HP UX Red Hat Direry Server Software guide

Chapter 6. Managing Access Control

The new ACI is added to the ones listed in the Access Control Manager window.

9.10. Defining Permissions for DNs That Contain a Comma

DNs that contain commas require special treatment within your LDIF ACI statements. In the target and bind rule portions of the ACI statement, commas must be escaped by a single backslash (\). For example:

dn: dc=example.com Bolivia\, S.A.,dc=com

objectClass: top

objectClass: organization

aci: (target="ldap:///dc=example.com Bolivia\,S.A.,dc=com")(targetattr=*) (version 3.0; acl "aci 2"; allow (all)

groupdn = "ldap:///cn=Directory Administrators,dc=example.com Bolivia\, S.A.,dc=com";)

9.11. Proxied Authorization ACI Example

Proxied authorization allows one user to bind and perform operation as another user. For example, example.com has an accounting program which must be able to bind to the directory as an accounting administrator in order to write data. This authorization assumes three things:

•The client application's bind DN is"uid=MoneyWizAcctSoftware, ou=Applications,dc=example,dc=com".

•The targeted subtree to which the client application is requesting access is ou=Accounting,dc=example,dc=com.

•An accounting administrator with access permissions to the ou=Accounting,dc=example,dc=com subtree exists in the directory.

In order for the client application to gain access to the accounting subtree, using the same access permissions as the accounting administrator, two ACIs must be set:

•The accounting administrator must have access permissions to the ou=Accounting,dc=example,dc=com subtree, so the following ACI grants all rights to the accounting administrator entry:

aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*")

(version 3.0; acl "allowAll-AcctAdmin"; allow (all)

userdn="ldap://uid=AcctAdministrator,ou=Administrators,dc=example,dc=com")

• There must be an ACI granting proxy rights to the client application in the directory:

aci: (target="ldap:///ou=Accounting,dc=example,dc=com") (targetattr="*")

(version 3.0; acl "allow proxy-accounting software"; allow (proxy)

234

Image 254

HP UX Red Hat Direry Server Software Defining Permissions for DNs That Contain a Comma, Proxied Authorization ACI Example

