HP UX Direry Server manuals

Computer Equipment > Software

When we buy new device such as HP UX Direry Server we often through away most of the documentation but the warranty. Very often issues with HP UX Direry Server begin only after the warranty period ends and you may want to find how to repair it or just do some service work. Even oftener it is hard to remember what does each function in Software HP UX Direry Server is responsible for and what options to choose for expected result. Fortunately you can find all manuals for Software on our side using links below.

HP UX Direry Server Manual

68 pages1.59 Mb

1HP-UXDirectory Server Version
3Table of Contents
- 4Glossary
- Index
51 Introduction to HP-UXDirectory Server
- 6SSL
- TLS
- NOTE:
72 Admin Server configuration
- 2.1 Directory Server file locations
- 2.2 Starting and stopping the Admin Server
  - 2.2.1Starting and stopping Admin Server from the console
  - 2.2.2 Starting and stopping Admin Server from the command Line
- 82.3 Opening the Admin Server console
  - 9Figure 2-1Login box
  - TIP:
  - Open
- 102.4 Viewing logs
  - 2.4.1Viewing the logs through the console
  - 112.4.2 Viewing logs in the command line
  - 122.4.3 Changing the log name in the console
  - 2.4.4 Changing the log location in the command line
- 132.5Changing the port number
  - 2.5.1Changing the port number in the console
  - 142.5.2Changing the port number in the command line
- 152.6Setting host restrictions
  - 2.6.1Setting host restrictions in the console
  - 162.6.2 Setting host restrictions in the command line
- 172.7Changing the admin user's name and password
- 182.8Working with SSL
  - 192.8.1 Requesting and installing a server certificate
    - 20•Server Name
    - IMPORTANT:
    - •Organization
    - •Organizational Unit
    - (Optional) A descriptive name for the organization within the company
    - •Locality
    - (Optional) The company's city name
    - •State or Province
    - The full name of the company's state or province (no abbreviations)
    - •Country
    - c.Enter the password that used to protect the private key, and click Next
    - 21Request Submission
    - Copy to Clipboard
    - Save to File
    - 22Install
    - In this local file
    - In the following encoded text block
  - 232.8.2 Installing a CA certificate
    - 24CA Certs
    - 25Next
    - 26•Accepting connections from clients (Client Authentication)
    - •Accepting connections to other servers (Server Authentication)
  - 272.8.3Enabling SSL
    - 284.Select the Enable SSL for this server checkbox
    - 5.Select the Use this cipher family: RSA checkbox
    - Internal
    - (Software-based)
    - Settings
  - 292.8.4 Creating a password file for the Admin Server
- 302.9 Changing Directory Server settings
  - 2.9.1 Changing the configuration directory host or port
  - 312.9.2Changing the user directory host or port
    - 32Use Default User Directory
    - Set User Directory
    - LDAP Host and Port
    - Give the
    - User Directory Subtree
    - . For example:
    - Optionally, enter the
    - Bind DN
    - Bind Password
    - 6.Click Save
333 Admin express
- 3.1 Managing servers in Admin Express
  - 3.1.1Opening Admin Express
  - 3.1.2 Starting and stopping servers
  - 3.1.3 Viewing server logs
  - 343.1.4 Viewing server information
  - 3.1.5 Monitoring replication from Admin Express
    - 35supplier
    - consumer
    - nobody
    - grep \^User /etc/opt/dirsrv/admin-serv/console.conf
    - chmod 0400 filename
    - To view in-progressstatus of replication in Admin Express:
    - 2.In the Admin Server web page, click the Admin Express link, and log in
    - 3.Click the Replication Status link by the supplier server name
    - Type the path to the configuration file in the
    - Configuration file
    - 36Figure 3-4Viewing replication status
    - Figure 3-5Viewing replication status
- 373.2 Configuring Admin Express
  - 3.2.1 Admin Express file locations
  - 3.2.2 Admin Express configuration files
    - 3.2.2.1 Files for the Admin Server welcome page
    - 38Figure 3-6Intro page elements
    - directive
    - The text files themselves have inline formatting for the inserted table rows
    - 393.2.2.2 Files for the replication status appearance
    - 403.2.2.3 Files for the server information page
    - 413.2.2.4 Files for the server logs page
  - 423.2.3 Admin Express directives
    - 43Table 3-2Admin Express directives (continued)
454 Admin Server command-linetools
- 4.1 sec-activate
- 4.2 modutil
  - 46task
  - “Task commands for modutil”
  - option
  - “Options for modutil”
  - Tasks and options
  - Each modutil command can take one task and one option
  - Table
  - “Task commands for modutil”
  - modutil
  - “Options for modutil”
  - Table 4-1Task commands for modutil
  - 47Table 4-1Task commands for modutil (continued)
  - Table 4-2Options for modutil
  - 48Table 4-2Options for modutil (continued)
  - JAR information file
  - JAR (Java Archive) is a
  - platform-independent
  - file format that aggregates many files into one. JAR files are used by
  - to install PKCS #11 modules. When
  - command
  - METAINFO
  - MANIFEST
  - http://docs.sun.com
  - source/816-6164-10/contents.htm
  - pk11install
  - +Pkcs11_install_script: pk11install
  - Examples of using modutil
  - •“Creating database files”
  - •“Displaying module information”
  - •“Setting a default provider”
  - 49•“Enabling a slot”
  - •“Enabling FIPS compliance”
  - •“Adding a cryptographic module”
  - •“Changing the password on a token”
  - Creating database files
  - Displaying module information
  - Setting a default provider
  - Enabling a slot To enable a particular slot in a module:
  - Enabling FIPS compliance
  - 50modutil -fipstrue
  - FIPS mode enabled
  - Adding a cryptographic module
  - Module "Cryptorific Module" added to database
  - Changing the password on a token
515 Support and other resources
- 5.1 Contacting HP
  - 5.1.1 Information to collect before contacting HP
  - 5.1.2How to contact HP technical support
  - 5.1.3HP authorized resellers
  - 5.1.4Documentation feedback
- 5.2 Related information
  - 5.2.1HP-UXDirectory Server documentation set
  - 525.2.2 HP-UXdocumentation set
  - 5.2.3Troubleshooting resources
- 535.3 Typographic conventions
55Glossary
- 56bind
- See bind DN
- bind DN
- bind rule
- branch entry
- An entry that represents the top of a subtree in the directory
- browser
- browsing index
- See also virtual list view index
- See Certificate Authority
- cascading
- replication
- and in turn supplies those updates to the consumer
- Certificate
- Authority
- CGI
- output parsing that is not done by the server itself
- chaining
- then returned to the client
- changelog
- other masters, in the case of multi-masterreplication
- character type
- upper-caseto lower-caseletters
- ciphertext
- information
- class definition
- how the object works in relation to other objects in the directory
- class of service
- See CoS
- CoS
- classic CoS
- entry's attributes
- client
- See LDAP client
- code page
- operating system uses to relate keyboard keys to character font displays
- collation order
- or how to compare letters with accents to letters without accents
- consumer server
- is called a consumer for that replica
- CoS
- 57CoS definition
- entry
- affects
- CoS template
- Contains a list of the shared attribute values
- See also template entry
- daemon
- Daemon processes do not need human intervention to continue functioning
- DAP
- directory
- data master
- The server that is the master source of a particular piece of data
- database link
- storage. Instead, it points to data stored remotely
- default index
- definition entry
- See CoS definition entry
- Directory Access
- See DAP
- DAP
- Protocol
- Directory
- Manager
- does not apply to the Directory Manager
- directory service
- people and resources within an organization
- directory tree
- known as DIT
- String representation of an entry's name and location in an LDAP directory
- DIT
- See directory tree
- See Directory Manager
- See distinguished name
- DNS
- www.example.com
- maintained on their systems
- DNS alias
- called realthing.yourdomain.domain where the server currently exists
- A group of lines in the LDIF file that contains information about an object
- entry distribution
- large numbers of entries
- entry ID list
- the client application's search request
- equality index
- file extension
- index.html
- html
- 58file type
- extension (for example, .GIF or .HTML)
- filter
- filtered role
- role
- general access
- GSS-API
- host name
- machine
- dom
- www
- example
- and com domain
- HTML
- pages
- HTTP
- and clients
- HTTPD
- HTTP protocol. The daemon or service is often called an httpd
- HTTPS
- A secure version of HTTP, implemented using the Secure Sockets Layer, SSL
- hub
- and, in turn, replicates it to a third server
- See also cascading replication
- ID list scan limit
- index key
- lists
- indirect CoS
- international
- Speeds up searches for information in international directories
- International
- See ISO
- ISO
- Standards
- Organization
- IP address
- of a machine on the Internet (for example, 198.93.93.10)
- ISO
- International Standards Organization
- knowledge
- Pointers to directory information stored in different databases
- reference
- 59LDAP
- and across multiple platforms
- LDAP client
- Software used to request and view LDAP entries from an LDAP Directory Server
- See also browser
- browser
- LDAP Data
- See LDAP Data Interchange Format
- Interchange
- Format
- LDAP URL
- LDAP. A sample LDAP URL is ldap://ldap.example.com
- LDAPv3
- LDBM database
- data assigned to it. The primary data store in Directory Server
- LDIF
- leaf entry
- directory tree
- Lightweight
- See LDAP
