Manuals / HP / Computer Equipment / Software

HP UX Red Hat Direry Server Software manual Macro Matching for $attr.attrName, 240

Models: UX Red Hat Direry Server Software

1 638

Download 638 pages 23.73 Kb

Page 260

Chapter 6. Managing Access Control

For example, consider the following ACI:

aci: (target="ldap:///ou=*, ($dn),dc=example,dc=com") (targetattr="*")(targetfilter=(objectClass=nsManagedDomain)) (version 3.0; acl "Domain access"; allow (read,search) groupdn="ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=example,dc=com";)

It grants access to the members of cn=DomainAdmins,ou=Groups,

dc=hostedCompany1,dc=example,dc=com to all of the subdomains under dc=hostedCompany1, so an administrator belonging to that group could access a subtree like ou=people, dc=subdomain1.1, dc=subdomain1.

However, at the same time, members of cn=DomainAdmins,ou=Groups, dc=subdomain1.1 would be denied access to the ou=people,dc=hostedCompany1 and

ou=people,dc=hostedCompany1 nodes.

10.2.3. Macro Matching for ($attr.attrName)

The ($attr.attrName) macro is always used in the subject part of a DN. For example, define the following roledn:

roledn = "ldap:///cn=DomainAdmins,($attr.ou)"

Now, assume the server receives an LDAP operation targeted at the following entry:

dn: cn=Jane Doe, ou=People, dc=HostedCompany1, dc=example,dc=com

cn: Jane Doe

sn: Doe

ou: Engineering, dc=HostedCompany1, dc=example,dc=com

...

In order to evaluate the roledn part of the ACI, the server looks at the ou attribute stored in the targeted entry and uses the value of this attribute to expand the macro. Therefore, in the example, the roledn is expanded as follows:

roledn =

"ldap:///cn=DomainAdmins,ou=Engineering,dc=HostedCompany1,dc=example,dc=com"

The Directory Server then evaluates the ACI according to the normal ACI evaluation algorithm.

When an attribute is multi-valued, each value is used to expand the macro, and the first one that provides a successful match is used. For example:

dn: cn=Jane Doe,ou=People,dc=HostedCompany1,dc=example,dc=com

cn: Jane Doe

sn: Doe

ou: Engineering, dc=HostedCompany1,dc=example,dc=com

240

Image 260

HP UX Red Hat Direry Server Software manual Macro Matching for $attr.attrName, For example, consider the following ACI, 240

