Manuals / HP / Computer Equipment / Software

HP UX Red Hat Direry Server Software Targeting Entries or Attributes Using Ldap Filters, 178

Models: UX Red Hat Direry Server Software

1 638

Download 638 pages 23.73 Kb

Page 198

Chapter 6. Managing Access Control

The order in which you specify the target and the targetattr keywords is not important.

3.2.4. Targeting Entries or Attributes Using LDAP Filters

You can use LDAP filters to target a group of entries that match certain criteria. To do this, you must use the targetfilter keyword with an LDAP filter. The syntax of the targetfilter keyword is as follows:

(targetfilter = "LDAP_filter")

LDAP_filter is a standard LDAP search filter. For more information on the syntax of LDAP search filters, see Appendix B, Finding Directory Entries.

For example, suppose that all entries in the accounting department include the attribute-value pair ou=accounting, and all entries in the engineering department include the attribute-value pair ou=engineering subtree. The following filter targets all the entries in the accounting and engineering branches of the directory tree:

(targetfilter = "((ou=accounting)(ou=engineering))")

This type of filter targets whole entries. You can associate the targetfilter and the targetattr keywords to create ACIs that apply to a subset of attributes in the targeted entries.

The following LDIF example allows members of the Engineering Admins group to modify the departmentNumber and manager attributes of all entries in the Engineering business category. This example uses LDAP filtering to select all entries with businessCategory attributes set to Engineering:

dn: dc=example,dc=com

objectClass: top

objectClass: organization

aci: (targetattr="departmentNumber manager") (targetfilter="(businessCategory=Engineering)") (version 3.0; acl "eng-admins-write"; allow (write) groupdn ="ldap:///cn=Engineering Admins, dc=example,dc=com";)

TIP

Although using LDAP filters can be useful when you are targeting entries and attributes that are spread across the directory, the results are sometimes unpredictable because filters do not directly name the object for which you are managing access. The set of entries targeted by a filtered ACI is likely to change as attributes are added or deleted. Therefore, if you use LDAP filters in ACIs, you

178

Image 198

HP UX Red Hat Direry Server Software manual Targeting Entries or Attributes Using Ldap Filters, 178

