Administrators Guide
Red Hat Directory Server
Copyright 2008 Red Hat, Inc
Red Hat Directory Server 8.0 Administrators Guide
Red Hat Directory Server
General Red Hat Directory Server Usage
Creating and Maintaining Databases
Creating and Maintaining Suffixes
Creating and Maintaining Database Links
Creating a New Database Link
Page
Red Hat Directory Server
Page
Red Hat Directory Server
Page
Red Hat Directory Server
Page
Red Hat Directory Server
Page
Xvi
Preface
Directory Server Overview
When shown as below, it indicates computer output
Example and Default References
Document Conventions
Preface
Xix
Document Conventions
Related Information
Chapter
Directory Server File Locations
General Red Hat Directory Server Usage
Red Hat Enterprise Linux 4 and 5
File or Directory Location
HP-UX 11i IA64
Sun Solaris 9 sparc
Ldap Tool Locations
Binaries
Starting and Stopping Servers
Ldap Tool Locations
Platform Directory Location
Opt/dirsrv/bin
Starting and Stopping Directory Server from
Starting and Stopping Directory Server from the Console
Start the Directory Server Console
Solaris uses /etc/init.d
Starting and Stopping Administration Server
Starting the Directory Server Console
On Solaris, the service is init.d
Console
HP-UX has a different location for the script
Login screen
Changing Login Identity
Logging into Directory Server
Click Log on to the Directory Server as a New User
Viewing the Current Console Bind DN
Changing Directory Server Port Numbers
Viewing the Current Console Bind DN
General Red Hat Directory Server Usage
Configuration tab, select the Configuration DS tab
Open the Administration Server Console
Creating a New Directory Server Instance
Creating a New Directory Server Instance
Configuring the Directory Manager
Configuring the Directory Manager
Page
Creating a Root Entry
Managing Entries from the Directory Console
Creating Directory Entries
Directory Server Console, select the Configuration tab
Creating Directory Entries
Template Object Class
Role NsRoleDefinition Class of Service CosSuperDefinition
Creating an Entry Using a Predefined Template
Creating Other Types of Entries
Entry Templates and Corresponding Object Classes
Displaying the Property Editor
Modifying Directory Entries
Removing an Object Class
Adding an Object Class to an Entry
Adding an Attribute to an Entry
Modifying Directory Entries
Adding Very Large Attributes
Removing an Attribute Value
Adding Attribute Values
Language Subtype
Adding an Attribute Subtype
Binary Subtype
Instead, use
Pronunciation Subtype
Deleting Directory Entries
Adding a Subtype to an Attribute
Deleting Directory Entries
Providing Input from the Command-Line
Managing Entries from the Command-Line
Entries, use Ctrl or Shift Select Delete from the Edit menu
See , Ldif Update Statements
Creating a Root Entry from the Command-Line
Creating a Root Entry from
Adding and Modifying Entries Using ldapmodify
Adding Entries Using Ldif
Import the Ldif file from the Directory Server Console
Command-Line
Adding Entries Using ldapmodify
Parameter Name Description
Input from the Command-Line
Modifying Entries Using ldapmodify
Ldapmodify Parameters Used for Adding Entries
Deleting Entries Using ldapdelete
Deleting Entries Using ldapdelete
Ldapmodify Parameters Used for Modifying Entries
Hostname is cyclops Server uses port number
This ldapdelete example has the following values
Are branch points in the directory tree
Using Special Characters
Using Special Characters
Tracking Modifications to Directory Entries
Ldapdelete Parameters Used for Deleting Entries
Select the Track Entry Modification Times checkbox
Ldif Update Statements
Open the Tasks tab, and click Restart Directory Server
General format of Ldif update statements is as follows
Ldif Update Statements
Following sections describe the change types in detail
Adding an Entry Using Ldif
Renaming an Entry Using Ldif
Renaming an Entry Using Ldif
Following command renames Sue Jacobs to Susan Jacobs
Addattribute
Modifying an Entry Using Ldif
Modifying an Entry Using Ldif