Contents

Administrators Guide Red Hat Directory Server Red Hat Directory Server 8.0 Administrators Guide Copyright 2008 Red Hat, IncRed Hat Directory Server General Red Hat Directory Server Usage Creating and Maintaining Suffixes Creating and Maintaining DatabasesCreating and Maintaining Database Links Creating a New Database LinkPage Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Xvi Directory Server Overview PrefaceExample and Default References When shown as below, it indicates computer outputDocument Conventions PrefaceDocument Conventions XixRelated Information Directory Server File Locations ChapterFile or Directory Location Red Hat Enterprise Linux 4 and 5General Red Hat Directory Server Usage Sun Solaris 9 sparc HP-UX 11i IA64Ldap Tool Locations BinariesLdap Tool Locations Starting and Stopping ServersPlatform Directory Location Opt/dirsrv/binStart the Directory Server Console Starting and Stopping Directory Server from the ConsoleStarting and Stopping Directory Server from Starting and Stopping Administration Server Solaris uses /etc/init.dOn Solaris, the service is init.d Starting the Directory Server ConsoleConsole HP-UX has a different location for the scriptChanging Login Identity Login screenLogging into Directory Server Click Log on to the Directory Server as a New UserViewing the Current Console Bind DN Changing Directory Server Port NumbersViewing the Current Console Bind DN General Red Hat Directory Server Usage Open the Administration Server Console Configuration tab, select the Configuration DS tabCreating a New Directory Server Instance Creating a New Directory Server InstanceConfiguring the Directory Manager Configuring the Directory Manager Page Managing Entries from the Directory Console Creating a Root EntryDirectory Server Console, select the Configuration tab Creating Directory EntriesCreating Directory Entries Template Object ClassCreating an Entry Using a Predefined Template Role NsRoleDefinition Class of Service CosSuperDefinitionCreating Other Types of Entries Entry Templates and Corresponding Object ClassesModifying Directory Entries Displaying the Property EditorAdding an Object Class to an Entry Removing an Object ClassAdding an Attribute to an Entry Modifying Directory EntriesAdding Very Large Attributes Adding Attribute Values Removing an Attribute ValueAdding an Attribute Subtype Language SubtypeBinary Subtype Instead, useDeleting Directory Entries Pronunciation SubtypeAdding a Subtype to an Attribute Deleting Directory EntriesEntries, use Ctrl or Shift Select Delete from the Edit menu Managing Entries from the Command-LineProviding Input from the Command-Line Creating a Root Entry from Creating a Root Entry from the Command-LineSee , Ldif Update Statements Import the Ldif file from the Directory Server Console Adding Entries Using LdifAdding and Modifying Entries Using ldapmodify Parameter Name Description Adding Entries Using ldapmodifyCommand-Line Ldapmodify Parameters Used for Adding Entries Modifying Entries Using ldapmodifyInput from the Command-Line Deleting Entries Using ldapdelete Deleting Entries Using ldapdeleteLdapmodify Parameters Used for Modifying Entries Hostname is cyclops Server uses port numberAre branch points in the directory tree This ldapdelete example has the following valuesUsing Special Characters Using Special CharactersTracking Modifications to Directory Entries Ldapdelete Parameters Used for Deleting EntriesOpen the Tasks tab, and click Restart Directory Server Ldif Update StatementsSelect the Track Entry Modification Times checkbox Ldif Update Statements General format of Ldif update statements is as followsAdding an Entry Using Ldif Following sections describe the change types in detailFollowing command renames Sue Jacobs to Susan Jacobs Renaming an Entry Using LdifRenaming an Entry Using Ldif Modifying an Entry Using Ldif AddattributeFollowing example adds two telephone numbers to the entry Adding Attributes to Existing Entries Using LdifModifying an Entry Using Ldif Changing an Attribute Value Using Ldif Entry is now as follows Deleting All Values of an Attribute Using LdifDeleting a Specific Attribute Value Using Ldif Deleting an Entry Using Ldif Barneys entry then becomesMaintaining Referential Integrity Modifying an Entry in an Internationalized DirectoryHow Referential Integrity Works Modifying an Entry in an InternationalizedUsing Referential Integrity with Replication Modifying the Update Interval You can enable or disable referential integrity as followsEnabling/Disabling Referential Integrity DirectoryModifying the Attribute List TIP Modifying the Attribute ListPage Creating and Maintaining Suffixes A Sample Directory Tree with One Root SuffixCreating Suffixes Configuring Directory DatabasesCreating Suffixes 1, Using Referrals in a Suffix A Sample Directory Tree with a Sub Suffix Creating SuffixesCreating a New Root Suffix Using the Console Creating a New Sub Suffix Using the ConsoleCreating Root and Sub Suffixes from the Command-Line Attribute Name Value Creating and Maintaining Database Links for Attribute. See , CreatingMaintaining Databases for more information Creating and Maintaining Databases forSuffix Attributes Using Referrals in a SuffixMaintaining Suffixes Enabling Referrals Only During Update Operations Disabling a SuffixMaintaining Suffixes To requests from client applications Click SaveDeleting a Suffix Creating and Maintaining DatabasesCreating Databases Creating Databases Configuring Directory Databases Adding Multiple Databases for a Single Suffix For example, add a new database to the server example1Configuring Directory Databases Maintaining Directory Databases Placing a Database in Read-Only ModeMaintaining Directory Databases Making a Database Read-Only Using the Console Making a Database Read-Only from the Command LineSelect the database is read-only checkbox Change the read-only attribute to onPlacing the Entire Directory Server in Read-Only Mode Deleting a DatabaseSelect the Make Entire Server Read-Only checkbox Click Save, and then restart the serverConfiguring Transaction Logs for Frequent Database Updates Database EncryptionEncryption Keys Database EncryptionSelect the Attribute Encryption tab Configuring Database Encryption from the ConsoleEncryption Ciphers