossible to sear...

Page 333: ...Turning Schema Checking On and Off 315 For information see the Directory Server Configuration Command and File Reference ...

Page 334: ...316 ...

Page 335: ...ery useful for searched For example it makes it easy to examine any entries that contain access control information Generating an aci db4 file that includes a presence index efficiently performs the search for ACI to generate the access control list for the server The presence index is not used for base object searches Equality index eq improves searches for entries containing a specific attribute...

Page 336: ... improve display performance through the Directory Server Console or by using the vlvindex command line tool which is explained in the Directory Server Configuration Command and File Reference 10 1 2 About Default System and Standard Indexes When you install Directory Server a set of default and system indexes is created per database instance To maintain these indexes the directory uses standard i...

Page 337: ...ction 2 5 Maintaining Referential Integrity for more information see Also Improves Directory Server performance This index is also used by the Referential Integrity Plug in See Section 2 5 Maintaining Referential Integrity for more information sn Improves the performance of the most common types of user directory searches telephoneNumber Improves the performance of the most common types of user di...

Page 338: ...Class Used to help accelerate subtree searches in the directory entryDN Speeds up entry retrieval based on DN searches parentID Enhances directory performance during one level searches numSubordinates Used by the Directory Server Console to enhance display performance on the Directory tab nsUniqueID Used to search for specific entries Table 10 2 System Indexes 10 1 2 3 Overview of Standard Indexes...

Page 339: ... consults multiple indexes and then combines the resulting lists of candidate entries If there is an index for the attribute the directory takes the candidate matches from the index files in the form of a series of entry ID numbers 3 The directory uses the returned entry ID numbers to read the corresponding entries from the id2entry db4 file The Directory Server then examines each of the candidate...

Page 340: ...rrect order Alice Sarrette ALS SRT Matches Codes are specified in the correct order despite the misspelling of Sarette Surette SRT Matches The generated code exists in the original name despite the misspelling of Sarette Bertha Sarette BR0 SRT No match The code BR0 does not exist in the original name Sarette Alice SRT ALS No match The codes are not specified in the correct order 10 1 5 Balancing t...

Page 341: ...of widgets The Directory Server is maintaining the following indexes Equality approximate and substring indexes for cn common name and sn surname attributes Equality and substring indexes for the telephone number attribute Substring indexes for the description attribute When adding that entry to the directory the Directory Server must perform these steps 1 Create the cn equality index entry for Jo...

Page 342: ...cond database instance it will not be maintained in your first database instance but will be maintained in any subsequent instances NOTE The procedure for creating browsing indexes is different than for creating other index types that procedure is covered in Section 10 2 3 Creating Browsing Indexes from the Server Console Section 10 2 1 Creating Indexes from the Server Console Section 10 2 2 Creat...

Page 343: ...ry You do not have to restart your server 10 2 2 Creating Indexes from the Command Line Creating presence equality approximate substring and international indexes for specific attributes from the command line involves two steps 1 Using the ldapmodify command line utility to add a new index entry or edit an existing index entry See Section 10 2 2 1 Adding an Index Entry 2 Running the db2index pl Pe...

Page 344: ...n the Example1 database do the following 1 Open the Directory Server LDAP tool directory 1 cd usr lib mozldap 2 Run ldapmodify ldapmodify a h server p 389 D cn directory manager w password The ldapmodify utility binds to the server and prepares it to add an entry to the configuration file 3 Add the LDIF entry for the new indexes dn cn sn cn index cn Example1 cn ldbm database cn plugins cn config o...

Page 345: ... creating an indexing entry or added additional index types to an existing indexing entry run the db2index pl script to generate the new set of indexes to be maintained by the Directory Server After the script is run the new set of indexes is active for any new data added to the directory and any existing data in the directory To run the db2index pl Perl script do the following 1 Open the Director...

Page 346: ...e VLV search information or the access control rules that are set by default for VLV searches see Section 10 2 4 1 Adding a Browsing Index Entry and Section 10 2 4 3 Setting Access Control for VLV Information 10 2 4 Creating Browsing Indexes from the Command Line Creating a browsing index or virtual list view VLV index from the command line has these steps 1 Using ldapmodify to add new browsing in...

Page 347: ...dc example dc com vlvBase ou People dc example dc com vlvScope 1 vlvFilter objectclass objectclass ldapsubentry The cn contains the browsing index identifier which specifies the entry on which to create the browsing index in this example the ou People dc example dc com entry Red Hat recommends using the dn of the entry for the browsing index identifier which is the approach adopted by the Director...

Page 348: ...g the two browsing indexing entries or added additional attribute types to an existing indexing browsing entries run the vlvindex script to generate the new set of browsing indexes to be maintained by the Directory Server After running the script the new set of browsing indexes is active for any new data added to the directory and any existing data in the directory To run the vlvindex script do th...

Page 349: ... 3 4 9 cn VLV Request Control aci targetattr aci version 3 0 acl VLV Request Control allow read search compare proxy userdn ldap all creatorsName cn server cn plugins cn config modifiersName cn server cn plugins cn config 4 Change ldap all to ldap anyone and save your changes 10 3 Deleting Indexes This section describes how to delete presence equality approximate substring international and browsi...

Page 350: ...expand the suffix associated with the database containing the index 3 Select the database from which to delete the index 4 Locate the attribute containing the index to delete Clear the checkbox under the index To delete all indexes maintained for a particular attribute select the attribute s cell under Attribute Name and click Delete Attribute 5 Click Save A Delete Index warning dialog box opens r...

Page 351: ... ldapdelete see the Directory Server Configuration Command and File Reference 2 For example delete the presence equality and substring indexes for the sn attribute on the database named Example1 dn cn sn cn index cn Example1 cn ldbm database cn plugins cn config objectClass top objectClass nsIndex cn sn nsSystemIndex false nsIndexType pres nsIndexType eq nsIndexType sub nsMatchingRule 2 16 840 1 1...

Page 352: ...strative user w Specifies the password of the administrative user n Specifies the name of the database into which you are importing the data Table 10 6 db2index Options 10 3 3 Deleting Browsing Indexes from the Server Console To delete a browsing index through the Directory Server Console do the following 1 Select the Directory tab 2 Select the entry from which to delete the index in the navigatio...

Page 353: ...der for the returned attributes is cn givenName o ou and sn 1 Run ldapdelete 1 ldapdelete D cn Directory Manager w password h ExampleServer p 389 cn MCC ou People dc example dc com cn userRoot cn ldbm database cn plugins cn config cn by MCC ou People dc example dc com cn MCC ou People dc example dc com cn userRoot cn ldbm database cn plugins cn config For full information on ldapdelete options see...

Page 354: ... for any new data added to the directory and any existing data in the directory 1 Open the Directory Server instance directory 2 cd usr lib dirsrv slapd instance_name 2 Stop the server 3 service dirsrv stop instance 3 Run the vlvindex script vlvindex n Example1 T by MCC ou people dc example dc com For more information about using the vlvindex script see the Directory Server Configuration Command a...

Page 355: ...d to be logged for any given index modification The Berkeley DB provides ID list semantics which are implemented by the storage manager The Berkeley API was enhanced to support the insertion and deletion of individual IDs stored against a common key with support for duplicate keys and an optimized mechanism for the retrieval of the complete ID list for a given key The storage manager has direct kn...

Page 356: ...old number of entries is called the idlistscanlimit and is configured with the nsslapd idlistscanlimit configuration attribute The default value is 4000 which is designed to give good performance for a common range of database sizes and access patterns Typically it is not necessary to change this value However in rare circumstances it may be possible to improve search performance with a different ...

Page 357: ...ry or real name as well as an alias When creating indexes be sure to use the primary name Attribute Primary Name Attribute Alias dn distinguishedName cn commonName sn surName c countryName l localityName st stateOrProvinceName street streetAddress o organization ou organizationalUnitName facsimileTelephoneNumber fax uid userId mail rfc822mailbox mobile mobileTelephoneNumber pager pagerTelephoneNum...

Page 358: ...340 ...

Page 359: ... password Improved efficiency When using applications that prompt once for the certificate database password and then use that certificate for all subsequent bind or authentication operations it is more efficient than continuously providing a bind DN and password Improved security The use of certificate based authentication is more secure than non certificate bind operations because certificate ba...

Page 360: ...the filename and path to the certificate database NOTE The ZZZ option enforces the use of Start TLS and the server must respond that a Start TLS command was successful If the ZZZ command is used and the server does not support Start TLS the operation is aborted immediately For information on the command line options available see the Directory Server Configuration Command and File Reference 11 1 2...

