Главная
/
Netscape
/
NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR
/
Руководство администратора

Netscape NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR, Руководство администратора

Поделиться

Страница: 246 / 578

Netscape NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR Скачать руководство пользователя страница 246

Access Control Usage Examples

246

Netscape Directory Server Administrator’s Guide • August 2002

Granting Conditional Access to a Group or Role

In many cases, when you grant a group or role privileged access to the directory,
you want to ensure that those privileges are protected from intruders trying to
impersonate your privileged users. Therefore, in many cases, access control rules
that grant critical access to a group or role are often associated with a number of
conditions.

example.com

, for example, has created a Directory Administrator role for each of

its hosted companies, HostedCompany1 and HostedCompany2. It wants these
companies to be able to manage their own data and implement their own access
control rules while securing it against intruders. For this reason, HostedCompany1
and HostedCompany2 have full rights on their respective branches of the directory
tree, provided the following conditions are fulfilled:

•

Connection authenticated using SSL,

•

Access requested between 8 am and 6 pm, Monday through Thursday, and

•

Access requested from a specified IP address for each company.

These conditions are illustrated in a single ACI for each company, ACI
“HostedCompany1” and ACI “HostedCompany2”. Because the content of these
ACIs is the same, the examples below illustrate the “HostedCompany1 “ ACI only.

ACI “HostedCompany1”

In LDIF, to grant HostedCompany1 full access to their own branch of the directory
under the conditions stated above, you would write the following statement:

aci:

(target="ou=HostedCompany1,ou=corporate-clients,dc=example,dc=com")

(targetattr= "*") (version 3.0; acl "HostedCompany1";

allow (all) (roledn="ldap:///cn=DirectoryAdmin,ou=HostedCompany1,

ou=corporate-clients, dc=example,dc=com") and (authmethod="ssl") and

(dayofweek="Mon,Tues,Wed,Thu") and (timeofday >= "0800" and

timeofday <= "1800") and (ip="255.255.123.234"); )

This example assumes that the ACI is added to the

ou=HostedCompany1,

ou=corporate-clients,dc=example,dc=com

entry.

From the Console, you can set this permission by doing the following:

1.

On the Directory tab, right click the HostedCompany1 entry under the

example.com

node in the left navigation tree, and choose Set Access

Permissions from the pop-up menu to display the Access Control Manager.

2.

Click New to display the Access Control Editor.

«
...
244
245
246
247
248
...
»

Содержание NETSCAPE DIRECTORY SERVER 6.1 - ADMINISTRATOR

Страница 1: ...Administrator s Guide Netscape Directory Server Version6 1 August 2002...

Страница 2: ...2002 Netscape Communications Corporation All rights reserved Portions of the Software copyright 1995 PEER Networks Inc All rights reserved The Software contains the Taligent International Classes from...

Страница 3: ...ver Console 32 Copying Entry DNs to the Clipboard 33 Configuring the Directory Manager 34 Binding to the Directory From Netscape Console 34 Changing Login Identity 35 Viewing the Current Bind DN From...

Страница 4: ...Attribute Subtype 52 Deleting Directory Entries 54 Managing Entries From the Command Line 54 Providing Input From the Command Line 55 Creating a Root Entry From the Command Line 56 Adding Entries Usin...

Страница 5: ...Update Operations 88 Disabling a Suffix 88 Deleting a Suffix 89 Creating and Maintaining Databases 89 Creating Databases 90 Creating a New Database for an Existing Suffix Using the Console 92 Creating...

Страница 6: ...Creating Smart Referrals 137 Creating Smart Referrals Using the Directory Server Console 138 Creating Smart Referrals From the Command Line 139 Creating Suffix Referrals 140 Creating Suffix Referrals...

Страница 7: ...65 Modifying a Dynamic Group 165 Using Roles 166 About Roles 166 Managing Roles Using the Console 167 Creating a Managed Role 168 Creating a Filtered Role 169 Creating a Nested Role 169 Viewing and Ed...

Страница 8: ...imitations 196 Default ACIs 197 Creating ACIs Manually 198 The ACI Syntax 198 Example ACI 199 Defining Targets 199 Targeting a Directory Entry 201 Targeting Attributes 203 Targeting Both an Entry and...

Страница 9: ...ng an ACI 233 Deleting an ACI 234 Access Control Usage Examples 234 Granting Anonymous Access 235 Granting Write Access to Personal Entries 237 Restricting Access to Key Roles 241 Granting a Group Ful...

Страница 10: ...source Limits Based on the Bind DN 275 Setting Resource Limits Using the Console 276 Setting Resource Limits Using the Command Line 276 Chapter 8 Managing Replication 279 Replication Overview 280 Read...

Страница 11: ...l Consumer Initialization Overview 315 Exporting a Replica to LDIF 316 Importing the LDIF File to the Consumer Server 316 Forcing Replication Updates 316 Forcing Replication Updates From the Console 3...

Страница 12: ...ystem and Standard Indexes 349 Overview of Default Indexes 349 Overview of System Indexes 350 Overview of Standard Indexes 351 Overview of the Searching Algorithm 351 Balancing the Benefits of Indexin...

Страница 13: ...ory Server 381 Enabling SSL Summary of Steps 382 Obtaining and Installing Server Certificates 383 Step 1 Generate a Certificate Request 383 Step 2 Send the Certificate Request 384 Step 3 Install the C...

Страница 14: ...nitors 411 Overview of Database Performance Monitor Information 411 General Information Database 412 Summary Information Table 412 Database Cache Information Table 413 Database File Specific Table 414...

Страница 15: ...7 bit Check Plug In 443 ACL Plug In 444 ACL Preoperation Plug In 445 Binary Syntax Plug In 445 Boolean Syntax Plug In 446 Case Exact String Syntax Plug In 446 Case Ignore String Syntax Plug In 447 Cha...

Страница 16: ...y Server and One Subtree 475 Specifying Multiple Authenticating Directory Servers 475 Specifying One Authenticating Directory Server and Multiple Subtrees 476 Using Non Default Parameter Values 476 Sp...

Страница 17: ...ries 505 Specifying Organizational Person Entries 506 Defining Directories Using LDIF 507 LDIF File Example 509 Storing Information in Multiple Languages 510 Appendix B Finding Directory Entries 513 F...

Страница 18: ...526 Using Wildcards in Matching Rule Filters 528 Supported Search Types 528 International Search Examples 529 Less Than Example 529 Less Than or Equal to Example 530 Equality Example 530 Greater Than...

Страница 19: ...gure 4 1 Splitting a Database Contents into Two Databases 151 Figure 5 1 Sample Pointer CoS 179 Figure 5 2 Sample Indirect CoS 180 Figure 5 3 Sample Classic CoS 181 Figure 6 1 Using Inheritance With t...

Страница 20: ...20 Netscape Directory Server Administrator s Guide August 2002...

Страница 21: ...Error Detection Parameters 120 Table 3 7 Cascading Chaining Configuration Attributes 129 Table 4 1 Import Method Comparison 144 Table 5 1 Object Classses and Attributes for Roles 173 Table 5 2 CoS De...

Страница 22: ...on Plug In 445 Table 15 4 Details of Binary Syntax Plug In 445 Table 15 5 Details of Boolean Syntax Plug In 446 Table 15 6 Details of Case Exact String Syntax Plug In 446 Table 15 7 Details of Case Ig...

Страница 23: ...of UID Uniqueness Plug In 462 Table 15 34 Details of URI Plug In 464 Table 16 1 PTA Plug In Parameters 468 Table 17 1 Attribute Uniqueness Plug In Variables 483 Table 18 1 Attributes for Setting Limit...

Страница 24: ...24 Netscape Directory Server Administrator s Guide August 2002...

Страница 25: ...read and write operations Multi master replication can be combined with simple and cascading replication scenarios to provide a highly flexible and scalable replication environment Chaining and referr...

Страница 26: ...its you to monitor your Directory Server in real time using the Simple Network Management Protocol SNMP Online backup and restore Allows you to create backups and restore from backups while the server...

Страница 27: ...IX On Windows it is c usr netscape servers If you have installed Directory Server in a different location you should adapt the path accordingly serverID is the ID or identifier you assigned to an inst...

Страница 28: ...eference information on the command line scripts configuration attributes and log files shipped with Directory Server Netscape Directory Server Schema Reference Provides reference information about th...

Страница 29: ...reating Directory Entries Chapter 3 Configuring Directory Databases Chapter 4 Populating Directory Databases Chapter 5 Advanced Entry Management Chapter 6 Managing Access Control Chapter 7 User Accoun...

Страница 30: ...tory Server Administrator s Guide August 2002 Chapter 11 Managing SSL Chapter 12 Monitoring Server and Database Activity Chapter 13 Monitoring Directory Server Using SNMP Chapter 14 Tuning Directory S...

Страница 31: ...irectory Server and the most basic tasks you need to start administering a directory service It includes the following sections Overview of Directory Server Management page 32 Using the Directory Serv...

Страница 32: ...r called Netscape Console The Directory Server Console is a part of Netscape Console designed specifically for use with Directory Server You can perform most Directory Server administrative tasks from...

Страница 33: ...he Netscape Console is displayed 5 Navigate through the tree in the left hand pane to find the machine hosting your Directory Server and click on its name or icon to display its general properties 6 T...

Страница 34: ...a different user 2 On the Directory Server Console select the Configuration tab and then select the top entry in the navigation tree in the left pane 3 Select the Manager tab in the right pane 4 Enter...

Страница 35: ...to bind to the server For example if you want to bind as the Directory Manager then enter the following in the Distinguished Name text box cn Directory Manager For more information about the Director...

Страница 36: ...s icon 3 Scroll through the list of services and select the Netscape Directory Server The service name is Netscape Directory Server version serverID where version is the version number and serverID is...

Страница 37: ...hrough the Directory Server Console This section provides information on Changing Directory Server Port Numbers Placing the Entire Directory Server in Read Only Mode Tracking Modifications to Director...

Страница 38: ...ext box The default value is 389 4 Enter the port number you want the server to use for SSL communications in the Encrypted Port text box The encrypted port number that you specify must not be the sam...

Страница 39: ...last modified in GMT format To enable the Directory Server to track this information 1 On the Directory Server Console select the Configuration tab and then select the top entry in the navigation tre...

Страница 40: ...s only on the server s host machine On UNIX you must start the server from the command line Alternatively on either platform you can create a password file to store your certificate password By placin...

Страница 41: ...n of your first Directory Server instance and apply it to the new one Creating a New Directory Server Instance 1 In the Netscape Console window select then right click Server Group in the navigation t...

Страница 42: ...displayed with the list of target servers for cloning 3 In this window select the server to which you want the configuration to apply and click the Clone To button A message is displayed to give you...

Страница 43: ...ver you want to start in referral mode and referral_url is the referral returned to clients For information on the format of an LDAP URL refer to Appendix C LDAP URLs On a Windows machine to start the...

Страница 44: ...Starting the Server in Referral Mode 44 Netscape Directory Server Administrator s Guide August 2002...

Страница 45: ...pter consists of the following sections Managing Entries From the Directory Console page 45 Managing Entries From the Command Line page 54 LDIF Update Statements page 62 Maintaining Referential Integr...

Страница 46: ...tomatically created To create a root entry for a database 1 On the Directory Server Console select the Configuration tab For information on starting the Directory Server Console refer to Using the Dir...

Страница 47: ...e Property Editor for the new entry is displayed You can accept the current values by clicking OK or modify the entry as explained in Modifying Directory Entries on page 49 Creating Directory Entries...

Страница 48: ...anizational Unit Role Class of Service or Other The corresponding Create window is displayed 3 Supply values for all of the mandatory attributes identified by an asterisk and if you want for any of th...

Страница 49: ...ct the naming attribute you want to use to name your new entry To provide values for optional attributes that are not listed refer to Modifying Directory Entries on page 49 6 Click OK to save the new...

Страница 50: ...ntry you want to modify and select Properties from the pop up menu Alternatively you can double click the entry The Property Editor is displayed 2 Select the object class field and click Add Value The...

Страница 51: ...bute dialog box is displayed 3 Select the attribute you want to add from the list and click OK The Add Attribute window is dismissed and the attribute you selected appears in the list of attributes in...

Страница 52: ...ick OK in the Property Editor when you have finished editing the entry The Property Editor is dismissed Adding an Attribute Subtype You can add three different kinds of subtypes to attributes containe...

Страница 53: ...type to an attribute indicates that the attribute value is a phonetic representation The subtype is added to the attribute name as follows attribute phonetic This subtype is commonly used in combinati...

Страница 54: ...e right pane and select Delete from the pop up menu To select multiple entries use Ctrl click or Shift click and then select Delete from the Edit menu The server deletes the entry or entries immediate...