Exporting and Importing an Encrypted Database Configuring Database Encryption Using the Command-LineRun the ldapmodify command1 See .3, Importing from the Command-Linefor more information Configuring the Chaining Policy Creating and Maintaining Database LinksChaining Component Operations Creating and Maintaining Database LinksComponent Name Description Permissions NsActiveChainingComponents Cn=resourceConfiguring the Chaining Policy NsActiveChainingComponents Cn=certificate-basedChaining Component Operations Using the Console Components Allowed to ChainPlug-in Chaining Component Operations from the Command-LineChaining Ldap Controls Chaining Ldap Controls Using the Console Chaining Ldap Controls from the Command-LineCreating a New Database Link Using the Console Creating a New Database LinkLdap Controls and Their OIDs Creating a New Database LinkConfiguring Directory Databases Creating a Database Link from the Command-Line Specify the configuration information for the database linkProviding Suffix Information Providing Bind CredentialsNsMultiplexorBindDN cannot be that of the Directory Manager Providing an Ldap URL Summary of Database Link Configuration Attributes Providing a List of Failover ServersFile Attributes Value1, Chaining Component OperationsAttributes Value Run ldapmodify1 to add a database link to server a Create an administrative user on server B, as follows Chaining Using SSL Updating Remote Server Authentication InformationEnable SSL on the server that contains the database link Maintaining Database LinksDeleting Database Links Database Links and Access Control EvaluationDatabase Links and Access Control Configuring Directory Databases Advanced Feature Tuning Database Link Performance Managing Connections to the Remote Server Using the ConsoleManaging Connections to the Remote Server EvaluationAttribute Name Description Database Link Connection Management Attributes Detecting Errors During Normal ProcessingAdvanced Feature Tuning Database Link Database Link Processing Error Detection Parameters Managing Threaded OperationsPerformance Advanced Feature Configuring Cascading ChainingOverview of Cascading Chaining Configuring Directory Databases Configuring Cascading Chaining Defaults Using the Console Advanced Feature Configuring CascadingConfiguring Cascading Chaining Using the Console Configuring Cascading Chaining from the Command-Line ChainingConfiguring Directory Databases Attribute Description Summary of Cascading Chaining Configuration AttributesDetecting Loops Aci This attribute must contain the following ACI Cascading Chaining Configuration ExampleCascading Chaining Configuration Attributes Configuring Server One 101Configuring Server Two 102103 Configuring Directory Databases Configuring Server Three Allow thisClient on server two Using ReferralsStarting the Server in Referral Mode Setting Default Referrals Setting a Default Referral Using the ConsoleSetting a Default Referral from the Command-Line Setting Default ReferralsCreating Smart Referrals Using the Directory Server Console Creating Smart Referrals109 Creating Smart Referrals from the Command LineCreating Smart Referrals Creating Suffix Referrals Using the Console Creating Suffix ReferralsCreating Suffix Referrals from the Command-Line Creating Suffix ReferralsConfiguring Directory Databases Action Import Initialize Database Importing DataImport Method Comparison Following sections describe importing data Importing a Database from the ConsolePopulating Directory Databases Initializing a Database from the Console Initializing a Database from the ConsoleImporting from the Command-Line Importing Using the ldif2db Command-Line ScriptImporting from the Command-Line Option DescriptionRun the ldif2db script Importing Using the ldif2db.pl Perl ScriptLdif2db Parameters Importing Using the ldif2ldap Command-Line Script Run the ldif2ldap command-line scriptExporting Data Ldif2db OptionsSplitting a Database Contents into Two Databases Exporting Directory Data to Ldif Using the Console Exporting Directory Data to Ldif UsingExporting a Single Database to Ldif Using the Console Exporting to Ldif from the Command-LineRun the db2ldif command-line script Ldif file in this case would beDirectory and is automatically named With the -noption or 123Backing up and Restoring Data Backing up All DatabasesBacking up All Databases from the Server Console Db2ldif OptionsBacking up All Databases from the Command-Line Run the db2bak command-line scriptBacking up All Databases Click Back Up Directory ServerBacking up the dse.ldif Configuration File Click Restore Directory ServerRestore Directory dialog box is displayed 126 Restoring All DatabasesRestoring Your Database from the Command-Line Using the bak2db Command-Line ScriptUsing bak2db.pl Perl Script Restoring All DatabasesRestart the Directory Server Restoring a Single DatabaseRun the bak2db.pl Perl script Restoring Databases That Include Restoring the dse.ldif Configuration FileRestoring Databases That Include Replicated Entries 130 Using Roles About RolesManaging Entries with Roles, Class of Service, and Views Managing Roles Using the Console Managing Roles Using the ConsoleCreating a Managed Role 134135 Creating a Filtered RoleFollow the steps of .2.1, Creating a Managed Role Creating a Nested Role Viewing and Editing an Entrys RolesCreate a new role, as in .2.1, Creating a Managed Role 136137 Modifying a Role EntryMaking a Role Inactive Reactivating a Role Deleting a RoleManaging Roles Using the Command-Line Managing Roles Using the Command-LineObject Classes and Attributes for Roles Dialog box appears to confirm the deletion. Click YesExamples Managed Role Definition Example Filtered Role Definition 141Using Roles Securely Example Nested Role DefinitionAssigning Class of Service Assigning Class of ServiceAbout CoS About the CoS Definition EntryAbout CoS About the CoS Template EntryHow a Pointer CoS Works How an Indirect CoS Works Sample Pointer CoSHow a Classic CoS Works Sample Indirect CoSSearches for CoS-Specified Attributes Sample Classic CoSCreating a New CoS Managing CoS Using the ConsoleManaging CoS Using the Console 150 Creating the CoS Template Entry Property Editor opensEditing an Existing CoS Deleting a CoSManaging CoS from the Command-Line