- locale
- which code page should be used to represent a given language
- managed object
- managed role
- Allows creation of an explicit enumerated list of members
- management
- See MIB
- MIB
- information base
- mapping tree
- master
- See supplier
- master agent
- See SNMP master agent
- matching rule
- MD5
- produce; a piece of data that will produce the same message digest
- MD5 signature
- A message digest produced by the MD5 algorithm
- MIB
- areas
- MIB namespace
- referenced. Also called the directory tree
- monetary format
- its value, and how monetary units are represented
- multi-master
- 60determine which server holds the most recent version
- multiplexor
- n + 1 directory
- problem
- resulting in increased hardware and personnel costs
- name collisions
- Multiple entries with the same distinguished name
- nested role
- Allows the creation of roles that contain other roles
- network
- application
- were received
- See NMS
- NMS
- station
- NIS
- parameters throughout a network of computers
- NMS
- network management station
- ns-slapd
- Directory Server
- See also slapd
- slapd
- object class
- object identifier
- IETF or similar organizations
- See also OID
- OID
- OID
- See object identifier
- operational
- requested
- parent access
- if the bind DN is the parent of the targeted entry
- pass-through
- See PTA
- PTA
- PTA directory server
- subtree
- authenticating directory server
- password file
- It is also known as /etc/passwd because of where it is kept
- password policy
- A set of rules that governs how passwords are used in a given directory
- PDU
- data unit
- permission
- is granted or denied and the level of access that is granted or denied
- See also access rights
- pointer CoS
- A pointer CoS identifies the template entry using the template DN only
- 61presence index
- Allows searches for entries that contain a specific indexed attribute
- protocol
- A set of rules that describes how devices on a network exchange information
- protocol data unit
- See PDU
- PDU
- proxy
- with its own DN but with a proxy DN
- proxy DN
- PTA
- pass-throughauthentication
- PTA directory
- server
- through) bind requests it receives to the authenticating directory server
- PTA LDAP URL
- pass-throughsubtree(s), and optional parameters
- RAM
- stored in RAM is lost when the computer is shut down
- RDN
- to form the full distinguished name. Also relative distinguished name
- read-onlyreplica
- of read-onlyreplicas
- read-writereplica
- can hold any number of read-writereplicas
- referential
- integrity
- referral
- called a referral
- relative
- See RDN
- RDN
- replica
- A database that participates in replication
- replica-initiated
- agreement
- connection is secured
- RFC
- standards
- role
- role-based
- attributes
- CoS template
- root
- privileges to all files on the machine
- root suffix
- 62SASL
- Simple
- Authentication and Security Layer
- schema
- access the directory may be unable to display the proper results
- schema checking
- not conform to the schema
- Secure Sockets
- See SSL
- SSL
- Layer
- self access
- targeted entry
- Server Console
- Server from a GUI
- server daemon
- Server Selector
- Interface that allows you select and configure servers using a browser
- server service
- the SMB server on Windows NT
- service
- Service processes do not need human intervention to continue functioning
- SIE
- Simple
- See SASL
- Authentication
- and Security
- Simple Network
- See SNMP
- Management
- single-master
- supplier server maintains a changelog
- SIR
- See supplier-initiatedreplication
- slapd
- except replication
- See also ns-slapd
- ns-slapd
- SNMP
- about network activity. Also Simple Network Management Protocol
- SNMP master
- Software that exchanges information between the various subagents and the NMS
- agent
- SNMP subagent
- master agent. Also called a subagent
- SSL
- Secure Sockets Layer
- standard index
- index maintained by default
- sub suffix
- A branch underneath a root suffix
- subagent
- See SNMP subagent
- substring index
- to a minimum of two characters for each entry
- suffix
- 63superuser
- privileges to all files on the machine. Also called root
- servers
- supplier server
- called a supplier for that replica
- supplier-initiated
- symmetric
- encryption
- a symmetric encryption algorithm
- system index
- target
- particular ACI applies
- target entry
- The entries within the scope of a CoS
- TCP/IP
- and for enterprise (company) networks
- template entry
- See CoS template entry
- time/date format
- Indicates the customary formatting for times and dates in a specific region
- TLS
- Security
- topology
- one another
- Transport Layer
- See TLS
- TLS
- Security
- uid
- A unique number associated with each user on a Unix system
- URL
- documents. It is often called a location. The format of a URL is
- protocol://machine:port/document. The port number is necessary only on selected
- virtual list view
- See also browsing index
- X.500 standard
- and attributes used by directory server implementation
65Index

160 pages6.11 Mb

1HP-UXDirectory Server Version
3Table of Contents
- 1 Introduction to directory services
- 2 Planning the directory data
- 3 Designing the directory schema
- 44 Designing the directory tree
- 5 Designing the directory topology
- 56 Designing the replication process
- 7 Designing synchronization
- 68 Designing a secure directory
- 79 Directory design examples
- 10 Support and other resources
- 8Index
91 Introduction to directory services
- 1.1 About directory services
- 101.2 Introduction to Directory Server
- NOTE:
- Directory Server runs as a daemon; the process is ns-slapd
- 111.2.2 Server plug-insoverview
  - Directory Server
  - plug-in
  - reference
- 1.2.3 Overview of the basic directory tree
  - Figure 1-1Layout of default Directory Server directory tree
  - “Choosing a suffix”
  - cn=config
  - o=NetscapeRoot
  - Directory Server installation guide
  - cn=monitor
- 121.3 Directory Server data storage
- 1.3.1.1 Performing queries on directory entries
- 131.4 Directory design overview
- 141.4.1Design process outline
  - 1.Chapter 2 “Planning the directory data”
  - 2.Chapter 3 “Designing the directory schema”
  - 3.Chapter 4 “Designing the directory tree”
  - 4.Chapter 5 “Designing the directory topology”
  - 5.Chapter 6 “Designing the replication process”
  - 6.Chapter 7 “Designing synchronization”
  - 7.Chapter 8 “Designing a secure directory”
- 1.4.2Deploying the directory
- 151.5 Other general directory resources
172 Planning the directory data
- 2.1 Introduction to directory data
- 182.2 Defining directory needs
- 2.3Performing a site survey
  - •Determine data ownership
  - •Determine data access
  - •Document the site survey
- 192.3.1 Identifying the applications that use the directory
  - •Directory browser applications, such as online telephone books
  - •Email applications, especially email servers
  - •Directory-enabledhuman resources applications
  - •Microsoft Active Directory
  - Table 2-1Example application data needs
  - •The data required by various legacy applications and users
  - •The ability of legacy applications to communicate with an LDAP directory
- 202.3.2Identifying data sources
  - •Identify organizations that provide information
  - •Identify the tools and processes that are information sources
  - •Determine how centralizing each piece of data affects the management of data
  - Table
  - “ Example information sources”
  - Table 2-2Example information sources
- 2.3.3 Characterizing the directory data
  - •Format
  - •Size
  - •Number of occurrences in various applications
  - •Data owner
  - •Relationship to other directory data
  - “Directory data characteristics”
  - Table 2-3Directory data characteristics
- 212.3.4 Determining level of service
- 2.3.5 Considering a data master
  - •Replication among Directory Servers
  - •Synchronization between Directory Server and Active Directory
  - •Independent client applications which access the Directory Server data
  - There are different ways to implement data mastering:
  - Chapter 6 “Designing the replication process”
- 222.3.6 Determining data ownership
  - Allow
  - •Create roles that give groups of people read or write access privileges
  - “Grouping directory entries”
- 232.3.7 Determining data access
  - For each piece of information stored in the directory, decide the following:
  - •Can the data be read anonymously
  - •Can the data be read widely across the enterprise
  - For more information about access controls, see “Designing access control”
- 242.4 Documenting the site survey
- 252.5Repeating the site survey
273 Designing the directory schema
- 3.1 Schema design process overview
- 3.2 Standard schema
- This schema entry states the object identifier, or OID, for the class
- ), the name of the object class
- ), a description of the class
- ), then lists the required attributes
- , and
- ) and the allowed attributes
- 283.2.2 Standard attributes
  - cn: Babs Jensen
  - In the schema, each attribute definition contains the following information:
  - •A unique name
  - •An object identifier (OID) for the attribute
  - •A text description of the attribute
  - •The OID of the attribute syntax
  - Indications of whether the attribute is
  - For example, the cn attribute definition appears in the schema as follows:
  - Table 3-1Syntaxes support in Directory Server
- 293.2.3 Standard object classes
  - Directory Server Schema Reference
  - Object class definitions contain the following information:
  - •An object identifier (OID) that names the object
  - •A set of mandatory attributes
  - •A set of allowed (or optional) attributes
- 303.3 Mapping the data to the default schema
- 313.4 Customizing the schema