Contents

Administrators Guide Red Hat Directory Server Red Hat Directory Server 8.0 Administrators Guide Copyright 2008 Red Hat, Inc Red Hat Directory Server General Red Hat Directory Server Usage Creating and Maintaining Database Links Creating and Maintaining SuffixesCreating and Maintaining Databases Creating a New Database LinkPage Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Xvi Directory Server Overview Preface Document Conventions Example and Default ReferencesWhen shown as below, it indicates computer output Preface Document Conventions Xix Related Information Directory Server File Locations Chapter File or Directory Location Red Hat Enterprise Linux 4 and 5General Red Hat Directory Server Usage Ldap Tool Locations Sun Solaris 9 sparcHP-UX 11i IA64 Binaries Platform Directory Location Ldap Tool LocationsStarting and Stopping Servers Opt/dirsrv/bin Start the Directory Server Console Starting and Stopping Directory Server from the ConsoleStarting and Stopping Directory Server from Starting and Stopping Administration Server Solaris uses /etc/init.d Console On Solaris, the service is init.dStarting the Directory Server Console HP-UX has a different location for the script Logging into Directory Server Changing Login IdentityLogin screen Click Log on to the Directory Server as a New User Viewing the Current Console Bind DN Changing Directory Server Port NumbersViewing the Current Console Bind DN General Red Hat Directory Server Usage Creating a New Directory Server Instance Open the Administration Server ConsoleConfiguration tab, select the Configuration DS tab Creating a New Directory Server Instance Configuring the Directory Manager Configuring the Directory Manager Page Managing Entries from the Directory Console Creating a Root Entry Creating Directory Entries Directory Server Console, select the Configuration tabCreating Directory Entries Template Object Class Creating Other Types of Entries Creating an Entry Using a Predefined TemplateRole NsRoleDefinition Class of Service CosSuperDefinition Entry Templates and Corresponding Object Classes Modifying Directory Entries Displaying the Property Editor Adding an Attribute to an Entry Adding an Object Class to an EntryRemoving an Object Class Modifying Directory Entries Adding Very Large Attributes Adding Attribute Values Removing an Attribute Value Binary Subtype Adding an Attribute SubtypeLanguage Subtype Instead, use Adding a Subtype to an Attribute Deleting Directory EntriesPronunciation Subtype Deleting Directory Entries Entries, use Ctrl or Shift Select Delete from the Edit menu Managing Entries from the Command-LineProviding Input from the Command-Line Creating a Root Entry from Creating a Root Entry from the Command-LineSee , Ldif Update Statements Import the Ldif file from the Directory Server Console Adding Entries Using LdifAdding and Modifying Entries Using ldapmodify Parameter Name Description Adding Entries Using ldapmodifyCommand-Line Ldapmodify Parameters Used for Adding Entries Modifying Entries Using ldapmodifyInput from the Command-Line Ldapmodify Parameters Used for Modifying Entries Deleting Entries Using ldapdeleteDeleting Entries Using ldapdelete Hostname is cyclops Server uses port number Are branch points in the directory tree This ldapdelete example has the following values Tracking Modifications to Directory Entries Using Special CharactersUsing Special Characters Ldapdelete Parameters Used for Deleting Entries Open the Tasks tab, and click Restart Directory Server Ldif Update StatementsSelect the Track Entry Modification Times checkbox Ldif Update Statements General format of Ldif update statements is as follows Adding an Entry Using Ldif Following sections describe the change types in detail Following command renames Sue Jacobs to Susan Jacobs Renaming an Entry Using LdifRenaming an Entry Using Ldif Modifying an Entry Using Ldif Addattribute Following example adds two telephone numbers to the entry Adding Attributes to Existing Entries Using LdifModifying an Entry Using Ldif Changing an Attribute Value Using Ldif Entry is now as follows Deleting All Values of an Attribute Using LdifDeleting a Specific Attribute Value Using Ldif Deleting an Entry Using Ldif Barneys entry then becomes How Referential Integrity Works Maintaining Referential IntegrityModifying an Entry in an Internationalized Directory Modifying an Entry in an Internationalized Using Referential Integrity with Replication Enabling/Disabling Referential Integrity Modifying the Update IntervalYou can enable or disable referential integrity as follows Directory Modifying the Attribute List TIP Modifying the Attribute ListPage Creating and Maintaining Suffixes A Sample Directory Tree with One Root Suffix Creating Suffixes Configuring Directory DatabasesCreating Suffixes 1, Using Referrals in a Suffix A Sample Directory Tree with a Sub Suffix Creating Suffixes Creating a New Root Suffix Using the Console Creating a New Sub Suffix Using the Console Creating Root and Sub Suffixes from the Command-Line Attribute Name Value Maintaining Databases for more information Creating and Maintaining Database Links forAttribute. See , Creating Creating and Maintaining Databases for Suffix Attributes Using Referrals in a SuffixMaintaining Suffixes Maintaining Suffixes Enabling Referrals Only During Update OperationsDisabling a Suffix To requests from client applications Click Save Deleting a Suffix Creating and Maintaining DatabasesCreating Databases Creating Databases Configuring Directory Databases Adding Multiple Databases for a Single Suffix For example, add a new database to the server example1 Configuring Directory Databases Maintaining Directory Databases Placing a Database in Read-Only ModeMaintaining Directory Databases Select the database is read-only checkbox Making a Database Read-Only Using the ConsoleMaking a Database Read-Only from the Command Line Change the read-only attribute to on Select the Make Entire Server Read-Only checkbox Placing the Entire Directory Server in Read-Only ModeDeleting a Database Click Save, and then restart the server Configuring Transaction Logs for Frequent Database Updates Database Encryption Encryption Keys Database Encryption Select the Attribute Encryption tab Configuring Database Encryption from the ConsoleEncryption