Contents

Administrators Guide Red Hat Directory Server Red Hat Directory Server 8.0 Administrators Guide Copyright 2008 Red Hat, IncRed Hat Directory Server General Red Hat Directory Server Usage Creating and Maintaining Database Links Creating and Maintaining SuffixesCreating and Maintaining Databases Creating a New Database LinkPage Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Xvi Directory Server Overview PrefaceDocument Conventions Example and Default ReferencesWhen shown as below, it indicates computer output PrefaceDocument Conventions XixRelated Information Directory Server File Locations ChapterRed Hat Enterprise Linux 4 and 5 General Red Hat Directory Server UsageFile or Directory Location Ldap Tool Locations Sun Solaris 9 sparcHP-UX 11i IA64 BinariesPlatform Directory Location Ldap Tool LocationsStarting and Stopping Servers Opt/dirsrv/binStarting and Stopping Directory Server from the Console Starting and Stopping Directory Server fromStart the Directory Server Console Starting and Stopping Administration Server Solaris uses /etc/init.dConsole On Solaris, the service is init.dStarting the Directory Server Console HP-UX has a different location for the scriptLogging into Directory Server Changing Login IdentityLogin screen Click Log on to the Directory Server as a New UserChanging Directory Server Port Numbers Viewing the Current Console Bind DNViewing the Current Console Bind DN General Red Hat Directory Server Usage Creating a New Directory Server Instance Open the Administration Server ConsoleConfiguration tab, select the Configuration DS tab Creating a New Directory Server InstanceConfiguring the Directory Manager Configuring the Directory Manager Page Managing Entries from the Directory Console Creating a Root EntryCreating Directory Entries Directory Server Console, select the Configuration tabCreating Directory Entries Template Object ClassCreating Other Types of Entries Creating an Entry Using a Predefined TemplateRole NsRoleDefinition Class of Service CosSuperDefinition Entry Templates and Corresponding Object ClassesModifying Directory Entries Displaying the Property EditorAdding an Attribute to an Entry Adding an Object Class to an EntryRemoving an Object Class Modifying Directory EntriesAdding Very Large Attributes Adding Attribute Values Removing an Attribute ValueBinary Subtype Adding an Attribute SubtypeLanguage Subtype Instead, useAdding a Subtype to an Attribute Deleting Directory EntriesPronunciation Subtype Deleting Directory EntriesManaging Entries from the Command-Line Providing Input from the Command-LineEntries, use Ctrl or Shift Select Delete from the Edit menu Creating a Root Entry from the Command-Line See , Ldif Update StatementsCreating a Root Entry from Adding Entries Using Ldif Adding and Modifying Entries Using ldapmodifyImport the Ldif file from the Directory Server Console Adding Entries Using ldapmodify Command-LineParameter Name Description Modifying Entries Using ldapmodify Input from the Command-LineLdapmodify Parameters Used for Adding Entries Ldapmodify Parameters Used for Modifying Entries Deleting Entries Using ldapdeleteDeleting Entries Using ldapdelete Hostname is cyclops Server uses port numberAre branch points in the directory tree This ldapdelete example has the following valuesTracking Modifications to Directory Entries Using Special CharactersUsing Special Characters Ldapdelete Parameters Used for Deleting EntriesLdif Update Statements Select the Track Entry Modification Times checkboxOpen the Tasks tab, and click Restart Directory Server Ldif Update Statements General format of Ldif update statements is as followsAdding an Entry Using Ldif Following sections describe the change types in detailRenaming an Entry Using Ldif Renaming an Entry Using LdifFollowing command renames Sue Jacobs to Susan Jacobs Modifying an Entry Using Ldif AddattributeAdding Attributes to Existing Entries Using Ldif Modifying an Entry Using LdifFollowing example adds two telephone numbers to the entry Changing an Attribute Value Using Ldif Deleting All Values of an Attribute Using Ldif Deleting a Specific Attribute Value Using LdifEntry is now as follows Deleting an Entry Using Ldif Barneys entry then becomesHow Referential Integrity Works Maintaining Referential IntegrityModifying an Entry in an Internationalized Directory Modifying an Entry in an InternationalizedUsing Referential Integrity with Replication Enabling/Disabling Referential Integrity Modifying the Update IntervalYou can enable or disable referential integrity as follows DirectoryModifying the Attribute List TIP Modifying the Attribute ListPage Creating and Maintaining Suffixes A Sample Directory Tree with One Root SuffixConfiguring Directory Databases Creating Suffixes 1, Using Referrals in a SuffixCreating Suffixes A Sample Directory Tree with a Sub Suffix Creating SuffixesCreating a New Root Suffix Using the Console Creating a New Sub Suffix Using the ConsoleCreating Root and Sub Suffixes from the Command-Line Attribute Name Value Maintaining Databases for more information Creating and Maintaining Database Links forAttribute. See , Creating Creating and Maintaining Databases forUsing Referrals in a Suffix Maintaining SuffixesSuffix Attributes Maintaining Suffixes Enabling Referrals Only During Update OperationsDisabling a Suffix To requests from client applications Click SaveCreating and Maintaining Databases Creating DatabasesDeleting a Suffix Creating Databases Configuring Directory Databases Adding Multiple Databases for a Single Suffix For example, add a new database to the server example1Configuring Directory Databases Placing a Database in Read-Only Mode Maintaining Directory DatabasesMaintaining Directory Databases Select the database is read-only checkbox Making a Database Read-Only Using the ConsoleMaking a Database Read-Only from the Command Line Change the read-only attribute to onSelect the Make Entire Server Read-Only checkbox Placing the Entire Directory Server in Read-Only ModeDeleting a Database Click Save, and then restart the serverConfiguring Transaction Logs for Frequent Database Updates Database EncryptionEncryption Keys Database EncryptionConfiguring Database Encryption from the Console Encryption CiphersSelect the Attribute Encryption