- 323.4.1 When to extend the schema
- 3.4.2 Getting and assigning object identifiers
- 3.4.3Naming attributes and object classes
- 3.4.4 Strategies for defining new object classes
  - 33For example, suppose an administrator wants to create the attributes
  - , and
  - One object class
  - , is created and allows
  - and
  - . The parent of
  - A second object class
  - , allows
  - is the
  - object class
  - The new object classes appear in LDAPv3 schema format as follows:
  - exampleEntry
  - AUXILIARY
  - “Getting and assigning object identifiers”
  - •Multiple object classes result in more schema elements to create and maintain
  - •Multiple object classes require a more careful and rigid data design
  - preferredOS
  - •Avoid required attributes for new object classes
  - require
  - allow
- 343.4.5 Strategies for defining new attributes
  - Directory Server Schema Guide
  - dateOfBirth
- 3.4.6 Deleting schema elements
- 3.4.7 Creating custom schema files
- 353.4.8.1 Naming schema files
- 3.4.8.2Using 'user defined' as the origin
- 3.4.8.3Defining attributes before object classes
- 3.4.8.4Defining schema in a single file
- 363.5 Maintaining consistent schema
- 373.5.1 Schema checking
  - For example, if an entry is defined to use the
  - object class, then the common name
  - ) and surname
- 3.5.2 Selecting consistent data formats
  - ITU-TRecommendation E.123
  - ITU-T
  - postalAddress
- 3.5.3 Maintaining consistency in replicated schema
- 383.6Other schema resources
394 Designing the directory tree
- 4.1 Introduction to the directory tree
- 4.2 Designing the directory tree
- 404.2.1.1 Suffix naming conventions
- 4.2.1.2 Naming multiple suffixes
- 414.2.2.1Branching the directory
- 424.2.2.2 Identifying branch points
- 43Figure 4-5Directory tree for example isp
- o=example, c=US
- Consider the following when choosing attributes for the branch points:
- •Be consistent
- Try to use only the traditional attributes (shown in
- Table 4-1Traditional DN branch point attributes
- 444.2.2.3 Replication considerations
- 454.2.2.4 Access control considerations
- 464.2.3.1Naming person entries
- 474.2.3.2Naming group entries
- 4.2.3.3 Naming organization entries
- 4.2.3.4Naming other kinds of entries
- 484.3 Grouping directory entries
- nsRoleDN
- 494.3.2Deciding between roles and groups
- 4.3.3 About class of service
  - facsimileTelephoneNumber
  - Each CoS is comprised of the several entries in the directory:
  - •A service class attribute value stored with the entry
  - The absence of a service class attribute can imply a specific default CoS
- 504.4 Virtual directory information tree views
- 51Figure 4-10Examples of a flat and an organizationally-basedDIT
- nsview
- nsviewfilter
- Figure 4-12A DIT with a virtual DIT view hierarchy
- •The sub-tree ou=People contains the real Entry A and Entry B entries
- •The sub-tree ou=Location Views is a view hierarchy
- The leaf nodes
- ou=Sunnyvale
- ou=Mountain View
- 534.4.2Advantages of using virtual DIT views
  - The deployment decisions become easier with virtual DIT views because:
  - Virtual DIT view hierarchies can be created as a kind of
- 544.4.3Example of virtual DIT views
  - A subtree search based at
  - would return all entries below
  - which match the filters
  - , or
  - . Conversely, a
  - one-level
  - ou=Location Views, dc=example, dc=com
  - attribute to
  - with the filter value
  - with both
  - (see
  - “A DIT with a virtual DIT view hierarchy”
  - ), add the
  - value to the location attribute, and the entry appears in both views
- 554.4.4 Views and other directory features
- 4.4.5 Effects of virtual views on performance
- 4.4.6 Compatibility with existing applications
- 564.5Directory tree design examples
- 574.6 Other directory tree resources
595 Designing the directory topology
- 5.1 Topology overview
- 5.2 Distributing the directory data
- 605.2.1 About using multiple databases
- 615.2.2 About suffixes
- 625.3 About knowledge references
- 635.3.1.1 The structure of an LDAP referral
- 5.3.1.2 About default referrals
- 645.3.1.3 Smart referrals
- 665.3.1.4 Tips for designing smart referrals
- 675.3.2 Using chaining
  - Database links provide the following features:
  - •Invisible access to remote data
  - •Dynamic management
  - •Access control
- 5.3.3Deciding between referrals and chaining
  - 685.3.3.1 Usage differences
  - 5.3.3.2 Evaluating access controls
  - 69Figure 5-12Sending a client request to a server using chaining
  - In the illustration above, the following steps are performed:
  - 3.Server B sends an acceptance response to Server A
  - Figure 5-13Authenticating a client and retrieving data using different servers
  - In this illustration, the following steps are performed:
- 705.4Using indexes to improve database performance
- •International index
- •Browsing index or virtual list view (VLV) index
- 715.4.2Evaluating the costs of indexing
  - •Indexes increase the time it takes to modify entries
  - •Index files use disk space
  - •Index files use memory
  - •Index files take time to create
736 Designing the replication process
- 6.1 Introduction to replication
- 6.1.1.1 Unit of replication
- 746.1.1.2 Read-writeand read-onlyreplicas
- 6.1.1.3 Suppliers and consumers
- 6.1.1.4 Replication and changelogs
- 6.1.1.5 Replication agreement
- 756.2Common replication scenarios
  - •“Single-masterreplication”
  - •“Multi-masterreplication”
  - •“Cascading replication”
  - •“Mixed environments”
- 766.2.1Single-masterreplication
  - Figure 6-1 Single-masterreplication
- 6.2.2 Multi-masterreplication
  - 78Figure 6-4 Multi-masterreplication configuration B (four suppliers)
- 796.2.3 Cascading replication
- 816.2.4 Mixed environments
- 826.3 Defining a replication strategy
  - See “Using replication for local availability” for more information
  - See “Using replication for load balancing” for more information
- 836.3.1 Conducting a replication survey
  - •The number and size of the entries stored in the directory service
- 6.3.2 Replicated selected attributes with fractional replication
  - Fractional replication is particularly useful in the following situations:
- 846.3.3 Replication resource requirements
- 6.3.4Managing disk space required for multi-masterreplication
  - cn=replica
  - suffixDN
  - nsDS5ReplicaTombstonePurgeInterval
  - Configuration, Command, and File Reference
- 856.3.5 Replication across a wide-areanetwork
  - •Use a T-1or faster Internet connection for the network
  - When creating agreements for replication over a
- 6.3.6Using replication for high availability
- 866.3.7 Using replication for local availability
  - Use replication for local availability for the following reasons:
  - •To keep a local master copy of the data
  - •To mitigate unreliable or intermittently available network connections
- 6.3.8Using replication for load balancing
  - Replication can balance the load on the Directory Servers in several ways:
  - •By spreading the users' search activities across several servers
  - By dedicating servers to
  - 876.3.8.1 Example of network load balancing
  - 886.3.8.2Example of load balancing for improved performance
  - 896.3.8.3Example replication strategy for a small site
  - 6.3.8.4Example replication strategy for a large site
- 906.4 Using replication with other Directory Server features
- Figure 6-10Replicating chained databases
- 916.4.4 Schema replication
  - WARNING
  - See “Creating custom schema files” for more information
- 926.4.5 Replication and synchronization
937 Designing synchronization
- 7.1 Windows synchronization overview
- 947.2 Planning windows synchronization
- •The number and size of the entries stored in the directory
- 957.2.2 Managing disk space for the changelog
  - cn=changelog5
  - The other two attributes are under the synchronization agreement entry in
  - sync_agreement
- 7.2.3 Defining the connection type
- 7.2.4 Considering a data master
  - data master
- 967.2.5 Determining the subtree to synchronize
- 7.2.6 Interaction with a replicated environment
  - Figure 7-1 Multi-masterDirectory Server — Windows domain synchronization
- 977.2.7 Identifying the directory data to synchronize
  - •Contact information for trading partners, clients, and customers
  - •User’s software preferences or software configuration information
  - •Group information and group membership
- 987.3Schema elements sycnhronized between Active Directory and Directory Server
  - 99ntDomainUser
  - samAccountName
  - User entries only
  - “User schema that are the same in Directory Server and Windows servers”
  - “User schema mapped between Directory Server and Active Directory”
  - “User schema differences between Directory Server and Active Directory”
  - Table 7-1User schema mapped between Directory Server and Active Directory
- 1007.3.2.1 Values for cn attributes
- 7.3.2.2 Password policies
- 1017.3.2.3 Values for street and streetAddress
- 7.3.2.4Contraints on the initials attribute
- 1027.3.4 Group schema differences between Directory Server and Active Directory
1038 Designing a secure directory
- 8.1 About security threats
- 1048.2 Analyzing security needs
- 1058.3Overview of security methods
- 1068.4 Selecting appropriate authentication methods
- command
- 1078.4.2 Simple password
  - 1.The user enters a unique identifier, such as a user ID (for example, fchen)
- 1088.4.3 Certificate-basedauthentication
  - For more information about certificates and SSL, see the Administrator's Guide
- 8.4.4 Simple password over SSL/TLS
- 8.4.5 Simple authentication and security layer
- 8.4.6 Proxy authentication
  - cn=Directory Manager
  - cn=joe
  - mods.ldif
- 1098.5 Preventing authentication by account deactivation
- 8.6 Designing a password policy
- 110nsslapd-pwpolicy-local