Страница 55: ...ollowing depending upon the type of machine you use UNIX Almost always control D D Windows Usually control Z followed by a carriage return Z return For example suppose you want to input some LDIF upda...

Страница 56: ...nds to the server and prepares it to add an entry You create the new root object as follows dn Suffix_Name objectclass newobjectclass The DN corresponds to the DN of the root or sub suffix contained b...

Страница 57: ...he distinguished name and password you supply and modifies the entries based on LDIF update statements contained in a specified file Because ldapmodify uses LDIF update statements ldapmodify can do ev...

Страница 58: ...DIF statements in the new ldif file do not specify a change type They follow the format defined in LDIF File Format on page 499 To add the entries you must enter the following command ldapmodify a D c...

Страница 59: ...with the appropriate LDIF update statements and then enter the following command ldapmodify D cn Directory Manager dc example dc com w King Pin h cyclops p 845 f modify_statements The following table...

Страница 60: ...if there aren t any entries below it If you want to delete ou People dc example dc com you must first delete Paula Simon and Jerry O Connor s entries and all other entries in that subtree Here is a ty...

Страница 61: ...apdelete parameters refer to the Netscape Directory Server Configuration Command and File Reference Using Special Characters When using the Directory Server command line client tools you may need to s...

Страница 62: ...neral LDIF update statements are a series of statements that Specify the distinguished name of the entry to be modified Specify a change type that defines how a specific entry is to be modified add de...

Страница 63: ...tatements are identical dn cn Lisa Jangles ou People dc example dc com dn cn Lisa Jangles ou People dc example dc com The following sections describe the change types in detail Adding an Entry Using L...

Страница 64: ...pminsky dn cn Sue Jacobs ou People dc example dc com changetype add objectclass top objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn Sue Jacobs givenName Sue sn Jacobs...

Страница 65: ...Using LDIF Use changetype modrdn to change an entry s relative distinguished name RDN An entry s RDN is the left most element in the distinguished name Therefore the RDN for cn Barry Nixon ou People d...

Страница 66: ...obs and only cn Susan Jacobs would remain within the entry A Note on Renaming Entries You cannot rename an entry with the modrdn change type such that the entry moves to a completely different subtree...

Страница 67: ...e server returns an error replace attribute The specified values are used to entirely replace the attribute s value s If the attribute does not already exist it is created If no replacement value is s...

Страница 68: ...555 1212 telephonenumber 555 6789 add manager manager cn Sally Nixon ou People dc example dc com The following example adds a jpeg photograph to the directory The jpeg photo can be displayed by Direct...

Страница 69: ...eplace manager manager cn Wally Hensford ou People dc example dc com If the entry has multiple instances of the attribute then to change one of the attribute values you must delete the attribute value...

Страница 70: ...of how many times it appears in the entry dn cn Barney Fife ou People dc example dc com changetype modify delete telephonenumber If you want to delete just a specific instance of the telephonenumber...

Страница 71: ...nal unit For example of the following three entries ou People dc example dc com cn Paula Simon ou People dc example dc com cn Jerry O Connor ou People dc example dc com you can delete only the last tw...

Страница 72: ...y Referential integrity is a database mechanism that ensures relationships between related entries are maintained In the Directory Server referential integrity can be used to ensure that an update to...

Страница 73: ...configure the behavior of the referential integrity plug in to suit your own needs You can Record referential integrity updates in the replication change log Modify the update interval Select the att...

Страница 74: ...ntial Integrity You can enable or disable referential integrity from the Directory Server Console or from the command line From the Directory Server Console 1 On the Directory Server Console select th...

Страница 75: ...ee and select the Referential Integrity Postoperation plug in The settings for the plug in are displayed in the right pane 3 In the arguments list replace the referint filename with the absolute path...

Страница 76: ...interval 4 Click Save to save your changes 5 For your changes to be taken into account go to the Tasks tab and select Restart the Directory Server Modifying the Attribute List By default the referenti...

Страница 77: ...ory Entries 77 5 For your changes to be taken into account go to the Tasks tab and select Restart the Directory Server NOTE For best performance the attributes set for updating should also be indexed...

Страница 78: ...Maintaining Referential Integrity 78 Netscape Directory Server Administrator s Guide August 2002...

Страница 79: ...ks page 96 Using Referrals page 136 For conceptual information on distributing your directory data refer to the Netscape Directory Server Deployment Guide Creating and Maintaining Suffixes You can sto...

Страница 80: ...ining Suffixes Creating Suffixes You can create both root and sub suffixes to organize the contents of your directory tree A root suffix is the parent of a sub suffix It can be part of a larger tree y...

Страница 81: ...e the directory tree looks as illustrated in Figure 3 3 Figure 3 3 A Sample Directory Tree with a Root Suffix Off Limits to Search Operations Searches performed by client applications on the dc exampl...

Страница 82: ...th a database 1 In the Directory Server Console select the Configuration tab 2 Right click Data in the left navigation pane and select New Root Suffix from the pop up menu The Create new root suffix d...

Страница 83: ...New Sub Suffix from the pop up menu The Create new sub suffix dialog box is displayed 3 Enter a unique suffix name in the New suffix field The suffix must be named according to dc naming conventions...

Страница 84: ...rver and prepares it to add an entry to the configuration file Next you create the root suffix entry for example com Corporation as follows dn cn dc example dc com cn mapping tree cn config objectclas...

Страница 85: ...ing the Directory Server Console you will need to respect the same spacing you use to name the root and sub suffixes via the command line For example if you name a root suffix ou groups dc example dc...

Страница 86: ...e nsslapd backend Gives the name of the database or database link used to process requests This attribute can be multi valued with one database or database link per value Refer to Creating and Maintai...

Страница 87: ...ory Server Console select the Configuration tab 2 Under Data in the left pane click the suffix to which you want to add a referral 3 Click the Suffix Settings tab Select the Use Referrals radio button...

Страница 88: ...ferrals only during update operations 1 On the Directory Server Console select the Configuration tab 2 Under Data in the left pane click the suffix to which you want to add a referral 3 Click the Suff...

Страница 89: ...ane select the suffix you want to delete 3 Select Delete from the Object menu You can also right click the suffix and select Delete from the pop up menu 4 Select Delete this suffix and all of its sub...

Страница 90: ...rectory Server supports the use of multiple databases over which you can distribute your directory tree There are two ways you can distribute your data across multiple databases One database per suffi...

Страница 91: ...h of your directory tree is so large that you need two databases to store them In this case the data contained by ou people could be distributed across two databases This is illustrated as follows Dat...

Страница 92: ...atabase example2 5 In the Create database in field enter the path to the directory where you want to store the new database You can also click Browse to locate a directory on your local machine By def...

Страница 93: ...ven in the DN attribute must correspond with the value in the nsslapd backend attribute of the suffix entry Adding Multiple Databases for a Single Suffix You can distribute a single suffix across mult...

Страница 94: ...o which you want to apply your distribution function 3 Select the Databases tab in the right window 4 Click Add to associate additional databases with the suffix The Database List dialog box is displa...

Страница 95: ...Directory Server manages multiple databases you can place all of them into read only mode at the same time by placing your entire server in read only mode For more information see Placing the Entire...

Страница 96: ...the Object menu select Delete You can also right click the database and select Delete from the pop up menu The Deleting Database confirmation dialog box is displayed 4 Click Yes to confirm that you w...

Страница 97: ...policy applies to all database links you create on your Directory Server Chaining Component Operations A component is any functional unit in the server that uses internal operations For example plug i...

Страница 98: ...fig Read search and compare 4 0 plug ins This component name represents all Directory Server 4 0 plug ins The 4 0 plug ins share the same chaining policy Specify the following in the nsActiveChainingC...

Страница 99: ...ig Read write search and compare UID uniqueness plug in This plug in checks that all the values for a specified uid attribute are unique no duplicates If you allow this plug in to chain it confirms th...

Страница 100: ...mponent to chain you must create an ACI in the suffix on the remote server to which the operation will be chained For example you would create the following ACI for the referential integrity plug in a...

Страница 101: ...This control sorts entries according to their attribute values Managed DSA This controls returns smart referrals as entries rather than following the referral This allows you to change or delete the s...

Страница 102: ...database cn plugins cn config entry For example to forward the virtual list view control you add the following to your database link entry in the configuration file nsTransmittedControls 2 16 840 1 1...

Страница 103: ...Creating a New Database Link Using the Console To create a new database link using the Directory Server Console 1 On the Directory Server Console select the Configuration tab 2 Right click Data in th...

Страница 104: ...d for the bind in the Remote server port field The default port number is 389 12 Enter the name of a failover server in the Failover Server s field and specify a port number in the Port field The defa...

Страница 105: ...e Netscape Directory Server Configuration Command and File Reference This section contains the following procedures for configuring a database link from the command line Providing Suffix Information P...

Страница 106: ...ntries on page 45 b Provide proxy access rights for the administrative user created in step 1 on the subtree chained to by the database link For more information on configuring ACI s refer to Managing...

Страница 107: ...sponding to the nsMultiplexorBindDN and you must set the proxy authentication rights for this user To set the proxy authorization right you need to set the proxy ACI as you would any other ACI CAUTION...

Страница 108: ...verURL might appear as follows nsFarmServerURL ldap example com 389 Do not forget to use the trailing slash at the end of the URL If you want to the database link to connect to the remote server using...

Страница 109: ...database link take precedence over the global attribute value Table 3 4 Database Link Configuration Attributes Attributes Value nsTransmittedControls Gives the OID of LDAP controls forwarded by the da...

Страница 110: ...has been restarted The default value is off nsProxiedAuthorization Reserved for advanced use only Allows you to disable proxied authorization A value of off means proxied authorization is disabled Th...

Страница 111: ...us example com Then specify the configuration information for the database link dn cn DBLink1 cn chaining database cn plugins cn config objectclass top objectclass extensibleObject objectclass nsBack...

Страница 112: ...database link The nsslapd parent suffix attribute specifies the parent of this new suffix ou people dc example dc com Next you create an administrative user on server B as follows dn cn proxy admin c...

Страница 113: ...mple com 636 Enable SSL on the server that contains the database link For more information on enabling SSL refer to Enabling SSL Summary of Steps on page 382 When you configure the database link and r...

Страница 114: ...ter a new LDAP URL in the Remote Server URL field Unlike the standard LDAP URL format the URL of the remote server does not specify a suffix It takes the following form ldap servername portnumber 5 Up...

Страница 115: ...ess controls on the subtree contained on the remote server This means that you need to add the usual access controls to the remote server with a few restrictions You cannot use all types of access con...

Страница 116: ...ication When performing a modify operation the database link does not have access to the full entry stored on the remote server If performing a delete operation the database link is only aware of the...

Страница 117: ...that the database link establishes with the remote server The default value is 3 connections Bind timeout Amount of time in seconds before the database link s bind attempt times out The default value...

Страница 118: ...ion management attributes for a specific database link are stored in the following entry cn database_link_name cn chaining database cn plugins cn config where database_link_name is the name of the dat...

Страница 119: ...s set using the nsMaxTestResponseDelay nsBindRetryLimit Number of times a database link attempts to bind to the remote server A value of zero 0 indicates that the database link will try to bind only o...

Страница 120: ...rowing too long However the database link forwards operations to remote servers for processing The database link contacts the remote server forwards the operation waits for the result and then sends t...

Страница 121: ...read number to 50 to improve performance After changing the thread number restart the server to implement your changes Advanced Feature Configuring Cascading Chaining You can configure your database l...

Страница 122: ...ins the data the clients wants to modify in a database Two hops are required to access the piece of data the client want to modify During a normal operation request a client binds to the server and th...

Страница 123: ...s are stored on Server A The l europe dc example dc com and ou groups suffixes are stored in on Server B and the ou people branch of the l europe dc example dc com suffix is stored on Server C With ca...

Страница 124: ...ou people l europe dc example dc com branch Because at least two hops are required for the directory to service the client request this is considered a cascading chain Configuring Cascading Chaining D...

Страница 125: ...g 1 On the Directory Server Console select the Configuration tab 2 Expand the Data folder in the left pane and locate the database link you want to include in a cascading chain Click the database link...

Страница 126: ...abase link must contain the URL of the server containing another database link For example suppose the database link on the server called example1 com points to a database link on the server called af...

Страница 127: ...the administrative user that targets the appropriate suffix This ensures the administrator has access only to the suffix of the database link Add the following ACI to the administrative user s entry a...

Страница 128: ...then need to add any client ACIs to this superior suffix entry For example you might add the following aci targetattr version 3 0 acl Client authentication for database link users allow all userdn lda...

Страница 129: ...onfiguring Server Three Table 3 7 Cascading Chaining Configuration Attributes Attribute Description nsFarmServerURL URL of the server containing the next database link in the cascading chain nsTransmi...