tab Configuring Database Encryption Using the Command-Line Run the ldapmodify command1Exporting and Importing an Encrypted Database See .3, Importing from the Command-Linefor more information Chaining Component Operations Configuring the Chaining PolicyCreating and Maintaining Database Links Creating and Maintaining Database LinksComponent Name Description Permissions NsActiveChainingComponents Cn=resourceConfiguring the Chaining Policy NsActiveChainingComponents Cn=certificate-basedChaining Component Operations Using the Console Components Allowed to ChainChaining Component Operations from the Command-Line Chaining Ldap ControlsPlug-in Chaining Ldap Controls Using the Console Chaining Ldap Controls from the Command-LineLdap Controls and Their OIDs Creating a New Database Link Using the ConsoleCreating a New Database Link Creating a New Database LinkConfiguring Directory Databases Creating a Database Link from the Command-Line Specify the configuration information for the database linkProviding Suffix Information Providing Bind CredentialsNsMultiplexorBindDN cannot be that of the Directory Manager Providing an Ldap URL File Summary of Database Link Configuration AttributesProviding a List of Failover Servers Attributes Value1, Chaining Component OperationsAttributes Value Run ldapmodify1 to add a database link to server a Create an administrative user on server B, as follows Enable SSL on the server that contains the database link Chaining Using SSLUpdating Remote Server Authentication Information Maintaining Database LinksDatabase Links and Access Control Evaluation Database Links and Access ControlDeleting Database Links Configuring Directory Databases Managing Connections to the Remote Server Advanced Feature Tuning Database Link PerformanceManaging Connections to the Remote Server Using the Console EvaluationAttribute Name Description Detecting Errors During Normal Processing Advanced Feature Tuning Database LinkDatabase Link Connection Management Attributes Database Link Processing Error Detection Parameters Managing Threaded OperationsAdvanced Feature Configuring Cascading Chaining Overview of Cascading ChainingPerformance Configuring Directory Databases Configuring Cascading Chaining Defaults Using the Console Advanced Feature Configuring CascadingConfiguring Cascading Chaining Using the Console Configuring Cascading Chaining from the Command-Line ChainingConfiguring Directory Databases Summary of Cascading Chaining Configuration Attributes Detecting LoopsAttribute Description Cascading Chaining Configuration Example Cascading Chaining Configuration AttributesAci This attribute must contain the following ACI Configuring Server One 101Configuring Server Two 102103 Configuring Directory Databases Configuring Server Three Allow thisUsing Referrals Starting the Server in Referral ModeClient on server two Setting a Default Referral from the Command-Line Setting Default ReferralsSetting a Default Referral Using the Console Setting Default ReferralsCreating Smart Referrals Using the Directory Server Console Creating Smart ReferralsCreating Smart Referrals from the Command Line Creating Smart Referrals109 Creating Suffix Referrals Using the Console Creating Suffix ReferralsCreating Suffix Referrals from the Command-Line Creating Suffix ReferralsConfiguring Directory Databases Importing Data Import Method ComparisonAction Import Initialize Database Importing a Database from the Console Populating Directory DatabasesFollowing sections describe importing data Initializing a Database from the Console Initializing a Database from the ConsoleImporting from the Command-Line Importing Using the ldif2db Command-Line ScriptImporting from the Command-Line Option DescriptionImporting Using the ldif2db.pl Perl Script Ldif2db ParametersRun the ldif2db script Exporting Data Importing Using the ldif2ldap Command-Line ScriptRun the ldif2ldap command-line script Ldif2db OptionsSplitting a Database Contents into Two Databases Exporting Directory Data to Ldif Using the Console Exporting Directory Data to Ldif UsingExporting a Single Database to Ldif Using the Console Exporting to Ldif from the Command-LineDirectory and is automatically named Run the db2ldif command-line scriptLdif file in this case would be With the -noption or 123Backing up All Databases from the Server Console Backing up and Restoring DataBacking up All Databases Db2ldif OptionsBacking up All Databases Backing up All Databases from the Command-LineRun the db2bak command-line script Click Back Up Directory ServerRestore Directory dialog box is displayed 126 Backing up the dse.ldif Configuration FileClick Restore Directory Server Restoring All DatabasesUsing bak2db.pl Perl Script Restoring Your Database from the Command-LineUsing the bak2db Command-Line Script Restoring All DatabasesRestoring a Single Database Run the bak2db.pl Perl scriptRestart the Directory Server Restoring the dse.ldif Configuration File Restoring Databases That Include Replicated EntriesRestoring Databases That Include 130 Using Roles About RolesManaging Entries with Roles, Class of Service, and Views Managing Roles Using the Console Managing Roles Using the ConsoleCreating a Managed Role 134Creating a Filtered Role Follow the steps of .2.1, Creating a Managed Role135 Create a new role, as in .2.1, Creating a Managed Role Creating a Nested RoleViewing and Editing an Entrys Roles 136Modifying a Role Entry Making a Role Inactive137 Reactivating a Role Deleting a RoleObject Classes and Attributes for Roles Managing Roles Using the Command-LineManaging Roles Using the Command-Line Dialog box appears to confirm the deletion. Click YesExamples Managed Role Definition Example Filtered Role Definition 141Using Roles Securely Example Nested Role DefinitionAssigning Class of Service Assigning Class of ServiceAbout CoS About the CoS Definition EntryAbout the CoS Template Entry How a Pointer CoS WorksAbout CoS How an Indirect CoS Works Sample Pointer CoSHow a Classic CoS Works Sample Indirect CoSSearches for CoS-Specified Attributes Sample Classic CoSManaging CoS Using the Console Managing CoS Using the ConsoleCreating a New CoS 150 Creating the CoS Template Entry Property Editor opensEditing an Existing CoS Deleting a CoSManaging CoS from the Command-Line