Creating the CoS Definition Entry from the Command-LineManaging CoS from the Command-Line CoS Type Object Classes DescriptionAttribute Definition CoS Definition Entry Object ClassesCoS Definition Entry Attributes Managing CoS from the Command-Line CoS Definitions CoS Type CoS definitionPointer CoS Indirect CoSCreating the CoS Template Entry from the Command-Line Be added to any other search filter using orExample of a Pointer CoS 158Example of an Indirect CoS Create the template entryExample of a Classic CoS Classic CoS definition entry looks like Creating Role-Based AttributesCreating Role-Based Attributes Using Views Access Control and CoSCreating Views in the Console Creating Views in the ConsoleCreating Views from the Command Line Deleting Views from the Directory Server ConsoleUsing Groups Deleting Views from the Command LineDeleting Views from the Command Line Managing Static GroupsAdding a New Static Group Modifying a Static GroupManaging Dynamic Groups Adding a New Dynamic GroupModifying a Dynamic Group Managing Dynamic Groups168 Access Control Principles ACI StructureACI Placement Managing Access ControlACI Evaluation ACI LimitationsDefault ACIs Default ACIsCreating ACIs Manually ACI Syntax Defining TargetsDefining Targets Aci attribute uses the following syntaxLdif Target Keywords Keyword Valid Expressions Wildcard AllowedTargetattr TargetfilterTargeting a Directory Entry 175Targeting Attributes Targeting Both an Entry and Attributes 177Targeting Entries or Attributes Using Ldap Filters 178Targeting Attribute Values Using Ldap Filters Defining Permissions Targeting a Single Directory EntryAllowing or Denying Access Assigning RightsDefining Permissions Assigning rightsRights Required for Ldap Operations User RightsSelfwrite to the targeted entry, excluding Proxy rights183 Permissions Syntax Access Control and the modrdn OperationBind Rules Bind Rule Syntax Bind Rule SyntaxUserdn Yes, in DN onlyDefining User Access userdn Keyword Ldif Bind Rule KeywordsGroupdn Ldap///DN DN Roledn Userattr DnsAnonymous Access anyone Keyword General Access all KeywordSelf Access self Keyword Parent Access parent KeywordScenExamplerio Description WildcardsExamples Defining Group Access groupdn Keyword Userdn Keyword ExamplesGroupdn Examples Defining Group Access groupdn KeywordDefining Role Access roledn Keyword Defining Access Based on Value Matching Defining Access Based on Value MatchingUsing the userattr Keyword AttrValue is any string representing an attribute value Example with Userdn Bind TypeExample with Groupdn Bind Type 193 Example with Roledn Bind TypeExample with Ldapurl Bind Type Using the userattr Keyword with Inheritance Example with Any Attribute ValueUsing Inheritance With the userattr Keyword Granting Add Permission Using the userattr KeywordDefining Access from a Specific IP Address Defining Access from a Specific Domain Defining Access from a Specific DomainInstead, use a fully qualified name Dns keyword allows wildcards. For exampleDefining Access at a Specific Time of Day or Day of Week Defining Access Based on Authentication Method Defining Access Based on AuthenticationAuthmethod = saslmechanism Method Using Boolean Bind RulesAuthentication bind DN and password over Ldaps Creating ACIs from the Console Click New to open the Access Control Editor Displaying the Access Control EditorDisplaying the Access Control Editor Access Control Editor Window Creating a New ACICreating a New ACI Managing Access Control Creating a New ACI Managing Access Control Editing an ACI Editing an ACIControl Manager Viewing ACIsDeleting an ACI Get effective rights result looks like the following Get Effective Rights ControlGet Effective Rights Control Permissions Using Get Effective Rights from the Command-Line Permissions That Can Be Set on EntriesPermissions That Can Be Set on Attributes Permission DescriptionUsing Get Effective Rights from 214 Using Get Effective Rights from the Console Get Effective Rights Return CodesCheck the Show effective rights checkbox Code DescriptionReturned Result Codes Logging Access Control InformationAccess Control Usage Examples Granting Anonymous Access Granting Anonymous AccessClick New to display the Access Control Editor Click OK in the Access Control Editor windowACI Anonymous example.com ACI Anonymous WorldFilter for subentries field, type the following filter Granting Write Access to Personal EntriesGranting Write Access to Personal Entries ACI Write example.com 220ACI Write Subscribers Restricting Access to Key Roles ACI Roles Restricting Access to Key RolesSee , Using Roles Ldif statement should read as follows Granting a Group Full Access to a SuffixACI HR Granting Rights to Add and Delete Group Entries ACI Create GroupManaging Access Control Entries Granting Conditional Access to a Group or RoleACI Delete Group ACI HostedCompany1 228Ldif statement should be similar to the following Denying AccessDenying Access ACI Billing Info Read ACI Billing Info Deny 231Setting a Target Using Filtering Allowing Users to Add or Remove Themselves from a GroupACI Group Members Allowing Users to Add or RemoveProxied Authorization ACI Example Defining Permissions for DNs That Contain a CommaThemselves from a Group Advanced Access Control Using Macro ACIsMacro ACI Example Example Directory Tree for Macro ACIs 236Macro ACI Syntax Macro ACI SyntaxMacro ACI Keyword Macro Matching for $dnMacros in ACI Keywords Steps for expanding this ACI are as follows $dn in the subject is replaced with dc=hostedCompany1240 Macro Matching for $attr.attrNameFor example, consider the following ACI Compatibility with Earlier Releases Access Control and ReplicationAccess Control and Replication 242 Managing the Password Policy Configuring the Password PolicyConfiguring a Global Password Policy Using the Console Managing User Accounts and PasswordsConfiguring the Password Policy Configuring a Subtree/User Password Policy Using the Console Check the Enable fine-grained password policy checkboxConfiguring a Global Password Policy Using the Command-Line Attribute Name DefinitionUsers password will expire after an interval Given by the passwordMaxAge attributeMaking passwords expire helps protect Directory data because the longer a passwordDiscourage users from reusing old passwords