Adding Attributes to Existing Entries Using Ldif
Following example adds two telephone numbers to the entry
Changing an Attribute Value Using Ldif
Deleting a Specific Attribute Value Using Ldif
Deleting All Values of an Attribute Using Ldif
Entry is now as follows
Barneys entry then becomes
Deleting an Entry Using Ldif
Modifying an Entry in an Internationalized Directory
Maintaining Referential Integrity
How Referential Integrity Works
Modifying an Entry in an Internationalized
Using Referential Integrity with Replication
You can enable or disable referential integrity as follows
Modifying the Update Interval
Enabling/Disabling Referential Integrity
Directory
Modifying the Attribute List
Modifying the Attribute List
TIP
Page
A Sample Directory Tree with One Root Suffix
Creating and Maintaining Suffixes
Creating Suffixes 1, Using Referrals in a Suffix
Configuring Directory Databases
Creating Suffixes
Creating Suffixes
A Sample Directory Tree with a Sub Suffix
Creating a New Sub Suffix Using the Console
Creating a New Root Suffix Using the Console
Creating Root and Sub Suffixes from the Command-Line
Attribute Name Value
Attribute. See , Creating
Creating and Maintaining Database Links for
Maintaining Databases for more information
Creating and Maintaining Databases for
Maintaining Suffixes
Using Referrals in a Suffix
Suffix Attributes
Disabling a Suffix
Enabling Referrals Only During Update Operations
Maintaining Suffixes
To requests from client applications Click Save
Creating Databases
Creating and Maintaining Databases
Deleting a Suffix
Creating Databases
Configuring Directory Databases
For example, add a new database to the server example1
Adding Multiple Databases for a Single Suffix
Configuring Directory Databases
Maintaining Directory Databases
Placing a Database in Read-Only Mode
Maintaining Directory Databases
Making a Database Read-Only from the Command Line
Making a Database Read-Only Using the Console
Select the database is read-only checkbox
Change the read-only attribute to on
Deleting a Database
Placing the Entire Directory Server in Read-Only Mode
Select the Make Entire Server Read-Only checkbox
Click Save, and then restart the server
Database Encryption
Configuring Transaction Logs for Frequent Database Updates
Database Encryption
Encryption Keys
Encryption Ciphers
Configuring Database Encryption from the Console
Select the Attribute Encryption tab
Run the ldapmodify command1
Configuring Database Encryption Using the Command-Line
Exporting and Importing an Encrypted Database
See .3, Importing from the Command-Linefor more information
Creating and Maintaining Database Links
Configuring the Chaining Policy
Chaining Component Operations
Creating and Maintaining Database Links
NsActiveChainingComponents Cn=resource
Component Name Description Permissions
NsActiveChainingComponents Cn=certificate-based
Configuring the Chaining Policy
Components Allowed to Chain
Chaining Component Operations Using the Console
Chaining Ldap Controls
Chaining Component Operations from the Command-Line
Plug-in
Chaining Ldap Controls from the Command-Line
Chaining Ldap Controls Using the Console
Creating a New Database Link
Creating a New Database Link Using the Console
Ldap Controls and Their OIDs
Creating a New Database Link
Configuring Directory Databases
Specify the configuration information for the database link
Creating a Database Link from the Command-Line
Providing Bind Credentials
Providing Suffix Information
NsMultiplexorBindDN cannot be that of the Directory Manager
Providing an Ldap URL
Providing a List of Failover Servers
Summary of Database Link Configuration Attributes
File
Attributes Value
Operations
1, Chaining Component
Attributes Value
Run ldapmodify1 to add a database link to server a
Create an administrative user on server B, as follows
Updating Remote Server Authentication Information
Chaining Using SSL
Enable SSL on the server that contains the database link
Maintaining Database Links
Database Links and Access Control
Database Links and Access Control Evaluation