Managing CoS from the Command-LineCreating the CoS Definition Entry from the Command-Line CoS Type Object Classes DescriptionCoS Definition Entry Object Classes CoS Definition Entry AttributesAttribute Definition Managing CoS from the Command-Line Pointer CoS CoS DefinitionsCoS Type CoS definition Indirect CoSCreating the CoS Template Entry from the Command-Line Be added to any other search filter using orExample of a Pointer CoS 158Example of an Indirect CoS Create the template entryExample of a Classic CoS Creating Role-Based Attributes Creating Role-Based AttributesClassic CoS definition entry looks like Using Views Access Control and CoSCreating Views in the Console Creating Views in the ConsoleCreating Views from the Command Line Deleting Views from the Directory Server ConsoleDeleting Views from the Command Line Using GroupsDeleting Views from the Command Line Managing Static GroupsAdding a New Static Group Modifying a Static GroupModifying a Dynamic Group Managing Dynamic GroupsAdding a New Dynamic Group Managing Dynamic Groups168 Access Control Principles ACI StructureACI Evaluation ACI PlacementManaging Access Control ACI LimitationsDefault ACIs Default ACIsCreating ACIs Manually Defining Targets ACI SyntaxDefining Targets Aci attribute uses the following syntaxTargetattr Ldif Target KeywordsKeyword Valid Expressions Wildcard Allowed TargetfilterTargeting a Directory Entry 175Targeting Attributes Targeting Both an Entry and Attributes 177Targeting Entries or Attributes Using Ldap Filters 178Targeting Attribute Values Using Ldap Filters Defining Permissions Targeting a Single Directory EntryDefining Permissions Allowing or Denying AccessAssigning Rights Assigning rightsSelfwrite to the targeted entry, excluding Rights Required for Ldap OperationsUser Rights Proxy rights183 Access Control and the modrdn Operation Bind RulesPermissions Syntax Userdn Bind Rule SyntaxBind Rule Syntax Yes, in DN onlyGroupdn Ldap///DN DN Roledn Userattr Defining User Access userdn KeywordLdif Bind Rule Keywords DnsSelf Access self Keyword Anonymous Access anyone KeywordGeneral Access all Keyword Parent Access parent KeywordWildcards ExamplesScenExamplerio Description Defining Group Access groupdn Keyword Userdn Keyword ExamplesDefining Group Access groupdn Keyword Defining Role Access roledn KeywordGroupdn Examples Defining Access Based on Value Matching Using the userattr KeywordDefining Access Based on Value Matching Example with Userdn Bind Type Example with Groupdn Bind TypeAttrValue is any string representing an attribute value Example with Roledn Bind Type Example with Ldapurl Bind Type193 Using the userattr Keyword with Inheritance Example with Any Attribute ValueUsing Inheritance With the userattr Keyword Granting Add Permission Using the userattr KeywordDefining Access from a Specific IP Address Instead, use a fully qualified name Defining Access from a Specific DomainDefining Access from a Specific Domain Dns keyword allows wildcards. For exampleDefining Access at a Specific Time of Day or Day of Week Defining Access Based on Authentication Method Defining Access Based on AuthenticationAuthmethod = saslmechanism Using Boolean Bind Rules Authentication bind DN and password over LdapsMethod Creating ACIs from the Console Displaying the Access Control Editor Displaying the Access Control EditorClick New to open the Access Control Editor Access Control Editor Window Creating a New ACICreating a New ACI Managing Access Control Creating a New ACI Managing Access Control Editing an ACI Editing an ACIViewing ACIs Deleting an ACIControl Manager Get Effective Rights Control Get Effective Rights Control PermissionsGet effective rights result looks like the following Permissions That Can Be Set on Attributes Using Get Effective Rights from the Command-LinePermissions That Can Be Set on Entries Permission DescriptionUsing Get Effective Rights from 214 Check the Show effective rights checkbox Using Get Effective Rights from the ConsoleGet Effective Rights Return Codes Code DescriptionLogging Access Control Information Access Control Usage ExamplesReturned Result Codes Granting Anonymous Access Granting Anonymous AccessACI Anonymous example.com Click New to display the Access Control EditorClick OK in the Access Control Editor window ACI Anonymous WorldGranting Write Access to Personal Entries Granting Write Access to Personal EntriesFilter for subentries field, type the following filter ACI Write example.com 220ACI Write Subscribers Restricting Access to Key Roles Restricting Access to Key Roles See , Using RolesACI Roles Granting a Group Full Access to a Suffix ACI HRLdif statement should read as follows Granting Rights to Add and Delete Group Entries ACI Create GroupManaging Access Control Granting Conditional Access to a Group or Role ACI Delete GroupEntries ACI HostedCompany1 228Denying Access Denying AccessLdif statement should be similar to the following ACI Billing Info Read ACI Billing Info Deny 231Setting a Target Using Filtering Allowing Users to Add or Remove Themselves from a GroupACI Group Members Allowing Users to Add or RemoveProxied Authorization ACI Example Defining Permissions for DNs That Contain a CommaAdvanced Access Control Using Macro ACIs Macro ACI ExampleThemselves from a Group Example Directory Tree for Macro ACIs 236Macro ACI Syntax Macro ACI SyntaxMacro Matching for $dn Macros in ACI KeywordsMacro ACI Keyword Steps for expanding this ACI are as follows $dn in the subject is replaced with dc=hostedCompany1Macro Matching for $attr.attrName For example, consider the following ACI240 Access Control and Replication Access Control and ReplicationCompatibility with Earlier Releases 242 Managing the Password Policy Configuring the Password PolicyConfiguring a Global Password Policy Using the Console Managing User Accounts and PasswordsConfiguring the Password Policy Configuring a Subtree/User Password Policy Using the Console Check the Enable fine-grained password policy checkboxConfiguring a Global Password Policy Using the Command-Line Attribute Name DefinitionMaking passwords expire helps protect Users password will expire after an intervalGiven by the passwordMaxAge attribute Directory data because the longer a passwordChanging their passwords during a single