For example, setting the minimum passwordChanging their passwords during a single Session to cycle through the password historyShorter passwords are easier to crack Passwords can be two 2 to 512 charactersIt down. This attribute is set to 8 by default Attributes, respectively. By default, thisThis attribute is set to 3 by default Default methodCompatibility with Unix passwords Lowercase letters a to zPassword Policy Attributes CoS specification entry at the subtree level. For example 254 Setting User Passwords Password Change Extended OperationSetting User Passwords Start the server256 Ldappasswd OptionsParameter Description Configuring the Account Lockout Policy Configuring the Account Lockout PolicyConfiguring the Account Lockout Policy Using the Console Attribute Name Definition Account Lockout Policy Attributes Managing the Password Policy in a Replicated EnvironmentManaging the Password Policy in a Synchronizing Passwords Inactivating Users and Roles Replicated EnvironmentOption Name Description Inactivating User and Roles Using the ConsoleInactivating User and Roles Using the Command-Line Activating User and Roles Using the Console Activating User and Roles Using the Command-LineActivating User and Roles Using DN of the user account or role to activateSetting Resource Limits Based on the Bind DN Setting Resource Limits Using the ConsoleSetting Resource Limits Using the Command-Line Entering a value of -1indicates no limit Click OK266 Read-Write and Read-Only Replicas Replication OverviewWhat Directory Units Are Replicated Suppliers and Consumers ChangelogReplication Identity Managing ReplicationReplication Agreement Replication AgreementCompatibility with Earlier Versions of Directory Server Replication Scenarios Single-Master ReplicationMulti-Master Replication Multi-Master ReplicationMulti-Master Replication Two Masters 272Multi-Master Replication Four Masters Cascading Replication ReplicationCreating the Supplier Bind DN Entry Creating the Supplier Bind DN EntryConfiguring Single-Master Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Write Replica onConfiguring the Read-Only Replica on the Consumer Supplier Server Create the Replication Agreement Create the Replication Agreement Managing Replication Create the Replication Agreement Replication will not begin until the consumer is initialized Configuring Multi-Master Replication Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier ServersConfiguring the Read-Write Replicas on 287Managing Replication Configuring the Read-Only Replicas on the Consumer Servers Supplier ServersManaging Replication Setting up the Replication Agreements Setting up the Replication AgreementsManaging Replication Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Preventing Monopolization of the Consumer 297Configuring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Server Configuring the Read-Only Replica on Configuring the Read-Only Replica on the Hub Consumer Server Managing Replication Setting up the Replication Agreements Managing Replication DN and password Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Configuring Replication from the Command Configuring Replication from the Command LineConfiguring Suppliers from the Command Line 312 Changelog Attributes LineObject Class or Attribute Description Values Changelog, to whichConsumer. This is required for 314Configuring Consumers from the Command Line Configuring Consumers from the CommandForward update requests. By Replica AttributesConfiguring Hubs from the Command Line Configuring Replication Agreements from the Command Line Qualified host and domain Parameter to SSL. If TLS/SSL 318Configuring Replication Agreements from Replication between Servers Nsds5replicabindcredentialsNsds5replicatedattributelist Objectclass=* $ Exclude Attributes will not be320 Midnight and 2359 is PM. For example, the settingReplication Agreement Attributes Initializing Consumers Online from the Command Line Command LineMaking a Replica Updatable Deleting the ChangelogInitializing Consumers Removing the ChangelogMoving the Changelog to a New Location Moving the Changelog to a New LocationWhen to Initialize a Consumer Online Consumer Initialization Using the ConsoleInitializing Consumers Online Using the Command Line Initializing Consumers Online UsingManual Consumer Initialization Using the Command Line Exporting a Replica to LdifFilesystem Replica Initialization Importing the Ldif File to the Consumer ServerInitializing the Consumer Replica from the Backup Files Forcing Replication Updates Forcing Replication UpdatesStop the destination Directory Server if it is running Restart the destination Directory Server. For exampleForcing Replication Updates from the Console Forcing Replication Updates from the Command-LineReplicating Account Lockout Attributes Example 8.1. ReplicateNow Script ExampleReplicateNow Variables Replicating Account Lockout AttributesReplication over SSL Replicating o=NetscapeRoot for Select SSL Client AuthenticationSelect Simple Authentication Directory Server Installation Guide See , Enabling and Disabling Plug-ins Administration Server FailoverReplication with Earlier Releases Using the Retro Changelog Plug-in Enabling the Retro Changelog Plug-in Attributes of a Retro Changelog EntryEnabling the Retro Changelog Plug-in Retro Changelog EntryTrimming the Retro Changelog Retro Changelog and the Access Control Policy Retro Changelog and the Access ControlMonitoring Replication Status Searching and Modifying the Retro ChangelogTable Header Description Monitoring Replication Status from Administration ExpressDirectory Server Console Replication Status Policy Table header shows the replica ID 341Solving Common Replication Conflicts Solving Naming Conflicts Solving Naming ConflictsRenaming an Entry with a Multi-Valued Naming Attribute Unique identifier attribute nsuniqueid cannot be deleted 344Renaming an Entry with a Single-Valued Naming Attribute Solving Potential Interoperability Problems Solving Orphan Entry ConflictsTroubleshooting Replication-Related Problems Troubleshooting Replication-RelatedError/Symptom Reason Impact Remedy Problems But some consumers Follows Are way behind Supplier If it has beenReplayed to all Direct consumersReplication Errors See SectionMonitoring