Ciphers Exporting and Importing an Encrypted Database Configuring Database Encryption Using the Command-LineRun the ldapmodify command1 See .3, Importing from the Command-Linefor more information Chaining Component Operations Configuring the Chaining PolicyCreating and Maintaining Database Links Creating and Maintaining Database Links Component Name Description Permissions NsActiveChainingComponents Cn=resource Configuring the Chaining Policy NsActiveChainingComponents Cn=certificate-based Chaining Component Operations Using the Console Components Allowed to Chain Plug-in Chaining Component Operations from the Command-LineChaining Ldap Controls Chaining Ldap Controls Using the Console Chaining Ldap Controls from the Command-Line Ldap Controls and Their OIDs Creating a New Database Link Using the ConsoleCreating a New Database Link Creating a New Database Link Configuring Directory Databases Creating a Database Link from the Command-Line Specify the configuration information for the database link Providing Suffix Information Providing Bind Credentials NsMultiplexorBindDN cannot be that of the Directory Manager Providing an Ldap URL File Summary of Database Link Configuration AttributesProviding a List of Failover Servers Attributes Value 1, Chaining Component Operations Attributes Value Run ldapmodify1 to add a database link to server a Create an administrative user on server B, as follows Enable SSL on the server that contains the database link Chaining Using SSLUpdating Remote Server Authentication Information Maintaining Database Links Deleting Database Links Database Links and Access Control EvaluationDatabase Links and Access Control Configuring Directory Databases Managing Connections to the Remote Server Advanced Feature Tuning Database Link PerformanceManaging Connections to the Remote Server Using the Console Evaluation Attribute Name Description Database Link Connection Management Attributes Detecting Errors During Normal ProcessingAdvanced Feature Tuning Database Link Database Link Processing Error Detection Parameters Managing Threaded Operations Performance Advanced Feature Configuring Cascading ChainingOverview of Cascading Chaining Configuring Directory Databases Configuring Cascading Chaining Defaults Using the Console Advanced Feature Configuring Cascading Configuring Cascading Chaining Using the Console Configuring Cascading Chaining from the Command-Line Chaining Configuring Directory Databases Attribute Description Summary of Cascading Chaining Configuration AttributesDetecting Loops Aci This attribute must contain the following ACI Cascading Chaining Configuration ExampleCascading Chaining Configuration Attributes Configuring Server One 101 Configuring Server Two 102 103 Configuring Directory Databases Configuring Server Three Allow this Client on server two Using ReferralsStarting the Server in Referral Mode Setting a Default Referral from the Command-Line Setting Default ReferralsSetting a Default Referral Using the Console Setting Default Referrals Creating Smart Referrals Using the Directory Server Console Creating Smart Referrals 109 Creating Smart Referrals from the Command LineCreating Smart Referrals Creating Suffix Referrals Using the Console Creating Suffix Referrals Creating Suffix Referrals from the Command-Line Creating Suffix Referrals Configuring Directory Databases Action Import Initialize Database Importing DataImport Method Comparison Following sections describe importing data Importing a Database from the ConsolePopulating Directory Databases Initializing a Database from the Console Initializing a Database from the Console Importing from the Command-Line Importing Using the ldif2db Command-Line Script Importing from the Command-Line Option Description Run the ldif2db script Importing Using the ldif2db.pl Perl ScriptLdif2db Parameters Exporting Data Importing Using the ldif2ldap Command-Line ScriptRun the ldif2ldap command-line script Ldif2db Options Splitting a Database Contents into Two Databases Exporting Directory Data to Ldif Using the Console Exporting Directory Data to Ldif Using Exporting a Single Database to Ldif Using the Console Exporting to Ldif from the Command-Line Directory and is automatically named Run the db2ldif command-line scriptLdif file in this case would be With the -noption or 123 Backing up All Databases from the Server Console Backing up and Restoring DataBacking up All Databases Db2ldif Options Backing up All Databases Backing up All Databases from the Command-LineRun the db2bak command-line script Click Back Up Directory Server Restore Directory dialog box is displayed 126 Backing up the dse.ldif Configuration FileClick Restore Directory Server Restoring All Databases Using bak2db.pl Perl Script Restoring Your Database from the Command-LineUsing the bak2db Command-Line Script Restoring All Databases Restart the Directory Server Restoring a Single DatabaseRun the bak2db.pl Perl script Restoring Databases That Include Restoring the dse.ldif Configuration FileRestoring Databases That Include Replicated Entries 130 Using Roles About Roles Managing Entries with Roles, Class of Service, and Views Managing Roles Using the Console Managing Roles Using the Console Creating a Managed Role 134 135 Creating a Filtered RoleFollow the steps of .2.1, Creating a Managed Role Create a new role, as in .2.1, Creating a Managed Role Creating a Nested RoleViewing and Editing an Entrys Roles 136 137 Modifying a Role EntryMaking a Role Inactive Reactivating a Role Deleting a Role Object Classes and Attributes for Roles Managing Roles Using the Command-LineManaging Roles Using the Command-Line Dialog box appears to confirm the deletion. Click Yes Examples Managed Role Definition Example Filtered Role Definition 141 Using Roles Securely Example Nested Role Definition Assigning Class of Service Assigning Class of Service About CoS About the CoS Definition Entry About CoS About the CoS Template EntryHow a Pointer CoS Works How an Indirect CoS Works Sample Pointer CoS How a Classic CoS Works Sample Indirect CoS Searches for CoS-Specified Attributes Sample Classic CoS Creating a New CoS Managing CoS Using the ConsoleManaging CoS Using the Console 150 Creating the CoS Template Entry Property Editor opens Editing an Existing CoS Deleting a CoS Managing CoS from the