Deleting Database Links
Configuring Directory Databases
Managing Connections to the Remote Server Using the Console
Advanced Feature Tuning Database Link Performance
Managing Connections to the Remote Server
Evaluation
Attribute Name Description
Advanced Feature Tuning Database Link
Detecting Errors During Normal Processing
Database Link Connection Management Attributes
Managing Threaded Operations
Database Link Processing Error Detection Parameters
Overview of Cascading Chaining
Advanced Feature Configuring Cascading Chaining
Performance
Configuring Directory Databases
Advanced Feature Configuring Cascading
Configuring Cascading Chaining Defaults Using the Console
Configuring Cascading Chaining Using the Console
Chaining
Configuring Cascading Chaining from the Command-Line
Configuring Directory Databases
Detecting Loops
Summary of Cascading Chaining Configuration Attributes
Attribute Description
Cascading Chaining Configuration Attributes
Cascading Chaining Configuration Example
Aci This attribute must contain the following ACI
101
Configuring Server One
102
Configuring Server Two
103
Configuring Directory Databases
Allow this
Configuring Server Three
Starting the Server in Referral Mode
Using Referrals
Client on server two
Setting a Default Referral Using the Console
Setting Default Referrals
Setting a Default Referral from the Command-Line
Setting Default Referrals
Creating Smart Referrals
Creating Smart Referrals Using the Directory Server Console
Creating Smart Referrals
Creating Smart Referrals from the Command Line
109
Creating Suffix Referrals
Creating Suffix Referrals Using the Console
Creating Suffix Referrals
Creating Suffix Referrals from the Command-Line
Configuring Directory Databases
Import Method Comparison
Importing Data
Action Import Initialize Database
Populating Directory Databases
Importing a Database from the Console
Following sections describe importing data
Initializing a Database from the Console
Initializing a Database from the Console
Importing Using the ldif2db Command-Line Script
Importing from the Command-Line
Option Description
Importing from the Command-Line
Ldif2db Parameters
Importing Using the ldif2db.pl Perl Script
Run the ldif2db script
Run the ldif2ldap command-line script
Importing Using the ldif2ldap Command-Line Script
Exporting Data
Ldif2db Options
Splitting a Database Contents into Two Databases
Exporting Directory Data to Ldif Using
Exporting Directory Data to Ldif Using the Console
Exporting to Ldif from the Command-Line
Exporting a Single Database to Ldif Using the Console
Ldif file in this case would be
Run the db2ldif command-line script
Directory and is automatically named
With the -noption or 123
Backing up All Databases
Backing up and Restoring Data
Backing up All Databases from the Server Console
Db2ldif Options
Run the db2bak command-line script
Backing up All Databases from the Command-Line
Backing up All Databases
Click Back Up Directory Server
Click Restore Directory Server
Backing up the dse.ldif Configuration File
Restore Directory dialog box is displayed 126
Restoring All Databases
Using the bak2db Command-Line Script
Restoring Your Database from the Command-Line
Using bak2db.pl Perl Script
Restoring All Databases
Run the bak2db.pl Perl script
Restoring a Single Database
Restart the Directory Server
Restoring Databases That Include Replicated Entries
Restoring the dse.ldif Configuration File
Restoring Databases That Include
130
About Roles
Using Roles
Managing Entries with Roles, Class of Service, and Views
Managing Roles Using the Console
Managing Roles Using the Console
134
Creating a Managed Role
Follow the steps of .2.1, Creating a Managed Role
Creating a Filtered Role
135
Viewing and Editing an Entrys Roles
Creating a Nested Role
Create a new role, as in .2.1, Creating a Managed Role
136
Making a Role Inactive
Modifying a Role Entry
137
Deleting a Role
Reactivating a Role
Managing Roles Using the Command-Line
Managing Roles Using the Command-Line