Replication Status352 Overview of Extending Schema Managing AttributesViewing Attributes Create new attributes, as in .2, Creating AttributesExtending the Directory Schema FieldName SyntaxCreating Attributes Attributes Tab ReferenceCreating Attributes Field DescriptionOIDs are described in .1, Attributes Tab Reference Editing AttributesDeleting Attributes This procedure is explained in .4, Deleting Attributes Managing Object ClassesViewing Object Classes Managing Object Classes358 ReferenceParent Creating Object Classes Creating Object ClassesObject Classes Tab Reference Editing Object Classes Click OK to save the new object classDeleting Object Classes Deleting Object ClassesTurning Schema Checking On and Off About Indexes About Index TypesAbout Default, System, and Standard Indexes Overview of Default IndexesManaging Indexes Attribute Pres Sub PurposeAbout Default, System, and Standard MaintainingReferential Integrity for366 Default IndexesOverview of System Indexes Overview of the Searching Algorithm Overview of Standard IndexesSystem Indexes Attribute Pres PurposeManaging Indexes Approximate Searches Approximate SearchesBalancing the Benefits of Indexing Directory Server is maintaining the following indexes 370 Creating Indexes Creating IndexesCreating Indexes from the Server Console Adding an Index Entry Creating Indexes from the Command-LineCreating Indexes from the Command-Line To create a new index for a particular database, add it to 374Creating Indexes from the Command-Line Running the db2index.pl Script Db2index.pl OptionsRun the db2index.pl Perl script Db2index Options describes the db2index.pl optionsCreating Browsing Indexes from the Command-Line Creating Browsing Indexes from the Server ConsoleAdding a Browsing Index Entry Creating Browsing Indexes fromManaging Indexes Running the vlvindex Script This first browsing index entry must be added toSetting Access Control for VLV Information Vlvindex OptionsStop the server.3 Run the vlvindex scriptDeleting Indexes Deleting IndexesA text editor, open the dse.ldif file Change ldap//all to ldap//anyone and save your changesDeleting Indexes from the Command-Line Deleting Indexes from the Server ConsoleLdapdelete Options describes the ldapdelete options Deleting Indexes from the Command-LineDeleting an Index Entry Ldapdelete Options Run the db2index.pl Perl script. For exampleDeleting Browsing Indexes from the Command-Line Deleting Browsing Indexes from the Server ConsoleDeleting a Browsing Index Entry Db2index OptionsOption Description Managing Indexes Vlvindex Options describes the vlvindex optionsIndexing Performance Search PerformanceBackwards Compatibility and Migration Attribute Primary Name Attribute Alias Attribute Name Quick Reference TableBackwards Compatibility and Migration 391 Attribute Name Quick Reference TableAttribute Name Quick Reference Table 392 Introduction to TLS/SSL in the Directory Server Enabling SSL Summary of StepsTurn on TLS/SSL in the directory Command-Line Functions for Start TLSManaging SSL Obtaining and Installing Server Certificates Obtaining and Installing Server CertificatesTroubleshooting Start TLS Generate a Certificate Request Generate a Certificate Request Managing SSL Send the Certificate Request After generating the certificate request, send it to the CAInstall the Certificate Trust the Certificate Authority Trust the Certificate AuthorityUsing certutil Confirm That The New Certificates Are InstalledGenerate the Directory Server client certificate Create a password file for the security token passwordCreating Directory Server Certificates 404 Starting the Server with TLS/SSL Enabled Through the Command LineCertutil Usage Certutil OptionsSelect the certificate to use from the drop-down menu Click Cipher SettingsEnabling TLS/SSL Only in the Directory Server Enabling TLS/SSL Only in the Directory Described in , Starting and Stopping Servers 409 Server Click Cipher SettingsCheck the Use SSL in the Console box. Hit Save Creating a Password File for the Directory Server Creating a Password File for the Administration Server Creating a Password File forAvailable Ciphers Setting Security PreferencesRestart the Administration Server Administration Server TLSv1 CiphersSSLv3 Ciphers Click Cipher SettingSelecting the Encryption Cipher Encryption tab, click Save Using Certificate-Based AuthenticationUsing Certificate-Based Authentication Setting up Certificate-Based Authentication Allowing/Requiring Client AuthenticationConfiguring Ldap Clients to Use SSL Configuring Ldap Clients to Use SSLStop the Directory Server Now start Red Hat ConsoleClient certificate resembles the following Begin CertificateConfiguring Ldap Clients to Use SSL Click Set Value 420 Authentication Mechanisms Managing SaslManaging Sasl Sasl is configured by entries under a container entry 422Sasl Identity Mapping 423 Sasl Identity MappingSasl identity mapping entries are children of this entry Configuring Sasl Identity Mapping from the Console Configuring Sasl Identity Mapping from Configuring Sasl Identity Mapping from the Command-Line Configuring KerberosSupported Kerberos Systems Operating System Kerberos VersionConfiguring the KDC Server RealmsExample Configuring an Example KDC Server Configuring Sasl Authentication at Directory Server Startup Configuring Sasl Authentication atManaging Sasl Defining a Log File Rotation Policy Viewing and Configuring Log FilesAdministration Express Monitoring Server and Database Activity Access Log Viewing the Access LogDefining a Log File Deletion Policy Defining a Log File Deletion PolicyConfiguring the Access Log Display to refresh automatically every ten secondsError Log Error LogViewing the Error Log Click Save 436 Configuring the Error LogContaining text box, and click Refresh Configuring the Audit Log Audit LogViewing the Audit Log Audit LogManual Log File Rotation Monitoring Server ActivityMonitoring the Server from the Directory Server Console Monitoring the Server from the DirectoryGeneral Information Server Resource SummaryResource Usage Since Startup Average Per Minute Resource Current TotalCurrent Resource Usage Server ConsoleConnection can account for multiple Operations, and therefore multiple threadsConnection Status Monitoring the Directory Server from