Page 361: ...ate has already been generated for the Directory Server instance and the issuing certificate authority CA is already trusted by the Directory Server begin setting up TLS SSL as described in Section 11 4 Starting the Server with TLS SSL Enabled Obtaining and installing certificates consists of the following steps 1 Generate a certificate request 2 Send the certificate request to a certificate autho...

Page 362: ...ate Request Wizard which generates a valid certificate request to submit to any certificate authority CA 1 In the Directory Server Console select the Tasks tab and click Manage Certificates 2 Select the Server Certs tab and click the Request button This opens the Certificate Request Wizard 3 Click Next 4 Enter the Requester Information in the blank text fields then click Next ...

Page 363: ...ution Most CAs require this information to be verified with legal documents such as a copy of a business license Organizational Unit Optional Enter a descriptive name for the organization within the company Locality Optional Enter the company s city name State or Province Enter the full name of the company s state or province no abbreviations Country Select the two character abbreviation for the c...

Page 364: ... supplied 6 The Request Submission dialog box provides two ways to submit a request directly to the CA if there is one internally or manually To submit the request manually select Copy to Clipboard or Save to File to save the certificate request which will be submitted to the CA ...

Page 365: ...f the message BEGIN NEW CERTIFICATE REQUEST MIIBrjCCARcCAQAwbjELMAkGA1UEBhMCVXMxEzARBgNVBAgTCkNBTElGT1J OSUExLDAqBgVBAoTI25ldHNjYXBlIGNvbW11bmljYXRpb25zIGNvcnBvcmF 0aW9uMRwwGgYDVQQDExNtZWxsb24ubmV0c2NhcGUuY29tMIGfMA0GCSqGSI b3DQEBAQUAA4GNADCBiQKBgQCwAbskGh6SKYOgHy UCSLnm3ok3X3u83Us7 ug0EfgSLR0f K41eNqqRftGR83emqPLDOf0ZLTLjVGJaH4Jn4l1gG JDf n zMyahxtV7 mT8GOFFigFfuxaxMjr2j7IvELlxQ4IfZgWwqCm4qQecv3G...

Page 366: ... 11 2 3 Step 3 Install the Certificate 1 In the Directory Server Console select the Tasks tab and click Manage Certificates 2 Select the Server Certs tab and click Install 3 Give the certificate location or paste the certificate text in the text box then click Next In this file Enter the absolute path to the certificate in this field In the following encoded text block Copy the text from the CA s ...

Page 367: ...Check that the certificate information that opens is correct and click Next 5 Name the certificate and click Next 6 Select the purpose of trusting this certificate authority it is possible to select both options Accepting connections from clients Client Authentication The server checks that the client s certificate has been issued by a trusted certificate authority Accepting connections to other s...

Page 368: ... instance_name 2 Make a backup copy of all of the filed in the directory as a precaution If something goes awry with while managing certificates the databases can then be restored For example tar cf tmp db backup tar 3 Create a password file for the security token password vi tmp pwdfile secretpw This password locks the server s private key in the key database and is used when the keys and certifi...

Page 369: ...rectory Server clients because certificate validation may fail if the clients cannot properly resolve the FQDN and some clients refuse to connect if a server certificate does not have its FQDN in the subject Additionally using the format cn hostname domain is essential for Directory Server clients to protect themselves from man in the middle attacks NOTE There should only be one cn in a certificat...

Page 370: ... TLS SSL enabled then create a password file pin txt for the server to use so it will not prompt you for a password every time it restarts Creating the password file is described in Section 11 4 3 Creating a Password File for the Directory Server The certificates created by certutil are automatically available in the Encryption tab of the Console There is no need to import them because they are al...

Page 371: ...protect the sensitive information contained in these files The files must be owned by the Directory Server user such as the default nobody The key and cert databases should be owned by the Directory Server user and should typically have read write access for the owner with no access allowed to any other user mode 0600 The PIN file should also be owned by the Directory Server user and set to read o...

Page 372: ... disabled If it s enabled and if the hostname does not match the cn attribute of the certificate appropriate error and audit messages are logged For example in a replicated environment messages similar to these are logged in the supplier server s log files if it finds that the peer server s hostname doesn t match the name specified in its certificate DATE SSL alert ldap_sasl_bind LDAP_SASL_EXTERNA...

Page 373: ...dirsrv restart instance 4 In the Configuration tab of the Directory Server Console highlight the server name at the top of the table and select the Encryption tab 5 Select the Enable SSL checkbox 6 Check the Use this Cipher Family checkbox 7 Select the certificate to use from the drop down menu 8 Click Cipher Settings The Cipher Preference dialog box opens By default all ciphers are selected 9 Set...

Page 374: ...e Configuration tab Select the Encryption tab check the Enable SSL checkbox and fill in the appropriate certificate information 13 In the Configuration DS tab change the port number to the new Directory Server secure port information See Section 1 5 Changing Directory Server Port Numbers for more information Do this even if the default port of 636 is used Check the Secure Connection checkbox 14 In...

Page 375: ...ssword For example Internal Software Token secret For the NSS software crypto module the token is always called internal The PIN file should be owned by the Directory Server user and set to read only by the Directory Server user with no access to anyone other user mode 0400 11 4 4 Creating a Password File for the Administration Server Like the Directory Server the Administration Server can use a p...

Page 376: ... more difficult it is to decrypt the key When a client initiates an TLS SSL connection with a server the client tells the server what ciphers it prefers to use to encrypt information In any two way encryption process both parties must use the same ciphers There are a number of ciphers available The server needs to be able to use the ciphers that will be used by client applications connecting to th...

Page 377: ...56 SHA tls_dhe_rsa_aes_256_sha DHE with RSA AES 256 SHA tls_dhe_dss_1024_rc4_sha DHE with DSS 1024 bit public key RC4 56 SHA tls_dhe_dss_rc4_128_sha DHE with DSS RC4 128 SHA tls_rsa_export1024_with_rc4_56_sha RSA with 1024 bit public key RC4 56 SHA tls_rsa_export1024_with_des_cbc_sha RSA with 1024 bit public key DES 56 SHA Table 11 2 TLSv1 Ciphers Directory Server provides the following SSLv3 ciph...

Page 378: ...ry Server to use by selecting them from the list and click OK Unless there is a security reason not to use a specific cipher select all of the ciphers except for none MD5 6 In the Encryption tab click Save WARNING Avoid selecting the none MD5 cipher because the server will use this option if no other ciphers are available on the client instead of refusing the connection The none MD5 cipher is not ...

Page 379: ...he locations for the key and certificate databases 11 6 1 Setting up Certificate Based Authentication To set up certificate based authentication do the following 1 Create a certificate database for the client and the server or for both servers involved in replication In the Directory Server the certificate database creation automatically takes place when a certificate is installed For information ...

Page 380: ... For all the users of the Directory Server to use TLS SSL or certificate based authentication when they connect using LDAP client applications they must perform the following tasks Create a certificate database Trust the certificate authority CA that issues the server certificate These operations are sufficient if to ensure that LDAP clients recognize the server s certificate However to require th...

Page 381: ...onitor Mapping a certificate to a DN under cn monitor causes the bind operation to fail Map the certificate to a target located elsewhere in the directory information tree Make sure that the verifyCert parameter is set to on in the certmap conf file If this parameter is not set to on Directory Server simply searches for an entry in the directory that matches the information in the certmap conf fil...

Page 382: ...L 364 Now TLS SSL and client authentication can be used with the LDAP clients For information on how to use TLS SSL with ldapmodify ldapdelete and ldapsearch see the Directory Server Configuration Command and File Reference ...

Page 383: ...uch as TLS SSL It can be used with public keys for strong authentication such as client certificate based authentication CRAM MD5 CRAM MD5 is a simple challenge response authentication method that provides no security layer Red Hat recommends using a more secure mechanism such as DIGEST MD5 or GSS API DIGEST MD5 DIGEST MD5 is a mandatory authentication method for LDAPv3 servers While it is not as ...

Page 384: ...uthentication ID automatically to the entry DN Directory Server has some preconfigured default maps which handle most common configurations and customized maps can be created During a bind attempt the first matching mapping rule is applied If only one user identity is returned the bind is successful if none or more than one are returned then the bind fails Red Hat recommends configuring SASL maps ...

Page 385: ...userId The Directory Server has pre defined SASL mapping rules to handle some of the most common cases Kerberos UID Mapping This mapping matches a Kerberos principal using a two part realm such as user example com The realm is then used to define the search base and the authid defines the filter In this example the search base would be dc example dc com and the filter of uid user RFC 2829 DN Synta...

Page 386: ... select the Add button and fill in the required values Name This field sets the unique name of the SASL mapping Regular expression This field sets the regular expression used to match the DN components such as This field corresponds to the nsSaslMapRegexString value in the SASL mapping LDIF entry ...