Object Classes and Attributes for Roles
Dialog box appears to confirm the deletion. Click Yes
Examples Managed Role Definition
141
Example Filtered Role Definition
Example Nested Role Definition
Using Roles Securely
Assigning Class of Service
Assigning Class of Service
About the CoS Definition Entry
About CoS
How a Pointer CoS Works
About the CoS Template Entry
About CoS
Sample Pointer CoS
How an Indirect CoS Works
Sample Indirect CoS
How a Classic CoS Works
Sample Classic CoS
Searches for CoS-Specified Attributes
Managing CoS Using the Console
Managing CoS Using the Console
Creating a New CoS
150
Property Editor opens
Creating the CoS Template Entry
Deleting a CoS
Editing an Existing CoS
Creating the CoS Definition Entry from the Command-Line
Managing CoS from the Command-Line
Managing CoS from the Command-Line
CoS Type Object Classes Description
CoS Definition Entry Attributes
CoS Definition Entry Object Classes
Attribute Definition
Managing CoS from the Command-Line
CoS Type CoS definition
CoS Definitions
Pointer CoS
Indirect CoS
Be added to any other search filter using or
Creating the CoS Template Entry from the Command-Line
158
Example of a Pointer CoS
Create the template entry
Example of an Indirect CoS
Example of a Classic CoS
Creating Role-Based Attributes
Creating Role-Based Attributes
Classic CoS definition entry looks like
Access Control and CoS
Using Views
Creating Views in the Console
Creating Views in the Console
Deleting Views from the Directory Server Console
Creating Views from the Command Line
Deleting Views from the Command Line
Using Groups
Deleting Views from the Command Line
Managing Static Groups
Modifying a Static Group
Adding a New Static Group
Adding a New Dynamic Group
Managing Dynamic Groups
Modifying a Dynamic Group
Managing Dynamic Groups
168
ACI Structure
Access Control Principles
Managing Access Control
ACI Placement
ACI Evaluation
ACI Limitations
Default ACIs
Default ACIs
Creating ACIs Manually
Defining Targets
ACI Syntax
Defining Targets
Aci attribute uses the following syntax
Keyword Valid Expressions Wildcard Allowed
Ldif Target Keywords
Targetattr
Targetfilter
175
Targeting a Directory Entry
Targeting Attributes
177
Targeting Both an Entry and Attributes
178
Targeting Entries or Attributes Using Ldap Filters
Targeting Attribute Values Using Ldap Filters
Targeting a Single Directory Entry
Defining Permissions
Assigning Rights
Allowing or Denying Access
Defining Permissions
Assigning rights
User Rights
Rights Required for Ldap Operations
Selfwrite to the targeted entry, excluding
Proxy rights
183
Bind Rules
Access Control and the modrdn Operation
Permissions Syntax
Bind Rule Syntax
Bind Rule Syntax
Userdn
Yes, in DN only
Ldif Bind Rule Keywords
Defining User Access userdn Keyword
Groupdn Ldap///DN DN Roledn Userattr
Dns
General Access all Keyword
Anonymous Access anyone Keyword
Self Access self Keyword
Parent Access parent Keyword
Examples
Wildcards
ScenExamplerio Description
Userdn Keyword Examples
Defining Group Access groupdn Keyword
Defining Role Access roledn Keyword
Defining Group Access groupdn Keyword
Groupdn Examples
Using the userattr Keyword
Defining Access Based on Value Matching
Defining Access Based on Value Matching
Example with Groupdn Bind Type
Example with Userdn Bind Type
AttrValue is any string representing an attribute value
Example with Ldapurl Bind Type
Example with Roledn Bind Type
193
Example with Any Attribute Value
Using the userattr Keyword with Inheritance
Granting Add Permission Using the userattr Keyword
Using Inheritance With the userattr Keyword
Defining Access from a Specific IP Address
Defining Access from a Specific Domain
Defining Access from a Specific Domain
Instead, use a fully qualified name
Dns keyword allows wildcards. For example
Defining Access at a Specific Time of Day or Day of Week
Defining Access Based on Authentication
Defining Access Based on Authentication Method
Authmethod = saslmechanism
Authentication bind DN and password over Ldaps
Using Boolean Bind Rules
Method