Страница 130: ...Configuring Server One First use the ldapmodify command line utility to add a database link to server one To use the utility type the following to change to the directory containing the utility cd ser...

Страница 131: ...The first section creates the entry associated with DBLink1 The second section creates a new suffix allowing the server to direct requests made to the database link to the correct server You do not ne...

Страница 132: ...Next you configure the database link DBLink2 on server two Using ldapmodify specify the configuration information for DBLink2 as follows dn cn DBLink2 cn chaining database cn plugins cn config object...

Страница 133: ...1 1466 29539 12 where nsTransmittedControl 2 16 840 1 113730 3 4 12 is the OID for Proxy Authorization control and nsTransmittedControl 1 3 6 1 4 1 1466 29539 12 is the OID for the loop detection con...

Страница 134: ...etattr target l Zanzibar c africa ou people dc example dc com version 3 0 acl Client authorization for database links allow all userdn ldap uid c us ou people dc example dc com This ACI allows clients...

Страница 135: ...ess to the data contained on the remote server server three within the l Zanzibar ou people dc example dc com subtree only You then need to create an local client ACI on the l Zanzibar ou people dc ex...

Страница 136: ...referrals are returned to client applications that submit operations on a DN not contained within any of the suffixes maintained by your directory The following procedures describes setting a default...

Страница 137: ...zanzibar com Once you have added the default referral to the cn config entry of your directory the directory will return the default referral in response to requests made by client applications You do...

Страница 138: ...log box displays 5 Select referral from the list and click OK 6 Click Add Attribute The Add Attribute dialog box is displayed 7 Scroll down the list of attributes to the ref attribute Select the ref a...

Страница 139: ...e com you would include the following in your LDIF file before importing dn uid ssarette ou people dc example dc com objectclass top objectclass person objectclass organizationalperson objectclass ine...

Страница 140: ...erral will be returned when this suffix receives an update request from a client application This option is used to redirect update and write requests made by client applications to a read only databa...

Страница 141: ...le dc com cn mapping tree cn config objectclass extensibleObject objectclasss nsmappingtree nsslapd state referral nsslapd referral ldap zanzibar com The nsslapd state attribute is set to referral mea...

Страница 142: ...Using Referrals 142 Netscape Directory Server Administrator s Guide August 2002...

Страница 143: ...the Directory Server Console You can use the Directory Server Console to append data to all of your databases including database links Initialize databases You can use the Directory Server Console to...

Страница 144: ...d on remote databases to which your Directory Server has a configured database link You must be logged in as the Directory Manager in order to perform an import Table 4 1 Import Method Comparison Impo...

Страница 145: ...ile may contain modify and delete instructions in addition to the default add instructions If you want the server to ignore operations other than add select the Add only check box Continue on Error Se...

Страница 146: ...the database itself 3 Right click the database and select Initialize Database You can also select Initialize Database from the Object menu 4 In the LDIF file field enter the full path to the LDIF file...

Страница 147: ...ith the import By default the script first saves and then merges any existing o NetscapeRoot configuration information with the o NetscapeRoot configuration information in the files being imported To...

Страница 148: ...ript the ldif2db pl script overwrites the data in a database you specify This script requires the server to be running in order to perform the import 1 From the command line change to the following di...

Страница 149: ...The ldif2ldap script appends the LDIF file through LDAP Using this script you import data to all directory databases at the same time The server must be running in order to import using ldif2ldap To...

Страница 150: ...the absolute path and file name of the LDIF file s to be imported Exporting Data You can use the LDAP Data Interchange Format LDIF to export database entries from your databases LDIF is a standard fo...

Страница 151: ...ng the Console Exporting a Single Database to LDIF Using the Console Exporting to LDIF From the Command Line Note that the export operations do not export the configuration information cn config Expor...

Страница 152: ...onsole on a machine remote to the server two radio buttons are displayed beneath the LDIF file field Select To local machine to indicate that you are exporting to an LDIF file in the machine from whic...

Страница 153: ...he file Exporting to LDIF From the Command Line You can export your database to LDIF using the db2ldif command line script This script exports all of your database contents or a part of their contents...

Страница 154: ...guration File Backing Up All Databases The following procedures describe backing up all of the databases in your directory using the Directory Server Console and from the command line Option Descripti...

Страница 155: ...ault the backup files will be placed in the following location serverRoot slapd serverID bak backup_directory The backup_directory variable names a directory using the name of the backup file By defau...

Страница 156: ...up a single database 1 At the command prompt change to serverRoot slapd serverID 2 If the server is running type the following to stop it stop slapd 3 Change to the directory containing the database y...

Страница 157: ...opping the server and then copying the databases and associated index files from the backup location to the database directory To restore your databases from a previously created backup 1 On the Direc...

Страница 158: ...bout using this script refer to Netscape Directory Server Configuration Command and File Reference Two examples of performing an import using bak2db follow Windows batch file bak2db bat usr netscape s...

Страница 159: ...o shut it down stop slapd 3 Change to the directory containing the backup you want to restore 4 Copy all of the files to the directory containing the database you want to overwrite with your backup Fo...

Страница 160: ...nce Directory Server automatically detects the compatibility between the replica and its change log If a mismatch is detected the server removes the old change log file and creates a new empty one Cha...

Страница 161: ...1 On the Directory Server Console select the Configuration tab and expand the Data folder in the navigation tree 2 Select the database that you want to place in read only mode and click the Database...

Страница 162: ...Enabling and Disabling Read Only Mode 162 Netscape Directory Server Administrator s Guide August 2002...

Страница 163: ...les and class of service in the planning phase of your directory deployment determine your directory topology Refer to the Netscape Directory Server Deployment Guide for more information Using Groups...

Страница 164: ...is required 4 Enter a description of the new group in the Description field 5 Click Members in the left pane In the right pane select the Static Group tab Click Add to add new members to the group The...

Страница 165: ...g and modifying dynamic groups Adding a New Dynamic Group Modifying a Dynamic Group Adding a New Dynamic Group 1 Follow steps 1 4 of Adding a New Static Group on page 164 2 Click Members in the left p...

Страница 166: ...the role of an entry rather than select a group and browse the members list This section contains the following topics About Roles Managing Roles Using the Console Managing Roles Using the Command Li...

Страница 167: ...server side Each role has members or entries that possess the role You can specify members either explicitly or dynamically How you specify role membership depends upon the type of role you are using...

Страница 168: ...and select the parent entry for your new role 3 Go to the Object menu and select New Role You can also right click the entry and select New Role The Create New Role dialog box is displayed 4 Click Ge...

Страница 169: ...le definitions fields a Select the types of entries you want to filter from the For drop down list You can choose between users groups or both b Select an attribute from the Where drop down list The t...

Страница 170: ...the Directory Server Console select the Directory tab 2 In the left navigation pane browse the tree and select the entry for which you want to view or edit a role 3 Select Set Roles from the Object me...

Страница 171: ...king a Role Inactive You can temporarily disable the members of a role by inactivating the role to which they belong Inactivating a role inactivates the entries possessed by the role and not the role...

Страница 172: ...ntries 3 Right click the role and select Delete A dialog box appears asking you to confirm the deletion Click Yes 4 The Deleted Entries dialog box appears to inform you that the role was successfully...

Страница 173: ...Marketing ou people dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsSimpleRoleDefinition objectclass nsManagedRoleDefinition cn Marketing descrip...

Страница 174: ...ers Run the ldapmodify script as follows ldapmodify D cn Directory Manager w secret h host p 389 Specify the filtered role as follows dn cn SalesManagerFilter ou people dc example dc com objectclass t...

Страница 175: ...suitable for use in a security context When creating a new role consider how easily the role can be assigned to and removed from an entry Sometimes it is appropriate for users to be able to easily ad...

Страница 176: ...attribute The user should not be allowed to add delete and modify the attribute used by the filtered role If the value of the filter attribute is computed then all attributes that can modify the value...

Страница 177: ...s to the template entry attribute values are automatically applied to all the entries within the scope of the CoS A single CoS might have more than one template entry associated with it The CoS defini...

Страница 178: ...ribute for which the CoS is generating values by default the CoS supplies the client application with the attribute value in the entry itself However you can use the CoS definition entry to control th...

Страница 179: ...this example the template entry is identified by its DN cn exampleUS cn data in the CoS definition entry Each time the postalCode attribute is queried on the entry cn wholiday ou people dc example dc...

Страница 180: ...Carla Fuentes so the manager attribute contains a pointer to the DN of the template entry cn Carla Fuentes ou people dc example dc com The template entry in turn provides the departmentNumber attribut...

Страница 181: ...mpleUS cn data The template entry then provides the value of the postalCode attribute to the target entry Managing CoS Using the Console This section describes creating and editing CoS through the Dir...

Страница 182: ...n a generated value if there is no corresponding attribute value stored with the entry Select Overrides target entry attribute to make the value of the attribute generated by the CoS override the loca...

Страница 183: ...describes changing the description and attributes generated on the target entry of an existing class of service To edit an existing CoS 1 In the Directory Server Console select the Directory tab 2 Br...

Страница 184: ...res a particular object class to be specified in the definition entry All CoS definition object classes inherit from the LDAPsubentry object class and the cosSuperDefinition object class Table 5 2 lis...

Страница 185: ...rks as if override and operational were specified If you do not indicate a qualifier default is assumed Table 5 3 CoS Definition Entry Attributes Attribute Definition cosAttribute Provides the name of...

Страница 186: ...the attributes refer to the Netscape Directory Server Configuration Command and File Reference Now that you have been introduced to the object classes and attributes used by a CoS definition it is ti...

Страница 187: ...you might have a multi valued cosSpecifier in your CoS definition entry In such a case you can specify a template priority on each template entry to determine which template provides the attribute val...

Страница 188: ...over any other conflicting templates that define a different departmentNumber value The following sections provide examples of template entries along with examples of each type of CoS definition entry...

Страница 189: ...First you add a new indirect CoS definition entry to the dc example dc com suffix using ldapmodify as follows ldapmodify a D cn directory manager w secret h host p 389 The ldapmodify utility binds to...

Страница 190: ...ata dc example dc com The department number is different depending upon the manager Example of a Classic CoS You want to create a classic CoS that automatically generates postal codes using a combinat...

Страница 191: ...g template provides a postal code specific to employees in the marketing department Creating Role Based Attributes You can create classic CoS schemes that generate attribute values for an entry based...

Страница 192: ...CoS template entry The CoS template entry provides the value for the mailboxquota attribute An additional qualifier of override tells the CoS to override any existing mailboxquota attributes values i...

Страница 193: ...Control Usage Examples page 234 Viewing the ACIs for an Entry page 254 Advanced Access Control Using Macro ACIs page 254 Access Control and Replication page 261 Logging Access Control Information page...

Страница 194: ...attributes You can set permissions for a specific user all users belonging to a specific group or role or all users of the directory Finally you can define access for a specific location such as an IP...

Страница 195: ...uld create an ACI that targets entries that include the inetorgperson object class You can use this feature to minimize the number of ACIs in the directory tree by placing general rules at high level...

Страница 196: ...ocated on remote servers ACIs that depend on role definitions roledn keyword must be located on the same server as the role definition entry Every entry that is intended to have the role must also be...

Страница 197: ...tor by default uid admin ou Administrators ou TopologyManagement o NetscapeRoot has all rights except proxy rights All members of the Configuration Administrators group have all rights except proxy ri...

Страница 198: ...for the ACI The name can be any string that identifies the ACI The ACI name is required permission specifically outlines what rights you are either allowing or denying for example read or search righ...

Страница 199: ...all attributes in her own directory entry The following sections describe the syntax of each portion of the ACI in more detail Defining Targets The target identifies what the ACI applies to If the tar...

Страница 200: ...all entries below it For example if you target the entry ou accounting dc example dc com the permissions you set will apply to all entries in the accounting branch of the example com tree As a counte...

Страница 201: ...rgeting a Directory Entry To target a directory entry and the entries below it you must use the target keyword The target keyword can accept a value of the following format target ldap distinguished_n...

Страница 202: ...xample uid andy dc example dc com targets all the directory entries in the entire example com tree with a matching uid attribute and not just the entries that are immediately below the dc example dc c...

Страница 203: ...e targetattr keyword The keyword uses the following syntax targetattr attribute You can target multiple attributes by using the targetattr keyword with the following syntax targetattr attribute1 attri...

Страница 204: ...h certain criteria To do this you must use the targetfilter keyword with an LDAP filter The syntax of the targetfilter keyword is targetfilter LDAP_filter where LDAP_filter is a standard LDAP search f...

Страница 205: ...key roles such as Top Level Administrator LDAP filters are used to check that the conditions on attribute values are satisfied To create a value based ACI you must use the targattrfilters keyword wit...

Страница 206: ...entry except the superAdmin role It also allows users to add a telephone number with a 123 prefix Targeting a Single Directory Entry Targeting a single directory entry is not straightforward because...