Command-Line Managing CoS from the Command-LineCreating the CoS Definition Entry from the Command-Line CoS Type Object Classes Description Attribute Definition CoS Definition Entry Object ClassesCoS Definition Entry Attributes Managing CoS from the Command-Line Pointer CoS CoS DefinitionsCoS Type CoS definition Indirect CoS Creating the CoS Template Entry from the Command-Line Be added to any other search filter using or Example of a Pointer CoS 158 Example of an Indirect CoS Create the template entry Example of a Classic CoS Classic CoS definition entry looks like Creating Role-Based AttributesCreating Role-Based Attributes Using Views Access Control and CoS Creating Views in the Console Creating Views in the Console Creating Views from the Command Line Deleting Views from the Directory Server Console Deleting Views from the Command Line Using GroupsDeleting Views from the Command Line Managing Static Groups Adding a New Static Group Modifying a Static Group Modifying a Dynamic Group Managing Dynamic GroupsAdding a New Dynamic Group Managing Dynamic Groups 168 Access Control Principles ACI Structure ACI Evaluation ACI PlacementManaging Access Control ACI Limitations Default ACIs Default ACIs Creating ACIs Manually Defining Targets ACI SyntaxDefining Targets Aci attribute uses the following syntax Targetattr Ldif Target KeywordsKeyword Valid Expressions Wildcard Allowed Targetfilter Targeting a Directory Entry 175 Targeting Attributes Targeting Both an Entry and Attributes 177 Targeting Entries or Attributes Using Ldap Filters 178 Targeting Attribute Values Using Ldap Filters Defining Permissions Targeting a Single Directory Entry Defining Permissions Allowing or Denying AccessAssigning Rights Assigning rights Selfwrite to the targeted entry, excluding Rights Required for Ldap OperationsUser Rights Proxy rights 183 Permissions Syntax Access Control and the modrdn OperationBind Rules Userdn Bind Rule SyntaxBind Rule Syntax Yes, in DN only Groupdn Ldap///DN DN Roledn Userattr Defining User Access userdn KeywordLdif Bind Rule Keywords Dns Self Access self Keyword Anonymous Access anyone KeywordGeneral Access all Keyword Parent Access parent Keyword ScenExamplerio Description WildcardsExamples Defining Group Access groupdn Keyword Userdn Keyword Examples Groupdn Examples Defining Group Access groupdn KeywordDefining Role Access roledn Keyword Defining Access Based on Value Matching Defining Access Based on Value MatchingUsing the userattr Keyword AttrValue is any string representing an attribute value Example with Userdn Bind TypeExample with Groupdn Bind Type 193 Example with Roledn Bind TypeExample with Ldapurl Bind Type Using the userattr Keyword with Inheritance Example with Any Attribute Value Using Inheritance With the userattr Keyword Granting Add Permission Using the userattr Keyword Defining Access from a Specific IP Address Instead, use a fully qualified name Defining Access from a Specific DomainDefining Access from a Specific Domain Dns keyword allows wildcards. For example Defining Access at a Specific Time of Day or Day of Week Defining Access Based on Authentication Method Defining Access Based on Authentication Authmethod = saslmechanism Method Using Boolean Bind RulesAuthentication bind DN and password over Ldaps Creating ACIs from the Console Click New to open the Access Control Editor Displaying the Access Control EditorDisplaying the Access Control Editor Access Control Editor Window Creating a New ACI Creating a New ACI Managing Access Control Creating a New ACI Managing Access Control Editing an ACI Editing an ACI Control Manager Viewing ACIsDeleting an ACI Get effective rights result looks like the following Get Effective Rights ControlGet Effective Rights Control Permissions Permissions That Can Be Set on Attributes Using Get Effective Rights from the Command-LinePermissions That Can Be Set on Entries Permission Description Using Get Effective Rights from 214 Check the Show effective rights checkbox Using Get Effective Rights from the ConsoleGet Effective Rights Return Codes Code Description Returned Result Codes Logging Access Control InformationAccess Control Usage Examples Granting Anonymous Access Granting Anonymous Access ACI Anonymous example.com Click New to display the Access Control EditorClick OK in the Access Control Editor window ACI Anonymous World Filter for subentries field, type the following filter Granting Write Access to Personal EntriesGranting Write Access to Personal Entries ACI Write example.com 220 ACI Write Subscribers Restricting Access to Key Roles ACI Roles Restricting Access to Key RolesSee , Using Roles Ldif statement should read as follows Granting a Group Full Access to a SuffixACI HR Granting Rights to Add and Delete Group Entries ACI Create Group Managing Access Control Entries Granting Conditional Access to a Group or RoleACI Delete Group ACI HostedCompany1 228 Ldif statement should be similar to the following Denying AccessDenying Access ACI Billing Info Read ACI Billing Info Deny 231 Setting a Target Using Filtering Allowing Users to Add or Remove Themselves from a Group ACI Group Members Allowing Users to Add or Remove Proxied Authorization ACI Example Defining Permissions for DNs That Contain a Comma Themselves from a Group Advanced Access Control Using Macro ACIsMacro ACI Example Example Directory Tree for Macro ACIs 236 Macro ACI Syntax Macro ACI Syntax Macro ACI Keyword Macro Matching for $dnMacros in ACI Keywords Steps for expanding this ACI are as follows $dn in the subject is replaced with dc=hostedCompany1 240 Macro Matching for $attr.attrNameFor example, consider the following ACI Compatibility with Earlier Releases Access Control and ReplicationAccess Control and Replication 242 Managing the Password Policy Configuring the Password Policy Configuring a Global Password Policy Using the Console Managing User Accounts and Passwords Configuring the Password Policy Configuring a Subtree/User Password Policy Using the Console Check the Enable fine-grained password policy checkbox Configuring a Global Password Policy Using the Command-Line Attribute Name Definition Making passwords expire helps protect Users password will expire after an intervalGiven by the passwordMaxAge attribute Directory data because the longer a password Changing their