Page 387: ...lMapRegexString nsSaslMapBaseDNTemplate ou People dc example dc com nsSaslMapFilterTemplate cn 1 This will match any user ID and map to the result of the the subtree search with base ou People dc example dc com and filter cn userId For more information on the ldapsearch utility see Appendix B Finding Directory Entries 12 5 Configuring Kerberos Kerberos v5 must be deployed on the system to utilize ...

Page 388: ... provided with the operating system kinit klist and kdestroy that can be used to acquire list and destroy the TGT The ticket and the ticket s lifetime are parameters in the Kerberos client and server configuration Refer to the operating system documentation for information on installing and configuring a Kerberos server also called a key distribution center or KDC Configuring a KDC for Directory S...

Page 389: ...de shows a KDC server configured with the company example com realm libdefaults ticket_lifetime 24000 default_realm COMPANY EXAMPLE COM dns_lookup_realm false dns_lookup_kdc false ccache_type 1 forwardable true proxiable true default_tgs_enctypes des3 hmac sha1 des cbc crc default_tkt_enctypes des3 hmac sha1 des cbc crc permitted_enctypes des3 hmac sha1 des cbc crc realms COMPANY EXAMPLE COM kdc k...

Page 390: ...example dirsrv example The default dirsrv file can be used for a single instance To enable SASL authentication uncomment the KRB5_KTNAME line in the etc sysconfig dirsrv or instance specific file and set the keytab location for the KRB5_KTNAME variable For example In order to use SASL GSSAPI the directory server needs to know where to find its keytab file uncomment the following line and set the p...

Page 391: ... to view and configure each type of log NOTE When the server is not running the log files cannot be viewed in the Directory Server Console but they can be viewed in the Admin Express Open the Administration Server URL in a browser http hostname admin_server_port Then log in with the admin login ID and password and click the link for Administration Express 13 1 1 Defining a Log File Rotation Policy...

Page 392: ... Setting the maximum number of logs to 1 causes the directory to ignore this attribute How often the directory archives the current log file and creates a new one The maximum age of the file can be set in minutes hours days weeks or months The logs can also be rotated at a particular time of the day for example every day at midnight The default is every day Setting the maximum number of logs to 1 ...

Page 393: ... the Log folder and select the Access Log icon A table displays a list of the last 25 entries in the access log To refresh the current display click Refresh Select the Continuous checkbox for the display to refresh automatically every ten seconds NOTE Continuous log refresh does not work well with log files over 10 megabytes To view an archived access log select it from the Select Log pull down me...

Page 394: ... log file For information on these parameters see Section 13 1 2 Defining a Log File Deletion Policy 7 Click Save The logconv pl Perl script reports the statistical information retrieved from the access log For more information on logconv pl refer to the Directory Server Configuration Command and File Reference 13 1 4 Error Log The error log contains detailed messages of errors and events the dire...

Page 395: ...re displayed in the right pane 3 Select the Error Log tab in the right pane 4 To enable error logging select the Enable Logging checkbox Clear this checkbox to keep the directory from maintaining an error log Error logging is enabled by default 5 Enter the full path and filename for the directory to use for the error log in the Log File field The default path is the var log dirsrv slapd instance_n...

Page 396: ... list of the last 25 entries in the audit log To refresh the current display click Refresh Select the Continuous checkbox for the display to refresh automatically every ten seconds NOTE Continuous log refresh does not work well with log files over 10 megabytes To view an archived audit log select it from the Select Log pull down menu To display a different number of messages enter the number of li...

Page 397: ...tomatic log file creation or deletion policies configured By default access error and audit log files can be found in the following location var log dirsrv slapd instance_name To rotate log files manually do the following 1 Shut down the server 2 service dirsrv stop instance 2 Move or rename the log file being rotated so that the old log file is available for future reference 3 Restart the server ...

Page 398: ...r supplies replicas to consumer servers The data version information is supplied as follows Server hostname Server port number Database generation number Obsolete A unique identifier that is created only when the directory database is created without a machine data entry in the LDIF file The current changelog number This is the number corresponding to the last change made to the directory This num...

Page 399: ...s The total number of open connections Each connection can account for multiple operations and therefore multiple threads Remaining Available Connections The total number of remaining connections that the server can concurrently open This number is based on the number of currently open connections and the total number of concurrent connections that the server is allowed to open In most cases the l...

Page 400: ...from the client Blocked means that the server is trying to send data to the client or read data from the client but cannot The probable cause is a slow network or client Table 13 4 Connection Status Table Header Description Hits The number of times the server could process a request by obtaining data from the cache rather than by going to the disk Tries The total number of requests performed on th...

Page 401: ...on B 2 Using ldapsearch Monitoring the server s activities using ldapsearch shows the following information Attribute Description version Identifies the directory s current version number threads The current number of active threads used for handling requests Additional threads may be created by internal server tasks such as replication or chaining connection fd opentime opsinitiated opscompleted ...

Page 402: ...many additional concurrent connections can be serviced by the directory For more information on file descriptors refer to the operating system documentation readwaiters Identifies the number of threads waiting to read data from a client opsinitiated Identifies the number of operations the server has initiated since it started opscompleted Identifies the number of operations the server has complete...

Page 403: ...formation as described in the following tables Table 13 7 General Information Database Table 13 8 Summary Information Table 13 9 Database Cache Information Table 13 10 Database File Specific Field Description Database Identifies the type of database being monitored Configuration DN Identifies the distinguished name that must be used as a search base to obtain these results using the ldapsearch com...

Page 404: ...um Entry Cache Size in Bytes The size of the entry cache maintained by the directory This value is managed by the Maximum Cache Size setting See Section 15 2 Tuning Database Performance for information on changing this value using the Directory Server Console Current Entry Cache Size in Entries The total number of directory entries currently present in the entry cache Maximum Entry Cache Size in E...

Page 405: ...res a database page that is not currently stored in cache Read Only Page Evicts The number of read only pages discarded from the cache to make room for new pages Read Write Page Evicts The number of read write pages discarded from the cache to make room for new pages This value differs from Pages Written Out in that these are discarded read write pages that have not been modified Table 13 9 Databa...

Page 406: ...mode 0 means that the server is not in read only mode 1 means that it is in read only mode entrycachehits The total number of successful entry cache lookups That is the total number of times the server could process a search request by obtaining data from the cache rather than by going to disk entrycachetries The total number of entry cache lookups since the directory was last started That is the ...

Page 407: ...ten from the cache back to disk dbcacheroevict The number of read only pages discarded from the cache to make room for new pages Pages discarded from the cache have to be written to disk possibly affecting server performance The lower the number of page evicts the better dbcacherwevict The number of read write pages discarded from the cache to make room for new pages This value differs from Pages ...

Page 408: ... DBLink1 ldapsearch h directory example com p 389 D cn Directory Manager w password s sub b cn monitor cn DBLink1 cn chaining database cn plugins cn config objectclass nsAddCount Table 13 12 Database Link Monitoring Attributes lists the database link monitoring attributes which can be monitored Attribute Name Description nsAddCount The number of add operations received nsDeleteCount The number of ...

Page 409: ...Monitoring Database Link Activity 391 For more information about ldapsearch see the Directory Server Configuration Command and File Reference ...

Page 410: ...392 ...

Page 411: ...werful workstation with one or more network management applications installed A network management application graphically shows information about managed devices which device is up or down which and how many error messages were received and so on Information is transferred between the NMS and the managed device through the use of two types of agents the subagent and the master agent The subagent ...

Page 412: ...ion file is used to specify how to communicate with your master agent logfile location and which Directory Server instances to monitor 14 3 1 1 agentx master The agentx master setting tells the subagent how to communicate with the SNMP master agent If this setting is not specified the subagent tries to communicate the the master agent through the Unix domain socket var agentx master This is also w...

Page 413: ...rsrv config ldap agent conf To enable extra debug logging specify the D option during startup ldap agent D etc dirsrv config ldap agent conf NOTE The Directory Server does not have to be started for the subagent to be started To stop your subagent you must use the kill command against its process ID Your subagent will print its process ID in its logfile or you can run ps ef grep ldap agent to find...

Page 414: ...tityContact variable for one instance while sending a notification to a a pager number in the dsEntityContact variable for another instance There are two traps supported by the subagent DirectoryServerDown This trap is generated whenever the subagent detects the Directory Server is potentially not running This trap will be sent with the Directory Server instance description version physical locati...

Page 415: ...ry MIB The directory MIB is broken into four distinct tables of managed objects Section 14 6 1 Operations Table Section 14 6 2 Entries Table Section 14 6 3 Entity Table Section 14 6 4 Interaction Table 14 6 1 Operations Table The Operations Table provides statistical information about Directory Server access operations and errors Table 14 1 Operations Table Managed Objects and Descriptions describ...