Страница 207: ...ng access Assigning rights Allowing or Denying Access You can either explicitly allow or deny access permissions to your directory tree For more guidelines on when to allow and when to deny access ref...

Страница 208: ...te search delete compare and selfwrite to the targeted entry excluding proxy rights Rights are granted independently of one another This means for example that a user who is granted add rights can cre...

Страница 209: ...Modifying an attribute in an entry Grant write permission on the attribute type Grant write permission on the value of each attribute type This right is granted by default but could be restricted usi...

Страница 210: ...ldap self Permissions Syntax In an ACI statement the syntax for permissions is allow deny rights where rights is a list of 1 to 8 comma separated keywords enclosed within parentheses Valid keywords a...

Страница 211: ...t combine these criteria by using Boolean operators See Using Boolean Bind Rules on page 228 for more information Bind Rule Syntax Whether access is allowed or denied depends on whether an ACI s bind...

Страница 212: ...d Valid Expressions Wildcard Allowed userdn ldap distinguished_name ldap all ldap anyone ldap self ldap parent ldap suffix sub filter yes in DN only groupdn ldap DN DN no roledn ldap DN DN no userattr...

Страница 213: ...one can access it without providing a bind DN or password and regardless of the circumstances of the bind You can limit anonymous access to specific types of access for example access for read or acce...

Страница 214: ...dap suffix sub filter For example all users in the accounting and engineering branches of the example com tree would be granted or denied access to the targeted resource dynamically based on the follo...

Страница 215: ...p uid ou Accounting dc example dc com The bind rule is evaluated to be true if the client is not binding as a UID based distinguished name in the accounting subtree This bind rule only makes sense if...

Страница 216: ...eate the following ACI on the dc example dc com node aci version 3 0 acl anonymous read search allow read search userdn ldap anyone Userdn keyword containing the parent keyword userdn ldap parent The...

Страница 217: ...entire directory tree you would create the following ACI on the dc example dc com node aci version 3 0 acl Administrators write allow write groupdn ldap cn Administrators dc example dc com Groupdn ke...

Страница 218: ...ve access to the entry This example is based on DN matching However you can match any attribute of the entry used in the bind with the targeted entry For example you could create an ACI that allowed a...

Страница 219: ...ttribute in the targeted entry is expressed as a full DN The following example grants a manager full access to his or her employees entries aci target ldap dc example dc com targetattr version 3 0 acl...

Страница 220: ...agers in your company you can use this mechanism to grant managers at all levels access to information about employees that are at a lower grade than themselves The DN of the role can be under any suf...

Страница 221: ...ry used to bind with the target entry the ACI applies only to the target specified and not to the entries below it In some circumstances you might want to extend the application of the ACI several lev...

Страница 222: ...n Profiles entry as well as the first level of child entries which includes cn mail and cn news thus allowing her to search through her own mail and news IDs Figure 6 1 Using Inheritance With the user...

Страница 223: ...the manager attribute is set to their own DN For example disgruntled employee Joe cn Joe ou eng dc example dc com might want to create an entry in the Human Resources branch of the tree to use or mis...

Страница 224: ...wing certain kinds of directory access only from a specific subnet or machine For example you could use a wildcard IP address such as 12 3 45 to specify a specific subnetwork or 123 45 6 255 255 255 1...

Страница 225: ...efining Access From a Specific IP Address on page 224 Defining Access at a Specific Time of Day or Day of Week You can use bind rules to specify that binding can only occur at a certain time of day or...

Страница 226: ...true if the client is accessing the directory at any time other than 1 am timeofday 0800 The bind rule is evaluated to be true if the client is accessing the directory at any time after 8 am timeofday...

Страница 227: ...tablished through a Start TLS operation In both cases a certificate must be provided For information on setting up SSL see Chapter 11 Managing SSL SASL The client must bind to the directory over a Sim...

Страница 228: ...You must create an LDIF statement The LDIF syntax for a Boolean bind rule is as follows bind_rule boolean bind_rule boolean bind_rule For example the following bind rule will be evaluated to be true...

Страница 229: ...ng the Access Control Editor Viewing Current ACIs Creating a New ACI Editing an ACI Deleting an ACI See Access Control Usage Examples on page 234 for a collection of access control rules commonly used...

Страница 230: ...onsole on page 32 2 On the Directory Server Console select the Directory tab 3 Right click the entry in the navigation tree for which you want to set access control and select Set Access Permissions f...

Страница 231: ...he online help Viewing Current ACIs If you want to see what ACIs apply to a particular subtree in your directory follow these steps 1 On the Directory tab right click the top entry in the subtree and...

Страница 232: ...h string in the Search field and click the Search button The search results are displayed in the list below b Highlight the entries you want in the search result list and click the Add button to add t...

Страница 233: ...ry tab right click the top entry in the subtree and choose Set Access Permissions from the pop up menu The Access Control Manager window is displayed It contains the list of ACIs belonging to the entr...

Страница 234: ...vice and internet access Part of example com s web hosting service is to host the directories of client companies example com actually hosts and partially manages the directories of two medium sized c...

Страница 235: ...us access to the world to the individual subscribers subtree except for subscribers who have specifically requested to be unlisted This part of the directory could be a slave server outside of the fir...

Страница 236: ...e other checkboxes are clear 5 On the Targets tab click This Entry to display the dc example dc com suffix in the target directory entry field In the attribute table locate the userPassword attribute...

Страница 237: ...On the Rights tab tick the checkboxes for read and search rights Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the dc subscribers dc example dc com suffix i...

Страница 238: ...the Console you can set this permission by doing the following 1 On the Directory tab right click the example com node in the left navigation tree and choose Set Access Permissions from the pop up me...

Страница 239: ...e Subscribers In LDIF to grant example com subscribers the right to update their password and home telephone number you would write the following statement aci targetattr userPassword homePhone versio...

Страница 240: ...c subscribers dc example dc com suffix in the target directory entry field a In the filter for subentries field type the following filter unlistedSubscriber yes b In the attribute table tick the check...

Страница 241: ...superAdmin role This is illustrated in the ACI Roles example ACI Roles In LDIF to grant example com employees the right to add any role to their own entry except the superAdmin role you would write th...

Страница 242: ...dc example dc com version 3 0 acl Roles allow write userdn ldap self and dns example com 7 Click OK The new ACI is added to the ones listed in the Access Control Manager window Granting a Group Full A...

Страница 243: ...o the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area to Users and Groups and type HRgroup in the Search for field This ex...

Страница 244: ...s objectClass groupOfNames version 3 0 acl Create Group allow add userdn ldap uid ou example people dc example dc com and dns example com This example assumes that the ACI is added to the ou social co...

Страница 245: ...pOfNames The LDIF statement should read as follows targattrfilters add objectClass objectClass groupOfNames targetattr target ldap ou social committee dc example dc com version 3 0 acl Create Group al...

Страница 246: ...day and Access requested from a specified IP address for each company These conditions are illustrated in a single ACI for each company ACI HostedCompany1 and ACI HostedCompany2 Because the content of...

Страница 247: ...ccess permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab click the Check All button 5 On the Targets tab click This Entry to display the ou HostedCompany1 ou corp...

Страница 248: ...cess to it For example example com wants all subscribers to be able to read billing information such as connection time or account balance under their own entries but explicitly wants to deny write ac...

Страница 249: ...he target directory entry field In the attribute table tick the checkboxes for the connectionTime and accountBalance attributes All other checkboxes should be clear This task is made easier if you cli...

Страница 250: ...tton to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write Make sure the other c...

Страница 251: ...tional unit branch points using the directory tab on the Directory Server Console Allowing Users to Add or Remove Themselves From a Group Many directories set ACIs that allow users to add or remove th...

Страница 252: ...suffix in the target directory entry field In the attribute table tick the checkbox for the member attribute All other checkboxes should be clear This task is made easier if you click the Check None...

Страница 253: ...3 0 acl allowAll AcctAdmin allow all userdn ldap uid AcctAdministrator ou Administrators dc example dc com The following ACI granting proxy rights to the client application must exist in the director...

Страница 254: ...at also apply Advanced Access Control Using Macro ACIs In organizations that use repeating directory tree structures it is possible to optimize the number of ACIs used in the directory by using macros...

Страница 255: ...so repeated across the tree because the example com directory tree stores the following suffixes dc hostedCompany2 dc example dc com and dc hostedCompany3 dc example dc com The ACIs that apply in the...

Страница 256: ...Figure 6 4 Example directory tree for Macro ACIs The following ACI is located on the dc hostedCompany1 dc example dc com node aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Do...

Страница 257: ...rsion 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc subdomain1 dc hostedCompany2 dc example dc com In the four ACIs shown above the only differentiator is the DN sp...

Страница 258: ...roupdn userattr you must define a target that contains dn In short you when using any macro you always need a target definition that contains the dn macro You can combine the dn macro and the attr att...

Страница 259: ...ss is granted or not Macro Matching for dn The matching mechanism for dn is slightly different than for dn The DN of the targeted resource is examined several times each time dropping the left most RD...

Страница 260: ...n 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dn dc example dc com It grants access to the members of cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com t...

Страница 261: ...c example dc com ou People dc HostedCompany1 dc example dc com In this case when the Directory Server evaluates the ACI it performs a logical OR on the following expanded expressions roledn ldap cn Do...

Страница 262: ...e value already displayed is 8192 replication debugging you should change the value to 8320 For complete information on error log levels refer to Netscape Directory Server Configuration Command and Fi...

Страница 263: ...the directory and limiting system resources available to users depending upon their bind DNs This chapter contains the following sections Managing the Password Policy page 263 Inactivating Users and R...

Страница 264: ...ithin the directory except for the Directory Manager Your password policy is comprised of the following information Password add and modify information The password information includes password synta...

Страница 265: ...swords to expire select the Password never expires radio button 8 If you want users to have to change their passwords periodically select the Password expires after X days radio button and then enter...

Страница 266: ...discover This attribute is off by default passwordChange When on this attribute indicates that users may change their own password Choosing for users to set their own passwords runs the risk of users...

Страница 267: ...ial word is any value stored in the uid cn sn givenName ou or mail attributes of the user s entry This attribute is off by default passwordMinLength This attribute specifies the minimum number of char...

Страница 268: ...ning users can reuse old passwords passwordInHistory This attribute indicates the number of passwords the directory stores in the history You can store from 2 to 24 passwords in the history This featu...

Страница 269: ...into the directory by repeatedly trying to guess a user s password You can set up your password policy so that a specific user is locked out of the directory after a given number of failed attempts to...

Страница 270: ...out Policy Attributes Attribute Name Definition passwordLockout This attribute indicates whether users are locked out of the directory after a given number of failed bind attempts You set the number o...

Страница 271: ...te specifies the time in seconds after which the password failure counter will be reset Each time an invalid password is sent from the user s account the password failure counter is incremented If the...

Страница 272: ...on for example the server identities need to have passwords that never expire To make sure that these special users have passwords that do not expire add the passwordExpirationTime attribute to the en...

Страница 273: ...view the state of the object by selecting Inactivation State from the View menu The icon of the object then appears in the right pane of the console with a red slash through it Inactivating User and R...

Страница 274: ...pane The right pane states that the role or user is activated Click Activate to activate the user or role 4 If the user or role is a member of another inactivated role the console displays an option...

Страница 275: ...he Bind DN You can control server limits for search operations using special operational attribute values on the client application binding to the directory You can set the following search operation...

Страница 276: ...e navigation tree in the left navigation pane and double click the user or role for which you want to set resource limits The Edit Entry dialog box appears 3 Click Account in the left pane The right p...

Страница 277: ...a search return size limit of 500 entries nsSizeLimit Specifies the maximum number of entries the server returns to a client application in response to a search operation Giving this attribute a valu...

Страница 278: ...Setting Resource Limits Based on the Bind DN 278 Netscape Directory Server Administrator s Guide August 2002...

Страница 279: ...ter includes the following topics Replication Overview page 280 Replication Scenarios page 284 Summary of Steps for Complex Replication Configurations page 289 Detailed Replication Tasks page 290 Conf...

Страница 280: ...ication Replication Identity Replication Agreement Compatibility with Earlier Versions of Directory Server Read Write Replica Read Only Replica A database that participates in replication is defined a...

Страница 281: ...ge log is a record that describes the modifications that have occurred on a replica The supplier server then replays these modifications to the replicas stored on consumer servers or to other supplier...

Страница 282: ...erver that receives updates from another server that is on every hub supplier or a dedicated consumer When you configure a replica that receives updates from another server you must specify this entry...

Страница 283: ...eplication mechanism in this version of Directory Server is different from the mechanism used in earlier versions of Directory Server Compatibility is provided through the Legacy Replication Plug in T...