Discourage users from reusing old passwordsFor example, setting the minimum password Session to cycle through the password historyIt down. This attribute is set to 8 by default Shorter passwords are easier to crackPasswords can be two 2 to 512 characters Attributes, respectively. By default, thisCompatibility with Unix passwords This attribute is set to 3 by defaultDefault method Lowercase letters a to zPassword Policy Attributes CoS specification entry at the subtree level. For example 254 Setting User Passwords Setting User PasswordsPassword Change Extended Operation Start the serverLdappasswd Options Parameter Description256 Configuring the Account Lockout Policy Configuring the Account Lockout Policy Using the ConsoleConfiguring the Account Lockout Policy Attribute Name Definition Managing the Password Policy in a Replicated Environment Managing the Password Policy in aAccount Lockout Policy Attributes Synchronizing Passwords Inactivating Users and Roles Replicated EnvironmentInactivating User and Roles Using the Console Inactivating User and Roles Using the Command-LineOption Name Description Activating User and Roles Using Activating User and Roles Using the ConsoleActivating User and Roles Using the Command-Line DN of the user account or role to activateSetting Resource Limits Based on the Bind DN Setting Resource Limits Using the ConsoleSetting Resource Limits Using the Command-Line Entering a value of -1indicates no limit Click OK266 Replication Overview What Directory Units Are ReplicatedRead-Write and Read-Only Replicas Replication Identity Suppliers and ConsumersChangelog Managing ReplicationReplication Agreement Compatibility with Earlier Versions of Directory ServerReplication Agreement Replication Scenarios Single-Master ReplicationMulti-Master Replication Multi-Master ReplicationMulti-Master Replication Two Masters 272Multi-Master Replication Four Masters Cascading Replication ReplicationCreating the Supplier Bind DN Entry Creating the Supplier Bind DN EntryConfiguring Single-Master Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Write Replica onConfiguring the Read-Only Replica on the Consumer Supplier Server Create the Replication Agreement Create the Replication Agreement Managing Replication Create the Replication Agreement Replication will not begin until the consumer is initialized Configuring Multi-Master Replication Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier ServersConfiguring the Read-Write Replicas on 287Managing Replication Configuring the Read-Only Replicas on the Consumer Servers Supplier ServersManaging Replication Setting up the Replication Agreements Setting up the Replication AgreementsManaging Replication Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Preventing Monopolization of the Consumer 297Configuring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Server Configuring the Read-Only Replica on Configuring the Read-Only Replica on the Hub Consumer Server Managing Replication Setting up the Replication Agreements Managing Replication DN and password Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Configuring Replication from the Command Line Configuring Suppliers from the Command LineConfiguring Replication from the Command 312 Object Class or Attribute Description Values Changelog AttributesLine Changelog, to whichConsumer. This is required for 314Forward update requests. By Configuring Consumers from the Command LineConfiguring Consumers from the Command Replica AttributesConfiguring Hubs from the Command Line Configuring Replication Agreements from the Command Line Qualified host and domain Parameter to SSL. If TLS/SSL 318Nsds5replicatedattributelist Configuring Replication Agreements fromReplication between Servers Nsds5replicabindcredentials Objectclass=* $ Exclude Attributes will not beMidnight and 2359 is PM. For example, the setting Replication Agreement Attributes320 Initializing Consumers Online from the Command Line Command LineMaking a Replica Updatable Deleting the ChangelogMoving the Changelog to a New Location Initializing ConsumersRemoving the Changelog Moving the Changelog to a New LocationWhen to Initialize a Consumer Online Consumer Initialization Using the ConsoleInitializing Consumers Online Using the Command Line Initializing Consumers Online UsingManual Consumer Initialization Using the Command Line Exporting a Replica to LdifFilesystem Replica Initialization Importing the Ldif File to the Consumer ServerInitializing the Consumer Replica from the Backup Files Stop the destination Directory Server if it is running Forcing Replication UpdatesForcing Replication Updates Restart the destination Directory Server. For exampleForcing Replication Updates from the Console Forcing Replication Updates from the Command-LineReplicateNow Variables Replicating Account Lockout AttributesExample 8.1. ReplicateNow Script Example Replicating Account Lockout AttributesReplication over SSL Select SSL Client Authentication Select Simple AuthenticationReplicating o=NetscapeRoot for Directory Server Installation Guide Administration Server Failover Replication with Earlier ReleasesSee , Enabling and Disabling Plug-ins Using the Retro Changelog Plug-in Enabling the Retro Changelog Plug-in Enabling the Retro Changelog Plug-inAttributes of a Retro Changelog Entry Retro Changelog EntryTrimming the Retro Changelog Monitoring Replication Status Retro Changelog and the Access Control PolicyRetro Changelog and the Access Control Searching and Modifying the Retro ChangelogMonitoring Replication Status from Administration Express Directory Server Console Replication StatusTable Header Description Policy Table header shows the replica ID 341Solving Common Replication Conflicts Solving Naming Conflicts Renaming an Entry with a Multi-Valued Naming AttributeSolving Naming Conflicts Unique identifier attribute nsuniqueid cannot be deleted 344Renaming an Entry with a Single-Valued Naming Attribute Solving Potential Interoperability Problems Solving Orphan Entry ConflictsTroubleshooting Replication-Related Problems Troubleshooting Replication-RelatedError/Symptom Reason Impact Remedy Problems Replayed to all But some consumers Follows Are way behind SupplierIf it has been Direct consumersMonitoring Replication ErrorsSee