- ns-newpwpolicy.pl
- To determine whether the
- off
- 1138.6.2.1 Password change after reset
- 8.6.2.2User-definedpasswords
- 1148.6.2.3Password expiration
- 8.6.2.4Expiration warning
- 8.6.2.5Grace login limit
- 8.6.2.6Password syntax checking
- 1158.6.2.7Password length
- 8.6.2.8Password minimum age
- 8.6.2.9Password history
- 1168.6.2.10 Password storage schemes
- 1178.7 Designing access control
- 1188.7.1.1 Targets
- 8.7.1.2 Permissions
- 1198.7.1.3 Bind rules
- 8.7.2.1 The precedence rule
- 8.7.2.2 Allowing or denying access
- 1208.7.2.3 When to deny access
- 8.7.2.4Where to place access control rules
- 8.7.2.5 Using filtered access control rules
- Create an attribute on every user's directory entry called
- publishHomeContactInfo
- Set an access control rule that grants read access to the
- attributes only for entries whose
- attribute is set to
- Allow the directory users to change the value of their own
- false
- 1218.7.3 Viewing ACIs: Get effective rights
  - ldapsearch
  - title
  - salary
  - homePostalAddress
  - title
  - salary
  - entryLevelRights
  - attributeLevelRights
  - street: rsc
  - Advanced Properties
  - Show effective rights
- 1228.7.4 Using ACIs: Some hints and tricks
  - •Minimize the number of ACIs in the directory
- 1238.8Database encryption
- 1248.9 Securing server to server connections
- 8.10 Other security resources
1259 Directory design examples
- 9.1 Design example: A local enterprise
- 1269.1.3 Local enterprise directory tree design
- 1279.1.4.1 Database topology
- 1289.1.5.1 Supplier architecture
- 1299.1.5.2 Supplier consumer architecture
- Figure 9-5Supplier and consumer architecture for Example Corp
- 1309.1.6 Local enterprise security design
  - •They create an ACI that allows employees to modify their own entries
  - manager
  - department
  - This ACI denies anonymous write access to password information
- 1319.2 Design example: A multinational enterprise and its extranet
- 1329.2.1 Multinational enterprise data design
- 9.2.2Multinational enterprise schema design
  - exampleSupplier
  - examplePartner
  - exampleSupplierID
- 9.2.3 Multinational enterprise directory tree design
  - The root of the directory tree is the
  - dc=com
  - dc=exampleCorp, dc=com
  - dc=exampleNet,dc=com
  - The directory tree for the intranet (under
  - dc=exampleCorp, dc=com)
- 1349.2.4.1 Database topology
- 1359.2.4.2 Server topology
- 1379.2.5.1 Supplier architecture
- 1399.2.6 Multinational enterprise security design
14110 Support and other resources
- 10.1 Contacting HP
- 10.2 Related information
- •HP-UXDirectory Server administration server guide
- •HP-UXDirectory Server configuration, command, and file reference
- •HP-UXDirectory Server console guide
- •HP-UXDirectory Server deployment guide
- •HP-UXDirectory Server installation guide
- •HP-UXDirectory Server plug-inreference
- •HP-UXDirectory Server schema reference
- http://docs.hp.com/en/internet.html
- 14210.2.2 HP-UXdocumentation set
  - •HP-UX11i v3 Operating Environments: http://docs.hp.com/en/oshpux11iv3.html
  - •HP-UX11i v2 Operating Environments: http://docs.hp.com/en/oshpux11iv2.html
- 14310.3 Typographic conventions
145Glossary
- 146bind
- See bind DN
- bind DN
- bind rule
- branch entry
- An entry that represents the top of a subtree in the directory
- browser
- browsing index
- See also virtual list view index
- See Certificate Authority
- cascading
- replication
- and in turn supplies those updates to the consumer
- Certificate
- Authority
- CGI
- output parsing that is not done by the server itself
- chaining
- then returned to the client
- changelog
- other masters, in the case of multi-masterreplication
- character type
- upper-caseto lower-caseletters
- ciphertext
- information
- class definition
- how the object works in relation to other objects in the directory
- class of service
- See CoS
- CoS
- classic CoS
- entry's attributes
- client
- See LDAP client
- code page
- collation order
- or how to compare letters with accents to letters without accents
- consumer
- consumer server
- is called a consumer for that replica
- CoS
- 147CoS definition
- entry
- affects
- CoS template
- Contains a list of the shared attribute values
- See also template entry
- daemon
- Daemon processes do not need human intervention to continue functioning
- DAP
- directory
- data master
- The server that is the master source of a particular piece of data
- database link
- storage. Instead, it points to data stored remotely
- default index
- definition entry
- See CoS definition entry
- Directory Access
- See DAP
- DAP
- Protocol
- Directory
- Manager
- does not apply to the Directory Manager
- directory service
- people and resources within an organization
- directory tree
- known as DIT
- String representation of an entry's name and location in an LDAP directory
- DIT
- See directory tree
- See Directory Manager
- See distinguished name
- DNS
- www.example.com
- maintained on their systems
- DNS alias
- called realthing.yourdomain.domain where the server currently exists
- A group of lines in the LDIF file that contains information about an object
- entry distribution
- large numbers of entries
- entry ID list
- the client application's search request
- equality index
- file extension
- index.html
- html
- 148file type
- extension (for example, .GIF or .HTML)
- filter
- filtered role
- role
- general access
- GSS-API
- host name
- www
- example
- com
- domain
- HTML
- pages
- HTTP
- and clients
- HTTPD
- HTTP protocol. The daemon or service is often called an httpd
- HTTPS
- A secure version of HTTP, implemented using the Secure Sockets Layer, SSL
- hub
- and, in turn, replicates it to a third server
- See also cascading replication
- ID list scan limit
- index key
- lists
- indirect CoS
- international
- Speeds up searches for information in international directories
- International
- See ISO
- ISO
- Standards
- Organization
- IP address
- Also Internet Protocol address
- location of a machine on the Internet (for example, 198.93.93.10)
- ISO
- International Standards Organization
- knowledge
- Pointers to directory information stored in different databases
- reference
- 149LDAP
- and across multiple platforms
- LDAP client
- Software used to request and view LDAP entries from an LDAP Directory Server
- See also browser
- browser
- LDAP Data
- See LDAP Data Interchange Format
- Interchange
- Format
- LDAP URL
- LDAP. A sample LDAP URL is ldap://ldap.example.com
- LDAPv3
- LDBM database
- data assigned to it. The primary data store in Directory Server
- LDIF
- leaf entry
- directory tree
- Lightweight
- See LDAP
- locale
- which code page should be used to represent a given language
- managed object
- managed role
- Allows creation of an explicit enumerated list of members
- management
- See MIB
- MIB
- information base
- mapping tree
- master
- See supplier
- master agent
- See SNMP master agent
- matching rule
- MD5
- produce; a piece of data that will produce the same message digest
- MD5 signature
- A message digest produced by the MD5 algorithm
- MIB
- areas
- MIB namespace
- referenced. Also called the directory tree
- monetary format
- its value, and how monetary units are represented
- multi-master
- 150determine which server holds the most recent version
- multiplexor
- n+1 directory
- problem
- resulting in increased hardware and personnel costs
- name collisions
- Multiple entries with the same distinguished name
- nested role
- Allows the creation of roles that contain other roles
- network
- application
- were received
- See NMS
- NMS
- station
- NIS
- parameters throughout a network of computers
- NMS
- network management station
- ns-slapd
- Directory Server
- See also slapd
- slapd
- object class
- object identifier
- IETF or similar organizations
- See also OID
- OID
- OID
- See object identifier
- operational
- requested
- parent access
- if the bind DN is the parent of the targeted entry
- pass-through
- See PTA
- PTA
- PTA directory server
- subtree
- authenticating directory server
- password file
- It is also known as /etc/passwd because of where it is kept
- password policy
- A set of rules that governs how passwords are used in a given directory
- PDU
- data unit
- permission
- is granted or denied and the level of access that is granted or denied
- See also access rights
- pointer CoS
- A pointer CoS identifies the template entry using the template DN only
- 151presence index
- Allows searches for entries that contain a specific indexed attribute
- protocol
- A set of rules that describes how devices on a network exchange information
- protocol data unit
- See PDU
- PDU
- proxy
- with its own DN but with a proxy DN
- proxy DN
- PTA
- pass-throughauthentication
- PTA directory
- server
- through) bind requests it receives to the authenticating directory server
- PTA LDAP URL
- pass-throughsubtree(s), and optional parameters
- RAM
- stored in RAM is lost when the computer is shut down
- RDN
- to form the full distinguished name. Also relative distinguished name
- read-onlyreplica
- of read-onlyreplicas
- read-writereplica
- can hold any number of read-writereplicas
- referential
- integrity
- referral
- called a referral
- relative
- See RDN
- RDN
- replica
- A database that participates in replication
- replica-initiated
- agreement
- connection is secured
- RFC
- standards
- role
- role-based
- attributes
- CoS template
- root
- privileges to all files on the machine
- root suffix
- 152SASL
- Simple
- Authentication and Security Layer
- schema
- access the directory may be unable to display the proper results
- schema checking
- not conform to the schema
- Secure Sockets
- See SSL
- SSL
- Layer
- self access
- targeted entry
- Server Console
