HP UX Identity Security Software 2.2 Accessing and modifying server configuration, 2.2.1 Access control for configuration entries

objectclass: nsSlapdPlugin

objectclass: extensibleObject

cn: Telephone Syntax

nsslapd-pluginType: syntax

nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing a search with the ldapsearch utility on the cn=config subtree.

For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart for configuration changes, see Chapter 3 “Plug-in implemented server functionality reference”.

2.1.2.3 Configuration of databases

The cn=NetscapeRoot and cn=UserRoot subtrees under the database plug-in entry contain configuration data for the databases containing the o=NetscapeRoot suffix and the default suffix created during setup, such as dc=example,dc=com.

These entries and their children have many attributes used to configure different database settings, like the cache sizes, the paths to the index files and transaction logs, entries and attributes for monitoring and statistics; and database indexes.

2.1.2.4 Configuration of indexes

Configuration information for indexing is stored as entries in the Directory Server under the following information-tree nodes:

•cn=index,cn=backend_instance,cn=ldbm database,cn=plugins,cn=config

•cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

For more information about indexes in general, see the HP-UX Directory Server administrator guide. For information about the index configuration attributes, see “Database attributes under cn=config, cn=ldbm database, cn=plugins, cn=config”.

2.2 Accessing and modifying server configuration

This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.

2.2.1 Access control for configuration entries

When the Directory Server is installed, a default set of access control instructions (ACIs) is implemented for all entries under cn=config. The following code sample is an example of these default ACIs.

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all)

groupdn = "ldap:///cn=Configuration Administrators,u=Groups, ou=TopologyManagement, o=NetscapeRoot";) aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)

userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";) aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all)

groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";) aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all)

groupdn = "ldap:///cn=slapd-phonebook, cn=HP-UX Directory Server,

cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)

These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:

•Members of the Configuration Administrators group.

•The user acting as the administrator, the admin account that was configured at setup. By default, this is the same user account which is logged into the Console.

20 Core server configuration reference