Creating ACIs from the Console
Displaying the Access Control Editor
Displaying the Access Control Editor
Click New to open the Access Control Editor
Creating a New ACI
Access Control Editor Window
Creating a New ACI
Managing Access Control
Creating a New ACI
Managing Access Control
Editing an ACI
Editing an ACI
Deleting an ACI
Viewing ACIs
Control Manager
Get Effective Rights Control Permissions
Get Effective Rights Control
Get effective rights result looks like the following
Permissions That Can Be Set on Entries
Using Get Effective Rights from the Command-Line
Permissions That Can Be Set on Attributes
Permission Description
Using Get Effective Rights from
214
Get Effective Rights Return Codes
Using Get Effective Rights from the Console
Check the Show effective rights checkbox
Code Description
Access Control Usage Examples
Logging Access Control Information
Returned Result Codes
Granting Anonymous Access
Granting Anonymous Access
Click OK in the Access Control Editor window
Click New to display the Access Control Editor
ACI Anonymous example.com
ACI Anonymous World
Granting Write Access to Personal Entries
Granting Write Access to Personal Entries
Filter for subentries field, type the following filter
220
ACI Write example.com
ACI Write Subscribers
Restricting Access to Key Roles
See , Using Roles
Restricting Access to Key Roles
ACI Roles
ACI HR
Granting a Group Full Access to a Suffix
Ldif statement should read as follows
ACI Create Group
Granting Rights to Add and Delete Group Entries
Managing Access Control
ACI Delete Group
Granting Conditional Access to a Group or Role
Entries
228
ACI HostedCompany1
Denying Access
Denying Access
Ldif statement should be similar to the following
ACI Billing Info Read
231
ACI Billing Info Deny
Allowing Users to Add or Remove Themselves from a Group
Setting a Target Using Filtering
Allowing Users to Add or Remove
ACI Group Members
Defining Permissions for DNs That Contain a Comma
Proxied Authorization ACI Example
Macro ACI Example
Advanced Access Control Using Macro ACIs
Themselves from a Group
236
Example Directory Tree for Macro ACIs
Macro ACI Syntax
Macro ACI Syntax
Macros in ACI Keywords
Macro Matching for $dn
Macro ACI Keyword
$dn in the subject is replaced with dc=hostedCompany1
Steps for expanding this ACI are as follows
For example, consider the following ACI
Macro Matching for $attr.attrName
240
Access Control and Replication
Access Control and Replication
Compatibility with Earlier Releases
242
Configuring the Password Policy
Managing the Password Policy
Managing User Accounts and Passwords
Configuring a Global Password Policy Using the Console
Configuring the Password Policy
Check the Enable fine-grained password policy checkbox
Configuring a Subtree/User Password Policy Using the Console
Attribute Name Definition
Configuring a Global Password Policy Using the Command-Line
Given by the passwordMaxAge attribute
Users password will expire after an interval
Making passwords expire helps protect
Directory data because the longer a password
For example, setting the minimum password
Discourage users from reusing old passwords
Changing their passwords during a single
Session to cycle through the password history
Passwords can be two 2 to 512 characters
Shorter passwords are easier to crack
It down. This attribute is set to 8 by default
Attributes, respectively. By default, this
Default method
This attribute is set to 3 by default
Compatibility with Unix passwords
Lowercase letters a to z
Password Policy Attributes
CoS specification entry at the subtree level. For example
254
Password Change Extended Operation
Setting User Passwords
Setting User Passwords
Start the server
Parameter Description
Ldappasswd Options
256
Configuring the Account Lockout Policy Using the Console
Configuring the Account Lockout Policy
Configuring the Account Lockout Policy
Attribute Name Definition
Managing the Password Policy in a
Managing the Password Policy in a Replicated Environment
Account Lockout Policy Attributes
Synchronizing Passwords