Section Replication Status352 Viewing Attributes Overview of Extending SchemaManaging Attributes Create new attributes, as in .2, Creating AttributesName Extending the Directory SchemaField SyntaxCreating Attributes Creating AttributesAttributes Tab Reference Field DescriptionEditing Attributes Deleting AttributesOIDs are described in .1, Attributes Tab Reference Viewing Object Classes This procedure is explained in .4, Deleting AttributesManaging Object Classes Managing Object ClassesReference Parent358 Creating Object Classes Object Classes Tab ReferenceCreating Object Classes Editing Object Classes Click OK to save the new object classDeleting Object Classes Deleting Object ClassesTurning Schema Checking On and Off About Indexes About Index TypesManaging Indexes About Default, System, and Standard IndexesOverview of Default Indexes Attribute Pres Sub PurposeReferential About Default, System, and StandardMaintaining Integrity forDefault Indexes Overview of System Indexes366 System Indexes Overview of the Searching AlgorithmOverview of Standard Indexes Attribute Pres PurposeManaging Indexes Approximate Searches Balancing the Benefits of IndexingApproximate Searches Directory Server is maintaining the following indexes 370 Creating Indexes Creating IndexesCreating Indexes from the Server Console Creating Indexes from the Command-Line Creating Indexes from the Command-LineAdding an Index Entry To create a new index for a particular database, add it to 374Creating Indexes from the Command-Line Run the db2index.pl Perl script Running the db2index.pl ScriptDb2index.pl Options Db2index Options describes the db2index.pl optionsAdding a Browsing Index Entry Creating Browsing Indexes from the Command-LineCreating Browsing Indexes from the Server Console Creating Browsing Indexes fromManaging Indexes Running the vlvindex Script This first browsing index entry must be added toStop the server.3 Setting Access Control for VLV InformationVlvindex Options Run the vlvindex scriptA text editor, open the dse.ldif file Deleting IndexesDeleting Indexes Change ldap//all to ldap//anyone and save your changesDeleting Indexes from the Command-Line Deleting Indexes from the Server ConsoleDeleting Indexes from the Command-Line Deleting an Index EntryLdapdelete Options describes the ldapdelete options Ldapdelete Options Run the db2index.pl Perl script. For exampleDeleting a Browsing Index Entry Deleting Browsing Indexes from the Command-LineDeleting Browsing Indexes from the Server Console Db2index OptionsOption Description Managing Indexes Vlvindex Options describes the vlvindex optionsIndexing Performance Search PerformanceBackwards Compatibility and Migration Attribute Name Quick Reference Table Backwards Compatibility and MigrationAttribute Primary Name Attribute Alias Attribute Name Quick Reference Table Attribute Name Quick Reference Table391 392 Introduction to TLS/SSL in the Directory Server Enabling SSL Summary of StepsCommand-Line Functions for Start TLS Managing SSLTurn on TLS/SSL in the directory Obtaining and Installing Server Certificates Troubleshooting Start TLSObtaining and Installing Server Certificates Generate a Certificate Request Generate a Certificate Request Managing SSL Send the Certificate Request After generating the certificate request, send it to the CAInstall the Certificate Trust the Certificate Authority Trust the Certificate AuthorityUsing certutil Confirm That The New Certificates Are InstalledCreate a password file for the security token password Creating Directory Server CertificatesGenerate the Directory Server client certificate 404 Certutil Usage Starting the Server with TLS/SSL EnabledThrough the Command Line Certutil OptionsClick Cipher Settings Enabling TLS/SSL Only in the Directory ServerSelect the certificate to use from the drop-down menu Enabling TLS/SSL Only in the Directory Described in , Starting and Stopping Servers Server Click Cipher Settings Check the Use SSL in the Console box. Hit Save409 Creating a Password File for the Directory Server Creating a Password File for the Administration Server Creating a Password File forSetting Security Preferences Restart the Administration ServerAvailable Ciphers Administration Server TLSv1 CiphersClick Cipher Setting Selecting the Encryption CipherSSLv3 Ciphers Using Certificate-Based Authentication Using Certificate-Based AuthenticationEncryption tab, click Save Setting up Certificate-Based Authentication Allowing/Requiring Client AuthenticationStop the Directory Server Configuring Ldap Clients to Use SSLConfiguring Ldap Clients to Use SSL Now start Red Hat ConsoleClient certificate resembles the following Begin CertificateConfiguring Ldap Clients to Use SSL Click Set Value 420 Authentication Mechanisms Managing SaslSasl is configured by entries under a container entry 422 Sasl Identity MappingManaging Sasl Sasl Identity Mapping Sasl identity mapping entries are children of this entry423 Configuring Sasl Identity Mapping from the Console Configuring Sasl Identity Mapping from Supported Kerberos Systems Configuring Sasl Identity Mapping from the Command-LineConfiguring Kerberos Operating System Kerberos VersionConfiguring the KDC Server RealmsExample Configuring an Example KDC Server Configuring Sasl Authentication at Directory Server Startup Configuring Sasl Authentication atManaging Sasl Viewing and Configuring Log Files Administration ExpressDefining a Log File Rotation Policy Monitoring Server and Database Activity Defining a Log File Deletion Policy Access LogViewing the Access Log Defining a Log File Deletion PolicyConfiguring the Access Log Display to refresh automatically every ten secondsError Log Viewing the Error LogError Log Configuring the Error Log Containing text box, and click RefreshClick Save 436 Viewing the Audit Log Configuring the Audit LogAudit Log Audit LogManual Log File Rotation Monitoring Server ActivityMonitoring the Server from the Directory Server Console Monitoring the Server from the DirectoryResource Usage Since Startup Average Per Minute General Information ServerResource Summary Resource Current TotalConnection can account for multiple Current Resource UsageServer Console Operations, and therefore multiple threadsConnection Status Monitoring the Directory Server from