passwords during a single Discourage users from reusing old passwordsFor example, setting the minimum password Session to cycle through the password history It down. This attribute is set to 8 by default Shorter passwords are easier to crackPasswords can be two 2 to 512 characters Attributes, respectively. By default, this Compatibility with Unix passwords This attribute is set to 3 by defaultDefault method Lowercase letters a to z Password Policy Attributes CoS specification entry at the subtree level. For example 254 Setting User Passwords Setting User PasswordsPassword Change Extended Operation Start the server 256 Ldappasswd OptionsParameter Description Configuring the Account Lockout Policy Configuring the Account Lockout PolicyConfiguring the Account Lockout Policy Using the Console Attribute Name Definition Account Lockout Policy Attributes Managing the Password Policy in a Replicated EnvironmentManaging the Password Policy in a Synchronizing Passwords Inactivating Users and Roles Replicated Environment Option Name Description Inactivating User and Roles Using the ConsoleInactivating User and Roles Using the Command-Line Activating User and Roles Using Activating User and Roles Using the ConsoleActivating User and Roles Using the Command-Line DN of the user account or role to activate Setting Resource Limits Based on the Bind DN Setting Resource Limits Using the Console Setting Resource Limits Using the Command-Line Entering a value of -1indicates no limit Click OK 266 Read-Write and Read-Only Replicas Replication OverviewWhat Directory Units Are Replicated Replication Identity Suppliers and ConsumersChangelog Managing Replication Replication Agreement Replication AgreementCompatibility with Earlier Versions of Directory Server Replication Scenarios Single-Master Replication Multi-Master Replication Multi-Master Replication Multi-Master Replication Two Masters 272 Multi-Master Replication Four Masters Cascading Replication Replication Creating the Supplier Bind DN Entry Creating the Supplier Bind DN Entry Configuring Single-Master Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Write Replica on Configuring the Read-Only Replica on the Consumer Supplier Server Create the Replication Agreement Create the Replication Agreement Managing Replication Create the Replication Agreement Replication will not begin until the consumer is initialized Configuring Multi-Master Replication Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier Servers Configuring the Read-Write Replicas on 287 Managing Replication Configuring the Read-Only Replicas on the Consumer Servers Supplier Servers Managing Replication Setting up the Replication Agreements Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Preventing Monopolization of the Consumer 297 Configuring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Server Configuring the Read-Only Replica on Configuring the Read-Only Replica on the Hub Consumer Server Managing Replication Setting up the Replication Agreements Managing Replication DN and password Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Configuring Replication from the Command Configuring Replication from the Command LineConfiguring Suppliers from the Command Line 312 Object Class or Attribute Description Values Changelog AttributesLine Changelog, to which Consumer. This is required for 314 Forward update requests. By Configuring Consumers from the Command LineConfiguring Consumers from the Command Replica Attributes Configuring Hubs from the Command Line Configuring Replication Agreements from the Command Line Qualified host and domain Parameter to SSL. If TLS/SSL 318 Nsds5replicatedattributelist Configuring Replication Agreements fromReplication between Servers Nsds5replicabindcredentials Objectclass=* $ Exclude Attributes will not be 320 Midnight and 2359 is PM. For example, the settingReplication Agreement Attributes Initializing Consumers Online from the Command Line Command Line Making a Replica Updatable Deleting the Changelog Moving the Changelog to a New Location Initializing ConsumersRemoving the Changelog Moving the Changelog to a New Location When to Initialize a Consumer Online Consumer Initialization Using the Console Initializing Consumers Online Using the Command Line Initializing Consumers Online Using Manual Consumer Initialization Using the Command Line Exporting a Replica to Ldif Filesystem Replica Initialization Importing the Ldif File to the Consumer Server Initializing the Consumer Replica from the Backup Files Stop the destination Directory Server if it is running Forcing Replication UpdatesForcing Replication Updates Restart the destination Directory Server. For example Forcing Replication Updates from the Console Forcing Replication Updates from the Command-Line ReplicateNow Variables Replicating Account Lockout AttributesExample 8.1. ReplicateNow Script Example Replicating Account Lockout Attributes Replication over SSL Replicating o=NetscapeRoot for Select SSL Client AuthenticationSelect Simple Authentication Directory Server Installation Guide See , Enabling and Disabling Plug-ins Administration Server FailoverReplication with Earlier Releases Using the Retro Changelog Plug-in Enabling the Retro Changelog Plug-in Enabling the Retro Changelog Plug-inAttributes of a Retro Changelog Entry Retro Changelog Entry Trimming the Retro Changelog Monitoring Replication Status Retro Changelog and the Access Control PolicyRetro Changelog and the Access Control Searching and Modifying the Retro Changelog Table Header Description Monitoring Replication Status from Administration ExpressDirectory Server Console Replication Status Policy Table header shows the replica ID 341 Solving Common Replication Conflicts Solving Naming Conflicts Solving Naming ConflictsRenaming an Entry with a Multi-Valued Naming Attribute Unique identifier attribute nsuniqueid cannot be deleted 344 Renaming an Entry with a Single-Valued Naming Attribute Solving Potential Interoperability Problems Solving Orphan Entry Conflicts Troubleshooting Replication-Related Problems Troubleshooting Replication-Related Error/Symptom Reason Impact Remedy Problems Replayed to all But some consumers Follows Are way behind SupplierIf it has been Direct consumers Monitoring Replication ErrorsSee Section Replication Status 352 