- Server from a GUI
- server daemon
- Server Selector
- Interface that allows you select and configure servers using a browser
- server service
- the SMB server on Windows NT
- service
- Service processes do not need human intervention to continue functioning
- SIE
- Simple
- See SASL
- Authentication
- and Security
- Simple Network
- See SNMP
- Management
- single-master
- supplier server maintains a changelog
- SIR
- See supplier-initiatedreplication
- slapd
- except replication
- See also ns-slapd
- ns-slapd
- SNMP
- about network activity. Also Simple Network Management Protocol
- SNMP master
- Software that exchanges information between the various subagents and the NMS
- agent
- SNMP subagent
- master agent. Also called a subagent
- SSL
- Secure Sockets Layer
- standard index
- index maintained by default
- sub suffix
- A branch underneath a root suffix
- subagent
- See SNMP subagent
- substring index
- to a minimum of two characters for each entry
- suffix
- 153superuser
- privileges to all files on the machine. Also called root
- supplier
- servers
- supplier server
- called a supplier for that replica
- supplier-initiated
- symmetric
- encryption
- a symmetric encryption algorithm
- system index
- target
- particular ACI applies
- target entry
- The entries within the scope of a CoS
- TCP/IP
- and for enterprise (company) networks
- template entry
- See CoS template entry
- time/date format
- Indicates the customary formatting for times and dates in a specific region
- TLS
- Security
- topology
- one another
- Transport Layer
- See TLS
- TLS
- Security
- uid
- A unique number associated with each user on a Unix system
- URL
- documents. It is often called a location. The format of a URL is
- protocol://machine:port/document. The port number is necessary only on selected
- virtual list view
- See also browsing index
- X.500 standard
- and attributes used by directory server implementation
155Index

18 pages259.79 Kb

72 pages846.95 Kb

31 Preparing for a Directory Server installation
2 System requirements
3 Setting up HP-UXDirectory Server
3 Setting up
HP-UX
45 General usage information
6 Migrating or upgrading to HP-UXDirectory Server from Netscape or Red Hat
Migrating from Netscape Directory Server 6.x, or from Red Hat Directory Server
Upgrading from Red Hat Directory Server
6.2.2 Performing the upgrade to HP-UXDirectory Server
7 Support and other resources
Glossary
5Index
7Directory Server administrator guide
Directory Server 8.1 is comprised of several components, which work in tandem:
•Directory Server
•Directory Server Console
•Administration Server
1.2.1 Port numbers
8NOTE:
netstat
setup-ds-admin.pl
init
setuid
(2)
“Directory Server user and group” (page 8)
1.2.2 Directory Server user and group
Even though port numbers less than
are restricted, the LDAP server can listen to port
(and any port number less than
), as long as the server is started by the
root
user or by
init
, then immediately drops privileges to the
non-root
server UID. For more detailed technical information, see the
setuid
(2)
manpage
For more information on port numbers, see “Port numbers” (page 7)
1.2.3 Directory manager
91.2.4 Directory administrator
ldapadd
Password policies do apply to the administrator, but you can set a
1.2.5 Administration Server user
1.2.6 Directory suffix
dc=example,dc=com
10setup file (see
1.2.7 Configuration directory
o=NetscapeRoot
o=NetscapeRoot
•Always back up the configuration directory after setting up a new instance
Do not modify the configuration directory tree; only the
setup
1.2.8Administration domain
When setting up the administration domain, consider the following:
11•DNS must be properly configured on the target system
•The host server must have a static IP address
Table 2-1detailsthe hardware requirements for HP-UXDirectory Server:
Table 2-1Hardware requirements
12Table 2-1Hardware requirements (continued)
Directory Server runs on a 64-bit HP-UX11i environment as a 64-bitprocess
“HP-UX
system configuration” (page 13)
•http://www.software.hp.com/SUPPORT_PLUS/qpk.html
•http://welcome.hp.com/country/us/eng/support.htm
The following list describes patch and OS patch recommendations:
•HP-UX11i
PHCO_37940
13http://itrc.hp.com/service/home/home.do
Select patch database under maintenance and support (hp products)
Select
under
•“Perl prerequisites”
•“Kernel parameters” (page 13)
•“TIME_WAIT setting” (page 14)
•“Large file support” (page 14)
2.4.1Perl prerequisites
/opt/ perl_64/bin/perl
2.4.2 Kernel parameters
sysdef
142.4.3 TIME_WAIT setting
TIME_WAIT
#ndd -set /dev/tcptcp_time_wait_interval
This limits the socket TIME_WAIT state to 60 seconds
2.4.4 Large file support
/var/opt/dirsrv
fsadm
/var/opt/ dirsrv
/var
#fsadm -Fvxfs -olargefiles /var
15Installing and configuring HP-UXDirectory Server on HP-UXhas four major steps:
Ensure that you have the required version of
2.Install the required version of the Java® Runtime Environment (JRE)
4.Install the Directory Server package
CAUTION:
Chapter 6 (page 47)
Chapter 2 (page 11)
The HP-UX Apache-basedWeb Server is available for download at:
http://www.hp.com/go/softwaredepot
HP-UX
Apache-based
Web Server
swinstall
16To download and install JRE for Java 2 platform
1.Go to the following web site: http://www.hp.com/go/java
•Itanium® JRE 5.0.11 - Nov
•PA-RISCJRE 5.0.11 - Nov
2.Complete the form and choose Download
3.Install the depot on your machine
Install the Directory Server package from the following location:
3.6.1 Setup overview
/opt/dirsrv/sbin/setup-ds-admin.pl
•Express
•Typical
•Custom
17Responding to prompts and navigating between screen prompts
18Specifying parameter values or a setup file at the command line
19Setup script command line options
20Table 3-1 setup-ds-adminoptions (continued)
3.6.3 Interactive setup modes
only, not for production deployments. Also, express setups can fail if default
The default and most common setup mode. This prompts you to supply more
The most detailed setup mode. This provides more control over Administration
setup, so that entries are already populated in the databases when the setup is
complete
TIP:
“Setup file directives” (page 31)
21Table 3-2Comparison of setup types
22Table 3-2Comparison of setup types (continued)
3.6.4Performing express setup
Chapter 6 “Migrating or upgrading to
Directory Server from Netscape or Red Hat Directory Server”
/etc/resolv.conf
/etc/hosts
ldap.example.com
1.Launch the setup-ds-admin.pl script using the following command
Run the setup-ds-admin.pl script as root
Run the
script as
# /opt/dirsrv/sbin/setup-ds-admin.pl
2.When asked to choose the setup type, enter 1 to perform an express setup
23yes
ldap://ldap.example.com:389/o=NetscapeRoot
To use TLS/SSL, set the protocol as ldaps:// instead of ldap:
The Configuration Directory Server administrator's user DN; by default, this is
•The administrator user's password
•The Configuration Directory Server Admin domain, such as example.com
Set the administrator user name. The default is admin
5.Set the administrator password and confirm it
Set the Directory Manager user name (DN). The default is
7.Set the Directory Manager password and confirm it
The last prompt asks if you are ready to set up your servers. Answer
dc=example, dc=com
24Get the Administration Server port number from the
Listen
console.conf
2.Using the Administration Server port number, launch the Console
hpds-idm-console
3.6.5 Performing typical setup
The typical setup has the following steps:
1.Launch the setup-ds-admin.pl script:
When asked to choose the setup type, accept the default (option
/etc/resolv.conf
/etc/ hosts
/etc/ resolv.conf
www:other
257.Set the administrator password and confirm it
Set the administration domain. This defaults to the host's domain. For example:
Administration Domain [example.com]:
Enter the Directory Server port number. The default is
Directory server network port [30860]:
10.Enter the Directory Server identifier; this defaults to the host name
Directory server identifier [example]:
Enter the directory suffix. This defaults to
dc
domain name
Suffix [dc=example, dc=com]:
2613.Set the Directory Manager password and confirm it
Enter the Administration Server port number. The default is
Administration port [9830]:
3.6.6 Performing custom setup
27The custom setup has the following steps:
2.When asked to choose the setup type, enter 3 to perform a custom setup
/etc/ hosts
/etc/ resolv.conf
28SchemaFile
.inf
The default option is none, which does not import any data
29Set the user that the Administration Server process will run as. The default is
Run Administration Server as [www]:
3.6.7 Performing silent setup
setup.inf
1.Install the Directory Server package
2.Create the setup file. It must specify the following directives:
303.6.7.1 Setup file structure
313.6.7.2 Setup file directives
32Table 3-3[General] directives (continued)
Table 3-4 describes the directives for the [slapd] section of the .setup file
Table 3-4[slapd] directives
33Table 3-4[slapd] directives (continued)
Table 3-5 describes the directives for the [admin] section of the .setup file
Table 3-5[admin] directives
343.6.7.3 Sample setup files
35Example 3-2Example of setup file for a typical setup
ConfigDirectoryLdapURL= ldap://dir.example.com:25389/o=NetscapeRoot
3.6.8 Sending parameters in the command line
•General (host server)
•slapd (LDAP server)
•admin (Administration Server)
section.parameter=value
36ConfigDirectoryLdapURL
ServerIdentifier
#/opt/dirsrv/sbin/setup-ds-admin.pl -s
The ConfigFile parameter is set in the [slapd] section of the setup file
replica.ldif
For more information on LDIF, see the
374.1.1 Configuring IP authorization on the Administration Server
Edit
IP Addresses
38This allows all IP addresses to access the Administration Server