Monitoring the Directory Server from the Command LineGlobal Database Cache Information Attribute Description 444Time GMT in UTC format Monitoring Database ActivityServer Monitoring Attributes See , Tuning Database Maximum Cache Size setting. See SectionGeneral Information Database Performance Metric Current TotalTuning Database Performance for Cache setting. See , TuningSummary Information Monitoring Database Activity from10. Database File-Specific Monitoring Databases from the Command LineDatabase Cache Information Directory Server Console Maximum Entries in Cache attribute Monitoring Database Link Activity 11. Directory Server Monitoring AttributesMonitoring Database Link Activity Lower the number of page evicts the better12. Database Link Monitoring Attributes 452Snmp About SnmpConfiguring the Master Agent Configuring the Subagent Subagent Configuration FileMonitoring Directory Server Using Snmp Agentx-masterStarting the Subagent Agent-logdirServer Starting the SubagentConfiguring Snmp Traps Testing the SubagentConfiguring the Directory Server for Snmp Configuring the Directory Server for SnmpUsing the Management Information Base Operations Table Managed Object DescriptionOperations Table Managed Objects and Descriptions Entries TableEntries Table Managed Objects and Descriptions Entries TableEntity Table Interaction Table Interaction TableEntity Table Managed Objects and Descriptions Interaction Table Managed Objects and Descriptions Management subsystem was initialized, thisObject will contain a value of zero 462Tuning Directory Server Performance Tuning Server PerformanceOptimizing Search Performance Tuning Database PerformanceTuning Directory Server Performance Optimizing Search Performance Tuning Transaction Logging Changing the Location of the Database Transaction LogChanging the Database Checkpoint Interval Changing the Database Checkpoint IntervalSpecifying Transaction Batching Miscellaneous Tuning TipsDisabling Durable Transactions Avoid Creating Entries Under the cn=config 470 Server Plug-in Functionality Reference Bit Check Plug-inACL Plug-in Details of 7-Bit Check Plug-inAdministering Directory Server Plug-ins ACL Preoperation Plug-inBinary Syntax Plug-in Details of ACI Plug-inBoolean Syntax Plug-in Case Exact String Syntax Plug-inDetails of Binary Syntax Plug-in Details of Boolean Syntax Plug-inCase Ignore String Syntax Plug-in Chaining Database Plug-inDetails of Case Exact String Syntax Plug-in Details of Case Ignore String Syntax Plug-inClass of Service Plug-in Details of Class of Service Plug-inClass of Service Plug-in Country String Syntax Plug-inDistinguished Name Syntax Plug-in Generalized Time Syntax Plug-in10. Details of Country String Plug-in 11. Details of Distinguished Name Syntax Plug-inInteger Syntax Plug-in Internationalization Plug-in12. Details of Generalized Time Syntax Plug-in 13. Details of Integer Syntax Plug-inLdbm Database Plug-in Legacy Replication Plug-in14. Details of Internationalization Plug-in 15. Details of ldbm Database Plug-inMulti-Master Replication Plug-in Octet String Syntax Plug-in16. Details of Legacy Replication Plug-in 17. Details of Multi-Master Replication Plug-inClear Password Storage Plug-in Crypt Password Storage Plug-in19. Details of Clear Password Storage Plug-in 18. Details of Octet String Syntax Plug-inNS-MTA-MD5 Password Storage Plug-in 20. Details of Crypt Password Storage Plug-in21. Details of NS-MTA-MD5 Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in22. Details of SHA Password Storage Plug-in SHA Password Storage Plug-inSsha Password Storage Plug-in 23. Details of Ssha Password Storage Plug-in Postal Address String Syntax Plug-inPTA Plug-in 24. Details of Postal Address String Syntax Plug-inUsing the Pass-through Authentication Plug-inSee , Using the Pass-through Referential Integrity Postoperation Plug-inRetro Changelog Plug-in 26. Details of Referential Integrity Post-Operation Plug-inRetro Changelog Plug-in See , Managing Indexes forRoles Plug-in Space Insensitive String Syntax Plug-in27. Details of Retro Changelog Plug-in 28. Details of Roles Plug-inState Change Plug-in 29. Details of Space Insensitive String Syntax Plug-inState Change Plug-in See Appendix B, Finding Directory EntriesTelephone Syntax Plug-in UID Uniqueness Plug-in30. Details of State Change Plug-in 31. Details of Telephone Syntax Plug-inSee , Using the Attribute URI Plug-in32. Details of UID Uniqueness Plug-in URI Plug-inEnabling and Disabling Plug-ins 33. Details of URI Plug-inUsing the Pass-through Authentication Plug-in How Directory Server Uses PTAUsing the Pass-through Authentication Plug-in PTA Plug-in SyntaxPTA Plug-in Syntax Variable DefinitionSpecifying the Pass-through Subtree for Configuring the Optional Parameters forSee .5, Configuring the Optional PTA Plug-in Parameters Configuring the PTA Plug-inConfiguring the PTA Plug-in Turning the Plug-in On or Off Configuring the Servers to Use a Secure ConnectionSpecifying the Authenticating Directory Server Specifying the Pass-through Subtree Specifying the Pass-through SubtreeConfiguring the Optional Parameters PTA Plug-in Syntax Examples PTA Plug-in Syntax ExamplesSpecifying Multiple Authenticating Directory Servers Using Non-Default Parameter ValuesSpecifying Different Optional Parameters 502 Using the Attribute Uniqueness Plug-in Overview of the Attribute Uniqueness Plug-inUsing the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in Syntax505 Attribute Uniqueness Plug-in SyntaxSee .3.1, Turning the Plug-in On or Creating an Instance of the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in VariablesConfiguring Attribute Uniqueness Plug-ins Configuring Attribute Uniqueness Plug-insViewing Plug-in Configuration Information From the Configuration tab From the Property Editor509 Turning the Plug-in On or OffSpecifying a Suffix or Subtree Using the markerObjectClass and requiredObjectClass Keywords From the Command-Line Attribute Uniqueness Plug-in Syntax ExamplesSpecifying One Attribute and One Subtree Specifying One Attribute and Multiple SubtreesReplication and the Attribute Uniqueness Plug-in Simple Replication ScenarioMulti-Master Replication Scenario Multi-Master Replication Scenario514 About Windows Sync Active Directory Directory Server Synchronization