Viewing Attributes Overview of Extending SchemaManaging Attributes Create new attributes, as in .2, Creating Attributes Name Extending the Directory SchemaField Syntax Creating Attributes Creating AttributesAttributes Tab Reference Field Description OIDs are described in .1, Attributes Tab Reference Editing AttributesDeleting Attributes Viewing Object Classes This procedure is explained in .4, Deleting AttributesManaging Object Classes Managing Object Classes 358 ReferenceParent Creating Object Classes Creating Object ClassesObject Classes Tab Reference Editing Object Classes Click OK to save the new object class Deleting Object Classes Deleting Object Classes Turning Schema Checking On and Off About Indexes About Index Types Managing Indexes About Default, System, and Standard IndexesOverview of Default Indexes Attribute Pres Sub Purpose Referential About Default, System, and StandardMaintaining Integrity for 366 Default IndexesOverview of System Indexes System Indexes Overview of the Searching AlgorithmOverview of Standard Indexes Attribute Pres Purpose Managing Indexes Approximate Searches Approximate SearchesBalancing the Benefits of Indexing Directory Server is maintaining the following indexes 370 Creating Indexes Creating Indexes Creating Indexes from the Server Console Adding an Index Entry Creating Indexes from the Command-LineCreating Indexes from the Command-Line To create a new index for a particular database, add it to 374 Creating Indexes from the Command-Line Run the db2index.pl Perl script Running the db2index.pl ScriptDb2index.pl Options Db2index Options describes the db2index.pl options Adding a Browsing Index Entry Creating Browsing Indexes from the Command-LineCreating Browsing Indexes from the Server Console Creating Browsing Indexes from Managing Indexes Running the vlvindex Script This first browsing index entry must be added to Stop the server.3 Setting Access Control for VLV InformationVlvindex Options Run the vlvindex script A text editor, open the dse.ldif file Deleting IndexesDeleting Indexes Change ldap//all to ldap//anyone and save your changes Deleting Indexes from the Command-Line Deleting Indexes from the Server Console Ldapdelete Options describes the ldapdelete options Deleting Indexes from the Command-LineDeleting an Index Entry Ldapdelete Options Run the db2index.pl Perl script. For example Deleting a Browsing Index Entry Deleting Browsing Indexes from the Command-LineDeleting Browsing Indexes from the Server Console Db2index Options Option Description Managing Indexes Vlvindex Options describes the vlvindex options Indexing Performance Search Performance Backwards Compatibility and Migration Attribute Primary Name Attribute Alias Attribute Name Quick Reference TableBackwards Compatibility and Migration 391 Attribute Name Quick Reference TableAttribute Name Quick Reference Table 392 Introduction to TLS/SSL in the Directory Server Enabling SSL Summary of Steps Turn on TLS/SSL in the directory Command-Line Functions for Start TLSManaging SSL Obtaining and Installing Server Certificates Obtaining and Installing Server CertificatesTroubleshooting Start TLS Generate a Certificate Request Generate a Certificate Request Managing SSL Send the Certificate Request After generating the certificate request, send it to the CA Install the Certificate Trust the Certificate Authority Trust the Certificate Authority Using certutil Confirm That The New Certificates Are Installed Generate the Directory Server client certificate Create a password file for the security token passwordCreating Directory Server Certificates 404 Certutil Usage Starting the Server with TLS/SSL EnabledThrough the Command Line Certutil Options Select the certificate to use from the drop-down menu Click Cipher SettingsEnabling TLS/SSL Only in the Directory Server Enabling TLS/SSL Only in the Directory Described in , Starting and Stopping Servers 409 Server Click Cipher SettingsCheck the Use SSL in the Console box. Hit Save Creating a Password File for the Directory Server Creating a Password File for the Administration Server Creating a Password File for Available Ciphers Setting Security PreferencesRestart the Administration Server Administration Server TLSv1 Ciphers SSLv3 Ciphers Click Cipher SettingSelecting the Encryption Cipher Encryption tab, click Save Using Certificate-Based AuthenticationUsing Certificate-Based Authentication Setting up Certificate-Based Authentication Allowing/Requiring Client Authentication Stop the Directory Server Configuring Ldap Clients to Use SSLConfiguring Ldap Clients to Use SSL Now start Red Hat Console Client certificate resembles the following Begin Certificate Configuring Ldap Clients to Use SSL Click Set Value 420 Authentication Mechanisms Managing Sasl Managing Sasl Sasl is configured by entries under a container entry 422Sasl Identity Mapping 423 Sasl Identity MappingSasl identity mapping entries are children of this entry Configuring Sasl Identity Mapping from the Console Configuring Sasl Identity Mapping from Supported Kerberos Systems Configuring Sasl Identity Mapping from the Command-LineConfiguring Kerberos Operating System Kerberos Version Configuring the KDC Server Realms Example Configuring an Example KDC Server Configuring Sasl Authentication at Directory Server Startup Configuring Sasl Authentication at Managing Sasl Defining a Log File Rotation Policy Viewing and Configuring Log FilesAdministration Express Monitoring Server and Database Activity Defining a Log File Deletion Policy Access LogViewing the Access Log Defining a Log File Deletion Policy Configuring the Access Log Display to refresh automatically every ten seconds Error Log Error LogViewing the Error Log Click Save 436 Configuring the Error LogContaining text box, and click Refresh Viewing the Audit Log Configuring the Audit LogAudit Log Audit Log Manual Log File Rotation Monitoring Server Activity Monitoring the Server from the Directory Server Console Monitoring the Server from the Directory Resource Usage Since Startup Average Per Minute General Information ServerResource Summary Resource Current Total Connection can account for multiple Current Resource UsageServer Console Operations, and therefore multiple threads Connection Status Monitoring the Directory Server from Monitoring the Directory