Страница 284: ...ad write replica on one server called the supplier server The supplier server also maintains change log for this replica On another server called the consumer server you have as many read only replica...

Страница 285: ...eplicated to two read only replicas located on Server B and Server C For information on setting up a single master replication environment refer to Configuring Single Master Replication on page 296 Mu...

Страница 286: ...te requests that they receive Such scenarios are called multi master configurations Figure 8 2 shows an example of multi master replication scenario Figure 8 2 Multi Master Replication Multi master co...

Страница 287: ...for a particular replica It holds a read only replica and maintains a change log It receives updates from the supplier server that holds the master copy of the data and in turn supplies those updates...

Страница 288: ...n on setting up cascading replication refer to Configuring Cascading Replication on page 305 NOTE You can combine multi master and cascading replication For example in the multi master scenario illust...

Страница 289: ...supplier DN entry Specify the supplier settings for replication includes change log configuration Specify the replica settings for a read write replica 3 On all suppliers Create the replica databases...

Страница 290: ...ntry that the suppliers will use to bind to the consumer servers to perform replication updates The supplier bind DN must meet the following criteria It must be unique It must be created on the consum...

Страница 291: ...passwords expiring To disable the password expiration policy on the userPassword attribute add the passwordExpirationTime attribute with a value of 20380119031407Z which means that the password will n...

Страница 292: ...click Browse to display a file selector 6 Set the change log number and age parameters You must clear the unlimited checkboxes to specify different values 7 Click Save to save the supplier settings Co...

Страница 293: ...e Using the Directory Server Console on page 32 2 In the left navigation tree expand the Replication folder and highlight the replica database The Replica Settings tab is displayed in the right naviga...

Страница 294: ...rm ldap servername port If you want clients to bind to the supplier using SSL you can use this field to specify a referral of the form ldaps servername port where the s in ldaps indicates secure conne...

Страница 295: ...red to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replication agreement that includes the current replica You can choose to...

Страница 296: ...ion agreement icon indicates that your replication agreement is set up Configuring Single Master Replication This section provides information on configuring single master replication The steps descri...

Страница 297: ...ication settings required for a read only replica a In the Directory Server Console click the Configuration tab b In the navigation tree expand the Replication folder and highlight the replica databas...

Страница 298: ...udes the current replica Automatic referrals assume that clients will bind over a regular connection and therefore are of the form ldap servername port If you want clients to bind to the supplier usin...

Страница 299: ...he IDs used for read write replicas on this server and on other servers e In the Common Settings section specify a purge delay in the Purge delay field This option indicates how often the state inform...

Страница 300: ...to the detailed task descriptions are provided at each step To set up multi master replication such as the configuration shown in Figure 8 2 on page 286 between two suppliers Server A and Server B tha...

Страница 301: ...tab is displayed in the right hand side of the window c Check the Enable Replica checkbox d In the Replica Role section select the Dedicated Consumer radio button e In the Common Settings section spec...

Страница 302: ...re of the form ldap servername port If you want clients to bind to the supplier using SSL you can use this field to specify a referral of the form ldaps servername port where the s in ldaps indicates...

Страница 303: ...member to disable it to prevent replication from failing due to passwords expiring To disable the password expiration policy on the userPassword attribute add the passwordExpirationTime attribute with...

Страница 304: ...to save the replication settings for the database 4 On Server A set up the following replication agreements One with supplier Server B where B is configured as a consumer for the replica One for each...

Страница 305: ...ication In the case of multi master replication you should initialize replicas in the following order 1 Ensure one master has the complete set of data to replicate Use this master to initialize the re...

Страница 306: ...rver 1 On the consumer server create the database for the replica if it does not exist For instructions refer to Creating Suffixes on page 80 2 On the consumer server create the entry corresponding to...

Страница 307: ...eferred to the supplier servers that you specify here If you specify none updates are referred to the supplier servers that have a replication agreement that includes the current replica In the case o...

Страница 308: ...t exist This is the special entry that the supplier will use to bind a In the Directory Server Console click the Directory tab and create an entry For example you could use cn Replication Manager cn c...

Страница 309: ...entry DN field Click Add You supplier bind DN will appear in the Current Supplier DNs or entry DNs to which the supplier s certificate is mapped field directly above Repeat the operation for every sup...

Страница 310: ...Default button or click the Browse button to display a file selector f Set the change log parameters number and age You must clear the unlimited checkboxes if you want to specify different values g Cl...

Страница 311: ...e following order 1 Use the supplier server to initialize the replica on the hub supplier 2 From the hub supplier initialize the replica on the consumer For information on initializing replicas refer...

Страница 312: ...cess afresh To delete the change log you can either remove it or move it to a new location This section contains the information for the following procedures Removing the Change Log Moving the Change...

Страница 313: ...umers This section is divided into the following parts When to Initialize a Consumer Online Consumer Initialization Using the Console Manual Consumer Initialization Using the Command Line When to Init...

Страница 314: ...er online 1 Create a replication agreement See Creating a Replication Agreement on page 295 2 On the supplier server on the Directory Server Console select the Configuration tab 3 Expand the Replicati...

Страница 315: ...consumer initialization process is more complex than the online consumer initialization process We suggest you use the manual process whenever you find that the online process is inappropriate due to...

Страница 316: ...s in the Directory Server Console or by using either the ldif2db script or ldif2db pl script Both import methods are described in Importing From the Command Line on page 147 If you use the ldif2db scr...

Страница 317: ...the Console To ensure that replication updates are sent immediately when a consumer or a supplier in a multi master replication configuration comes back online after a period of time you can perform t...

Страница 318: ...bin sh SUP_HOST supplier_hostname SUP_PORT supplier_portnumber SUP_MGRDN supplier_directoryManager SUP_MGRPW supplier_directoryManager_passwd MY_HOST consumer_hostname MY_PORT consumer_portnumber ldap...

Страница 319: ...SUP_MGRPW f tmp ldif Table 8 1 Replicate_Now Variables Variable Definition supplier_hostname Hostname of the supplier to contact for information on replication agreements with the current consumer su...

Страница 320: ...SSL Configure your consumer server to recognize your supplier server s certificate as the supplier DN You do this only if you want to use SSL client authentication rather than simple authentication Th...

Страница 321: ...on If you select SSL Client Authentication the supplier and consumer servers will use certificates to authenticate to each other If you select Simple Authentication the supplier and consumer servers w...

Страница 322: ...ory Server can be involved in replication scenarios with earlier releases of Directory Server providing the following conditions are met Directory Server is defined as a consumer in the replication ag...

Страница 323: ...t contain at least 8 characters 5 Click Save You must now configure legacy consumer settings for each replica that will receive updates from a legacy supplier 6 In the navigation tree expand the Repli...

Страница 324: ...e level of entries Each entry in the change log has the object class changeLogEntry and can include the attributes listed in Table 8 2 NOTE The Directory Server Console will not prevent you from confi...

Страница 325: ...etro Changelog Plugin cn plugins cn config cn Retro Changelog Plugin changetype modify replace nsslapd pluginenabled nsslapd pluginenabled on 2 Use the ldapmodify command to import the LDIF file into...

Страница 326: ...ich entries are automatically deleted from the change log you must set the nsslapd changelogmaxage configuration attribute in the cn Retro Changelog Plugin cn plugins cn config entry The nsslapd chang...

Страница 327: ...not granted except implicitly to the Directory Manager You should not grant read access to anonymous users because the change log entries can contain modifications to sensitive information such as pa...

Страница 328: ...tus Table Header Description Agreement Contains the name you provided when you set up the replication agreement Replica suffix Contains the suffix that is replicated Supplier Specifies the supplier se...

Страница 329: ...the MM DD YYYY HH MI Seq SubSeq format where Seq and SubSeq are omitted if they are zero Shows the output result in the HTML format The script writes the output to an HTML file which can be configured...

Страница 330: ...r there are some cases where change conflicts require manual intervention in order to reach a resolution Entries that have a change conflict that cannot be resolved automatically by the replication pr...

Страница 331: ...ss ou people dc example dc com created at time t1 nsuniqueid 66446001 1dd211b2 uid adamss dc example dc com created at time t2 The second entry needs to be renamed in such a way that it has a unique D...

Страница 332: ...1 Rename the entry using a different naming attribute and keep the old RDN For example prompt ldapmodify D adminDN w passwd dn nsuniqueid 66446001 1dd211b2 dc pubs dc example dc com changetype modrdn...

Страница 333: ...o avoid having orphaned entries in the directory In the same way when an add operation is replicated and the consumer server cannot find the parent entry the conflict resolution procedure creates a gl...

Страница 334: ...ify the default ACI that grants anonymous read access using the following command ldapmodify h hostname D cn Directory Manager w passwd dn dc example dc com changetype modify delete aci aci target lda...

Страница 335: ...ation Command and File Reference enables you to troubleshoot replication related problems Depending on the usage options the script can selectively dump a particular replica Dump the contents of a rep...

Страница 336: ...Troubleshooting Replication Related Problems 336 Netscape Directory Server Administrator s Guide August 2002...

Страница 337: ...to your schema you must create a new object class to contain them Although it may seem convenient to just add the attributes you need to an existing object class that already contains most of the att...

Страница 338: ...lowing sections describe how to manage attributes Viewing Attributes Creating Attributes Editing Attributes Deleting Attributes For information on managing object classes see Managing Object Classes o...

Страница 339: ...your enterprise send mail to the IANA Internet Assigned Number Authority at iana iana org or visit the IANA website at http www iana org Syntax The attribute syntax Case Ignore String Indicates that v...

Страница 340: ...one instance of a multi valued attribute per entry 7 Click OK Editing Attributes You can edit only attributes you have created You cannot edit standard attributes To edit an attribute 1 Display the At...

Страница 341: ...n Viewing Attributes on page 338 2 In the User Defined Attributes table select the attribute and click Delete 3 If prompted confirm the delete The server immediately deletes the attribute There is no...

Страница 342: ...ationalPerson Typically if you want to add new attributes for user entries the parent would be the inetOrgPerson object class If you want to add new attributes for corporate entries the parent is usua...

Страница 343: ...the Parent drop down menu You can choose from any existing object class See Table 9 2 on page 342 for more information on parent object classes 6 To add an attribute that must be present in entries t...

Страница 344: ...you want to edit from the Object Classes list and click Edit The Edit Object Class dialog box is displayed 3 To change the name of the object class enter the new name in the Name text box 4 To change...

Страница 345: ...move and click Delete 3 If prompted confirm the delete The server immediately deletes the object class There is no undo Turning Schema Checking On and Off When schema checking is on the Directory Serv...

Страница 346: ...on tree then select the Settings tab in the right pane 3 To enable schema checking check the Enable Schema Checking checkbox clear it to turn off schema checking 4 Click Save You can also turn schema...

Страница 347: ...dexing mechanism in context and then describes how to create delete and manage indexes This chapter contains the following sections About Indexes page 347 Creating Indexes page 356 Deleting Indexes pa...

Страница 348: ...he presence index is not used for base object searches Equality index eq The equality index allows you to search efficiently for entries containing a specific attribute value For example an equality i...

Страница 349: ...ins hundreds of entries for example the ou people branch You can create a browsing index on any branchpoint in the directory tree to improve display performance You do this through the Directory Serve...

Страница 350: ...plug in See Netscape Directory Server Administrator s Guide for more information seeAlso X Improves Netscape server performance This index is also used by the referential integrity plug in See Maintai...

Страница 351: ...umber Overview of the Searching Algorithm Indexes are used to speed up searches To understand how the directory uses indexes it helps to understand the searching algorithm Each index contains a list o...

Страница 352: ...rectory consults multiple indexes and then combines the resulting lists of candidate entries 4 If there is an index for the attribute the directory takes the candidate matches from the index files in...

Страница 353: ...d in the entry string All of the query string codes are in the same order as the entry string codes For example NOTE The metaphone phonetic algorithm in Directory Server supports only US ASCII letters...

Страница 354: ...lthough the search performance may be degraded significantly depending on the type of search Keep in mind that the more indexes you maintain the more disk space you will require The following example...

Страница 355: ...entry for John and John Doe 2 Create the appropriate common name approximate index entries for John and John Doe 3 Create the appropriate common name substring index entries for John and John Doe 4 C...

Страница 356: ...equality approximate substring and international indexes for specific attributes To create indexes 1 In the Directory Server Console select the Configuration tab NOTE Given that this version of Direc...

Страница 357: ...ng multiple languages by listing multiple OIDs separated by commas but no whitespace For a list of languages their associated OIDs and further information regarding collation orders see Appendix D Int...

Страница 358: ...corresponds to the name of the database For information on the LDIF update statements required to add entries see LDIF Update Statements on page 62 For example assume you want to create presence equal...