Page 416: ...directory since server startup dsListOps The number of list operations serviced by this directory since server startup The value of this object will always be 0 because LDAP implements list operations indirectly via the search operation dsSearchOps The total number of search operations serviced by this directory since server startup dsOneLevelSearchOps The number of one level search operations ser...

Page 417: ... held replications shadow entries The value of this object will always be 0 Table 14 2 Entries Table Managed Objects and Descriptions 14 6 3 Entity Table The Entity Table contains identifying information about the Directory Server instance The values for the Entity Table are set in the Directory Server Console as described in Section 14 5 Configuring the Directory Server for SNMP Table 14 3 Entity...

Page 418: ...e The distinguished name DN of the peer Directory Server to which this entry belongs dsTimeOfCreation The value of sysUpTime when this row was created If the entry was created before the network management subsystem was initialized this object will contain a value of zero dsTimeOfLastAttempt The value of sysUpTime when the last attempt was made to contact this Directory Server If the last attempt ...

Page 419: ...Table 401 Managed Object Description dsSuccesses Cumulative successes since the creation of this entry dsURL The URL of the Directory Server application Table 14 4 Interaction Table Managed Objects and Descriptions ...

Page 420: ...402 ...

Page 421: ...he Configuration tab and then select the topmost entry in the navigation tree in the left pane The tabs that are displayed in the right pane control server wide configuration attributes 1 Select the Performance tab in the right pane The current server performance settings appear 2 Set the maximum number of entries the server will return to the client in response to a search operation by entering a...

Page 422: ...tabase cache size and sum of each entry cache size Use caution when changing these two attributes The ability to improve server performance with these attributes depends on the size of the database the amount of physical memory available on the machine and whether directory searches are random that is if the directory clients are searching for random and widely scattered directory data If the data...

Page 423: ...depending on the memory available on the machine The larger this parameter the faster the database is created WARNING Setting this value too high can cause import failures because of a lack of memory To configure the attributes of each database that stores the directory data 1 In the Directory Server Console select the Configuration tab then in the navigation tree expand the Data Icon Expand the s...

Page 424: ...e dirsrv stop instance_name 2 Use the ldapmodify 2 command line utility to add the nsslapd db logdirectory attribute to the cn config cn ldbm database cn plugins cn config entry Provide the full path to the log directory in the attribute For information on the nsslapd db logdirectory attribute syntax see the Directory Server Configuration Command and File Reference For instructions on using ldapmo...

Page 425: ...the Directory Server 1 2 Use the ldapmodify 2 command line utility to add the nsslapd db durable transactions attribute to the cn config cn ldbm database cn plugins cn config entry and set the value of this attribute to off For information on the syntax of the nsslapd db durable transactions attribute see the Directory Server Configuration Command and File Reference For instructions on using ldapm...

Page 426: ...t stored in the same highly scalable database as regular entries As a result if many entries particularly entries that are likely to be updated frequently are stored under cn config performance will probably suffer Although Red Hat recommends that simple user entries not be stored under cn config for performance reasons it can be useful to store special user entries such as the Directory Manager e...

Page 427: ...ection cross references further reading where this is available 16 1 1 7 Bit Check Plug in Plug in Information Description Plug in Name 7 bit check NS7bitAtt Configuration Entry DN cn 7 bit check cn plugins cn config Description Checks certain attributes are 7 bit clean Configurable Options on off Default Setting on Configurable Arguments List of attributes uid mail userpassword followed by and th...

Page 428: ...e Performance Related Information Access control incurs a minimal performance hit Leave this plug in enabled since it is the primary means of access control for the server Further Information See Chapter 6 Managing Access Control Table 16 3 Details of the ACL Preoperation Plug in 16 1 4 Binary Syntax Plug in Plug in Information Description Plug in Name Binary Syntax Configuration Entry DN cn Binar...

Page 429: ...plugins cn config Description Syntax for handling case sensitive strings Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Leave this plug in running at all times Further Information Table 16 6 Details of Case Exact String Syntax Plug in 16 1 7 Case Ignore String Syntax Plug i...

Page 430: ...ation A chaining database is also known as a database link Database links are described in Section 3 3 Creating and Maintaining Database Links Table 16 8 Details of Cloning Database Plug in 16 1 9 Class of Service Plug in Plug in Information Description Plug in Name Class of Service Configuration Entry DN cn Class of Service cn plugins cn config Description Allows for sharing of attributes between...

Page 431: ...Name Syntax cn plugins cn config Description Syntax for handling DNs Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Leave this plug in running at all times Further Information Table 16 11 Details of Distinguished Name Syntax Plug in 16 1 12 Generalized Time Syntax Plug in P...

Page 432: ...DN cn Integer Syntax cn plugins cn config Description Syntax for handling integers Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Leave this plug in running at all times Further Information Table 16 13 Details of Integer Syntax Plug in 16 1 14 Internationalization Plug in P...

Page 433: ...s local databases Configurable Options N A Default Setting on Configurable Arguments None Dependencies None Performance Related Information See the Directory Server Configuration Command and File Reference for further information on ldbm database plug in attributes Further Information See Chapter 3 Configuring Directory Databases Table 16 15 Details of ldbm Database Plug in 16 1 16 Legacy Replicat...

Page 434: ...N A Further Information This plug in can only be turned off if there is only one server which will never replicate See also Chapter 8 Managing Replication Table 16 17 Details of Multi Master Replication Plug in 16 1 18 Octet String Syntax Plug in Plug in Information Description Plug in Name Octet String Syntax Configuration Entry DN cn Octet String Syntax cn plugins cn config Description Syntax fo...

Page 435: ...Plug in Information Description Plug in Name CRYPT Configuration Entry DN cn CRYPT cn Password Storage Schemes cn plugins cn config Description CRYPT password storage scheme used for password encryption Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in Leave this plug in runni...

Page 436: ...mation Description Plug in Name SHA Configuration Entry DN cn SHA cn Password Storage Schemes cn plugins cn config cn SHA256 cn Password Storage Schemes cn plugins cn config cn SHA384 cn Password Storage Schemes cn plugins cn config cn SHA512 cn Password Storage Schemes cn plugins cn config Description SHA password storage scheme for password encryption Configurable Options on off Default Setting ...

Page 437: ...n of this plug in Leave this plug in running at all times Further Information See Section 7 1 Managing the Password Policy Table 16 23 Details of SSHA Password Storage Plug in 16 1 24 Postal Address String Syntax Plug in Plug in Information Description Plug in Name Postal Address Syntax Configuration Entry DN cn Postal Address Syntax cn plugins cn config Description Syntax used for handling postal...

Page 438: ...rough Authentication Plug in Table 16 25 Details of PTA Plug in 16 1 26 Referential Integrity Postoperation Plug in Plug in Information Description Plug in Name Referential Integrity Post Operation Configuration Entry DN cn Referential Integrity Post operation cn plugins cn config Description Enables the server to ensure referential integrity Configurable Options All configuration and on off Defau...

Page 439: ...ndex attributes used for referential integrity checking Table 16 26 Details of Referential Integrity Post Operation Plug in 16 1 27 Retro Changelog Plug in Plug in Information Description Plug in Name Retro Changelog Plug in Configuration Entry DN cn Retro Changelog Plugin cn plugins cn config Description Used by LDAP clients for maintaining application compatibility with Directory Server 4 x vers...

Page 440: ...tion See Section 5 1 Using Roles Table 16 28 Details of Roles Plug in 16 1 29 Space Insensitive String Syntax Plug in Plug in Information Description Plug in Name Space Insensitive String Syntax Configuration Entry DN cn Space Insensitive String Syntax cn plugins cn config Description Syntax for handling space insensitive values Configurable Options on off Default Setting on Configurable Arguments...

Page 441: ... None Performance Related Information Further Information Table 16 30 Details of State Change Plug in 16 1 31 Telephone Syntax Plug in Plug in Information Description Plug in Name Telephone Syntax Configuration Entry DN cn Telephone Syntax cn plugins cn config Description Syntax for handling telephone numbers Configurable Options on off Default Setting on Configurable Arguments None Dependencies N...

Page 442: ...n Directory Server performance In a multi master replication environment the UID Uniqueness Plug in will not work at all and should therefore not be enabled Additionally this plug in does not work with referrals the UID Uniqueness Plug in fails with an operations error if it receives any other error than noSuchObject meaning that the entry does not already exist which prevents the new entry from b...