Replicated Environment
Inactivating Users and Roles
Inactivating User and Roles Using the Command-Line
Inactivating User and Roles Using the Console
Option Name Description
Activating User and Roles Using the Command-Line
Activating User and Roles Using the Console
Activating User and Roles Using
DN of the user account or role to activate
Setting Resource Limits Using the Console
Setting Resource Limits Based on the Bind DN
Entering a value of -1indicates no limit Click OK
Setting Resource Limits Using the Command-Line
266
What Directory Units Are Replicated
Replication Overview
Read-Write and Read-Only Replicas
Changelog
Suppliers and Consumers
Replication Identity
Managing Replication
Compatibility with Earlier Versions of Directory Server
Replication Agreement
Replication Agreement
Single-Master Replication
Replication Scenarios
Multi-Master Replication
Multi-Master Replication
272
Multi-Master Replication Two Masters
Multi-Master Replication Four Masters
Replication
Cascading Replication
Creating the Supplier Bind DN Entry
Creating the Supplier Bind DN Entry
Configuring Single-Master Replication
Configuring the Read-Write Replica on
Configuring the Read-Write Replica on the Supplier Server
Configuring the Read-Only Replica on the Consumer
Supplier Server
Create the Replication Agreement
Create the Replication Agreement
Managing Replication
Create the Replication Agreement
Replication will not begin until the consumer is initialized
Configuring Multi-Master Replication
Configuring the Read-Write Replicas on the Supplier Servers
Configuring Multi-Master Replication
287
Configuring the Read-Write Replicas on
Managing Replication
Supplier Servers
Configuring the Read-Only Replicas on the Consumer Servers
Managing Replication
Setting up the Replication Agreements
Setting up the Replication Agreements
Managing Replication
Setting up the Replication Agreements
Managing Replication
Setting up the Replication Agreements
Replication will not begin until the consumer is initialized
297
Preventing Monopolization of the Consumer
Configuring Cascading Replication
Configuring the Read-Write Replica on the Supplier Server
Configuring the Read-Only Replica on the Consumer Server
Configuring the Read-Only Replica on
Configuring the Read-Only Replica on the Hub
Consumer Server
Managing Replication
Setting up the Replication Agreements
Managing Replication
DN and password
Managing Replication
Setting up the Replication Agreements
Replication will not begin until the consumer is initialized
Configuring Suppliers from the Command Line
Configuring Replication from the Command Line
Configuring Replication from the Command
312
Line
Changelog Attributes
Object Class or Attribute Description Values
Changelog, to which
314
Consumer. This is required for
Configuring Consumers from the Command
Configuring Consumers from the Command Line
Forward update requests. By
Replica Attributes
Configuring Hubs from the Command Line
Configuring Replication Agreements from the Command Line
Parameter to SSL. If TLS/SSL 318
Qualified host and domain
Replication between Servers Nsds5replicabindcredentials
Configuring Replication Agreements from
Nsds5replicatedattributelist
Objectclass=* $ Exclude Attributes will not be
Replication Agreement Attributes
Midnight and 2359 is PM. For example, the setting
320
Command Line
Initializing Consumers Online from the Command Line
Deleting the Changelog
Making a Replica Updatable
Removing the Changelog
Initializing Consumers
Moving the Changelog to a New Location
Moving the Changelog to a New Location
Online Consumer Initialization Using the Console
When to Initialize a Consumer
Initializing Consumers Online Using
Initializing Consumers Online Using the Command Line
Exporting a Replica to Ldif
Manual Consumer Initialization Using the Command Line
Importing the Ldif File to the Consumer Server
Filesystem Replica Initialization
Initializing the Consumer Replica from the Backup Files
Forcing Replication Updates
Forcing Replication Updates