Process About Windows Sync 517Configuring Windows Sync Configure SSL on Directory ServerSelect the Enterprise Root CA option Configure the Active Directory DomainConfigure the Active Directory Select or Create the Sync Identity Iv. Accept the certificate request. For exampleInstall and Configure the Password Sync Service DomainHit Next, then Finish to install Password Sync Reboot the Windows machine to start Password SyncInstall and Configure the Password 523Configure the Directory Server Database for Synchronization Give trusted peer status to the serverSync Service Create the Synchronization AgreementSetting up the Sync Agreement Using Windows Sync Begin SynchronizationBegin Synchronization Synchronizing Users Synchronizing Groups Deleting EntriesSynchronizing Users 529 Synchronizing UsersDirectory Server Active Directory Synchronizing Groups PhysicalDeliveryOfficeNameDeleting Entries Deleting EntriesNtGroupAttributes NtGroupId Name SamAccountName NtGroupType Description Member SeeAlsoResurrecting Entries Manually Updating and Resynchronizing EntriesChecking Synchronization Status Checking Synchronization StatusModifying the Sync Agreement Schema Differences Password PoliciesGroups Values for street and streetAddressPassword Sync Service Modifying Password SyncStarting and Stopping the Password Sync Service Contraints on the initials attributeTroubleshooting Uninstalling Password Sync ServiceTo uninstall the Password Sync service, do the following Open the Add/Remove Programs utilityTroubleshooting 537538 Appendix A. Ldap Data Interchange Format About the Ldif File FormatContinuing Lines in Ldif Table A.1. Ldif FieldsAppendix A. Ldap Data Interchange Format Field DefinitionRepresenting Binary Data Standard Ldif NotationBase-64 Encoding Representing Binary DataSpecifying Directory Entries Using Ldif Specifying Domain EntriesTable A.2. Ldif Elements in Domain Entries Specifying Organizational Unit EntriesDomain Entries Ldif Element DescriptionSpecifying Organizational Unit Entries Specifying Organizational Person Entries Specifying Organizational Person EntriesTable A.3. Ldif Elements in Organizational Unit Entries Defining Directories Using Ldif Table A.4. Ldif Elements in Person EntriesDefining Directories Using Ldif 547Ldif File Example Storing Information in Multiple Languages Storing Information in Multiple LanguagesFile contents are then converted to UTF-8 550Finding Entries Using the Directory Server Console Figure B.1. Browsing Entries in the Directory TabUsing ldapsearch Appendix B. Finding Directory EntriesLdapsearch Command-Line Format Ldapsearch command must use the following formatCommonly Used ldapsearch Options Commonly Used ldapsearch Options Ldapsearch Examples Returning All EntriesSpecifying Search Filters on the Command Line Searching the Schema EntryUsing Ldapbasedn Searching the Root DSE EntryThis example assumes the search base is set with Ldapbasedn Specifying Search Filters Using a FileDisplaying Subsets of Attributes Using Client Authentication When Searching Ldap Search FiltersSpecifying DNs That Contain Commas in Search Filters Ldap Search FiltersUsing Attributes in Search Filters Using Operators in Search FiltersSearch Filter Syntax Basic syntax of a search filter isUsing Compound Search Filters Table B.1. Search Filter OperatorsSearch Filter Syntax Search Type Operator DescriptionTable B.2. Search Filter Boolean Operators Operator Symbol DescriptionSearch Filter Examples Searching an Internationalized Directory Searching an Internationalized DirectoryMatching Rule Filter Syntax Matching Rule FormatsUsing an OID for the Matching Rule Using a Language Tag for the Matching RuleMatching Rule Filter Syntax 565Using Wildcards in Matching Rule Filters Using an OID and Suffix for the Matching RuleUsing a Language Tag and Suffix for the Matching Rule Table B.3, Search Types, Operators, and SuffixesSearch Type Operator Suffix Supported Search TypesSupported Search Types International Search Examples Less-Than ExampleLess-Than or Equal-to Example Equality ExampleGreater-Than or Equal-to Example Greater-Than ExampleSubstring Example International Search ExamplesBut either one of these will work correctly 570Components of an Ldap URL Ldap URLs have the following syntaxComponent Hostname PortComponent Description Table C.1. Ldap URL ComponentsAppendix C. Ldap URLs Escaping Unsafe Characters Examples of Ldap URLsEscaping Unsafe Characters Unsafe Character Escape CharactersExample Examples of Ldap URLs 575576 Appendix D. Internationalization About LocalesLocale Language Tag Collation Order Object Identifiers OIDs Identifying Supported LocalesAppendix D. Internationalization 579 Table D.1. Supported LocalesSupported Language Subtypes Supported Language Subtypes Table D.2. Supported Language Subtypes Troubleshooting Matching RulesTroubleshooting Matching Rules 582 See Also ID list scan limit See Also access control instructionSee Also access control list Glossary ValueSee base DN See bind DNSee Also virtual list view index See Certificate AuthorityDirectory Access Protocol. The ISO X.500 standard protocol That provides client access to the directorySee Ldap client See Also template entrySee CoS definition entry See directory treeSee distinguished name See Directory ManagerSee Directory Server Gateway See Also cascading replication See Ldap Data Interchange Format See supplier See Snmp master agentDirectory tree See Also access rights See object identifierEncoded messages which form the basis of data exchanges Between Snmp devices. Also protocol data unitName. Also relative distinguished name Receives to the authenticating directory serverAuthenticating directory server, pass-through subtrees, Request for Comments. Procedures or standards documents Process is called a referralSubmitted to the Internet community. People can send Comments on the technologies before they become acceptedSee supplier-initiated replication Directory Server during installationServer Instance Entry. The ID assigned to an instance See Snmp subagent Simple Network Management ProtocolSubagent See Also browsing index See CoS template entryProtocol. Also Transport Layer Security Page 600 Index Index Page Index Page Index Ldapbasedn Index Ldif Index MIB Index Page Index Page MIB Page Index