Страница 359: ...index in this example the sn attribute The entry is a member of the nsIndex object class The nsSystemIndex attribute is false indicating that the index is not essential to Directory Server operations...

Страница 360: ...ctory Server Configuration Command and File Reference Running the db2index pl Script Once you have created an indexing entry or added additional index types to an existing indexing entry run the db2in...

Страница 361: ...File Reference Creating Browsing Indexes From the Server Console To create a browsing index or virtual list view VLV index using the Directory Server Console 1 In the Directory Server Console select t...

Страница 362: ...ines dn oid 2 16 840 1 113730 3 4 9 cn features cn config objectClass top objectClass directoryServerFeature oid 2 16 840 1 113730 3 4 9 cn VLV Request Control aci targetattr aci version 3 0 acl VLV R...

Страница 363: ...tes you want to sort The filter of the search For more information on specifying filters for searches see Appendix B Finding Directory Entries The ldbm database to which the entry that forms the base...

Страница 364: ...s example the dc example dc com entry that is the browsing index identifier The vlvscope attribute is one indicating that the base for the search you want to accelerate is one A search base of one mea...

Страница 365: ...Server Configuration Command and File Reference Two examples of generating browsing indexes using the vlvindex script follow Windows batch file you need to run the script from the bin slapd admin bin...

Страница 366: ...V Request Control aci targetattr aci version 3 0 acl VLV Request Control allow read search compare proxy userdn ldap all creatorsName cn server cn plugins cn config modifiersName cn server cn plugins...

Страница 367: ...ndex 3 Locate the attribute containing the index you want to delete Clear the checkbox under the index If you want to delete all indexes maintained for a particular attribute select the attribute s ce...

Страница 368: ...escribe the steps involved in deleting an index Deleting an Index Entry Use the ldapdelete command line utility to delete either the entire indexing entry or the unwanted index types from an existing...

Страница 369: ...ning the db2index pl Script Once you have deleted an indexing entry or deleted some of the index types from an indexing entry run the db2index pl script to generate the new set of indexes to be mainta...

Страница 370: ...er w password n Example1 UNIX shell script db2index pl D cn Directory Manager w password n Example1 The following table describes the db2index pl options used in the examples For more information abou...

Страница 371: ...dex entries or edit existing browsing index entries Running the vlvindex script to generate the new set of browsing indexes to be maintained by the server The following sections describe the steps inv...

Страница 372: ...type the following to change to the directory containing the utility cd serverRoot shared bin Perform the ldapdelete as follows ldapdelete D cn Directory Manager w password h ExampleServer p 845 cn d...

Страница 373: ...e new set of browsing indexes to be maintained by the Directory Server Once you run the script the new set of browsing indexes is active for any new data you add to your directory and any existing dat...

Страница 374: ...ndex key In effect the All IDs token causes the server to behave as if no index was available for that type of search The directory assumes that some other aspect of the search request will allow the...

Страница 375: ...mined when servicing the search request However over time your directory may continue to grow As it does more and more James may be added but at the same relatively small proportion of total directory...

Страница 376: ...eshold is as little as 0 5 percent of your current database size or as great as 50 percent of your current database size However we nevertheless recommend you aim to stay as close to the 5 percent rul...

Страница 377: ...ou to increase your directory size If your directory takes years to grow then plan to do a database rebuild If in a few months your directory increases in size by an order of magnitude or greater cons...

Страница 378: ...IDs being returned will contain the notes U flag The notes U flag will be returned for Searches for which you are not maintaining an index Searches for which an ID list is not maintained because the...

Страница 379: ...e increased in memory requirements will differ depending on the number and types of indexes that you are maintaining but the requirements will never be larger than the factor by which you increased th...

Страница 380: ...e Quick Reference Table Attribute Primary Name Attribute Alias dn distinguishedName cn commonName sn surName c countryName l localityName st stateOrProvinceName street streetAddress o organization ou...

Страница 381: ...erver page 381 Obtaining and Installing Server Certificates page 383 Activating SSL page 387 Setting Security Preferences page 389 Using Certificate Based Authentication page 391 Configuring LDAP Clie...

Страница 382: ...s means that you do not have to choose between SSL or non SSL communications for your Directory Server you can use both at the same time Enabling SSL Summary of Steps To configure your Directory Serve...

Страница 383: ...nerate a Certificate Request Step 2 Send the Certificate Request to the Certificate Authority Step 3 Install the Certificate Step 4 Trust the Certificate Authority Step 5 Confirm That Your New Certifi...

Страница 384: ...o character abbreviation for your country s name ISO format The country code for the United States is US The Netscape Schema Reference Guide contains a complete list of ISO Country Codes 5 Enter the p...

Страница 385: ...pany it could take several weeks to respond to your request When the CA sends a response be sure to save the information in a text file You will need the data when you install the certificate You shou...

Страница 386: ...Authority from which you obtained the server s certificate Step 4 Trust the Certificate Authority Configuring your Directory Server to trust the certificate authority consists of obtaining your CA s c...

Страница 387: ...r you should first make sure that the certificates have been installed correctly Step 5 Confirm That Your New Certificates Are Installed 1 On the Directory Server Console select the Tasks tab and clic...

Страница 388: ...6 Select the certificate that you want to use from the drop down menu 7 Click Cipher Settings The Cipher Preference dialog box is displayed 8 Select the checkbox next to the cipher you want to use an...

Страница 389: ...inds that the peer server s hostname doesn t match the name specified in its certificate DATE SSL alert ldap_sasl_bind LDAP_SASL_EXTERNAL 81 Netscape runtime error 12276 Unable to communicate securely...

Страница 390: ...ation FIPS DES with 56 bit encryption and SHA message authentication This cipher meets the FIPS 140 1 U S government standard for implementations of cryptographic modules FIPS Triple DES with 168 bit...

Страница 391: ...uthentication can occur between An LDAP client connecting to the Directory Server A Directory Server connecting to another Directory Server replication or chaining Setting up Certificate Based Authent...

Страница 392: ...ers You will have to use the appropriate command line utilities instead However if at a later date you wish to change your directory configuration to no longer require but allow client authentication...

Страница 393: ...If it does not already exist the certificate database will be created 2 Use Communicator to connect to your Certificate Authority If you are using an internally deployed Netscape Certificate Managemen...

Страница 394: ...BhbG9va2FWaWxsZSBXaWRnZXRzLCBJbmMuMR0wGwYDVQQLExRX aWRnZXQgTWFrZXJzICdSJyBVczEpMCcGA1UEAxMgVGVzdCBUZXN0IFRlc3QgVGVz dCBUZXN0IFRlc3QgQ0EwHhcNOTgwMzEyMDIzMzU3WhcNOTgwMzI2MDIzMzU3WjBP MQswCQYDVQQGEwJVUzE...

Страница 395: ...ng Directory Entries on page 49 You can now use SSL with your LDAP clients For information on how to use SSL with ldapmodify ldapdelete and ldapsearch refer to Netscape Directory Server Configuration...

Страница 396: ...Configuring LDAP Clients to Use SSL 396 Netscape Directory Server Administrator s Guide August 2002...

Страница 397: ...abase Activity page 411 Monitoring Database Link Activity page 416 For information on using SNMP to monitor your Directory Server see Chapter 13 Monitoring Directory Server Using SNMP Viewing and Conf...

Страница 398: ...r the maximum age defined in the next step the directory archives the file and starts a new one If you set the maximum number of logs to 1 the directory ignores this attribute How often the directory...

Страница 399: ...ter is ignored in the number of log files is set to 1 Access Log The access log contains detailed information about client connections to the directory This section contains the following procedures V...

Страница 400: ...beneficial troubleshooting information To configure the access log for your directory 1 In the Directory Server Console select the Configuration tab Then in the navigation tree expand the Logs folder...

Страница 401: ...m the Select Log pull down menu 4 To specify a different number of messages enter the number you want to view in the Lines to show text box and click Refresh 5 You can display messages containing a st...

Страница 402: ...evel options see Log Level in the Netscape Directory Server Configuration Command and File Reference Changing these values from the defaults may cause your error log to grow very rapidly so it is reco...

Страница 403: ...igure audit logging 1 On the Directory Server Console select the Configuration tab Then in the navigation tree expand the Logs folder and select the Audit Log icon The audit log configuration attribut...

Страница 404: ...og file you are rotating in case you need the old log file for future reference 3 Restart the server See Starting and Stopping the Directory Server on page 35 for instructions Monitoring Server Activi...

Страница 405: ...rview of Server Performance Monitor Information The server provides monitoring information as described in the following sections General Information Server Resource Summary Current Resource Usage Con...

Страница 406: ...2 1 Server Performance Monitoring Resource Summary Resource Usage since startup Average per minute Connections Total number of connections to this server since server startup Average number of connect...

Страница 407: ...available to a task On Windows NT and IBM AIX the number of allowed concurrent connections is generated by the operating system but is not based on file descriptors Refer to your operating system docu...

Страница 408: ...rver is trying to send data to the client or read data from the client but cannot The probable cause is a slow network or client Table 12 4 Server Performance Monitoring Global Database Cache Table He...

Страница 409: ...ersion number threads Current number of active threads used for handling requests Additional threads may be created by internal server tasks such as replication or chaining connection fd opentime opsi...

Страница 410: ...ne file descriptor one for every open index one for log file management and one for ns slapd itself Essentially this value lets you know about how many more concurrent connections can be serviced by t...

Страница 411: ...mance monitors and what sort of information the performance monitors provide Viewing Database Performance Monitors To monitor your database s activities 1 On the Directory Server Console select the St...

Страница 412: ...equest by obtaining data from the cache rather than by going to disk Entry cache tries Indicates the total number of entry cache lookups since the directory was last started That is the total number o...

Страница 413: ...Indicates the number of times the database cache was asked for a page Hit ratio Indicates the ratio of database cache hits to database cache tries The closer this value is to 100 the better Whenever...

Страница 414: ...mber of read write pages discarded from the cache to make room for new pages This value differs from Pages Written Out in that these are discarded read write pages that have not been modified Table 12...

Страница 415: ...cachehitratio Provides the same information as described in Entry cache hit ratio on page 412 in Table 12 5 currententrycachesize Provides the same information as described in Current entry cache size...

Страница 416: ...14 Monitoring Database Link Activity You can monitor the activity of your database links from the command line using the monitoring attributes Use the ldapsearch command line utility to return the att...

Страница 417: ...of modify operations received nsRenameCount Number of rename operations received nsSearchBaseCount Number of base level searches received nsSearchOneLevelCount Number of one level searches received n...

Страница 418: ...Monitoring Database Link Activity 418 Netscape Directory Server Administrator s Guide August 2002...

Страница 419: ...ad popularity It is this interoperability combined with the fact that SNMP can take on numerous jobs specific to a whole range of different device classes that make SNMP the ideal standard mechanism f...

Страница 420: ...chine For example if you have Directory Server Netscape Enterprise Server and Netscape Messaging Server all installed on the same host the subagents for each of these servers communicates with the sam...

Страница 421: ...col data unit from the NMS is a request for information about variables the subagent gives information to the master agent and the master agent sends it back to the NMS in the form of another protocol...

Страница 422: ...ldap nsldapd OBJECT IDENTIFIER 1 3 6 1 4 1 1450 7 The object identifier is located in the serverRoot plugins snmp directory You can see administrative information about your directory and monitor the...

Страница 423: ...number of read operations serviced by this directory since application start The value of this object will always be 0 because LDAP implements read operations indirectly via the search operation dsCom...

Страница 424: ...nd service errors Partially serviced requests will not be counted as an error Table 13 2 Entries Table Managed Objects and Descriptions Managed Object Description dsMasterEntries The number of directo...

Страница 425: ...y containing interaction details of a Directory Server with a peer Directory Server dsIntIndex Together with applIndex it forms the unique key to identify the conceptual row which contains useful info...

Страница 426: ...2 Enable Directory Server statistics collection See Configuring SNMP for the Directory Server on page 429 for information 3 Restart the Windows NT SNMP service See Starting and Stopping the SNMP Serv...

Страница 427: ...agent See Configuring SNMP for the Directory Server on page 429 for information 4 Start the directory subagent See Starting and Stopping the SNMP Subagent on UNIX on page 428 for information Configuri...

Страница 428: ...t to stop the subagent you must do so from this tab Starting and Stopping the SNMP Service on Windows NT It is important to note that the master agent on Windows NT is the SNMP Service and not the SNM...

Страница 429: ...ble Statistics Collection checkbox to enable Directory Server statistics collection Clear the checkbox to disable it 5 For UNIX servers enter the hostname on which the master agent resides and the por...

Страница 430: ...inistrator s Guide August 2002 10 Click Save 11 Restart the subagent UNIX or restart the SNMP service Windows NT See Starting and Stopping the SNMP Subagent on UNIX on page 428 or Starting and Stoppin...