Page 443: ...gins list 4 To disable the plug in clear the Enabled checkbox To enable the plug in check this checkbox 5 Click Save 6 Restart the Directory Server 1 service dirsrv restart instance_name To disable or enable a plug in through the command line use the ldapmodify utility to edit the value of the nsslapd pluginEnabled attribute For example 2 ldapmodify p 389 D cn directory manager w secret h ldap exa...

Page 444: ...426 ...

Page 445: ...user to bind The user directory in this example acts as the PTA Directory Server the server that passes through bind requests to another Directory Server The configuration directory acts as the authenticating directory the server that contains the entry and verifies the bind credentials of the requesting client The pass through subtree is the subtree not present on the PTA directory When a user s ...

Page 446: ...s cn config entry on the PTA directory the user directory configured to pass through bind requests to the authenticating directory using the required PTA syntax There are only two attributes in this entry that are significant nsslapd pluginEnabled which sets whether the plug in is enabled or disabled The value for this attribute can be on or off nsslapd pluginarg0 which points to the configuration...

Page 447: ...specified in the URL Port 636 if ldaps is specified in the URL See Section 17 3 3 Specifying the Authenticating Directory Server for more information subtree The pass through subtree The PTA Directory Server passes through bind requests to the authenticating Directory Server from all clients whose DN is in this subtree See Section 17 3 4 Specifying the Pass through Subtree for more information Thi...

Page 448: ...client after this time has expired the server closes the connection and opens a new connection to the authenticating directory The server will not close the connection unless a bind request is initiated and the directory determines the connection lifetime has been exceeded If this option is not specified or if only one host is listed no connection lifetime will be enforced If two or more hosts are...

Page 449: ... cn config changetype modify replace nsslapd pluginenabled nsslapd pluginenabled on 2 Restart the server 1 service dirsrv restart instance_name To disable the plug in change the nsslapd pluginenabled attribute value from on to off Whenever the PTA Plug in is enabled or disabled from the command line the server must be restarted 17 3 2 Configuring the Servers to Use a Secure Connection The PTA dire...

Page 450: ...uginarg0 attribute Multiple authenticating Directory Servers are listed in a space separate list of host port pairs with this format ldap ldaps host1 port1 host2 port2 subtree 2 Restart the server 1 service dirsrv restart instance_name 17 3 4 Specifying the Pass through Subtree The PTA directory passes through bind requests to the authenticating directory from all clients with a DN defined in the ...

Page 451: ...initiated by a client after this time has expired the server closes the connection and opens a new connection to the authenticating Directory Server The server will not close the connection unless a bind request is initiated and the server determines the timeout has been exceeded If this option is not specified or if only one authenticating Directory Server is listed in the authDS parameter no tim...

Page 452: ...2 Specifying Multiple Authenticating Directory Servers If the connection between the PTA Directory Server and the authenticating Directory Server is broken or the connection cannot be opened the PTA Directory Server sends the request to the next server specified if any There can be multiple authenticating Directory Servers specified as required to provide failover if the first Directory Server is ...

Page 453: ...x dn cn Pass Through Authentication cn plugins cn config nsslapd pluginEnabled on nsslapd pluginarg0 ldap configdir example com o NetscapeRoot 10 5 300 3 300 17 4 5 Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers To specify a different pass through subtree and optional parameter values for each authenticating Directory Server set more than one L...

Page 454: ...436 ...

Page 455: ...osts the directories for example_a com and example_b com when an entry such as uid jdoe ou people o example_a dc example dc com is added uniqueness needs to be enforced only in the o example_a dc example dc com subtree This is done by listing the DN of the subtree explicitly in the Attribute Uniqueness Plug in configuration This configuration option is explained in more detail in Section 18 4 3 2 ...

Page 456: ...ng syntax to perform the uniqueness check under a suffix or subtree dn cn descriptive_plugin_name cn plugins cn config nsslapd pluginEnabled state nsslapd pluginarg0 attribute_name nsslapd pluginarg1 dn1 nsslapd pluginarg2 dn2 Any value can be given to the cn attribute to name the plug in The name should be descriptive The cn attribute does not contain the name of the attribute which is checked fo...

Page 457: ... attribute can be named dn The DN of the suffix or subtree in which to ensure attribute uniqueness To specify several suffixes or subtrees increment the suffix of the nsslapd pluginarg attribute by one for each additional suffix or subtree attribute attribute_name The name of the attribute for which to ensure unique values Only one attribute can be named markerObjectClass objectclass1 Attribute un...

Page 458: ... of the file 4 Modify the Attribute Uniqueness Plug in entry attributes for the new attribute information dn cn mail uniqueness cn plugins cn config nsslapd pluginEnabled on nsslapd pluginarg0 mail nsslapd pluginarg1 dc example dc com 5 Restart the Directory Server service dirsrv restart instance_name In this example the uniqueness check will be performed on every entry in the dc example dc com en...

Page 459: ...onfiguration parameters for the plug in are displayed in the right pane 2 To turn the plug in on or off check or clear the Enable Plugin checkbox 3 To add a suffix or subtree click Add and type a DN in the blank text field To avoid using a DN enter the markerObjectClass keyword With this syntax it is possible to click Add again to specify a requiredObjectClass as described in Section 18 2 Attribut...

Page 460: ...r Subtree The suffix or subtrees which the plug in checks to ensure attribute uniqueness are defined using the nsslapd pluginarg attribute in the entry defining the plug in To specify the subtree or subtrees use ldapmodify to send LDIF update statements similar to this example ldapmodify p 389 D cn directory manager w secret h ldap example com dn cn mail uniqueness cn plugins cn config changetype ...

Page 461: ... if the updated entry contains a specified object class For example if the uniqueness of the mail attribute is checked it is probably only necessary to perform the check when adding or modifying entries with the person or inetorgperson object class Restrict the scope of the check by using the requiredObjectClass keyword as shown in the following example dn cn mail uniqueness cn plugins cn config n...

Page 462: ...lapd pluginarg1 l Chicago dc example dc com nsslapd pluginarg2 l Boston dc example dc com NOTE The nsslapd pluginarg0 attribute always contains the name of the attribute for which to ensure uniqueness All other occurrences of the nsslapd pluginarg such as nsslapd pluginarg1 contain DNs With this configuration the plug in allows an instance of a value for the mail attribute to exist once under the ...

Page 463: ... and consumers of the same replica Because multi master replication uses a loosely consistent replication model enabling an Attribute Uniqueness Plug in on one of the servers is not sufficient to ensure that attribute values will be unique across both supplier servers at any given time Therefore enabling an Attribute Uniqueness Plug in on one server can cause inconsistencies in the data held on ea...

Page 464: ...446 ...

Page 465: ... server Windows Sync has two parts the sync service for directory entries and the sync service for passwords Directory Server Windows Sync The Directory Server leverages the Multi Master Replication Plug in to synchronize user and group entries The same changelog that is used for multi master replication is also used to send updates from the Directory Server to Active Directory as an LDAP operatio...

Page 466: ...r resynchronization can be run This examines every entry in both sync peers and sends any modifications or missing entries A full Dirsync search is initiated whenever a total update is run See Section 19 3 5 Manually Updating and Resynchronizing Entries for more information Windows Sync provides some control over which entries are synchronized to grant administrators fine grained control of the en...

Page 467: ...ervice it would be impossible to have Windows passwords synchronized because passwords are hashed in Active Directory and the Windows hashing function is incompatible with the one used by Directory Server 19 2 Configuring Windows Sync 19 2 1 Step 1 Configure SSL on Directory Server To configure the Directory Server to run in SSL see Chapter 11 Managing SSL To configure SSL on Active Directory see ...

Page 468: ...re that Password must meet complexity requirements is selected 3 Set up SSL on the Active Directory server a Install a certificate authority in the Windows Components section in Add Remove Programs b Select the Enterprise Root CA option c Reboot the Active Directory server If IIS web services are running the CA certificate can be accessed by opening http servername certsrv d Set up the Active Dire...

Page 469: ... Microsoft documentation The user references in the Password Sync service must have read and write permissions to every entry within the synchronized subtree and absolutely must have write access to password attributes in Directory Server so that Password Sync can update password changes For security reasons the Password Sync user should not be Directory Manager and should not be part of the synch...

Page 470: ...Sync NOTE The Windows machine must be rebooted Without the rebooting PasswordHook dll will not be enabled and password synchronization will not function The first attempt to synchronize passwords which happened when the Password Sync application is installed will always fail because the SSL connection between the Directory Server and Active Directory sync peers The tools to create the certificate ...

Page 471: ...e 1 Download certutil exe if it is not already installed on the machine It is available from ftp ftp mozilla org pub mozilla org security nss releases See Chapter 11 Managing SSL for more information on SSL 2 On the Directory Server export the server certificate cd usr lib dirsrv slapd instance_name certutil d L n CA certificate a dsca crt 3 Copy the exported certificate from the Directory Server ...