6.Restart the Administration Server
4.1.2Configuring proxy servers for the Administration Server
394.2.1 Creating a new Directory Server instance interactively
Chapter 3 “Setting up
Directory Server ”
itsasecret
4.2.2Creating a new Directory Server instance silently
To run a silent setup of a Directory Server instance, do the following:
1.Create the setup file. It must specify the following directives:
FullMachineName= dir.example.com SuiteSpotUserID= www SuiteSpotGroup= other
[Admin]
2.Run the setup-ds-admin.pl script with the -s and -f options
In this command example, the
option runs the script in silent mode, and the
option specifies the setup file
40/opt/dirsrv/sbin/setup-ds.pl
setup-ds-admin
setup-ds
register-ds-admin
#/opt/dirsrv/sbin/register-ds-admin.pl
register-ds-admin
4.4.1 Removing a single Directory Server instance
#/opt/dirsrv/sbin/ds_removal -s server_id -w admin_password
ds_removal
key
cert
instance-name
.removed
414.4.2 Uninstalling the HP-UXDirectory Server
To uninstall HP-UXDirectory Server entirely, perform the following steps:
and actual Directory Server instances (for
o=netscapeRoot
cd /opt/dirsrv/ ADMINPASS="admin-password
#Specify the instance names here. Important, if one of these
#servers holds the o=netscapeRoot suffix, make sure it is the
#last one on the list, and that no other servers
on other hosts are managed by this configuration directory. instanceNames
instance1 instance2 instance3
for instanceName in $instanceNames do
done
2.Stop the Administration Server
#/opt/dirsrv/sbin/stop-ds-admin
3.Use swremove to uninstall the product bundle:
#/usr/sbin/swremove HPDirSvr
Use the following script to clean up any remaining
for path in /opt/dirsrv /var/opt/dirsrv /etc/opt/dirsrv do
find $path -typef | xargs ll -ddone
#WARNING: Validate no unexpected files exist before
#running the rm command below
cd
rm -rf /opt/dirsrv /var/opt/dirsrv /etc/opt/dirsrv
43Table 5-1File and directory locations
•/opt/dirsrv/bin/ldapsearch
•/opt/dirsrv/bin/ldapmodify
•/opt/dirsrv/bin/ldapdelete
44To launch the Directory Server Console, use the hpds-idm-console script :
#/opt/dirsrv/bin/hpds-idm-console
http://hostname:9830
If the Administration Server is using TLS/SSL, the URL begins with https://)
“Getting the Administration Server port number” (page 44)
#grep \^Listen /etc/opt/dirsrv/admin-serv/console.conf Listen 0.0.0.0:port
The command displays the port
port
) after the colon in the Administration Server URL. .If the
command reveals that the port is
, the Administration Server URL would be
5.5.1 Starting and stopping the Directory Server
•/opt/dirsrv/slapd-instance/start-slapd
•/opt/dirsrv/slapd-instance/restart-slapd
•/opt/dirsrv/slapd-instance/stop-slapd
start-slapd
stop-slapd
restart-slapd
5.5.2 Starting and stopping the Administration Server
Use the following scripts to start, stop, or restart the Administration Server:
•/opt/dirsrv/sbin/start-ds-admin
•/opt/dirsrv/sbin/stop-ds-admin
•/opt/dirsrv/sbin/restart-ds-admin
ldapmodify
451.Stop the Directory Server
#/opt/dirsrv/slapd-instance/stop-slapd
Generate a new, hashed password using
pwdhash
/opt/dirsrv/bin
/opt/dirsrv/bin/pwdhash newpassword
{SSHA}nbR/ZeVTwZLw6aJH6oE4obbDbL0OaeleUoT21w
In the configuration directory, open the
dse.ldif
#cd /etc/opt/dirsrv/slapd-instance
#vi dse.ldif
4.Locate the nsslapd-rootpw parameter
nsslapd-rootpw: {SSHA}x03lZLMyOPaGH5VB8fcys1IV+TVNbBIOwZEYoQ
Delete the old password, and enter in the new hashed password, for example:
5.Save the change
6.Start the Directory Server. For example:
#/opt/dirsrv/slapd-instance/start-slapd
5.7.1 Problem: Clients cannot locate the server
Solution
www.domain.com
5.7.2 Problem: The port is in use
Solution
5.7.3 Problem: Forgotten directory manager DN and password
Solution
By default, the Directory Manager DN is
. If you forget the Directory Manager DN, you can determine it by checking the
attribute in the
file, in
the
instance_name
directory
476.1.1.1 Configuring the Directory Server Console
481.Shut down the Administration Server and Directory Server
Change the
adm.conf
ldapurl: ldap://server2.example.com:389/o=NetscapeRoot
serverRoot
serverID
Turn off the
nsslapd-pluginEnabled
serverRoot/slapd-serverID/config/dse.ldif
dn: cn=Pass Through Authentication,cn=plugins,cn=config
nsslapd-pluginEnabled: off
5.Restart the Directory Server and Administration Server
6.1.2Migration script
/opt/dirsrv/sbin/migrate-ds-admin.pl
Table 6-1 migrate-ds-adminOptions and Argument
49Table 6-1 migrate-ds-adminOptions and Argument (continued)
oldsroot
General.ConfigDirectoryAdminPwd
The following is an example using the required option and argument:
#/opt/dirsrv/sbin/migrate-ds-admin.pl
--oldsroot /var/opt/netscape/server7General.\ ConfigDirectoryAdminPwd=password
migrate-ds-admin.pl
--file
.inf
The .inf file would have the following two lines:
[General] ConfigDirectoryAdminPwd=password
--oldsroot
inf
6.1.3 Migration scenarios
506.1.3.1Migrating a server or single instance
6.1.3.2Migrating replicated servers
516.1.3.3Migrating a Directory Server from one machine to another
526.1.3.4Migrating a Directory Server from one platform to another
53.ldif
Run the migration script as
--actualsroot option
option
/etc/opt/ dirsrv
#/opt/dirsrv/slapd-instance_name/stop-slapd
#cd /etc/opt/dirsrv
#tar cvf /home/files/rhds80cfg.tar
db2bak
54/etc/opt/dirsrv
bak2db
#/opt/dirsrv/slapd-instance_name/stop-slapd
#cd /etc/opt/dirsrv
#tar xvf /home/files/rhds80cfg.tar
#/opt/dirsrv/slapd-instance_name/bak2db \ /home/files/bak/slapd-instance_name
/home/files/bak/slapd
6.2.2Performing the upgrade to HP-UXDirectory Server
To perform the upgrade to HP-UXDirectory Server 8.1, perform these steps:
2.Use swinstall to install the HP-UXDirectory Server 8.1 depot
557.1.1 Information to collect before contacting HP
7.1.2How to contact HP technical support
7.1.3HP authorized resellers
7.1.4Documentation feedback
docsfeedback@hp.com
7.2.1HP-UXDirectory Server documentation set
56•HP-UXDirectory Server administration server guide
•HP-UXDirectory Server configuration, command, and file reference
•HP-UXDirectory Server console guide
•HP-UXDirectory Server deployment guide
•HP-UXDirectory Server installation guide
•HP-UXDirectory Server plug-inreference
•HP-UXDirectory Server schema reference
•HP-UXDirectory Server web applications guide
http://docs.hp.com/en/internet.html
7.2.2 HP-UXdocumentation set
•HP-UX11i v3 Operating Environments: http://docs.hp.com/en/oshpux11iv3.html
•HP-UX11i v2 Operating Environments: http://docs.hp.com/en/oshpux11iv2.html
577.2.3Troubleshooting resources
http://itrc.hp.com
Areas of peer problem solving
http://forums.itrc.hp.com
•“Troubleshooting” (page 45)
This document uses the following typographical conventions:
Book title
The title of a book. On the web, this can be a hyperlink to the
book itself
Command
A command name or command phrase, for example ls -a
Computer output
Information displayed by the computer
Ctrl+x or Ctrl-x
key labeled Ctrl while you press the letter
ENVIRONMENT VARIABLE
The name of an environment variable, for example, PATH
Key
same key
Term
not in a glossary
User input
Indicates commands and text that you type exactly as shown
Replaceable
content
The character that separates items in a linear list of choices
times
WARNING
understood or followed, results in personal injury
CAUTION
damage to hardware or software
IMPORTANT
An alert that calls attention to essential information
NOTE
TIP
An alert that provides helpful information
59access control
See ACI
ACI
instruction
access control list
See ACL
ACL
access rights
account
inactivation
attempts are automatically rejected
ACI
An instruction that grants or denies permissions to entries in the directory
See also access control instruction
ACL
The mechanism for controlling access to your directory
See also access control list
All IDs Threshold
A size limit which is globally
this limit, the server replaces that ID list with an All IDs token
See also ID list scan limit
All IDs token
request
anonymous
access
and regardless of the conditions of the bind
approximate
Allows for efficient approximate or "sounds-like"searches
index
attribute
value
attribute list
authenticating
directory server
host sends PTA requests it receives from clients to the host
authentication
client
certificate
the other party
base
See base DN
distinguished
base DN
and all entries below it in the directory tree
60bind
See bind DN
bind DN
bind rule
branch entry
An entry that represents the top of a subtree in the directory
browser
browsing index
See also virtual list view index
See Certificate Authority
cascading
replication
and in turn supplies those updates to the consumer
Certificate
Authority
CGI
output parsing that is not done by the server itself
chaining
and then returned to the client
changelog
other masters, in the case of multi-masterreplication
character type
upper-caseto lower-caseletters
ciphertext
information
class definition
how the object works in relation to other objects in the directory
class of service
See CoS
CoS
classic CoS
entry's attributes
client
See LDAP client
code page
collation order
or how to compare letters with accents to letters without accents
consumer
consumer server
is called a consumer for that replica
CoS
61CoS definition
entry
affects
CoS template
Contains a list of the shared attribute values
See also template entry
daemon
Daemon processes do not need human intervention to continue functioning
DAP
directory
data master
The server that is the master source of a particular piece of data
database link
storage. Instead, it points to data stored remotely
default index
definition entry
See CoS definition entry
Directory Access
See DAP
DAP
Protocol
Directory
Manager
does not apply to the Directory Manager