Страница 431: ...e You can manage your server s performance by limiting the amount of resources the server uses to proces client search requests You can define The maximum number of entries the server returns to the c...

Страница 432: ...rch request in the Time Limit text box If you do not want to set a limit type zero 1 in this text box 5 Enter the time in seconds during which you want the server to maintain an idle connection before...

Страница 433: ...ributes Your ability to improve server performance with these attributes depends on the size of your database the amount of physical memory available on your machine and whether directory searches are...

Страница 434: ...ne This tab contains the database attributes for all databases stored on this server 3 In the Maximum Cache Size field enter a value corresponding to the amount of memory that you want to make availab...

Страница 435: ...directory does not perform the operation immediately Instead the operation is stored in a temporary memory cache on the Directory Server until the operation is completed If the server experiences a fa...

Страница 436: ...attribute to the cn config cn ldbm database cn plugins cn config entry Provide the full path to the log directory in the attribute For information on the nsslapd db logdirectory attribute syntax see...

Страница 437: ...to Adding and Modifying Entries Using ldapmodify on page 57 Disabling Durable Transactions Durable transaction logging means that the temporary database transaction log is in fact physically written t...

Страница 438: ...attribute to a value of greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value For transaction batching to be valid...

Страница 439: ...r entries As a result if many entries and particularly entries that are likely to be updated frequently are stored under cn config performance will probably suffer However although we recommend you do...

Страница 440: ...Miscellaneous Tuning Tips 440 Netscape Directory Server Administrator s Guide August 2002...

Страница 441: ...ns Reference Chapter 15 Administering Directory Server Plug Ins Chapter 16 Using the Pass Through Authentication Plug In Chapter 17 Using the Attribute Uniqueness Plug In Chapter 18 Configuring IM Pre...

Страница 442: ...442 Netscape Directory Server Administrator s Guide August 2002...

Страница 443: ...Console page 464 Server Plug in Functionality Reference The following tables provide you with a quick overview of the plug ins provided with Directory Server along with their configurable options conf...

Страница 444: ...ies None Performance Related Information None Further Information If your Directory Server uses non ASCII characters for example Japanese turn this plug in off Table 15 2 Details of ACI Plug In Plug i...

Страница 445: ...Configurable Arguments None Dependencies database Performance Related Information None Further Information Chapter 6 Managing Access Control Table 15 4 Details of Binary Syntax Plug In Plug in Name B...

Страница 446: ...s None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 6 Details of Case Exact String Sy...

Страница 447: ...ents None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 8 Details of...

Страница 448: ...ncies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter 5 Advanced Entry Management Ta...

Страница 449: ...ments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Table 15 12 Details...

Страница 450: ...15 13 Details of Integer Syntax Plug In Plug in Name Integer Syntax DN of Configuration Entry cn Integer Syntax cn plugins cn config Description Syntax for handling integers Configurable Options on o...

Страница 451: ...of this plug in You should leave this plug in running at all times Further Information See Appendix D Internationalization Table 15 15 Details of ldbm Database Plug In Plug in Name ldbm database Plug...

Страница 452: ...s on off Default Setting on Configurable Arguments None This plug in can be disabled if the server is not and never will be a consumer of a 4 1 server Dependencies database Performance Related Informa...

Страница 453: ...cription Syntax for handling octet strings Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration...

Страница 454: ...s cn plugins cn config Description CRYPT password storage scheme used for password encryption Configurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance R...

Страница 455: ...with earlier versions of Directory Server See Chapter 7 User Account Management Table 15 22 Details of SHA Password Storage Plug In Plug in Name SHA DN of Configuration Entry cn SHA cn Password Storag...

Страница 456: ...pendencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in running at all times Further Information Chapter 7 User Account Management...

Страница 457: ...Further Information Chapter 18 Configuring IM Presence Information in the Netscape Directory Server Administrator s Guide Table 15 26 Details of PTA Plug In Plug in Name Pass Through Authentication P...

Страница 458: ...he post operation Referential Integrity plug in performs integrity updates on the member uniquemember owner and seeAlso attributes immediately after a delete or rename operation You can reconfigure th...

Страница 459: ...tro Changelog Plugin cn plugins cn config Description Used by LDAP clients for maintaining application compatibility with Directory Server 4 x versions Maintains a log of all changes occuring in the D...

Страница 460: ...plug in You should leave this plug in running at all times Further Information Chapter 5 Advanced Entry Management Table 15 30 Details of Space Insensitive String Syntax Plug In Plug in Name Space Ins...

Страница 461: ...llowing Screen Name values johndoe john doe and John Doe For more information about finding directory entries see Appendix B Finding Directory Entries Note that the nsAIMID attribute type which is a p...

Страница 462: ...figurable Options on off Default Setting on Configurable Arguments None Dependencies None Performance Related Information Do not modify the configuration of this plug in You should leave this plug in...

Страница 463: ...Uniqueness plug in will not work at all and should therefore not be enabled If you try to add a new entry to a server where the UID Uniqueness plug in is enabled and a referral has been created in a...

Страница 464: ...gins list 4 To disable the plug in clear the Enabled checkbox To enable the plug in check this checkbox 5 Click Save 6 Restart the Directory Server Table 15 34 Details of URI Plug In Plug in Name URI...

Страница 465: ...Directory Server Uses PTA page 465 PTA Plug In Syntax page 467 Configuring the PTA Plug In page 469 PTA Plug In Syntax Examples page 475 How Directory Server Uses PTA If you install the configuration...

Страница 466: ...Machine A Server Name configdir example com Suffix o NetscapeRoot 2 You install the user directory server PTA directory on Machine B Server Name userdir example com Suffix dc example dc com 3 During t...

Страница 467: ...y as defined by the PTA plug in configuration 7 The configuration directory authenticates the user s credentials and sends the information back to the user directory 8 The user directory allows the ad...

Страница 468: ...ing the Plug in On or Off on page 470 for more information extension File extension for the plug in The extension is always sl on HP UX so on all other UNIX platforms and dll on Windows NT ldap ldaps...

Страница 469: ...ry server If this timeout is exceeded the server returns an error to the client The default is 300 seconds five minutes Specify zero 0 to indicate no time limit should be enforced See Configuring the...

Страница 470: ...arameters Turning the Plug in On or Off To turn the PTA plug in on from the command line 1 Create an LDIF file that contains the following LDIF update statements dn cn Pass Through Authentication cn p...

Страница 471: ...he nsslapd pluginenabled on statement and add the nsslapd pluginenabled off statement Whenever you enable or disable the PTA plug in from the command line you must restart the server Configuring the S...

Страница 472: ...ile that contains the following LDIF update statements dn cn Pass Through Authentication cn plugins cn config cn Pass Through Authentication changetype add add nsslapd pluginarg0 nsslapd pluginarg0 ld...

Страница 473: ...0 ldap authDS subtree optional_parameters For example you could set the value of the nsslapd pluginarg0 attribute to ldap dirserver example com o NetscapeRoot Parameters For information on the variabl...

Страница 474: ...enticating directory server is listed in the authDS parameter no time limit will be enforced If two or more hosts are listed the default is 300 seconds five minutes In the PTA syntax this parameter is...

Страница 475: ...ot subtree The hostname of the authenticating Directory Server is config dir example com dn cn Pass Through Authentication cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass ex...

Страница 476: ...PTA directory server to pass through bind requests for more than one subtree using parameter defaults dn cn Pass Through Authentication cn plugins cn config objectClass top objectClass nsSlapdPlugin...

Страница 477: ...ng Directory Servers If you want to specify a different pass through subtree and optional parameter values for each authenticating directory server you must specify more than one LDAP URL optional par...

Страница 478: ...PTA Plug In Syntax Examples 478 Netscape Directory Server Administrator s Guide August 2002...

Страница 479: ...he following sections Overview of the Attribute Uniqueness Plug In page 479 Overview of the UID Uniqueness Plug in page 481 Attribute Uniqueness Plug In Syntax page 481 Creating an Instance of the Att...

Страница 480: ...This configuration option is explained in more detail in Specifying a Suffix or Subtree on page 487 You can specify an object class pertaining to an entry in the DN of the updated entry and perform t...

Страница 481: ...eness plug in is disabled because it affects the operation of multi master replication For information on using the attribute uniqueness plug in in a replicated environment refer to Replication and th...

Страница 482: ...in Table 17 1 Use the following syntax to specify to perform the uniqueness check below an entry containing a specified object class dn cn descriptive_plugin_name cn plugins cn config objectClass top...

Страница 483: ...are on or off See Turning the Plug in On or Off on page 487 for more information attribute_name The name of the attribute for which you want to ensure unique values You can specify one attribute name...

Страница 484: ...ntiate the attribute uniqueness plug in for the mail attribute you would perform the following steps 1 In the dse ldif file locate the entry for the uid uniqueness plug in cn uid uniqueness cn plugins...

Страница 485: ...ns folder The list of plug ins is displayed in the right navigation window You should see the uid uniqueness plug in and any other attribute uniqueness plug ins that you created following the example...

Страница 486: ...rd If you use this syntax you can click Add again to specify a requiredObjectClass as described in Attribute Uniqueness Plug In Syntax on page 481 4 To delete an item from the list place the cursor in...

Страница 487: ...ry Server on page 35 Specifying a Suffix or Subtree You specify the suffix or subtrees under which you want the plug in to ensure attribute uniqueness by using the nsslapd pluginarg attribute in the e...

Страница 488: ...d on nsslapd pluginarg0 attribute mail nsslapd pluginarg1 markerObjectClass ou nsslapd plugin depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 6 1 nsslapd pluginVendor Nets...

Страница 489: ...chines Specifying One Attribute and One Subtree Specifying One Attribute and Multiple Subtrees Specifying One Attribute and One Subtree This example configures the plug in to ensure the uniqueness of...

Страница 490: ...plugin depends on type database nsslapd pluginId NSUniqueAttr nsslapd pluginVersion 6 1 nsslapd pluginVendor Netscape Communications Corporation nsslapd pluginDescription Enforce unique attribute val...

Страница 491: ...plier It is unnecessary to enable it on the consumer server Enabling the attribute uniqueness plug in on the consumer will not prevent Directory Server from operating correctly but is likely to cause...

Страница 492: ...s Guide August 2002 When these conditions are met attribute uniqueness conflicts are reported as naming conflicts at replication time Naming conflicts require manual resolution For information on how...

Страница 493: ...emented as a Directory Server plug in giving you the flexibility to turn this feature on off The plug in enables you to configure Directory Server to provide instantaneous knowledge of an IM user s on...

Страница 494: ...s ready to use All you have to do is add the default presence attributes to a user s entry Once this is done when queried the plug in will serve the presence information for that user The online statu...

Страница 495: ...directoryOperation attributeTypes nsYIMStatusText syntax DirectoryString NO USER MODIFICATION USAGE directoryOperation You can create your own schema and modify the plug in configuration parameters ac...

Страница 496: ...er loads similar to your expected usage pattern before deployment Troubleshooting The plug in makes HTTP requests for each queried IM Status attribute Make sure that the machine in which the presence...

Страница 497: ...497 Part 3 Appendixes Appendix A LDAP Data Interchange Format Appendix B Finding Directory Entries Appendix C LDAP URLs Appendix D Internationalization...

Страница 498: ...498 Netscape Directory Server Administrator s Guide August 2002...

Страница 499: ...ta is stored using the UTF 8 encoding of Unicode Therefore the LDIF files you create must also be UTF 8 encoded This chapter provides information about LDIF in the following sections LDIF File Format...

Страница 500: ...e A 1 LDIF Fields Field Definition id Optional A positive decimal number representing the entry ID The database creation tools generate this ID for you Never add or edit this value yourself dn disting...

Страница 501: ...lines However doing so may improve the readability of your LDIF file Representing Binary Data You can represent binary data such as a JPEG image in LDIF using one of the following methods The standar...

Страница 502: ...including new lines Use the ldif command line utility with the b parameter to convert binary data to LDIF format ldif b attribute_name where attribute_name is the name of the attribute to which you a...

Страница 503: ...rectory and a list of the most commonly used attributes see the Netscape Directory Server Schema Reference Specifying Organization Entries Directories often have at least one organization entry Typica...

Страница 504: ...ganization object class This line defines the entry as an organization See the Netscape Directory Server Schema Reference for a list of the attributes you can use with this object class o organization...

Страница 505: ...ar as follows dn distinguished_name objectClass top objectClass organizationalUnit ou organizational_unit_name list_of_optional_attributes The following is a sample organizational unit entry in LDIF f...

Страница 506: ...ople dc example dc com objectclass top objectclass person objectclass organizationalPerson objectclass inetOrgPerson cn Babs Jensen sn Jensen givenname Babs uid bjensen ou Marketing ou people descript...