Page 472: ...e Enable Changelog database 5 Set the changelog database directory Click the Use default button to use the default or Browse to select a custom directory 6 Save the changelog settings After setting up the changelog then configure the database that will be synchronized as a replica The replica role should be either a single master or multi master 1 In the Directory Server Console select the Configu...

Page 473: ...e is userRoot but additional databases are added as new suffuxes are added to the Directory Server Alternatively highlight the database and in the top tool bar click Object 3 Select New Windows Sync Agreement from the menu This opens the Synchronization Agreement Wizard 4 In the two fields supply a name and description of the synchronization agreement Hit Next 5 The second screen reads Windows Syn...

Page 474: ... the screen are fields for the Windows domain information Fill in the domain name and the domain controller 7 Select the checkboxes for the Windows entries which are going to be synchronized Sync New Windows Users When enabled all user entries found in Windows that are subject to the agreement will automatically be created in the Directory Server ...

Page 475: ... appropriate screen If the agreement is correct click Done When the agreement is complete an icon representing the synchronization agreement is displayed under the suffix This icon indicates that the synchronization agreement is set up 19 2 8 Step 7 Begin Synchronization After the sync agreement is created begin the synchronization process Select the sync agreement right click or open the Object m...

Page 476: ...Directory Server whether they originated in the Directory Server or in Active Directory have special synchronization attributes ntUniqueId This contains the value of the objectGUID attribute for the corresponding Windows entry This attribute is set by the synchronization process and should not be set or modified manually ntUserDomainId This corresponds to the sAMAccountName attribute for Active Di...

Page 477: ...vers and Table 19 2 User Schema That Are the Same in Directory Server and Windows Servers shows the attributes that are the same between the Directory Server and Windows servers For more information on the interaction between Directory Server and Windows schema see Section 19 4 Schema Differences Directory Server Active Directory cn name ntUserDomainId sAMAccountName ntUserHomeDir homeDirectory nt...

Page 478: ...ated a corresponding entry is automatically created on the peer Directory Server if that option is selected in the sync agreement Similar to user entries Directory Server group entries are synchronized if they have the ntGroup object class Like with Directory Server entries there are two attributes that control creation and deletion of entries in Active Directory ntGroupCreateNewAccount and ntGrou...

Page 479: ...the next synchronization interval the unique ID is sychronized back to the Directory Server entry and stored as the ntUniqueId attribute If the Directory Server entry is deleted on Active Directory before the unique ID is synchronized back to Directory Server the entry will not be deleted on Directory Server Directory Server uses the ntUniqueId attribute to identify and synchronize changes made on...

Page 480: ...initially configured there have been major changes to data or synchronization attributes are added to pre existing Directory Server entries it is necessary to initiate a resynchronization Resynchronization is a total update the entire contents of synchronized subtrees are examined and if necessary updated Resynchronization is done without using the changelog To send a total update 1 Go to the Conf...

Page 481: ...s For example a global group contain a domain local group as a member Directory Server has no concept of local and global groups and therefore it is possible to create entries on the Directory Server side that violate Active Directory s constraints when synchronized 19 4 3 Values for street and streetAddress Active Directory uses the attribute streetAddress for a user or group s postal address thi...

Page 482: ... reconfigure Password Sync open the Windows Services panel highlight Password Sync and select Modify This goes back through the configuration screens 19 5 2 Starting and Stopping the Password Sync Service The Password Sync service is configured to start whenever the Active Directory host is started To reconfigure the service so that it does not start when Windows reboots 1 Go to the Control Panel ...

Page 483: ...tory Make sure that the directory suffixes Windows domain and domain host and the administrator DN and password are correct Also verify that the port numbers used for LDAPS is correct If all of this is correct make sure that Active Directory or the Windows machine are running Error 2 After synchronization the status returns error 81 One of the sync peer servers has not been properly configured for...

Page 484: ...466 ...

Page 485: ...ed by a blank line Each LDIF entry consists of an optional entry ID a required distinguished name one or more object classes and multiple attribute definitions The LDIF format is defined in RFC 2849 The LDAP Data Interchange Format LDIF Directory Server is compliant with this standard The basic form of a directory entry represented in LDIF is as follows dn distinguished_name objectClass object_cla...

Page 486: ...lete list of the supported subtypes tags see Table D 2 Supported Language Subtypes attribute_value Specifies the attribute value to be used with the attribute type Table A 1 LDIF Fields NOTE The LDIF syntax for representing a change to an entry in the directory is different from the syntax described in Table A 1 LDIF Fields For information on using LDIF to modify directory entries see Chapter 2 Cr...

Page 487: ...base 64 encoded include the following Any value that begins with a colon or a space Any value that contains non ASCII data including new lines Use the ldif command line utility with the b parameter to convert binary data to LDIF format ldif b attribute_name attribute_name is the name of the attribute to which the binary data is supplied The binary data is read from standard input and the results a...

Page 488: ...DIF entry used to define a domain appears as follows dn distinguished_name objectClass top objectClass domain dc domain_component_name list_of_optional_attributes The following is a sample domain entry in LDIF format dn dc example dc com objectclass top objectclass domain dc example description Fictional example company Each element of the LDIF formatted domain entry is defined in Table A 2 LDIF E...

Page 489: ...nit or branch point within a directory tree The LDIF that defines an organizational unit entry must appear as follows dn distinguished_name objectClass top objectClass organizationalUnit ou organizational_unit_name list_of_optional_attributes The following is a sample organizational unit entry in LDIF format dn ou people dc example dc com objectclass top objectclass organizationalUnit ou people de...

Page 490: ...lPerson objectclass inetOrgPerson cn Babs Jensen sn Jensen givenname Babs uid bjensen ou people description Fictional example person telephonenumber 555 5557 userpassword SSHA dkfljlk34r2kljdsfk9 Table A 4 LDIF Elements in Person Entries defines each aspect of the LDIF person entry LDIF Element Description dn distinguished_name Required Specifies the distinguished name for the entry For example dn...

Page 491: ...IF Using LDIF is an efficient method of directory creation when there are many entries to add to the directory To create a directory using LDIF do the following 1 Create an ASCII file containing the entries to add in LDIF format Make sure each entry is separated from the next by an empty line Use just one line between entries and make sure the first line of the file is not be blank or else the lda...

Page 492: ...dif2db pl can only be used if the server is running WARNING This method is destructive and will erase any existing data in the suffix ldapmodify command line utility with the a parameter Use this method if a new subtree is being added to an existing database or there is existing data in the suffix which should not be deleted Unlike the other methods for creating the directory from an LDIF file Dir...

Page 493: ...umber 167 dn cn Robert Wong ou People example com Corp dc example dc com objectClass top objectClass person objectClass organizationalPerson objectClass inetOrgPerson cn Robert Wong cn Bob Wong sn Wong givenName Robert givenName Bob mail bwong example com userPassword sha nn2msx761 telephoneNumber 2881 roomNumber 211 ou Manufacturing ou people dn ou Groups dc example dc com objectclass top objectc...

Page 494: ... view directory information in their native language When adding directory entries the directory administrator chooses to provide attribute values in both English and French When adding a directory entry for a new employee Babs Jensen the administrator does the following 1 The administrator creates a file street txt with the French street address value 1 rue de l Université 2 The file contents are...

Page 495: ... access control in the directory see Chapter 6 Managing Access Control B 1 Finding Entries Using the Directory Server Console Users can browse the Directory tab of the Directory Server Console to see the contents of the directory tree and search for specific entries in the directory Figure B 1 Browsing Entries in the Directory Tab Depending on the DN used to authenticate to the directory this tab ...

Page 496: ...and password and locates entries based on a specified search filter The search scope can include a single entry an entry s immediate subentries or an entire tree or subtree Search results are returned in LDIF format Red Hat Directory Server uses Mozilla LDAP tools including ldapsearch The MozLDAP tools are installed with Directory Server and are located in the usr lib mozldap directory for Red Hat...

Page 497: ...les Refer to the operating system documentation for more information B 2 2 ldapsearch Command Line Format The ldapsearch command must use the following format ldapsearch optional_options optional_search_filter optional_list_of_attributes optional_options is a series of command line options These must be specified before the search filter if any are used optional_search_filter is an LDAP search fil...

Page 498: ... b cn Barbara Jensen ou Product Development dc example dc com To search the root DSE entry specify an empty string here such as b D Specifies the distinguished name with which to authenticate to the server This is optional if anonymous access is supported by the server If specified this value must be a DN recognized by the Directory Server and it must also have the authority to search for the entr...

Page 499: ...er of entries to return in response to a search request For example z 1000 Normally regardless of the value specified here ldapsearch never returns more entries than the number allowed by the server s nsslapd sizelimit attribute However this limitation can be overridden by binding as the root DN when using this command line argument When binding as the root DN this option defaults to zero 0 The de...

Page 500: ...ffixes supported by the local Directory Server This entry can be searched by supplying a search base of a search scope of base and a filter of objectclass For example ldapsearch h mozilla b s base objectclass B 2 4 4 Searching the Schema Entry Directory Server stores all directory server schema in the special cn schema entry This entry contains information on every object class and attribute defin...

Page 501: ...7 Specifying Search Filters Using a File Search filters can be entered into a file instead of entering them on the command line In this case specify each search filter on a separate line in the file The ldapsearch command runs each search in the order in which it appears in the file For example sn Francis givenname Richard ldapsearch first finds all the entries with the surname Francis then all th...

Page 502: ...e Babs Jensen cn babs jensen This search filter returns all entries that contain the common name Babs Jensen Searches for common name values are not case sensitive When the common name attribute has values associated with a language tag all of the values are returned Thus the following two attribute values both match this filter cn babs jensen cn lang fr babs jensen For a list of all the supported...

Page 503: ...be specified to work with a preferred language collation order For information on how to search a directory with international charactersets see Section B 4 Searching an Internationalized Directory Search Type Operator Description Equality Returns entries containing attribute values that exactly match the specified value For example cn Bob Johnson Substring string string Returns entries containing...

Page 504: ...Boolean Operators Boolean operators can be combined and nested together to form complex expressions such as Boolean operator filter Boolean operator filter filter The Boolean operators available for use with search filters include the following Operator Symbol Description AND All specified filters must be true for the statement to be true For example filter filter filter OR At least one specified ...

Page 505: ...iption X 500 The following filter returns all entries whose organizational unit is Marketing and that have Julie Fulmer or Cindy Zwaska as a manager ou Marketing manager cn Julie Fulmer ou Marketing dc example dc com manager cn Cindy Zwaska ou Marketing dc example dc com The following filter returns all entries that do not represent a person objectClass person The following filter returns all entr...

Page 506: ...h as cn or mail matchingRule is a string that identifies either the collation order or the collation order and a relational operator depending on the preferred format For a discussion of matching rule formats see Section B 4 1 1 Matching Rule Formats value is either the attribute value to search for or a relational operator plus the attribute value to search for The syntax of the value portion of ...

Page 507: ...age tag can be used in the matching rule portion of the matching rule filter as follows attr language tag relational_operator value The relational operator is included in the value portion of the string separated from the value by a single space For example to search the directory for all description attributes with a value of estudiante using the Spanish collation order use the following filter c...

Page 508: ... represent zero or more characters For example to search for an attribute value that starts with the letter l and ends with the letter n enter a l n in the value portion of the search filter Similarly to search for all attribute values beginning with the letter u enter a value of u in the value portion of the search filter To search for a value that contains the asterisk character the asterisk mus...

Page 509: ...an Example Performing a locale specific search using the less than operator or suffix 1 searches for all attribute values that come before the given attribute in a specific collation order For example to search for all surnames that come before the surname Marquez in the Spanish collation order any of the following matching rule filters would work sn 2 16 840 1 113730 3 3 2 15 1 Marquez sn es Marq...

Page 510: ...all localities that come at or after Québec in the French collation order any of the following matching rule filters would work locality 2 16 840 1 113730 3 3 2 18 1 Québec locality fr Québec locality 2 16 840 1 113730 3 3 2 18 1 4 Québec locality fr 4 Québec B 4 3 5 Greater Than Example Performing a locale specific search using the greater than operator or suffix 5 searches for all attribute valu...

Page 511: ...e filter contains one or more space characters To work around this problem use the entire DN in the filter instead of a substring or ensure that the DN substring in the filter begins at an RDN boundary that is make sure it starts with the type part of the DN For example this filter should not be used memberof Domain Administrators But either one of these will work correctly memberof cn Domain Admi...

Page 512: ...494 ...

Page 513: ...dap protocol is used to connect to LDAP servers over unsecured connections and the ldaps protocol is used to connect to LDAP servers over TLS SSL connections Table C 1 LDAP URL Components lists the components of an LDAP URL NOTE The LDAP URL format is described in RFC 4516 which is available at http www ietf org rfc rfc4516 txt Component Description hostname Name or IP address in dotted format of ...

Page 514: ...nts are identified by their positions in the URL Even if no attributes are specified the question marks still must be included to delimit that field For example to specify a subtree search starting from dc example dc com that returns all attributes for entries matching sn Jensen use the following LDAP URL ldap ldap example com dc example dc com sub sn Jensen The two consecutive question marks indi...

Page 515: ...le dc com ldap ldap example com dc example dc com Because no port number is specified the standard LDAP port number 389 is used Because no attributes are specified the search returns all attributes Because no search scope is specified the search is restricted to the base entry dc example dc com Because no filter is specified the directory uses the default filter objectclass Example 2 The following...

Page 516: ...dc com ldap ldap example com dc example dc com sub sn Jensen Because no attributes are specified the search returns all attributes Because the search scope is sub the search encompasses the base entry dc example dc com and entries at all levels under the base entry Example 5 The following LDAP URL specifies a search for the object class for all entries one level under dc example dc com ldap ldap e...

Page 517: ...es four things Collation order The collation order provides language and cultural specific information about how the characters of a given language are to be sorted It identifies things like the sequence of the letters in the alphabet how to compare letters with accents to letters without accents and if there are any characters that can be ignored when comparing strings The collation order also ta...

Page 518: ...ectory identify specific collation orders supported by the Directory Server For example the OID 2 16 840 1 113730 3 3 2 17 1 identifies the Finnish collation order When performing an international search in the directory use either the language tag or the OID to identify the collation order to use However when setting up an international index the OIDs must be used For more information on indexing...

Page 519: ... 2 45 1 Serbian Latin sh 2 16 840 1 113730 3 3 2 41 1 Slovakian sk 2 16 840 1 113730 3 3 2 42 1 Slovenian sl 2 16 840 1 113730 3 3 2 43 1 Spanish es or es ES 2 16 840 1 113730 3 3 2 15 1 Swedish sv 2 16 840 1 113730 3 3 2 46 1 Turkish tr 2 16 840 1 113730 3 3 2 47 1 Ukrainian uk 2 16 840 1 113730 3 3 2 48 1 Table D 1 Supported Locales D 3 Supported Language Subtypes Language subtypes can be used b...

Page 520: ... Supported Language Subtypes D 4 Troubleshooting Matching Rules International collation order matching rules may not behave consistently Some forms of matching rule invocation do not work correctly producing incorrect search results For example the following rules do not work ldapsearch p 389 D uid userID ou people dc example dc com w password b dc example dc com sn 2 16 840 1 113730 3 3 2 7 1 pas...

Page 521: ...3 ldapsearch p 389 D uid userID ou people dc example dc com w password b dc example dc com sn 2 16 840 1 113730 3 3 2 7 1 3 passin ldapsearch p 389 D uid userID ou people dc example dc com w password b dc example dc com sn de 3 passin ...

Page 522: ...504 ...

Page 523: ...st reaches this limit the server replaces that ID list with an All IDs token See Also ID list scan limit All IDs token A mechanism which causes the server to assume that all directory entries match the index key In effect the All IDs token causes the server to behave as if no index was available for the search request anonymous access When granted allows anyone to access directory information with...

Page 524: ...base DN bind DN Distinguished name used to authenticate to Directory Server when performing an operation bind distinguished name See bind DN bind rule In the context of access control the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information branch entry An entry that represents the top of a subtree in the d...

Page 525: ...ication character type Distinguishes alphabetic characters from numeric or other characters and the mapping of upper case to lower case letters ciphertext Encrypted information that cannot be read by anyone without the proper key to decrypt the information class definition Specifies the information needed to create an instance of a particular object and determines how the object works in relation ...

Page 526: ... per database instance Default indexes can be modified although care should be taken before removing them as certain plug ins may depend on them definition entry See CoS definition entry Directory Access Protocol See DAP directory tree The logical representation of the information stored in the directory It mirrors the tree model used by most filesystems with the tree s root point appearing at the...

Page 527: ...earch request equality index Allows you to search efficiently for entries containing a specific attribute value F file extension The section of a filename after the period or dot that typically defines the type of file for example GIF and HTML In the filename index html the file extension is html file type The format of a given file For example graphics files are often saved in GIF format while a ...

Page 528: ...hub In the context of replication a server that holds a replica that is copied from a different server and in turn replicates it to a third server See Also cascading replication I ID list scan limit A size limit which is globally applied to any indexed search operation When the size of an individual ID list reaches this limit the server replaces that ID list with an all IDs token index key Each in...