directory service
people and resources within an organization
directory tree
known as DIT
String representation of an entry's name and location in an LDAP directory
DIT
See directory tree
See Directory Manager
See distinguished name
DNS
on their systems
DNS alias
www
yourdomain
domain
called realthing.yourdomain.domain where the server currently exists
A group of lines in the LDIF file that contains information about an object
entry distribution
large numbers of entries
entry ID list
the client application's search request
equality index
file extension
index.html
html
62file type
extension (for example, .GIF or .HTML)
filter
filtered role
role
general access
GSS-API
host name
machine
domain
dom
com domain
HTML
pages
HTTP
and clients
HTTPD
HTTP protocol. The daemon or service is often called an httpd
HTTPS
A secure version of HTTP, implemented using the Secure Sockets Layer, SSL
hub
and, in turn, replicates it to a third server
See also cascading replication
ID list scan limit
index key
lists
indirect CoS
international
Speeds up searches for information in international directories
International
See ISO
ISO
Standards
Organization
IP address
Also Internet Protocol address
location of a machine on the Internet (for example, 192.0.2.10)
ISO
International Standards Organization
knowledge
Pointers to directory information stored in different databases
reference
63LDAP
and across multiple platforms
LDAP client
Software used to request and view LDAP entries from an LDAP Directory Server
See also browser
browser
LDAP Data
See LDAP Data Interchange Format
Interchange
Format
LDAP URL
via LDAP. A sample LDAP URL is ldap://ldap.example.com
LDAPv3
LDBM database
data assigned to it. The primary data store in Directory Server
LDIF
leaf entry
directory tree
Lightweight
See LDAP
locale
which code page should be used to represent a given language
managed object
managed role
Allows creation of an explicit enumerated list of members
management
See MIB
MIB
information base
mapping tree
master
See supplier
master agent
See SNMP master agent
matching rule
MD5
produce; a piece of data that will produce the same message digest
MD5 signature
A message digest produced by the MD5 algorithm
MIB
areas
MIB namespace
referenced. Also called the directory tree
monetary format
its value, and how monetary units are represented
multi-master
64determine which server holds the most recent version
multiplexor
n + 1 directory
problem
resulting in increased hardware and personnel costs
name collisions
Multiple entries with the same distinguished name
nested role
Allows the creation of roles that contain other roles
network
application
were received
See NMS
NMS
station
NIS
parameters throughout a network of computers
NMS
network management station
ns-slapd
Server
See also slapd
slapd
object class
object identifier
IETF or similar organizations
See also OID
OID
OID
See object identifier
operational
requested
parent access
if the bind DN is the parent of the targeted entry
pass-through
See PTA
PTA
PTA directory server
subtree
authenticating directory server
password file
It is also known as /etc/passwd because of where it is kept
password policy
A set of rules that governs how passwords are used in a given directory
PDU
data unit
permission
is granted or denied and the level of access that is granted or denied
See also access rights
pointer CoS
A pointer CoS identifies the template entry using the template DN only
65presence index
Allows searches for entries that contain a specific indexed attribute
protocol
A set of rules that describes how devices on a network exchange information
protocol data unit
See PDU
PDU
proxy
with its own DN but with a proxy DN
proxy DN
PTA
pass-throughauthentication
PTA directory
server
through) bind requests it receives to the authenticating directory server
PTA LDAP URL
pass-throughsubtree(s), and optional parameters
RAM
stored in RAM is lost when the computer is shut down
RDN
to form the full distinguished name. Also relative distinguished name
read-onlyreplica
of read-onlyreplicas
read-writereplica
can hold any number of read-writereplicas
referential
integrity
referral
called a referral
relative
See RDN
RDN
replica
A database that participates in replication
replica-initiated
agreement
connection is secured
RFC
standards
role
members
role-based
attributes
CoS template
root
privileges to all files on the machine
root suffix
66SASL
Simple
Authentication and Security Layer
schema
access the directory may be unable to display the proper results
schema checking
not conform to the schema
Secure Sockets
See SSL
SSL
Layer
self access
targeted entry
Server Console
Server from a GUI
server daemon
Server Selector
Interface that allows you select and configure servers using a browser
server service
the SMB server on Windows NT
service
Service processes do not need human intervention to continue functioning
SIE
Simple
See SASL
Authentication
and Security
Simple Network
See SNMP
Management
single-master
supplier server maintains a changelog
SIR
See supplier-initiatedreplication
slapd
except replication
See also ns-slapd
ns-slapd
SNMP
about network activity. Also Simple Network Management Protocol
SNMP master
Software that exchanges information between the various subagents and the NMS
agent
SNMP subagent
master agent. Also called a subagent
SSL
Secure Sockets Layer
standard index
index maintained by default
sub suffix
A branch underneath a root suffix
subagent
See SNMP subagent
substring index
to a minimum of two characters for each entry
suffix
67superuser
privileges to all files on the machine. Also called root
supplier
servers
supplier server
called a supplier for that replica
supplier-initiated
symmetric
encryption
a symmetric encryption algorithm
system index
target
particular ACI applies
target entry
The entries within the scope of a CoS
TCP/IP
and for enterprise (company) networks
template entry
See CoS template entry
time/date format
Indicates the customary formatting for times and dates in a specific region
TLS
Security
topology
one another
Transport Layer
See TLS
TLS
Security
uid
A unique number associated with each user on a Unix system
URL
protocol
machine
port
document
freeing the user of having to place it in the URL
virtual list view
See also browsing index
X.500 standard
and attributes used by directory server implementation
69Symbols

96 pages2.34 Mb

1HP-UXDirectory Server Version
3Table of Contents
- 4Glossary
- Index
51 Overview of the console
- configuration directory
- user directory
- 71.2 Console menus
- 81.3.1The Servers and Applications tab
- 91.3.2 The Users and Groups tab
- 101.4.1 The Directory Server Console
- 111.4.2 The Administration Server console
132 Basic Console tasks
- 142.2 Opening a directory or Administration Server window
  - 1.Open the Console
  - Servers and Applications
  - 3.In the navigation tree, click a server to select it
  - 4.In the right-handpanel, click Open
  - Alternatively, double-clickthe server icon in the navigation tree
- 2.3 Changing the Console appearance
  - Chapter 5 “Setting access controls”
  - •“Changing profile locations”
  - •“Restoring default font settings”
  - •“Changing console fonts”
- 152.3.1Changing profile locations
- 162.3.2Restoring default font settings
- 172.3.3 Changing console fonts
  - 18Font
  - Preference
- 192.3.4 Reordering table columns
- 222.3.5 Customizing the main window
- 232.3.6 Working with custom views
  - 2.3.6.1 Creating custom views
  - 24Edit View
  - Default View
  - Copy
  - 252.3.6.2 Switching to a custom view
  - 2.3.6.3Setting access permissions for a public view
293 Managing server instances
- 303.2.1 Creating and editing an admin domain
- 313.2.2 Removing an admin domain
- 323.3 Creating a new Directory Server instance
  - Object
  - Create Instance Of
- 333.4Deleting a Directory Server instance
  - Remove Server
354 Managing Directory Server users and groups
- 36User
- Change Directory
- 374.2.1 Directory and administrative users
  - 38Create > User
  - 39Create User
  - Common Name
  - User ID
  - First Name
  - Last Name
  - Optionally, click the
  - Languages
- 404.2.2Groups
  - 41Group
  - Create > Group
  - 42Members
  - Static
  - Dynamic
  - Certificate
- 434.2.3 Organizational units
  - 44Organizational Unit
  - Alias
- 454.3.1Editing entries
- 464.3.2Allowing sync attributes for entries
- 474.3.3Changing administrator entries
- 524.3.4Removing an entry from the directory
535 Setting access controls
- 555.2 Setting access permissions on console elements
  - Permissions
  - 56ACI Manager
  - 57ACI Name
  - Users/Groups tab
  - 58Rights
  - 59Check None
  - Edit Manually
  - 60Check syntax
616 Using SSL/TLS with the Console
- •A list of acceptable compression methods
- •A randomly-generatednumber
- 2.The server responds to the client:
- •A randomly-generatednumber of its own
- •The validity period (the expiration date of the server certificate)
- •Verifying the digital signature of the issuing CA for the server certificate
- Using the key material sent by the client, the
- 626.2 Installing certificates
  - Obtaining and installing certificates consists of the following steps:
  - 1.Generate a certificate request
  - 2.Send the certificate request to a certificate authority
  - 3.Install the server certificate
  - 4.Set the Directory Server to trust the certificate authority
- 636.2.1Generating a certificate request
  - 64•Organization
  - •Organizational Unit (optional)
  - locality
  - •State/Province
  - •Country/region
  - Request Submission
  - Copy to Clipboard
  - Save to File
- 656.2.2Installing the certificate
  - 66Server Certs
  - Install
  - •In this local file
  - •In the following encoded text block
- 676.2.3 Trusting a certificate authority or adding a certificate chain