Server from the Command LineGlobal Database Cache Information Attribute Description 444 Time GMT in UTC format Monitoring Database ActivityServer Monitoring Attributes General Information Database See , Tuning DatabaseMaximum Cache Size setting. See Section Performance Metric Current Total Summary Information Tuning Database Performance forCache setting. See , Tuning Monitoring Database Activity from 10. Database File-Specific Monitoring Databases from the Command LineDatabase Cache Information Directory Server Console Maximum Entries in Cache attribute Monitoring Database Link Activity Monitoring Database Link Activity11. Directory Server Monitoring Attributes Lower the number of page evicts the better 12. Database Link Monitoring Attributes 452 Snmp About Snmp Monitoring Directory Server Using Snmp Configuring the Master Agent Configuring the SubagentSubagent Configuration File Agentx-master Server Starting the SubagentAgent-logdir Starting the Subagent Configuring Snmp Traps Testing the Subagent Configuring the Directory Server for Snmp Configuring the Directory Server for SnmpUsing the Management Information Base Operations Table Managed Object Description Operations Table Managed Objects and Descriptions Entries Table Entries Table Managed Objects and Descriptions Entries TableEntity Table Interaction Table Interaction TableEntity Table Managed Objects and Descriptions Object will contain a value of zero Interaction Table Managed Objects and DescriptionsManagement subsystem was initialized, this 462 Tuning Directory Server Performance Tuning Server Performance Optimizing Search Performance Tuning Database PerformanceTuning Directory Server Performance Optimizing Search Performance Tuning Transaction Logging Changing the Location of the Database Transaction Log Changing the Database Checkpoint Interval Changing the Database Checkpoint Interval Specifying Transaction Batching Miscellaneous Tuning TipsDisabling Durable Transactions Avoid Creating Entries Under the cn=config 470 ACL Plug-in Server Plug-in Functionality ReferenceBit Check Plug-in Details of 7-Bit Check Plug-in Binary Syntax Plug-in Administering Directory Server Plug-insACL Preoperation Plug-in Details of ACI Plug-in Details of Binary Syntax Plug-in Boolean Syntax Plug-inCase Exact String Syntax Plug-in Details of Boolean Syntax Plug-in Details of Case Exact String Syntax Plug-in Case Ignore String Syntax Plug-inChaining Database Plug-in Details of Case Ignore String Syntax Plug-in Class of Service Plug-in Class of Service Plug-inDetails of Class of Service Plug-in Country String Syntax Plug-in 10. Details of Country String Plug-in Distinguished Name Syntax Plug-inGeneralized Time Syntax Plug-in 11. Details of Distinguished Name Syntax Plug-in 12. Details of Generalized Time Syntax Plug-in Integer Syntax Plug-inInternationalization Plug-in 13. Details of Integer Syntax Plug-in 14. Details of Internationalization Plug-in Ldbm Database Plug-inLegacy Replication Plug-in 15. Details of ldbm Database Plug-in 16. Details of Legacy Replication Plug-in Multi-Master Replication Plug-inOctet String Syntax Plug-in 17. Details of Multi-Master Replication Plug-in 19. Details of Clear Password Storage Plug-in Clear Password Storage Plug-inCrypt Password Storage Plug-in 18. Details of Octet String Syntax Plug-in 21. Details of NS-MTA-MD5 Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in20. Details of Crypt Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in 22. Details of SHA Password Storage Plug-in SHA Password Storage Plug-inSsha Password Storage Plug-in PTA Plug-in 23. Details of Ssha Password Storage Plug-inPostal Address String Syntax Plug-in 24. Details of Postal Address String Syntax Plug-in See , Using the Pass-through Using the Pass-throughAuthentication Plug-in Referential Integrity Postoperation Plug-in Retro Changelog Plug-in Retro Changelog Plug-in26. Details of Referential Integrity Post-Operation Plug-in See , Managing Indexes for 27. Details of Retro Changelog Plug-in Roles Plug-inSpace Insensitive String Syntax Plug-in 28. Details of Roles Plug-in State Change Plug-in State Change Plug-in29. Details of Space Insensitive String Syntax Plug-in See Appendix B, Finding Directory Entries 30. Details of State Change Plug-in Telephone Syntax Plug-inUID Uniqueness Plug-in 31. Details of Telephone Syntax Plug-in 32. Details of UID Uniqueness Plug-in See , Using the AttributeURI Plug-in URI Plug-in Enabling and Disabling Plug-ins 33. Details of URI Plug-in Using the Pass-through Authentication Plug-in How Directory Server Uses PTA Using the Pass-through Authentication Plug-in PTA Plug-in Syntax PTA Plug-in Syntax Variable Definition Specifying the Pass-through Subtree for Configuring the Optional Parameters forSee .5, Configuring the Optional PTA Plug-in Parameters Configuring the PTA Plug-inConfiguring the PTA Plug-in Turning the Plug-in On or Off Configuring the Servers to Use a Secure ConnectionSpecifying the Authenticating Directory Server Specifying the Pass-through Subtree Specifying the Pass-through Subtree Configuring the Optional Parameters PTA Plug-in Syntax Examples PTA Plug-in Syntax Examples Specifying Multiple Authenticating Directory Servers Using Non-Default Parameter Values Specifying Different Optional Parameters 502 Using the Attribute Uniqueness Plug-in Overview of the Attribute Uniqueness Plug-in Using the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in Syntax 505 Attribute Uniqueness Plug-in SyntaxSee .3.1, Turning the Plug-in On or Creating an Instance of the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in Variables Configuring Attribute Uniqueness Plug-ins Configuring Attribute Uniqueness Plug-insViewing Plug-in Configuration Information From the Configuration tab From the Property Editor 509 Turning the Plug-in On or OffSpecifying a Suffix or Subtree Using the markerObjectClass and requiredObjectClass Keywords Specifying One Attribute and One Subtree From the Command-LineAttribute Uniqueness Plug-in Syntax Examples Specifying One Attribute and Multiple Subtrees Replication and the Attribute Uniqueness Plug-in Simple Replication Scenario Multi-Master Replication Scenario Multi-Master Replication Scenario 514 About Windows Sync Active Directory Directory Server Synchronization Process About Windows Sync 517 Configuring Windows Sync Configure SSL on Directory Server Select the Enterprise Root CA option Configure the Active Directory DomainConfigure the Active Directory Select or Create the Sync Identity Iv. Accept the certificate request. For example Install and Configure the Password Sync Service Domain Hit Next, then Finish to install Password Sync Reboot the Windows machine to start Password Sync Install and Configure the Password 523 Configure the Directory Server Database for Synchronization Give trusted peer status to the server Sync Service Create the Synchronization Agreement Setting up the Sync Agreement Begin Synchronization Using Windows SyncBegin Synchronization Synchronizing Users Synchronizing Groups Deleting Entries Synchronizing Users 529 Synchronizing UsersDirectory Server Active Directory Synchronizing Groups PhysicalDeliveryOfficeName NtGroupAttributes NtGroupId Name SamAccountName NtGroupType Deleting EntriesDeleting Entries Description Member SeeAlso Resurrecting Entries Manually Updating and Resynchronizing Entries Checking Synchronization Status Checking Synchronization StatusModifying the Sync Agreement Groups Schema DifferencesPassword Policies Values for street and streetAddress Starting and Stopping the Password Sync Service Password Sync ServiceModifying Password Sync Contraints on the initials attribute To uninstall the Password Sync service, do the following TroubleshootingUninstalling Password Sync Service Open the Add/Remove Programs utility Troubleshooting 537 538 Appendix A. Ldap Data Interchange Format About the Ldif File Format Appendix A. Ldap Data Interchange Format Continuing Lines in LdifTable A.1. Ldif Fields Field Definition Base-64 Encoding Representing Binary DataStandard Ldif Notation Representing Binary Data Specifying Directory Entries Using Ldif Specifying Domain Entries Domain Entries Table A.2. Ldif Elements in Domain EntriesSpecifying Organizational Unit Entries Ldif Element Description Specifying Organizational Unit Entries Specifying Organizational Person Entries Specifying Organizational Person EntriesTable A.3. Ldif Elements in Organizational Unit Entries Defining Directories Using Ldif Table A.4. Ldif Elements in Person Entries Defining Directories Using Ldif 547 Ldif File Example Storing Information in Multiple Languages Storing Information in Multiple Languages File contents are then converted to UTF-8 550 Finding Entries Using the Directory Server Console Figure B.1. Browsing Entries in the Directory Tab Using ldapsearch Appendix B. Finding Directory Entries Ldapsearch Command-Line Format Ldapsearch command must use the following format Commonly Used ldapsearch Options Commonly Used ldapsearch Options Ldapsearch Examples Returning All Entries Using Ldapbasedn Specifying Search Filters on the Command LineSearching the Schema Entry Searching the Root DSE Entry This example assumes the search base is set with Ldapbasedn Specifying Search Filters Using a FileDisplaying Subsets of Attributes Specifying DNs That Contain Commas in Search Filters Using Client Authentication When SearchingLdap Search Filters Ldap Search Filters Search Filter Syntax Using Attributes in Search FiltersUsing Operators in Search Filters Basic syntax of a search filter is Search Filter Syntax Using Compound Search FiltersTable B.1. Search Filter Operators Search Type Operator Description Table B.2. Search Filter Boolean Operators Operator Symbol DescriptionSearch Filter Examples Searching an Internationalized Directory Searching an Internationalized Directory Matching Rule Filter Syntax Matching Rule Formats Matching Rule Filter Syntax Using an OID for the Matching RuleUsing a Language Tag for the Matching Rule 565 Using a Language Tag and Suffix for the Matching Rule Using Wildcards in Matching Rule FiltersUsing an OID and Suffix for the Matching Rule Table B.3, Search Types, Operators, and Suffixes Search Type Operator Suffix Supported Search TypesSupported Search Types Less-Than or Equal-to Example International Search ExamplesLess-Than Example Equality Example Substring Example Greater-Than or Equal-to ExampleGreater-Than Example International Search Examples But either one of these will work correctly 570 Component Components of an Ldap URLLdap URLs have the following syntax Hostname Port Component Description Table C.1. Ldap URL ComponentsAppendix C. Ldap URLs Escaping Unsafe Characters Escaping Unsafe CharactersExamples of Ldap URLs Unsafe Character Escape Characters Example Examples of Ldap URLs 575 576 Appendix D. Internationalization About Locales Locale Language Tag Collation Order Object Identifiers OIDs Identifying Supported LocalesAppendix D. Internationalization 579 Table D.1. Supported LocalesSupported Language Subtypes Supported Language Subtypes Table D.2. Supported Language Subtypes Troubleshooting Matching RulesTroubleshooting Matching Rules 582 See Also ID list scan limit See Also access control instructionSee Also access control list See base DN GlossaryValue See bind DN See Also virtual list view index See Certificate Authority See Ldap client Directory Access Protocol. The ISO X.500 standard protocolThat provides client access to the directory See Also template entry See distinguished name See CoS definition entrySee directory tree See Directory Manager See Directory Server Gateway See Also cascading replication See Ldap Data Interchange Format See supplier See Snmp master agent Directory tree Encoded messages which form the basis of data exchanges See Also access rightsSee object identifier Between Snmp devices. Also protocol data unit Name. Also relative distinguished name Receives to the authenticating directory serverAuthenticating directory server, pass-through subtrees, Submitted to the Internet community. People can send Request for Comments. Procedures or standards documentsProcess is called a referral Comments on the technologies before they become accepted See supplier-initiated replication Directory Server during installationServer Instance Entry. The ID assigned to an instance See Snmp subagent Simple Network Management ProtocolSubagent See Also browsing index See CoS template entryProtocol. Also Transport Layer Security Page 600 Index Index Page Index Page Index Ldapbasedn Index Ldif Index MIB Index Page Index Page MIB Page Index