Page 529: ...at used to represent Directory Server entries in text form leaf entry An entry under which there are no other entries A leaf entry cannot be a branch point in a directory tree Lightweight Directory Access Protocol See LDAP locale Identifies the collation order character type monetary format and time date format used to present data for users of a specific region culture and or custom This includes...

Page 530: ...a to be named and referenced Also called the directory tree monetary format Specifies the monetary symbol used by specific region whether the symbol goes before or after its value and how monetary units are represented multi master replication An advanced replication scenario in which two servers each hold a copy of the same read write replica Each server maintains a changelog for the replica Modi...

Page 531: ...identifier operational attribute Contains information used internally by the directory to keep track of modifications and subtree properties Operational attributes are not returned in response to a search unless explicitly requested P parent access When granted indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry pass ...

Page 532: ...er In pass through authentication PTA the PTA Directory Server is the server that sends passes through bind requests it receives to the authenticating directory server PTA LDAP URL In pass through authentication the URL that defines the authenticating directory server pass through subtree s and optional parameters R RAM Random access memory The physical semiconductor based memory in a computer Inf...

Page 533: ...replica servers to which the data is pushed the times during which replication can occur the DN and credentials used by the supplier to bind to the consumer and how the connection is secured RFC Request for Comments Procedures or standards documents submitted to the Internet community People can send comments on the technologies before they become accepted standards role An entry grouping mechanis...

Page 534: ...ible for a particular system task Service processes do not need human intervention to continue functioning SIE Server Instance Entry The ID assigned to an instance of Directory Server during installation Simple Authentication and Security Layer See SASL Simple Network Management Protocol See SNMP single master replication The most basic replication scenario in which multiple servers up to four eac...

Page 535: ...d to replica servers supplier server In the context of replication a server that holds a replica that is copied to a different server is called a supplier for that replica supplier initiated replication Replication configuration where supplier servers replicate directory data to any replica servers symmetric encryption Encryption that uses the same key for both encrypting and decrypting DES is an ...

Page 536: ... a URL is protocol machine port document The port number is necessary only on selected servers and it is often assigned by the server freeing the user of having to place it in the URL V virtual list view index Speeds up the display of entries in the Directory Server Console Virtual list view indexes can be created on any branch point in the directory tree to improve display performance See Also br...

Page 537: ...ol Editor 179 get effective rights 180 Access Control Editor displaying 171 access control instruction ACI See ACI 143 access log configuring 375 manually rotating 379 turning off 375 turning on 375 viewing 375 account inactivation 222 from command line 223 from console 223 account lockout 219 configuration attributes 220 configuring 219 using command line 220 using console 219 disabling 219 enabl...

Page 538: ...le values 18 adding to entry 17 creating 309 312 deleting 31 310 deleting from object class 313 deleting using LDIF update statements 33 editing 309 multi valued 309 nsslapd schemacheck 314 OID 309 passwordChange 211 passwordExp 211 passwordGraceLimit 210 passwordInHistory 212 passwordMaxRepeats 213 passwordMin8bit 214 passwordMinAlphas 213 passwordMinCategories 213 passwordMinDigits 213 passwordM...

Page 539: ...access 160 group access example 191 groupdn keyword 160 ip keyword 166 LDAP URLs 158 LDIF keywords 157 overview 156 parent keyword 158 role access 161 roledn keyword 161 self keyword 158 timeofday keyword 167 user access LDIF example 159 parent 158 self 158 user access example 187 userattr keyword 161 userdn keyword 157 Boolean bind rules example 170 overview 170 Boolean operators in search filter...

Page 540: ...order international index 325 overview 499 search filters and 487 command line providing input from 21 command line scripts db2bak 105 command line utilities certificate based authentication and 360 ldapdelete 25 ldapmodify 22 ldapsearch 484 ldif 469 ldif2db 327 commas in DNs 26 148 using ldapsearch with 483 compare right 153 compatibility ACIs 205 replication 229 compound search filters 486 confi...

Page 541: ... viewing backend information 385 database encryption 54 importing and exporting 56 database link cascading configuring defaults 79 configuring from command line 80 configuring from console 80 overview 77 chaining with SSL 71 configuration 62 configuration attributes 67 configuration example 67 configuring bind credentials 65 configuring failover servers 67 configuring LDAP URL 67 configuring suffi...

Page 542: ...93 overview 1 performance counters 379 plug ins 409 starting and stopping 5 starting the Console 6 suffixes 39 supported languages 500 Directory Server Console starting 6 directory trees finding entries in 478 disabling suffixes 46 disk space access log and 375 log files and 379 distribution function 49 dn field LDIF 467 dns keyword 167 dse ldif PTA plugin 431 dse ldif file backing up 106 PTA synt...

Page 543: ... creating 114 example 119 finding attributes 485 entries 478 format LDIF 467 fractional replication 229 G general access example 159 overview 158 get effective rights 180 return codes 183 global password policy 207 glue entries 300 greater than or equal to search international example 492 overview 485 groupdn keyword 160 LDIF examples 160 groupdnattr keyword 161 groups access control 157 access co...

Page 544: ... 500 matching rule filters 488 modifying entries 34 monetary format 499 object identifiers and 500 of LDIF files 475 search filters and 487 supported locales 500 time format 499 ip keyword 166 J jpeg images 468 K Kerberos 365 configuring 369 realms 369 L language code in LDIF entries 476 list of supported 500 language subtype 19 language support language tag 500 searching and 487 specifying using ...

Page 545: ...internationalization and 475 LDIF files continued lines 468 creating directory using 473 creating multiple entries 22 example 474 importing from Server Console 22 internationalization and 475 LDIF format 467 LDIF update statements 27 adding attributes 31 adding entries 28 continued lines 28 deleting attribute values 33 deleting attributes 33 deleting entries 34 modifying attribute values 32 modify...

Page 546: ... from console 379 moving entries 30 multi master replication introduction 231 preventing monopolization of the consumer 257 setting up 246 multiple search filters 486 N naming conflicts in replication 298 nested role creating 115 example 120 nsds5ReplicaBusyWaitTime 257 nsds5ReplicaSessionPauseTime 257 nsRole 111 nsslapd db checkpoint interval 407 nsslapd db durable transactions 407 nsslapd db log...

Page 547: ...11 passwordGraceLimit attribute 210 passwordInHistory attribute 212 passwordMaxRepeats attribute 213 passwordMin8bit attribute 214 passwordMinAlphas attribute 213 passwordMinCategories attribute 213 passwordMinDigits attribute 213 passwordMinLowers attribute 213 passwordMinSpecials attribute 213 passwordMinTokenLength attribute 214 passwordMinUppers attribute 214 passwordMustChange attribute 210 p...

Page 548: ... the consumer in multi master replication 257 pronunciation subtype 19 Property Editor displaying 16 protocol data units See PDUs 393 proxy authorization ACI example 199 with cascading chaining 81 proxy DN 200 proxy right 153 PTA plug in configuring 430 examples 433 syntax 428 use in Directory Server 427 Q quotation marks in parameter values 26 R read right 153 read only mode 385 database 51 read ...

Page 549: ...ummary viewing 380 resource use connections 382 monitoring 381 restoring data 104 bak2db 107 bak2db pl 107 dse ldif 109 from console 106 replicated entries 108 restoring the database 405 retro changelog and access control 294 attributes 293 object class 293 searching 294 trimming 294 retro changelog plug in enabling 293 overview 230 rights list of 153 roledn keyword 161 roles 111 access control 12...

Page 550: ...lity 485 example 481 greater than or equal to 485 international 487 international examples 491 less than 491 less than or equal to 485 of directory tree 478 presence 485 specifying scope 480 substring 485 searching algorithm overview 321 Secure Sockets Layer see SSL 353 security certificate based authentication 360 LDAP URLs 498 setting preferences 358 self access 158 LDIF example 159 self keyword...

Page 551: ...sociated database 39 configuration attributes 43 creating 13 creating from command line 42 creating root suffix 41 creating sub suffix 42 custom distribution function 50 custom distribution logic 50 disabling 46 in Directory Server 39 using referrals 45 on update only 45 with multiple databases 49 suffix referrals creating 91 creating from command line 92 creating from console 92 supplier bind DN ...

Page 552: ...asses 311 userattr keyword 161 restriction on add 165 userdn keyword 157 users activating 224 inactivating 222 UTF 8 499 V value based ACI 151 viewing access control get effective rights 180 attributes 307 object classes 310 virtual list view index 318 vlvindex command line tool 318 W wildcard in LDAP URL 159 in target 148 wildcards in international searches 490 in matching rule filters 490 WinSyn...

Reviews:

No comments