the Command Line Global Database Cache InformationMonitoring the Directory Server from Attribute Description 444Monitoring Database Activity Server Monitoring AttributesTime GMT in UTC format General Information Database See , Tuning DatabaseMaximum Cache Size setting. See Section Performance Metric Current TotalSummary Information Tuning Database Performance forCache setting. See , Tuning Monitoring Database Activity fromMonitoring Databases from the Command Line Database Cache Information10. Database File-Specific Directory Server Console Maximum Entries in Cache attribute Monitoring Database Link Activity Monitoring Database Link Activity11. Directory Server Monitoring Attributes Lower the number of page evicts the better12. Database Link Monitoring Attributes 452Snmp About SnmpMonitoring Directory Server Using Snmp Configuring the Master Agent Configuring the SubagentSubagent Configuration File Agentx-masterServer Starting the SubagentAgent-logdir Starting the SubagentConfiguring Snmp Traps Testing the SubagentConfiguring the Directory Server for Snmp Using the Management Information BaseConfiguring the Directory Server for Snmp Operations Table Managed Object DescriptionOperations Table Managed Objects and Descriptions Entries TableEntries Table Entity TableEntries Table Managed Objects and Descriptions Interaction Table Entity Table Managed Objects and DescriptionsInteraction Table Object will contain a value of zero Interaction Table Managed Objects and DescriptionsManagement subsystem was initialized, this 462Tuning Directory Server Performance Tuning Server PerformanceTuning Database Performance Tuning Directory Server PerformanceOptimizing Search Performance Optimizing Search Performance Tuning Transaction Logging Changing the Location of the Database Transaction LogChanging the Database Checkpoint Interval Changing the Database Checkpoint IntervalMiscellaneous Tuning Tips Disabling Durable TransactionsSpecifying Transaction Batching Avoid Creating Entries Under the cn=config 470 ACL Plug-in Server Plug-in Functionality ReferenceBit Check Plug-in Details of 7-Bit Check Plug-inBinary Syntax Plug-in Administering Directory Server Plug-insACL Preoperation Plug-in Details of ACI Plug-inDetails of Binary Syntax Plug-in Boolean Syntax Plug-inCase Exact String Syntax Plug-in Details of Boolean Syntax Plug-inDetails of Case Exact String Syntax Plug-in Case Ignore String Syntax Plug-inChaining Database Plug-in Details of Case Ignore String Syntax Plug-inClass of Service Plug-in Class of Service Plug-inDetails of Class of Service Plug-in Country String Syntax Plug-in10. Details of Country String Plug-in Distinguished Name Syntax Plug-inGeneralized Time Syntax Plug-in 11. Details of Distinguished Name Syntax Plug-in12. Details of Generalized Time Syntax Plug-in Integer Syntax Plug-inInternationalization Plug-in 13. Details of Integer Syntax Plug-in14. Details of Internationalization Plug-in Ldbm Database Plug-inLegacy Replication Plug-in 15. Details of ldbm Database Plug-in16. Details of Legacy Replication Plug-in Multi-Master Replication Plug-inOctet String Syntax Plug-in 17. Details of Multi-Master Replication Plug-in19. Details of Clear Password Storage Plug-in Clear Password Storage Plug-inCrypt Password Storage Plug-in 18. Details of Octet String Syntax Plug-in21. Details of NS-MTA-MD5 Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in20. Details of Crypt Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-inSHA Password Storage Plug-in Ssha Password Storage Plug-in22. Details of SHA Password Storage Plug-in PTA Plug-in 23. Details of Ssha Password Storage Plug-inPostal Address String Syntax Plug-in 24. Details of Postal Address String Syntax Plug-inSee , Using the Pass-through Using the Pass-throughAuthentication Plug-in Referential Integrity Postoperation Plug-inRetro Changelog Plug-in Retro Changelog Plug-in26. Details of Referential Integrity Post-Operation Plug-in See , Managing Indexes for27. Details of Retro Changelog Plug-in Roles Plug-inSpace Insensitive String Syntax Plug-in 28. Details of Roles Plug-inState Change Plug-in State Change Plug-in29. Details of Space Insensitive String Syntax Plug-in See Appendix B, Finding Directory Entries30. Details of State Change Plug-in Telephone Syntax Plug-inUID Uniqueness Plug-in 31. Details of Telephone Syntax Plug-in32. Details of UID Uniqueness Plug-in See , Using the AttributeURI Plug-in URI Plug-inEnabling and Disabling Plug-ins 33. Details of URI Plug-inUsing the Pass-through Authentication Plug-in How Directory Server Uses PTAUsing the Pass-through Authentication Plug-in PTA Plug-in SyntaxPTA Plug-in Syntax Variable DefinitionConfiguring the Optional Parameters for See .5, Configuring the OptionalSpecifying the Pass-through Subtree for Configuring the PTA Plug-in Configuring the PTA Plug-inPTA Plug-in Parameters Configuring the Servers to Use a Secure Connection Specifying the Authenticating Directory ServerTurning the Plug-in On or Off Specifying the Pass-through Subtree Specifying the Pass-through SubtreeConfiguring the Optional Parameters PTA Plug-in Syntax Examples PTA Plug-in Syntax ExamplesSpecifying Multiple Authenticating Directory Servers Using Non-Default Parameter ValuesSpecifying Different Optional Parameters 502 Using the Attribute Uniqueness Plug-in Overview of the Attribute Uniqueness Plug-inUsing the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in SyntaxAttribute Uniqueness Plug-in Syntax See .3.1, Turning the Plug-in On or505 Creating an Instance of the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in VariablesConfiguring Attribute Uniqueness Plug-ins Viewing Plug-in Configuration InformationConfiguring Attribute Uniqueness Plug-ins From the Configuration tab From the Property EditorTurning the Plug-in On or Off Specifying a Suffix or Subtree509 Using the markerObjectClass and requiredObjectClass Keywords Specifying One Attribute and One Subtree From the Command-LineAttribute Uniqueness Plug-in Syntax Examples Specifying One Attribute and Multiple SubtreesReplication and the Attribute Uniqueness Plug-in Simple Replication ScenarioMulti-Master Replication Scenario Multi-Master Replication Scenario514 About Windows Sync Active Directory Directory Server Synchronization