Stop the destination Directory Server if it is running
Restart the destination Directory Server. For example
Forcing Replication Updates from the Command-Line
Forcing Replication Updates from the Console
Example 8.1. ReplicateNow Script Example
Replicating Account Lockout Attributes
ReplicateNow Variables
Replicating Account Lockout Attributes
Replication over SSL
Select Simple Authentication
Select SSL Client Authentication
Replicating o=NetscapeRoot for
Directory Server Installation Guide
Replication with Earlier Releases
Administration Server Failover
See , Enabling and Disabling Plug-ins
Using the Retro Changelog Plug-in
Attributes of a Retro Changelog Entry
Enabling the Retro Changelog Plug-in
Enabling the Retro Changelog Plug-in
Retro Changelog Entry
Trimming the Retro Changelog
Retro Changelog and the Access Control
Retro Changelog and the Access Control Policy
Monitoring Replication Status
Searching and Modifying the Retro Changelog
Directory Server Console Replication Status
Monitoring Replication Status from Administration Express
Table Header Description
Table header shows the replica ID 341
Policy
Solving Common Replication Conflicts
Renaming an Entry with a Multi-Valued Naming Attribute
Solving Naming Conflicts
Solving Naming Conflicts
344
Unique identifier attribute nsuniqueid cannot be deleted
Renaming an Entry with a Single-Valued Naming Attribute
Solving Orphan Entry Conflicts
Solving Potential Interoperability Problems
Troubleshooting Replication-Related
Troubleshooting Replication-Related Problems
Error/Symptom Reason Impact Remedy
Problems
If it has been
But some consumers Follows Are way behind Supplier
Replayed to all
Direct consumers
See Section
Replication Errors
Monitoring
Replication Status
352
Managing Attributes
Overview of Extending Schema
Viewing Attributes
Create new attributes, as in .2, Creating Attributes
Field
Extending the Directory Schema
Name
Syntax
Attributes Tab Reference
Creating Attributes
Creating Attributes
Field Description
Deleting Attributes
Editing Attributes
OIDs are described in .1, Attributes Tab Reference
Managing Object Classes
This procedure is explained in .4, Deleting Attributes
Viewing Object Classes
Managing Object Classes
Parent
Reference
358
Object Classes Tab Reference
Creating Object Classes
Creating Object Classes
Click OK to save the new object class
Editing Object Classes
Deleting Object Classes
Deleting Object Classes
Turning Schema Checking On and Off
About Index Types
About Indexes
Overview of Default Indexes
About Default, System, and Standard Indexes
Managing Indexes
Attribute Pres Sub Purpose
Maintaining
About Default, System, and Standard
Referential
Integrity for
Overview of System Indexes
Default Indexes
366
Overview of Standard Indexes
Overview of the Searching Algorithm
System Indexes
Attribute Pres Purpose
Managing Indexes
Balancing the Benefits of Indexing
Approximate Searches
Approximate Searches
Directory Server is maintaining the following indexes 370
Creating Indexes
Creating Indexes
Creating Indexes from the Server Console
Creating Indexes from the Command-Line
Creating Indexes from the Command-Line
Adding an Index Entry
374
To create a new index for a particular database, add it to
Creating Indexes from the Command-Line
Db2index.pl Options
Running the db2index.pl Script
Run the db2index.pl Perl script
Db2index Options describes the db2index.pl options
Creating Browsing Indexes from the Server Console
Creating Browsing Indexes from the Command-Line
Adding a Browsing Index Entry
Creating Browsing Indexes from
Managing Indexes
This first browsing index entry must be added to
Running the vlvindex Script
Vlvindex Options
Setting Access Control for VLV Information
Stop the server.3
Run the vlvindex script
Deleting Indexes
Deleting Indexes
A text editor, open the dse.ldif file
Change ldap//all to ldap//anyone and save your changes
Deleting Indexes from the Server Console
Deleting Indexes from the Command-Line
Deleting an Index Entry
Deleting Indexes from the Command-Line