  - 68CA Certs
  - 69Next
  - •Accepting connections from clients (Client Authentication)
  - •Making connections to other servers (Server Authentication)
  - Done
  - CA Certificates
  - Server Certificates
- 716.3 Enabling TLS/SSL
  - 72Encryption
  - Enable SSL
  - 6.Check the Use this Cipher Family checkbox
  - Cipher Settings
  - 73•Do not allow client authentication
  - •Allow client authentication
  - •Require client authentication
  - 74To verify the authenticity of requests, select the
  - Check hostname against name in certificate for outbound SSL connections
  - 11.Check the Use SSL in the Console box
  - box
  - 12.Click Save
  - Configuration
  - Encryption
  - Enable SSL
  - 75User DS
  - Set User Directory
  - Secure Connection
  - Configuration DS
- 766.4.1 Creating a password file for the Directory Server
- 776.4.2 Creating a password file for the Administration Server
797 Support and other resources
- 7.1.1 Information to collect before contacting HP
- 7.1.2How to contact HP technical support
- 7.1.3HP authorized resellers
- 7.1.4Documentation feedback
- 7.2.1HP-UXDirectory Server documentation set
- 807.2.2 HP-UXdocumentation set
- 817.2.3Troubleshooting resources
83Glossary
- 84bind
- See bind DN
- bind DN
- bind rule
- branch entry
- An entry that represents the top of a subtree in the directory
- browser
- browsing index
- See also virtual list view index
- See Certificate Authority
- cascading
- replication
- and in turn supplies those updates to the consumer
- Certificate
- Authority
- CGI
- output parsing that is not done by the server itself
- chaining
- then returned to the client
- changelog
- other masters, in the case of multi-masterreplication
- character type
- upper-caseto lower-caseletters
- ciphertext
- information
- class definition
- how the object works in relation to other objects in the directory
- class of service
- See CoS
- CoS
- classic CoS
- entry's attributes
- client
- See LDAP client
- code page
- collation order
- or how to compare letters with accents to letters without accents
- consumer
- consumer server
- is called a consumer for that replica
- CoS
- 85CoS definition
- entry
- affects
- CoS template
- Contains a list of the shared attribute values
- See also template entry
- daemon
- Daemon processes do not need human intervention to continue functioning
- DAP
- directory
- data master
- The server that is the master source of a particular piece of data
- database link
- storage. Instead, it points to data stored remotely
- default index
- definition entry
- See CoS definition entry
- Directory Access
- See DAP
- DAP
- Protocol
- Directory
- Manager
- does not apply to the Directory Manager
- directory service
- people and resources within an organization
- directory tree
- known as DIT
- String representation of an entry's name and location in an LDAP directory
- DIT
- See directory tree
- See Directory Manager
- See distinguished name
- DNS
- www.example.com
- maintained on their systems
- DNS alias
- called realthing.yourdomain.domain where the server currently exists
- A group of lines in the LDIF file that contains information about an object
- entry distribution
- large numbers of entries
- entry ID list
- the client application's search request
- equality index
- file extension
- index.html
- html
- 86file type
- extension (for example, .GIF or .HTML)
- filter
- filtered role
- role
- general access
- GSS-API
- host name
- www
- example
- com
- domain
- HTML
- pages
- HTTP
- and clients
- HTTPD
- HTTP protocol. The daemon or service is often called an httpd
- HTTPS
- A secure version of HTTP, implemented using the Secure Sockets Layer, SSL
- hub
- and, in turn, replicates it to a third server
- See also cascading replication
- ID list scan limit
- index key
- lists
- indirect CoS
- international
- Speeds up searches for information in international directories
- International
- See ISO
- ISO
- Standards
- Organization
- IP address
- location of a machine on the Internet (for example, 198.93.93.10)
- ISO
- International Standards Organization
- knowledge
- Pointers to directory information stored in different databases
- reference
- 87LDAP
- and across multiple platforms
- LDAP client
- Software used to request and view LDAP entries from an LDAP Directory Server
- See also browser
- browser
- LDAP Data
- See LDAP Data Interchange Format
- Interchange
- Format
- LDAP URL
- LDAP. A sample LDAP URL is ldap://ldap.example.com
- LDAPv3
- LDBM database
- data assigned to it. The primary data store in Directory Server
- LDIF
- leaf entry
- directory tree
- Lightweight
- See LDAP
- locale
- which code page should be used to represent a given language
- managed object
- managed role
- Allows creation of an explicit enumerated list of members
- management
- See MIB
- MIB
- information base
- mapping tree
- master
- See supplier
- master agent
- See SNMP master agent
- matching rule
- MD5
- produce; a piece of data that will produce the same message digest
- MD5 signature
- A message digest produced by the MD5 algorithm
- MIB
- areas
- MIB namespace
- referenced. Also called the directory tree
- monetary format
- its value, and how monetary units are represented
- multi-master
- 88determine which server holds the most recent version
- multiplexor
- n + 1 directory
- problem
- resulting in increased hardware and personnel costs
- name collisions
- Multiple entries with the same distinguished name
- nested role
- Allows the creation of roles that contain other roles
- network
- application
- were received
- See NMS
- NMS
- station
- NIS
- parameters throughout a network of computers
- NMS
- network management station
- ns-slapd
- Server
- See also slapd
- slapd
- object class
- object identifier
- IETF or similar organizations
- See also OID
- OID
- OID
- See object identifier
- operational
- requested
- parent access
- if the bind DN is the parent of the targeted entry
- pass-through
- See PTA
- PTA
- PTA directory server
- subtree
- authenticating directory server
- password file
- It is also known as /etc/passwd because of where it is kept
- password policy
- A set of rules that governs how passwords are used in a given directory
- PDU
- data unit
- permission
- is granted or denied and the level of access that is granted or denied
- See also access rights
- pointer CoS
- A pointer CoS identifies the template entry using the template DN only
- 89presence index
- Allows searches for entries that contain a specific indexed attribute
- protocol
- A set of rules that describes how devices on a network exchange information
- protocol data unit
- See PDU
- PDU
- proxy
- with its own DN but with a proxy DN
- proxy DN
- PTA
- pass-throughauthentication
- PTA directory
- server
- through) bind requests it receives to the authenticating directory server
- PTA LDAP URL
- pass-throughsubtree(s), and optional parameters
- RAM
- stored in RAM is lost when the computer is shut down
- RDN
- to form the full distinguished name. Also relative distinguished name
- read-onlyreplica
- of read-onlyreplicas
- read-writereplica
- can hold any number of read-writereplicas
- referential
- integrity
- referral
- called a referral
- relative
- See RDN
- RDN
- replica
- A database that participates in replication
- replica-initiated
- agreement
- connection is secured
- RFC
- standards
- role
- role-based
- attributes
- CoS template
- root
- privileges to all files on the machine
- root suffix
- 90SASL
- Simple
- Authentication and Security Layer
- schema
- access the directory may be unable to display the proper results
- schema checking
- not conform to the schema
- Secure Sockets
- See SSL
- SSL
- Layer
- self access
- targeted entry
- Server Console
- Server from a GUI
- server daemon
- Server Selector
- Interface that allows you select and configure servers using a browser
- server service
- the SMB server on Windows NT
- service
- Service processes do not need human intervention to continue functioning
- SIE
- Simple
- See SASL
- Authentication
- and Security
- Simple Network
- See SNMP
- Management
- single-master
- supplier server maintains a changelog
- SIR
- See supplier-initiatedreplication
- slapd
- except replication
- See also ns-slapd
- ns-slapd
- SNMP
- about network activity. Also Simple Network Management Protocol
- SNMP master
- Software that exchanges information between the various subagents and the NMS
- agent
- SNMP subagent
- master agent. Also called a subagent
- SSL
- Secure Sockets Layer
- standard index
- index maintained by default
- sub suffix
- A branch underneath a root suffix
- subagent
- See SNMP subagent
- substring index
- to a minimum of two characters for each entry
- suffix
- 91superuser
- privileges to all files on the machine. Also called root
- supplier
- servers
- supplier server
- called a supplier for that replica
- supplier-initiated
- symmetric
- encryption
- a symmetric encryption algorithm
- system index
- target
- particular ACI applies
- target entry
- The entries within the scope of a CoS
- TCP/IP
- and for enterprise (company) networks
- template entry
- See CoS template entry
- time/date format
- Indicates the customary formatting for times and dates in a specific region
- TLS
- Security
- topology
- one another
- Transport Layer
- See TLS
- TLS
- Security
- uid
- A unique number associated with each user on a Unix system
- URL
- documents. It is often called a location. The format of a URL is
- protocol://machine:port/document. The port number is necessary only on selected
- virtual list view
- See also browsing index
- X.500 standard
- and attributes used by directory server implementation
93Index

Also you can find more HP manuals or manuals for other Computer Equipment.