Страница 507: ...s This object class specification should be included because some LDAP clients require it during search operations for an organizational person objectClass inetOrgPerson Specifies the inetOrgPerson ob...

Страница 508: ...rence 3 Make sure that an entry representing a branch point in the LDIF file is placed before the entries that you want to create under that branch For example if you want to place an entry in a peopl...

Страница 509: ...ion Fictional organizational unit for example purposes tel 555 5559 dn cn June Rossi ou People o example com Corp dc example dc com objectClass top objectClass person objectClass organizationalPerson...

Страница 510: ...to add a new entry to the directory However if your organization is multinational you may find it necessary to store information in multiple languages so that users in different locales can view direc...

Страница 511: ...ensen the administrator creates the following LDIF entry dn uid bjensen ou people dc example dc com objectclass top objectclass person objectclass organizationalPerson name Babs Jensen cn Babs Jensen...

Страница 512: ...Storing Information in Multiple Languages 512 Netscape Directory Server Administrator s Guide August 2002...

Страница 513: ...g an Internationalized Directory page 525 Finding Entries Using the Server Console Use the Directory tab of the Directory Server Console to browse the contents of the directory tree and search for spe...

Страница 514: ...an entry s immediate subentries or an entire tree or subtree Search results are returned in LDIF format This section contains information about the following topics Using Special Characters ldapsearch...

Страница 515: ...ttributes returned in the search results This list of attributes must appear after the search filter For an example see Displaying Subsets of Attributes on page 519 If you do not specify a list of att...

Страница 516: ...is optional if anonymous access is supported by your server If specified this value must be a DN recognized by the Directory Server and it must also have the authority to search for the entries For ex...

Страница 517: ...e password associated with the distinguished name that is specified in the D option If you do not specify this option anonymous access is used For example w diner892 x Specifies that the search result...

Страница 518: ...er The suffix under which all data is stored is dc example dc com Returning All Entries Given the previous information the following call will return all entries in the directory ldapsearch h mozilla...

Страница 519: ...your directory use the following command line call ldapsearch h mozilla cn babs jensen In this example the default scope of sub is used because the s option was not used to specify the scope Displayi...

Страница 520: ...the entries that match either search filter ldapsearch h mozilla f searchdb You can limit the set of attributes returned here by specifying the attribute names that you want at the end of the search l...

Страница 521: ...on name values are not case sensitive When the common name attribute has values associated with a language tag all of the values are returned Thus the following two attribute values both match this fi...

Страница 522: ...of the attributes associated with types of entries see the Netscape Directory Server Schema Reference Using Operators in Search Filters The operators that you can use in search filters are listed in T...

Страница 523: ...ude the following Greater than or equal to Returns entries containing attributes that are greater than or equal to the specified value For example buildingname alpha Less than or equal to Returns entr...

Страница 524: ...do not contain the common name Ray Kultgen cn Ray Kultgen The following filter returns all entries that contain a description attribute that contains the substring X 500 description X 500 The followin...

Страница 525: ...u can request that the directory sort the results based on any language for which the server has a supporting collation order For a listing of the collation orders supported by the directory see Ident...

Страница 526: ...ussion of matching rule formats see Matching Rule Formats on page 526 value is either the attribute value you want to search for or a relational operator plus the attribute value you want to search fo...

Страница 527: ...associated language tag For a list of locales supported by the directory server and their associated language tags see Table D 1 on page 541 You can use the language tag in the matching rule portion o...

Страница 528: ...see Table D 1 on page 541 For a list of relational operators and their equivalent suffixes see Table B 3 on page 529 Using Wildcards in Matching Rule Filters When performing a substring search using...

Страница 529: ...hing rule portion of the filter Table B 3 summarizes each type of search the operator and the equivalent suffix International Search Examples The following sections show examples of how to perform int...

Страница 530: ...tching rule filters roomNumber 2 16 840 1 113730 3 3 2 23 1 CZ422 roomNumber hu CZ422 roomNumber 2 16 840 1 113730 3 3 2 23 1 2 CZ422 roomNumber hu 2 CZ422 Equality Example When you perform a locale s...

Страница 531: ...ibute in a specific collation order For example to search for all mail hosts that come after host schranka4 in the Czechoslovakian collation order you could use any of the following matching rule filt...

Страница 532: ...Searching an Internationalized Directory 532 Netscape Directory Server Administrator s Guide August 2002...

Страница 533: ...amples of LDAP URLs page 536 Components of an LDAP URL LDAP URLs have the following syntax ldap s hostname port base_dn attributes scope filter The ldap protocol is used to connect to LDAP servers ove...

Страница 534: ...se DN is specified the search starts at the root of the directory tree attributes The attributes to be returned To specify more than one attribute use commas to separate the attributes for example cn...

Страница 535: ...space is an unsafe character that must be represented as 20 within the URL Thus the distinguished name o example com corporation must be encoded as o example com 20corporation The following table list...

Страница 536: ...ult filter objectclass Example 2 The following LDAP URL retrieves the postalAddress attribute of the entry with the DN dc example dc com ldap ldap example com dc example dc com postalAddress Because n...

Страница 537: ...a search for the object class for all entries one level under dc example dc com ldap ldap example com dc example dc com objectClass one Because the search scope is one the search encompasses all entri...

Страница 538: ...Examples of LDAP URLs 538 Netscape Directory Server Administrator s Guide August 2002...

Страница 539: ...preferences in search operations This appendix contains the following sections About Locales page 539 Identifying Supported Locales page 540 Supported Language Subtypes page 542 About Locales Director...

Страница 540: ...mat specifies the monetary symbol used by a specific region whether the symbol goes before or after its value and how monetary units are represented Time date format The time and date format indicates...

Страница 541: ...rforming an international search in the directory use either the language tag or the OID to identify the collation order you want to use However when setting up an international index you must use the...

Страница 542: ...3 2 28 1 Korean ko 2 16 840 1 113730 3 3 2 29 1 Latvian Lettish lv 2 16 840 1 113730 3 3 2 31 1 Lithuanian lt 2 16 840 1 113730 3 3 2 30 1 Macedonian mk 2 16 840 1 113730 3 3 2 32 1 Norwegian no 2 16...

Страница 543: ...Afrikaans be Byelorussian bg Bulgarian ca Catalan cs Czechoslovakian da Danish de German el Greek en English es Spanish eu Basque fi Finnish fo Faroese fr French ga Irish gl Galician hr Croatian hu H...

Страница 544: ...tscape Directory Server Administrator s Guide August 2002 ru Russian sk Slovakian sl Slovenian sq Albanian sr Serbian sv Swedish tr Turkish uk Ukrainian zh Chinese Table D 2 Supported Language Subtype...

Страница 545: ...isables a user account group of accounts or an entire domain so that all authentication attempts are automatically rejected All IDs Threshold A size limit which is globally applied to every index key...

Страница 546: ...tions or access files and directories based on the permissions granted to that user by the directory administrator 2 Allows a client to make sure they are connected to a secure server preventing anoth...

Страница 547: ...ct attributes Certificate Authority Company or organization that sells and issues authentication certificates You may purchase an authentication certificate from a Certification Authority that you tru...

Страница 548: ...sorted This information might include the sequence of letters in the alphabet or how to compare letters with accents to letters without accents consumer Server containing replicated directory trees o...

Страница 549: ...ree s root point appearing at the top of the hierarchy Also known as DIT Directory Manager The privileged database administrator comparable to the root user in UNIX Access control does not apply to th...

Страница 550: ...index Allows you to search efficiently for entries containing a specific attribute value file extension The section of a filename after the period or dot that typically defines the type of file for ex...

Страница 551: ...of replication a server that holds a replica that is copied from a different server and in turn replicates it to a third server See also cascading replication index key Each index that the directory u...

Страница 552: ...form leaf entry An entry under which there are no other entries A leaf entry cannot be a branch point in a directory tree Lightweight Directory Access Protocol See LDAP locale Identifies the collatio...

Страница 553: ...named and referenced Also called the directory tree monetary format Specifies the monetary symbol used by specific region whether the symbol goes before or after its value and how monetary units are...

Страница 554: ...attribute in an object oriented system Object identifiers are assigned by ANSI IETF or similar organizations OID See object identifier operational attribute Operational attributes contain information...

Страница 555: ...th a proxy DN proxy DN Used with proxied authorization The proxy DN is the DN of an entry that has access permissions to the target on which the client application is attempting to perform an operatio...

Страница 556: ...e replicas A server can hold any number of read only replicas read write replica A replica that contains a master copy of directory information and can be updated A server can hold any number of read...

Страница 557: ...have access to their own entries that is if the bind DN matches the targeted entry Server Console Java based application that allows you to perform administrative management of your Directory Server f...

Страница 558: ...on about the managed device and passes the information to the master agent SSL Secure Sockets Layer A software library establishing a secure connection between two parties client and server used to im...

Страница 559: ...IP Transmission Control Protocol Internet Protocol The main network protocol for the Internet and for enterprise company networks template entry See CoS template entry time date format Indicates the...

Страница 560: ...up the display of entries in the Directory Server Console Virtual list view indexes can be created on any branchpoint in the directory tree to improve display performance X 500 standard The set of ISO...

Страница 561: ...on 227 SSL authentication structure of ACIs target DN containing comma 252 target DN containing comma and 201 targeting 199 targeting attribute values 205 targeting attributes 203 targeting entries 20...

Страница 562: ...ACI attribute default index for 350 overview 194 ACI placement 195 ACL See ACI activating accounts from command line 275 from console 274 add right 207 adding directory entries 58 Administration Serve...

Страница 563: ...387 authmethod keyword 227 B backing up data 154 all 154 db2bak 155 dse ldif 156 bak2db script 158 bak2db pl perl script 158 base 64 encoding 501 base DN ldapsearch and 519 binary data LDIF and 501 bi...

Страница 564: ...87 setting up 305 certificate mapping to a DN 392 password 40 certificate database password 382 certificate based authentication 391 setting up 391 chaining cascading 121 component operations from con...

Страница 565: ...cy 266 suffix 85 connections monitoring 407 409 411 viewing number of 406 console starting 32 consumer initialization manual consumer creation 315 online consumer creation 314 consumer server 280 cont...

Страница 566: ...g 114 maintaining remote server info 114 overview 96 database server parameters read only 412 database transaction logging described 435 durable transactions 437 log file location 436 databases in dir...

Страница 567: ...00 dn db2 file 351 dn2id db2 file 351 dns keyword 224 dse ldif PTA plugin 470 dse ldif file backing up 156 PTA syntax 470 restoring 160 durable transactions 437 dynamic groups 165 creating 165 modifyi...

Страница 568: ...FIPS Triple DES cipher 390 format LDIF 499 G general access example 216 overview 213 glossary of terms 545 greater than or equal to search international example 530 531 overview 523 groupdn keyword 2...

Страница 569: ...tion order 540 country code 541 date format 540 language tag 541 locales and 539 location of files 540 matching rule filters 526 modifying entries 72 monetary format 540 object identifiers and 541 of...

Страница 570: ...d 510 line continuation 501 Server Console and 57 specifying entries organization 503 organizational person 506 organizational unit 505 update statements 62 using to create directory 507 LDIF entries...

Страница 571: ...chingRule format 526 using language tag 527 using language tag and suffix 528 using OID 527 using OID and suffix 527 MD5 message authentication 391 metaphone phonetic algorithm 353 MIB directory serve...

Страница 572: ...e object identifier operations table 422 operations defined 406 operators Boolean 523 international searches and 528 search filters and 522 suffix 529 optional attributes creating 343 deleting 344 345...

Страница 573: ...rd storage plug in 454 octet string syntax plug in 453 postal address string syntax plug in 456 presence plug in 457 493 PTA plug in 457 reference 443 referential integrity plug in 458 retro change lo...

Страница 574: ...SSL 320 cascading 305 change log 281 compatibility with earlier versions 283 322 configuration tips 289 configuring a hub supplier 294 configuring a read only replica 293 configuring a read write repl...

Страница 575: ...ication 227 schema checking 345 creating new attributes 339 creating new object classes 343 deleting attributes 341 deleting object classes 345 editing object classes 344 extending 337 nsslapd schemac...

Страница 576: ...n 427 configuring 426 managed device 420 421 managed objects 420 master agent overview 420 Unix 420 Windows NT 420 MIB entries table 424 interaction table 425 location of 422 operations table 422 moni...

Страница 577: ...er server 280 symbols in change operation 63 in LDIF statements 502 in LDIF statements 501 in ldapmodify commands 61 in ldapsearch 514 syntax ACI statements 198 attribute value 340 LDAP URLs 533 ldaps...

Страница 578: ...s 214 to own entry 214 LDIF example 215 user and group management referential integrity 72 user passwords 268 userattr keyword 218 restriction on add 223 user defined attributes 338 user defined objec...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды