236 | HP UX Red Hat Direry Server Software instruction

Chapter 6. Managing Access Control

subdomains with the same tree structure (ou=groups, ou=people). This pattern is also repeated across the tree because the example.com directory tree stores the suffixes dc=hostedCompany2, dc=example,dc=com and dc=hostedCompany3,dc=example,dc=com.

The ACIs that apply in the directory tree also have a repeating pattern. For example, the following ACI is located on the dc=hostedCompany1,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))

(version 3.0; acl "Domain access"; allow (read,search)

groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)

This ACI grants read and search rights to the DomainAdmins group to any entry in the

dc=hostedCompany1,dc=example,dc=com tree.

Figure 6.3. Example Directory Tree for Macro ACIs

The following ACI is located on the dc=hostedCompany1,dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))

(version 3.0; acl "Domain access"; allow (read,search)

groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=hostedCompany1,dc=example,dc=com";)

The following ACI is located on the dc=subdomain1,dc=hostedCompany1,

dc=example,dc=com node:

aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search)

groupdn="ldap:///cn=DomainAdmins,ou=Groups,dc=subdomain1,dc=hostedCompany1,dc=example,dc=com"

236

Image 256

HP UX Red Hat Direry Server Software manual Example Directory Tree for Macro ACIs, 236

Contents

Administrators Guide Red Hat Directory Server Red Hat Directory Server 8.0 Administrators Guide Copyright 2008 Red Hat, Inc Red Hat Directory Server General Red Hat Directory Server Usage Creating and Maintaining Suffixes Creating and Maintaining DatabasesCreating and Maintaining Database Links Creating a New Database LinkPage Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Xvi Directory Server Overview Preface Example and Default References When shown as below, it indicates computer outputDocument Conventions Preface Document Conventions Xix Related Information Directory Server File Locations Chapter General Red Hat Directory Server Usage Red Hat Enterprise Linux 4 and 5File or Directory Location Sun Solaris 9 sparc HP-UX 11i IA64Ldap Tool Locations Binaries Ldap Tool Locations Starting and Stopping ServersPlatform Directory Location Opt/dirsrv/bin Starting and Stopping Directory Server from Starting and Stopping Directory Server from the ConsoleStart the Directory Server Console Starting and Stopping Administration Server Solaris uses /etc/init.d On Solaris, the service is init.d Starting the Directory Server ConsoleConsole HP-UX has a different location for the script Changing Login Identity Login screenLogging into Directory Server Click Log on to the Directory Server as a New User Viewing the Current Console Bind DN Changing Directory Server Port NumbersViewing the Current Console Bind DN General Red Hat Directory Server Usage Open the Administration Server Console Configuration tab, select the Configuration DS tabCreating a New Directory Server Instance Creating a New Directory Server Instance Configuring the Directory Manager Configuring the Directory Manager Page Managing Entries from the Directory Console Creating a Root Entry Directory Server Console, select the Configuration tab Creating Directory EntriesCreating Directory Entries Template Object Class Creating an Entry Using a Predefined Template Role NsRoleDefinition Class of Service CosSuperDefinitionCreating Other Types of Entries Entry Templates and Corresponding Object Classes Modifying Directory Entries Displaying the Property Editor Adding an Object Class to an Entry Removing an Object ClassAdding an Attribute to an Entry Modifying Directory Entries Adding Very Large Attributes Adding Attribute Values Removing an Attribute Value Adding an Attribute Subtype Language SubtypeBinary Subtype Instead, use Deleting Directory Entries Pronunciation SubtypeAdding a Subtype to an Attribute Deleting Directory Entries Providing Input from the Command-Line Managing Entries from the Command-LineEntries, use Ctrl or Shift Select Delete from the Edit menu See , Ldif Update Statements Creating a Root Entry from the Command-LineCreating a Root Entry from Adding and Modifying Entries Using ldapmodify Adding Entries Using LdifImport the Ldif file from the Directory Server Console Command-Line Adding Entries Using ldapmodifyParameter Name Description Input from the Command-Line Modifying Entries Using ldapmodifyLdapmodify Parameters Used for Adding Entries Deleting Entries Using ldapdelete Deleting Entries Using ldapdeleteLdapmodify Parameters Used for Modifying Entries Hostname is cyclops Server uses port number Are branch points in the directory tree This ldapdelete example has the following values Using Special Characters Using Special CharactersTracking Modifications to Directory Entries Ldapdelete Parameters Used for Deleting Entries Select the Track Entry Modification Times checkbox Ldif Update StatementsOpen the Tasks tab, and click Restart Directory Server Ldif Update Statements General format of Ldif update statements is as follows Adding an Entry Using Ldif Following sections describe the change types in detail Renaming an Entry Using Ldif Renaming an Entry Using LdifFollowing command renames Sue Jacobs to Susan Jacobs Modifying an Entry Using Ldif Addattribute Modifying an Entry Using Ldif Adding Attributes to Existing Entries Using LdifFollowing example adds two telephone numbers to the entry Changing an Attribute Value Using Ldif Deleting a Specific Attribute Value Using Ldif Deleting All Values of an Attribute Using LdifEntry is now as follows Deleting an Entry Using Ldif Barneys entry then becomes Maintaining Referential Integrity Modifying an Entry in an Internationalized DirectoryHow Referential Integrity Works Modifying an Entry in an Internationalized Using Referential Integrity with Replication Modifying the Update Interval You can enable or disable referential integrity as followsEnabling/Disabling Referential Integrity Directory Modifying the Attribute List TIP Modifying the Attribute ListPage Creating and Maintaining Suffixes A Sample Directory Tree with One Root Suffix Creating Suffixes 1, Using Referrals in a Suffix Configuring Directory DatabasesCreating Suffixes A Sample Directory Tree with a Sub Suffix Creating Suffixes Creating a New Root Suffix Using the Console Creating a New Sub Suffix Using the Console Creating Root and Sub Suffixes from the Command-Line Attribute Name Value Creating and Maintaining Database Links for Attribute. See , CreatingMaintaining Databases for more information Creating and Maintaining Databases for Maintaining Suffixes Using Referrals in a SuffixSuffix Attributes Enabling Referrals Only During Update Operations Disabling a SuffixMaintaining Suffixes To requests from client applications Click Save Creating Databases Creating and Maintaining DatabasesDeleting a Suffix Creating Databases Configuring Directory Databases Adding Multiple Databases for a Single Suffix For example, add a new database to the server example1 Configuring Directory Databases Maintaining Directory Databases Placing a Database in Read-Only ModeMaintaining Directory Databases Making a Database Read-Only Using the Console Making a Database Read-Only from the Command LineSelect the database is read-only checkbox Change the read-only attribute to on Placing the Entire Directory Server in Read-Only Mode Deleting a DatabaseSelect the Make Entire Server Read-Only checkbox Click Save, and then restart the server Configuring Transaction Logs for Frequent Database Updates Database Encryption Encryption Keys Database Encryption Encryption Ciphers Configuring Database Encryption from the ConsoleSelect the Attribute Encryption tab Run the ldapmodify command1 Configuring Database Encryption Using the Command-LineExporting and Importing an Encrypted Database See .3, Importing from the Command-Linefor more information Configuring the Chaining Policy Creating and Maintaining Database LinksChaining Component Operations Creating and Maintaining Database Links Component Name Description Permissions NsActiveChainingComponents Cn=resource Configuring the Chaining Policy NsActiveChainingComponents Cn=certificate-based Chaining Component Operations Using the Console Components Allowed to Chain Chaining Ldap Controls Chaining Component Operations from the Command-LinePlug-in Chaining Ldap Controls Using the Console Chaining Ldap Controls from the Command-Line Creating a New Database Link Using the Console Creating a New Database LinkLdap Controls and Their OIDs Creating a New Database Link Configuring Directory Databases Creating a Database Link from the Command-Line Specify the configuration information for the database link Providing Suffix Information Providing Bind Credentials NsMultiplexorBindDN cannot be that of the Directory Manager Providing an Ldap URL Summary of Database Link Configuration Attributes Providing a List of Failover ServersFile Attributes Value 1, Chaining Component Operations Attributes Value Run ldapmodify1 to add a database link to server a Create an administrative user on server B, as follows Chaining Using SSL Updating Remote Server Authentication InformationEnable SSL on the server that contains the database link Maintaining Database Links Database Links and Access Control Database Links and Access Control EvaluationDeleting Database Links Configuring Directory Databases Advanced Feature Tuning Database Link Performance Managing Connections to the Remote Server Using the ConsoleManaging Connections to the Remote Server Evaluation Attribute Name Description Advanced Feature Tuning Database Link Detecting Errors During Normal ProcessingDatabase Link Connection Management Attributes Database Link Processing Error Detection Parameters Managing Threaded Operations Overview of Cascading Chaining Advanced Feature Configuring Cascading ChainingPerformance Configuring Directory Databases Configuring Cascading Chaining Defaults Using the Console Advanced Feature Configuring Cascading Configuring Cascading Chaining Using the Console Configuring Cascading Chaining from the Command-Line Chaining Configuring Directory Databases Detecting Loops Summary of Cascading Chaining Configuration AttributesAttribute Description Cascading Chaining Configuration Attributes Cascading Chaining Configuration ExampleAci This attribute must contain the following ACI Configuring Server One 101 Configuring Server Two 102 103 Configuring Directory Databases Configuring Server Three Allow this Starting the Server in Referral Mode Using ReferralsClient on server two Setting Default Referrals Setting a Default Referral Using the ConsoleSetting a Default Referral from the Command-Line Setting Default Referrals Creating Smart Referrals Using the Directory Server Console Creating Smart Referrals Creating Smart Referrals Creating Smart Referrals from the Command Line109 Creating Suffix Referrals Using the Console Creating Suffix Referrals Creating Suffix Referrals from the Command-Line Creating Suffix Referrals Configuring Directory Databases Import Method Comparison Importing DataAction Import Initialize Database Populating Directory Databases Importing a Database from the ConsoleFollowing sections describe importing data Initializing a Database from the Console Initializing a Database from the Console Importing from the Command-Line Importing Using the ldif2db Command-Line Script Importing from the Command-Line Option Description Ldif2db Parameters Importing Using the ldif2db.pl Perl ScriptRun the ldif2db script Importing Using the ldif2ldap Command-Line Script Run the ldif2ldap command-line scriptExporting Data Ldif2db Options Splitting a Database Contents into Two Databases Exporting Directory Data to Ldif Using the Console Exporting Directory Data to Ldif Using Exporting a Single Database to Ldif Using the Console Exporting to Ldif from the Command-Line Run the db2ldif command-line script Ldif file in this case would beDirectory and is automatically named With the -noption or 123 Backing up and Restoring Data Backing up All DatabasesBacking up All Databases from the Server Console Db2ldif Options Backing up All Databases from the Command-Line Run the db2bak command-line scriptBacking up All Databases Click Back Up Directory Server Backing up the dse.ldif Configuration File Click Restore Directory ServerRestore Directory dialog box is displayed 126 Restoring All Databases Restoring Your Database from the Command-Line Using the bak2db Command-Line ScriptUsing bak2db.pl Perl Script Restoring All Databases Run the bak2db.pl Perl script Restoring a Single DatabaseRestart the Directory Server Restoring Databases That Include Replicated Entries Restoring the dse.ldif Configuration FileRestoring Databases That Include 130 Using Roles About Roles Managing Entries with Roles, Class of Service, and Views Managing Roles Using the Console Managing Roles Using the Console Creating a Managed Role 134 Follow the steps of .2.1, Creating a Managed Role Creating a Filtered Role135 Creating a Nested Role Viewing and Editing an Entrys RolesCreate a new role, as in .2.1, Creating a Managed Role 136 Making a Role Inactive Modifying a Role Entry137 Reactivating a Role Deleting a Role Managing Roles Using the Command-Line Managing Roles Using the Command-LineObject Classes and Attributes for Roles Dialog box appears to confirm the deletion. Click Yes Examples Managed Role Definition Example Filtered Role Definition 141 Using Roles Securely Example Nested Role Definition Assigning Class of Service Assigning Class of Service About CoS About the CoS Definition Entry How a Pointer CoS Works About the CoS Template EntryAbout CoS How an Indirect CoS Works Sample Pointer CoS How a Classic CoS Works Sample Indirect CoS Searches for CoS-Specified Attributes Sample Classic CoS Managing CoS Using the Console Managing CoS Using the ConsoleCreating a New CoS 150 Creating the CoS Template Entry Property Editor opens Editing an Existing CoS Deleting a CoS Managing CoS from the Command-Line Creating the CoS Definition Entry from the Command-LineManaging CoS from the Command-Line CoS Type Object Classes Description CoS Definition Entry Attributes CoS Definition Entry Object ClassesAttribute Definition Managing CoS from the Command-Line CoS Definitions CoS Type CoS definitionPointer CoS Indirect CoS Creating the CoS Template Entry from the Command-Line Be added to any other search filter using or Example of a Pointer CoS 158 Example of an Indirect CoS Create the template entry Example of a Classic CoS Creating Role-Based Attributes Creating Role-Based AttributesClassic CoS definition entry looks like Using Views Access Control and CoS Creating Views in the Console Creating Views in the Console Creating Views from the Command Line Deleting Views from the Directory Server Console Using Groups Deleting Views from the Command LineDeleting Views from the Command Line Managing Static Groups Adding a New Static Group Modifying a Static Group Managing Dynamic Groups Adding a New Dynamic GroupModifying a Dynamic Group Managing Dynamic Groups 168 Access Control Principles ACI Structure ACI Placement Managing Access ControlACI Evaluation ACI Limitations Default ACIs Default ACIs Creating ACIs Manually ACI Syntax Defining TargetsDefining Targets Aci attribute uses the following syntax Ldif Target Keywords Keyword Valid Expressions Wildcard AllowedTargetattr Targetfilter Targeting a Directory Entry 175 Targeting Attributes Targeting Both an Entry and Attributes 177 Targeting Entries or Attributes Using Ldap Filters 178 Targeting Attribute Values Using Ldap Filters Defining Permissions Targeting a Single Directory Entry Allowing or Denying Access Assigning RightsDefining Permissions Assigning rights Rights Required for Ldap Operations User RightsSelfwrite to the targeted entry, excluding Proxy rights 183 Bind Rules Access Control and the modrdn OperationPermissions Syntax Bind Rule Syntax Bind Rule SyntaxUserdn Yes, in DN only Defining User Access userdn Keyword Ldif Bind Rule KeywordsGroupdn Ldap///DN DN Roledn Userattr Dns Anonymous Access anyone Keyword General Access all KeywordSelf Access self Keyword Parent Access parent Keyword Examples WildcardsScenExamplerio Description Defining Group Access groupdn Keyword Userdn Keyword Examples Defining Role Access roledn Keyword Defining Group Access groupdn KeywordGroupdn Examples Using the userattr Keyword Defining Access Based on Value MatchingDefining Access Based on Value Matching Example with Groupdn Bind Type Example with Userdn Bind TypeAttrValue is any string representing an attribute value Example with Ldapurl Bind Type Example with Roledn Bind Type193 Using the userattr Keyword with Inheritance Example with Any Attribute Value Using Inheritance With the userattr Keyword Granting Add Permission Using the userattr Keyword Defining Access from a Specific IP Address Defining Access from a Specific Domain Defining Access from a Specific DomainInstead, use a fully qualified name Dns keyword allows wildcards. For example Defining Access at a Specific Time of Day or Day of Week Defining Access Based on Authentication Method Defining Access Based on Authentication Authmethod = saslmechanism Authentication bind DN and password over Ldaps Using Boolean Bind RulesMethod Creating ACIs from the Console Displaying the Access Control Editor Displaying the Access Control EditorClick New to open the Access Control Editor Access Control Editor Window Creating a New ACI Creating a New ACI Managing Access Control Creating a New ACI Managing Access Control Editing an ACI Editing an ACI Deleting an ACI Viewing ACIsControl Manager Get Effective Rights Control Permissions Get Effective Rights ControlGet effective rights result looks like the following Using Get Effective Rights from the Command-Line Permissions That Can Be Set on EntriesPermissions That Can Be Set on Attributes Permission Description Using Get Effective Rights from 214 Using Get Effective Rights from the Console Get Effective Rights Return CodesCheck the Show effective rights checkbox Code Description Access Control Usage Examples Logging Access Control InformationReturned Result Codes Granting Anonymous Access Granting Anonymous Access Click New to display the Access Control Editor Click OK in the Access Control Editor windowACI Anonymous example.com ACI Anonymous World Granting Write Access to Personal Entries Granting Write Access to Personal EntriesFilter for subentries field, type the following filter ACI Write example.com 220 ACI Write Subscribers Restricting Access to Key Roles See , Using Roles Restricting Access to Key RolesACI Roles ACI HR Granting a Group Full Access to a SuffixLdif statement should read as follows Granting Rights to Add and Delete Group Entries ACI Create Group Managing Access Control ACI Delete Group Granting Conditional Access to a Group or RoleEntries ACI HostedCompany1 228 Denying Access Denying AccessLdif statement should be similar to the following ACI Billing Info Read ACI Billing Info Deny 231 Setting a Target Using Filtering Allowing Users to Add or Remove Themselves from a Group ACI Group Members Allowing Users to Add or Remove Proxied Authorization ACI Example Defining Permissions for DNs That Contain a Comma Macro ACI Example Advanced Access Control Using Macro ACIsThemselves from a Group Example Directory Tree for Macro ACIs 236 Macro ACI Syntax Macro ACI Syntax Macros in ACI Keywords Macro Matching for $dnMacro ACI Keyword Steps for expanding this ACI are as follows $dn in the subject is replaced with dc=hostedCompany1 For example, consider the following ACI Macro Matching for $attr.attrName240 Access Control and Replication Access Control and ReplicationCompatibility with Earlier Releases 242 Managing the Password Policy Configuring the Password Policy Configuring a Global Password Policy Using the Console Managing User Accounts and Passwords Configuring the Password Policy Configuring a Subtree/User Password Policy Using the Console Check the Enable fine-grained password policy checkbox Configuring a Global Password Policy Using the Command-Line Attribute Name Definition Users password will expire after an interval Given by the passwordMaxAge attributeMaking passwords expire helps protect Directory data because the longer a password Discourage users from reusing old passwords For example, setting the minimum passwordChanging their passwords during a single Session to cycle through the password history Shorter passwords are easier to crack Passwords can be two 2 to 512 charactersIt down. This attribute is set to 8 by default Attributes, respectively. By default, this This attribute is set to 3 by default Default methodCompatibility with Unix passwords Lowercase letters a to z Password Policy Attributes CoS specification entry at the subtree level. For example 254 Setting User Passwords Password Change Extended OperationSetting User Passwords Start the server Parameter Description Ldappasswd Options256 Configuring the Account Lockout Policy Using the Console Configuring the Account Lockout PolicyConfiguring the Account Lockout Policy Attribute Name Definition Managing the Password Policy in a Managing the Password Policy in a Replicated EnvironmentAccount Lockout Policy Attributes Synchronizing Passwords Inactivating Users and Roles Replicated Environment Inactivating User and Roles Using the Command-Line Inactivating User and Roles Using the ConsoleOption Name Description Activating User and Roles Using the Console Activating User and Roles Using the Command-LineActivating User and Roles Using DN of the user account or role to activate Setting Resource Limits Based on the Bind DN Setting Resource Limits Using the Console Setting Resource Limits Using the Command-Line Entering a value of -1indicates no limit Click OK 266 What Directory Units Are Replicated Replication OverviewRead-Write and Read-Only Replicas Suppliers and Consumers ChangelogReplication Identity Managing Replication Compatibility with Earlier Versions of Directory Server Replication AgreementReplication Agreement Replication Scenarios Single-Master Replication Multi-Master Replication Multi-Master Replication Multi-Master Replication Two Masters 272 Multi-Master Replication Four Masters Cascading Replication Replication Creating the Supplier Bind DN Entry Creating the Supplier Bind DN Entry Configuring Single-Master Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Write Replica on Configuring the Read-Only Replica on the Consumer Supplier Server Create the Replication Agreement Create the Replication Agreement Managing Replication Create the Replication Agreement Replication will not begin until the consumer is initialized Configuring Multi-Master Replication Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier Servers Configuring the Read-Write Replicas on 287 Managing Replication Configuring the Read-Only Replicas on the Consumer Servers Supplier Servers Managing Replication Setting up the Replication Agreements Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Preventing Monopolization of the Consumer 297 Configuring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Server Configuring the Read-Only Replica on Configuring the Read-Only Replica on the Hub Consumer Server Managing Replication Setting up the Replication Agreements Managing Replication DN and password Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Configuring Suppliers from the Command Line Configuring Replication from the Command LineConfiguring Replication from the Command 312 Changelog Attributes LineObject Class or Attribute Description Values Changelog, to which Consumer. This is required for 314 Configuring Consumers from the Command Line Configuring Consumers from the CommandForward update requests. By Replica Attributes Configuring Hubs from the Command Line Configuring Replication Agreements from the Command Line Qualified host and domain Parameter to SSL. If TLS/SSL 318 Configuring Replication Agreements from Replication between Servers Nsds5replicabindcredentialsNsds5replicatedattributelist Objectclass=* $ Exclude Attributes will not be Replication Agreement Attributes Midnight and 2359 is PM. For example, the setting320 Initializing Consumers Online from the Command Line Command Line Making a Replica Updatable Deleting the Changelog Initializing Consumers Removing the ChangelogMoving the Changelog to a New Location Moving the Changelog to a New Location When to Initialize a Consumer Online Consumer Initialization Using the Console Initializing Consumers Online Using the Command Line Initializing Consumers Online Using Manual Consumer Initialization Using the Command Line Exporting a Replica to Ldif Filesystem Replica Initialization Importing the Ldif File to the Consumer Server Initializing the Consumer Replica from the Backup Files Forcing Replication Updates Forcing Replication UpdatesStop the destination Directory Server if it is running Restart the destination Directory Server. For example Forcing Replication Updates from the Console Forcing Replication Updates from the Command-Line Replicating Account Lockout Attributes Example 8.1. ReplicateNow Script ExampleReplicateNow Variables Replicating Account Lockout Attributes Replication over SSL Select Simple Authentication Select SSL Client AuthenticationReplicating o=NetscapeRoot for Directory Server Installation Guide Replication with Earlier Releases Administration Server FailoverSee , Enabling and Disabling Plug-ins Using the Retro Changelog Plug-in Enabling the Retro Changelog Plug-in Attributes of a Retro Changelog EntryEnabling the Retro Changelog Plug-in Retro Changelog Entry Trimming the Retro Changelog Retro Changelog and the Access Control Policy Retro Changelog and the Access ControlMonitoring Replication Status Searching and Modifying the Retro Changelog Directory Server Console Replication Status Monitoring Replication Status from Administration ExpressTable Header Description Policy Table header shows the replica ID 341 Solving Common Replication Conflicts Renaming an Entry with a Multi-Valued Naming Attribute Solving Naming ConflictsSolving Naming Conflicts Unique identifier attribute nsuniqueid cannot be deleted 344 Renaming an Entry with a Single-Valued Naming Attribute Solving Potential Interoperability Problems Solving Orphan Entry Conflicts Troubleshooting Replication-Related Problems Troubleshooting Replication-Related Error/Symptom Reason Impact Remedy Problems But some consumers Follows Are way behind Supplier If it has beenReplayed to all Direct consumers Replication Errors See SectionMonitoring Replication Status 352 Overview of Extending Schema Managing AttributesViewing Attributes Create new attributes, as in .2, Creating Attributes Extending the Directory Schema FieldName Syntax Creating Attributes Attributes Tab ReferenceCreating Attributes Field Description Deleting Attributes Editing AttributesOIDs are described in .1, Attributes Tab Reference This procedure is explained in .4, Deleting Attributes Managing Object ClassesViewing Object Classes Managing Object Classes Parent Reference358 Object Classes Tab Reference Creating Object ClassesCreating Object Classes Editing Object Classes Click OK to save the new object class Deleting Object Classes Deleting Object Classes Turning Schema Checking On and Off About Indexes About Index Types About Default, System, and Standard Indexes Overview of Default IndexesManaging Indexes Attribute Pres Sub Purpose About Default, System, and Standard MaintainingReferential Integrity for Overview of System Indexes Default Indexes366 Overview of the Searching Algorithm Overview of Standard IndexesSystem Indexes Attribute Pres Purpose Managing Indexes Balancing the Benefits of Indexing Approximate SearchesApproximate Searches Directory Server is maintaining the following indexes 370 Creating Indexes Creating Indexes Creating Indexes from the Server Console Creating Indexes from the Command-Line Creating Indexes from the Command-LineAdding an Index Entry To create a new index for a particular database, add it to 374 Creating Indexes from the Command-Line Running the db2index.pl Script Db2index.pl OptionsRun the db2index.pl Perl script Db2index Options describes the db2index.pl options Creating Browsing Indexes from the Command-Line Creating Browsing Indexes from the Server ConsoleAdding a Browsing Index Entry Creating Browsing Indexes from Managing Indexes Running the vlvindex Script This first browsing index entry must be added to Setting Access Control for VLV Information Vlvindex OptionsStop the server.3 Run the vlvindex script Deleting Indexes Deleting IndexesA text editor, open the dse.ldif file Change ldap//all to ldap//anyone and save your changes Deleting Indexes from the Command-Line Deleting Indexes from the Server Console Deleting an Index Entry Deleting Indexes from the Command-LineLdapdelete Options describes the ldapdelete options Ldapdelete Options Run the db2index.pl Perl script. For example Deleting Browsing Indexes from the Command-Line Deleting Browsing Indexes from the Server ConsoleDeleting a Browsing Index Entry Db2index Options Option Description Managing Indexes Vlvindex Options describes the vlvindex options Indexing Performance Search Performance Backwards Compatibility and Migration Backwards Compatibility and Migration Attribute Name Quick Reference TableAttribute Primary Name Attribute Alias Attribute Name Quick Reference Table Attribute Name Quick Reference Table391 392 Introduction to TLS/SSL in the Directory Server Enabling SSL Summary of Steps Managing SSL Command-Line Functions for Start TLSTurn on TLS/SSL in the directory Troubleshooting Start TLS Obtaining and Installing Server CertificatesObtaining and Installing Server Certificates Generate a Certificate Request Generate a Certificate Request Managing SSL Send the Certificate Request After generating the certificate request, send it to the CA Install the Certificate Trust the Certificate Authority Trust the Certificate Authority Using certutil Confirm That The New Certificates Are Installed Creating Directory Server Certificates Create a password file for the security token passwordGenerate the Directory Server client certificate 404 Starting the Server with TLS/SSL Enabled Through the Command LineCertutil Usage Certutil Options Enabling TLS/SSL Only in the Directory Server Click Cipher SettingsSelect the certificate to use from the drop-down menu Enabling TLS/SSL Only in the Directory Described in , Starting and Stopping Servers Check the Use SSL in the Console box. Hit Save Server Click Cipher Settings409 Creating a Password File for the Directory Server Creating a Password File for the Administration Server Creating a Password File for Restart the Administration Server Setting Security PreferencesAvailable Ciphers Administration Server TLSv1 Ciphers Selecting the Encryption Cipher Click Cipher SettingSSLv3 Ciphers Using Certificate-Based Authentication Using Certificate-Based AuthenticationEncryption tab, click Save Setting up Certificate-Based Authentication Allowing/Requiring Client Authentication Configuring Ldap Clients to Use SSL Configuring Ldap Clients to Use SSLStop the Directory Server Now start Red Hat Console Client certificate resembles the following Begin Certificate Configuring Ldap Clients to Use SSL Click Set Value 420 Authentication Mechanisms Managing Sasl Sasl Identity Mapping Sasl is configured by entries under a container entry 422Managing Sasl Sasl identity mapping entries are children of this entry Sasl Identity Mapping423 Configuring Sasl Identity Mapping from the Console Configuring Sasl Identity Mapping from Configuring Sasl Identity Mapping from the Command-Line Configuring KerberosSupported Kerberos Systems Operating System Kerberos Version Configuring the KDC Server Realms Example Configuring an Example KDC Server Configuring Sasl Authentication at Directory Server Startup Configuring Sasl Authentication at Managing Sasl Administration Express Viewing and Configuring Log FilesDefining a Log File Rotation Policy Monitoring Server and Database Activity Access Log Viewing the Access LogDefining a Log File Deletion Policy Defining a Log File Deletion Policy Configuring the Access Log Display to refresh automatically every ten seconds Viewing the Error Log Error LogError Log Containing text box, and click Refresh Configuring the Error LogClick Save 436 Configuring the Audit Log Audit LogViewing the Audit Log Audit Log Manual Log File Rotation Monitoring Server Activity Monitoring the Server from the Directory Server Console Monitoring the Server from the Directory General Information Server Resource SummaryResource Usage Since Startup Average Per Minute Resource Current Total Current Resource Usage Server ConsoleConnection can account for multiple Operations, and therefore multiple threads Connection Status Global Database Cache Information Monitoring the Directory Server from the Command LineMonitoring the Directory Server from Attribute Description 444 Server Monitoring Attributes Monitoring Database ActivityTime GMT in UTC format See , Tuning Database Maximum Cache Size setting. See SectionGeneral Information Database Performance Metric Current Total Tuning Database Performance for Cache setting. See , TuningSummary Information Monitoring Database Activity from Database Cache Information Monitoring Databases from the Command Line10. Database File-Specific Directory Server Console Maximum Entries in Cache attribute Monitoring Database Link Activity 11. Directory Server Monitoring AttributesMonitoring Database Link Activity Lower the number of page evicts the better 12. Database Link Monitoring Attributes 452 Snmp About Snmp Configuring the Master Agent Configuring the Subagent Subagent Configuration FileMonitoring Directory Server Using Snmp Agentx-master Starting the Subagent Agent-logdirServer Starting the Subagent Configuring Snmp Traps Testing the Subagent Using the Management Information Base Configuring the Directory Server for SnmpConfiguring the Directory Server for Snmp Operations Table Managed Object Description Operations Table Managed Objects and Descriptions Entries Table Entity Table Entries TableEntries Table Managed Objects and Descriptions Entity Table Managed Objects and Descriptions Interaction TableInteraction Table Interaction Table Managed Objects and Descriptions Management subsystem was initialized, thisObject will contain a value of zero 462 Tuning Directory Server Performance Tuning Server Performance Tuning Directory Server Performance Tuning Database PerformanceOptimizing Search Performance Optimizing Search Performance Tuning Transaction Logging Changing the Location of the Database Transaction Log Changing the Database Checkpoint Interval Changing the Database Checkpoint Interval Disabling Durable Transactions Miscellaneous Tuning TipsSpecifying Transaction Batching Avoid Creating Entries Under the cn=config 470 Server Plug-in Functionality Reference Bit Check Plug-inACL Plug-in Details of 7-Bit Check Plug-in Administering Directory Server Plug-ins ACL Preoperation Plug-inBinary Syntax Plug-in Details of ACI Plug-in Boolean Syntax Plug-in Case Exact String Syntax Plug-inDetails of Binary Syntax Plug-in Details of Boolean Syntax Plug-in Case Ignore String Syntax Plug-in Chaining Database Plug-inDetails of Case Exact String Syntax Plug-in Details of Case Ignore String Syntax Plug-in Class of Service Plug-in Details of Class of Service Plug-inClass of Service Plug-in Country String Syntax Plug-in Distinguished Name Syntax Plug-in Generalized Time Syntax Plug-in10. Details of Country String Plug-in 11. Details of Distinguished Name Syntax Plug-in Integer Syntax Plug-in Internationalization Plug-in12. Details of Generalized Time Syntax Plug-in 13. Details of Integer Syntax Plug-in Ldbm Database Plug-in Legacy Replication Plug-in14. Details of Internationalization Plug-in 15. Details of ldbm Database Plug-in Multi-Master Replication Plug-in Octet String Syntax Plug-in16. Details of Legacy Replication Plug-in 17. Details of Multi-Master Replication Plug-in Clear Password Storage Plug-in Crypt Password Storage Plug-in19. Details of Clear Password Storage Plug-in 18. Details of Octet String Syntax Plug-in NS-MTA-MD5 Password Storage Plug-in 20. Details of Crypt Password Storage Plug-in21. Details of NS-MTA-MD5 Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in Ssha Password Storage Plug-in SHA Password Storage Plug-in22. Details of SHA Password Storage Plug-in 23. Details of Ssha Password Storage Plug-in Postal Address String Syntax Plug-inPTA Plug-in 24. Details of Postal Address String Syntax Plug-in Using the Pass-through Authentication Plug-inSee , Using the Pass-through Referential Integrity Postoperation Plug-in Retro Changelog Plug-in 26. Details of Referential Integrity Post-Operation Plug-inRetro Changelog Plug-in See , Managing Indexes for Roles Plug-in Space Insensitive String Syntax Plug-in27. Details of Retro Changelog Plug-in 28. Details of Roles Plug-in State Change Plug-in 29. Details of Space Insensitive String Syntax Plug-inState Change Plug-in See Appendix B, Finding Directory Entries Telephone Syntax Plug-in UID Uniqueness Plug-in30. Details of State Change Plug-in 31. Details of Telephone Syntax Plug-in See , Using the Attribute URI Plug-in32. Details of UID Uniqueness Plug-in URI Plug-in Enabling and Disabling Plug-ins 33. Details of URI Plug-in Using the Pass-through Authentication Plug-in How Directory Server Uses PTA Using the Pass-through Authentication Plug-in PTA Plug-in Syntax PTA Plug-in Syntax Variable Definition See .5, Configuring the Optional Configuring the Optional Parameters forSpecifying the Pass-through Subtree for Configuring the PTA Plug-in Configuring the PTA Plug-inPTA Plug-in Parameters Specifying the Authenticating Directory Server Configuring the Servers to Use a Secure ConnectionTurning the Plug-in On or Off Specifying the Pass-through Subtree Specifying the Pass-through Subtree Configuring the Optional Parameters PTA Plug-in Syntax Examples PTA Plug-in Syntax Examples Specifying Multiple Authenticating Directory Servers Using Non-Default Parameter Values Specifying Different Optional Parameters 502 Using the Attribute Uniqueness Plug-in Overview of the Attribute Uniqueness Plug-in Using the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in Syntax See .3.1, Turning the Plug-in On or Attribute Uniqueness Plug-in Syntax505 Creating an Instance of the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in Variables Viewing Plug-in Configuration Information Configuring Attribute Uniqueness Plug-insConfiguring Attribute Uniqueness Plug-ins From the Configuration tab From the Property Editor Specifying a Suffix or Subtree Turning the Plug-in On or Off509 Using the markerObjectClass and requiredObjectClass Keywords From the Command-Line Attribute Uniqueness Plug-in Syntax ExamplesSpecifying One Attribute and One Subtree Specifying One Attribute and Multiple Subtrees Replication and the Attribute Uniqueness Plug-in Simple Replication Scenario Multi-Master Replication Scenario Multi-Master Replication Scenario 514 About Windows Sync Active Directory Directory Server Synchronization Process About Windows Sync 517 Configuring Windows Sync Configure SSL on Directory Server Configure the Active Directory Configure the Active Directory DomainSelect the Enterprise Root CA option Select or Create the Sync Identity Iv. Accept the certificate request. For example Install and Configure the Password Sync Service Domain Hit Next, then Finish to install Password Sync Reboot the Windows machine to start Password Sync Install and Configure the Password 523 Configure the Directory Server Database for Synchronization Give trusted peer status to the server Sync Service Create the Synchronization Agreement Setting up the Sync Agreement Using Windows Sync Begin SynchronizationBegin Synchronization Synchronizing Users Synchronizing Groups Deleting Entries Synchronizing Users Directory Server Active Directory Synchronizing Users529 Synchronizing Groups PhysicalDeliveryOfficeName Deleting Entries Deleting EntriesNtGroupAttributes NtGroupId Name SamAccountName NtGroupType Description Member SeeAlso Resurrecting Entries Manually Updating and Resynchronizing Entries Modifying the Sync Agreement Checking Synchronization StatusChecking Synchronization Status Schema Differences Password PoliciesGroups Values for street and streetAddress Password Sync Service Modifying Password SyncStarting and Stopping the Password Sync Service Contraints on the initials attribute Troubleshooting Uninstalling Password Sync ServiceTo uninstall the Password Sync service, do the following Open the Add/Remove Programs utility Troubleshooting 537 538 Appendix A. Ldap Data Interchange Format About the Ldif File Format Continuing Lines in Ldif Table A.1. Ldif FieldsAppendix A. Ldap Data Interchange Format Field Definition Representing Binary Data Standard Ldif NotationBase-64 Encoding Representing Binary Data Specifying Directory Entries Using Ldif Specifying Domain Entries Table A.2. Ldif Elements in Domain Entries Specifying Organizational Unit EntriesDomain Entries Ldif Element Description Specifying Organizational Unit Entries Table A.3. Ldif Elements in Organizational Unit Entries Specifying Organizational Person EntriesSpecifying Organizational Person Entries Defining Directories Using Ldif Table A.4. Ldif Elements in Person Entries Defining Directories Using Ldif 547 Ldif File Example Storing Information in Multiple Languages Storing Information in Multiple Languages File contents are then converted to UTF-8 550 Finding Entries Using the Directory Server Console Figure B.1. Browsing Entries in the Directory Tab Using ldapsearch Appendix B. Finding Directory Entries Ldapsearch Command-Line Format Ldapsearch command must use the following format Commonly Used ldapsearch Options Commonly Used ldapsearch Options Ldapsearch Examples Returning All Entries Specifying Search Filters on the Command Line Searching the Schema EntryUsing Ldapbasedn Searching the Root DSE Entry Displaying Subsets of Attributes Specifying Search Filters Using a FileThis example assumes the search base is set with Ldapbasedn Using Client Authentication When Searching Ldap Search FiltersSpecifying DNs That Contain Commas in Search Filters Ldap Search Filters Using Attributes in Search Filters Using Operators in Search FiltersSearch Filter Syntax Basic syntax of a search filter is Using Compound Search Filters Table B.1. Search Filter OperatorsSearch Filter Syntax Search Type Operator Description Search Filter Examples Operator Symbol DescriptionTable B.2. Search Filter Boolean Operators Searching an Internationalized Directory Searching an Internationalized Directory Matching Rule Filter Syntax Matching Rule Formats Using an OID for the Matching Rule Using a Language Tag for the Matching RuleMatching Rule Filter Syntax 565 Using Wildcards in Matching Rule Filters Using an OID and Suffix for the Matching RuleUsing a Language Tag and Suffix for the Matching Rule Table B.3, Search Types, Operators, and Suffixes Supported Search Types Supported Search TypesSearch Type Operator Suffix International Search Examples Less-Than ExampleLess-Than or Equal-to Example Equality Example Greater-Than or Equal-to Example Greater-Than ExampleSubstring Example International Search Examples But either one of these will work correctly 570 Components of an Ldap URL Ldap URLs have the following syntaxComponent Hostname Port Appendix C. Ldap URLs Table C.1. Ldap URL ComponentsComponent Description Escaping Unsafe Characters Examples of Ldap URLsEscaping Unsafe Characters Unsafe Character Escape Characters Example Examples of Ldap URLs 575 576 Appendix D. Internationalization About Locales Appendix D. Internationalization Identifying Supported LocalesLocale Language Tag Collation Order Object Identifiers OIDs Supported Language Subtypes Table D.1. Supported Locales579 Supported Language Subtypes Troubleshooting Matching Rules Troubleshooting Matching RulesTable D.2. Supported Language Subtypes 582 See Also access control list See Also access control instructionSee Also ID list scan limit Glossary ValueSee base DN See bind DN See Also virtual list view index See Certificate Authority Directory Access Protocol. The ISO X.500 standard protocol That provides client access to the directorySee Ldap client See Also template entry See CoS definition entry See directory treeSee distinguished name See Directory Manager See Directory Server Gateway See Also cascading replication See Ldap Data Interchange Format See supplier See Snmp master agent Directory tree See Also access rights See object identifierEncoded messages which form the basis of data exchanges Between Snmp devices. Also protocol data unit Authenticating directory server, pass-through subtrees, Receives to the authenticating directory serverName. Also relative distinguished name Request for Comments. Procedures or standards documents Process is called a referralSubmitted to the Internet community. People can send Comments on the technologies before they become accepted Server Instance Entry. The ID assigned to an instance Directory Server during installationSee supplier-initiated replication Subagent Simple Network Management ProtocolSee Snmp subagent Protocol. Also Transport Layer Security See CoS template entrySee Also browsing index Page 600 Index Index Page Index Page Index Ldapbasedn Index Ldif Index MIB Index Page Index Page MIB Page Index