Process About Windows Sync 517Configuring Windows Sync Configure SSL on Directory ServerConfigure the Active Directory Domain Configure the Active DirectorySelect the Enterprise Root CA option Select or Create the Sync Identity Iv. Accept the certificate request. For exampleInstall and Configure the Password Sync Service DomainHit Next, then Finish to install Password Sync Reboot the Windows machine to start Password SyncInstall and Configure the Password 523Configure the Directory Server Database for Synchronization Give trusted peer status to the serverSync Service Create the Synchronization AgreementSetting up the Sync Agreement Begin Synchronization Using Windows SyncBegin Synchronization Synchronizing Users Synchronizing Groups Deleting EntriesSynchronizing Users Synchronizing Users Directory Server Active Directory529 Synchronizing Groups PhysicalDeliveryOfficeNameNtGroupAttributes NtGroupId Name SamAccountName NtGroupType Deleting EntriesDeleting Entries Description Member SeeAlsoResurrecting Entries Manually Updating and Resynchronizing EntriesChecking Synchronization Status Modifying the Sync AgreementChecking Synchronization Status Groups Schema DifferencesPassword Policies Values for street and streetAddressStarting and Stopping the Password Sync Service Password Sync ServiceModifying Password Sync Contraints on the initials attributeTo uninstall the Password Sync service, do the following TroubleshootingUninstalling Password Sync Service Open the Add/Remove Programs utilityTroubleshooting 537538 Appendix A. Ldap Data Interchange Format About the Ldif File FormatAppendix A. Ldap Data Interchange Format Continuing Lines in LdifTable A.1. Ldif Fields Field DefinitionBase-64 Encoding Representing Binary DataStandard Ldif Notation Representing Binary DataSpecifying Directory Entries Using Ldif Specifying Domain EntriesDomain Entries Table A.2. Ldif Elements in Domain EntriesSpecifying Organizational Unit Entries Ldif Element DescriptionSpecifying Organizational Unit Entries Specifying Organizational Person Entries Table A.3. Ldif Elements in Organizational Unit EntriesSpecifying Organizational Person Entries Defining Directories Using Ldif Table A.4. Ldif Elements in Person EntriesDefining Directories Using Ldif 547Ldif File Example Storing Information in Multiple Languages Storing Information in Multiple LanguagesFile contents are then converted to UTF-8 550Finding Entries Using the Directory Server Console Figure B.1. Browsing Entries in the Directory TabUsing ldapsearch Appendix B. Finding Directory EntriesLdapsearch Command-Line Format Ldapsearch command must use the following formatCommonly Used ldapsearch Options Commonly Used ldapsearch Options Ldapsearch Examples Returning All EntriesUsing Ldapbasedn Specifying Search Filters on the Command LineSearching the Schema Entry Searching the Root DSE EntrySpecifying Search Filters Using a File Displaying Subsets of AttributesThis example assumes the search base is set with Ldapbasedn Specifying DNs That Contain Commas in Search Filters Using Client Authentication When SearchingLdap Search Filters Ldap Search FiltersSearch Filter Syntax Using Attributes in Search FiltersUsing Operators in Search Filters Basic syntax of a search filter isSearch Filter Syntax Using Compound Search FiltersTable B.1. Search Filter Operators Search Type Operator DescriptionOperator Symbol Description Search Filter ExamplesTable B.2. Search Filter Boolean Operators Searching an Internationalized Directory Searching an Internationalized DirectoryMatching Rule Filter Syntax Matching Rule FormatsMatching Rule Filter Syntax Using an OID for the Matching RuleUsing a Language Tag for the Matching Rule 565Using a Language Tag and Suffix for the Matching Rule Using Wildcards in Matching Rule FiltersUsing an OID and Suffix for the Matching Rule Table B.3, Search Types, Operators, and SuffixesSupported Search Types Supported Search TypesSearch Type Operator Suffix Less-Than or Equal-to Example International Search ExamplesLess-Than Example Equality ExampleSubstring Example Greater-Than or Equal-to ExampleGreater-Than Example International Search ExamplesBut either one of these will work correctly 570Component Components of an Ldap URLLdap URLs have the following syntax Hostname PortTable C.1. Ldap URL Components Appendix C. Ldap URLsComponent Description Escaping Unsafe Characters Escaping Unsafe CharactersExamples of Ldap URLs Unsafe Character Escape CharactersExample Examples of Ldap URLs 575576 Appendix D. Internationalization About LocalesIdentifying Supported Locales Appendix D. InternationalizationLocale Language Tag Collation Order Object Identifiers OIDs Table D.1. Supported Locales Supported Language Subtypes579 Supported Language Subtypes Troubleshooting Matching Rules Troubleshooting Matching RulesTable D.2. Supported Language Subtypes 582 See Also access control instruction See Also access control listSee Also ID list scan limit See base DN GlossaryValue See bind DNSee Also virtual list view index See Certificate AuthoritySee Ldap client Directory Access Protocol. The ISO X.500 standard protocolThat provides client access to the directory See Also template entrySee distinguished name See CoS definition entrySee directory tree See Directory ManagerSee Directory Server Gateway See Also cascading replication See Ldap Data Interchange Format See supplier See Snmp master agentDirectory tree Encoded messages which form the basis of data exchanges See Also access rightsSee object identifier Between Snmp devices. Also protocol data unitReceives to the authenticating directory server Authenticating directory server, pass-through subtrees,Name. Also relative distinguished name Submitted to the Internet community. People can send Request for Comments. Procedures or standards documentsProcess is called a referral Comments on the technologies before they become acceptedDirectory Server during installation Server Instance Entry. The ID assigned to an instanceSee supplier-initiated replication Simple Network Management Protocol SubagentSee Snmp subagent See CoS template entry Protocol. Also Transport Layer SecuritySee Also browsing index Page 600 Index Index Page Index Page Index Ldapbasedn Index Ldif Index MIB Index Page Index Page MIB Page Index