Ldapdelete Options describes the ldapdelete options
Run the db2index.pl Perl script. For example
Ldapdelete Options
Deleting Browsing Indexes from the Server Console
Deleting Browsing Indexes from the Command-Line
Deleting a Browsing Index Entry
Db2index Options
Option Description
Vlvindex Options describes the vlvindex options
Managing Indexes
Search Performance
Indexing Performance
Backwards Compatibility and Migration
Backwards Compatibility and Migration
Attribute Name Quick Reference Table
Attribute Primary Name Attribute Alias
Attribute Name Quick Reference Table
Attribute Name Quick Reference Table
391
392
Enabling SSL Summary of Steps
Introduction to TLS/SSL in the Directory Server
Managing SSL
Command-Line Functions for Start TLS
Turn on TLS/SSL in the directory
Troubleshooting Start TLS
Obtaining and Installing Server Certificates
Obtaining and Installing Server Certificates
Generate a Certificate Request
Generate a Certificate Request
Managing SSL
After generating the certificate request, send it to the CA
Send the Certificate Request
Install the Certificate
Trust the Certificate Authority
Trust the Certificate Authority
Confirm That The New Certificates Are Installed
Using certutil
Creating Directory Server Certificates
Create a password file for the security token password
Generate the Directory Server client certificate
404
Through the Command Line
Starting the Server with TLS/SSL Enabled
Certutil Usage
Certutil Options
Enabling TLS/SSL Only in the Directory Server
Click Cipher Settings
Select the certificate to use from the drop-down menu
Enabling TLS/SSL Only in the Directory
Described in , Starting and Stopping Servers
Check the Use SSL in the Console box. Hit Save
Server Click Cipher Settings
409
Creating a Password File for the Directory Server
Creating a Password File for
Creating a Password File for the Administration Server
Restart the Administration Server
Setting Security Preferences
Available Ciphers
TLSv1 Ciphers
Administration Server
Selecting the Encryption Cipher
Click Cipher Setting
SSLv3 Ciphers
Using Certificate-Based Authentication
Using Certificate-Based Authentication
Encryption tab, click Save
Allowing/Requiring Client Authentication
Setting up Certificate-Based Authentication
Configuring Ldap Clients to Use SSL
Configuring Ldap Clients to Use SSL
Stop the Directory Server
Now start Red Hat Console
Begin Certificate
Client certificate resembles the following
Configuring Ldap Clients to Use SSL Click Set Value
420
Managing Sasl
Authentication Mechanisms
Sasl Identity Mapping
Sasl is configured by entries under a container entry 422
Managing Sasl
Sasl identity mapping entries are children of this entry
Sasl Identity Mapping
423
Configuring Sasl Identity Mapping from the Console
Configuring Sasl Identity Mapping from
Configuring Kerberos
Configuring Sasl Identity Mapping from the Command-Line
Supported Kerberos Systems
Operating System Kerberos Version
Realms
Configuring the KDC Server
Example Configuring an Example KDC Server
Configuring Sasl Authentication at
Configuring Sasl Authentication at Directory Server Startup
Managing Sasl
Administration Express
Viewing and Configuring Log Files
Defining a Log File Rotation Policy
Monitoring Server and Database Activity
Viewing the Access Log
Access Log
Defining a Log File Deletion Policy
Defining a Log File Deletion Policy
Display to refresh automatically every ten seconds
Configuring the Access Log
Viewing the Error Log
Error Log
Error Log
Containing text box, and click Refresh
Configuring the Error Log
Click Save 436
Audit Log
Configuring the Audit Log
Viewing the Audit Log
Audit Log
Monitoring Server Activity
Manual Log File Rotation
Monitoring the Server from the Directory
Monitoring the Server from the Directory Server Console
Resource Summary
General Information Server
Resource Usage Since Startup Average Per Minute
Resource Current Total
Server Console
Current Resource Usage
Connection can account for multiple
Operations, and therefore multiple threads
Connection Status
Global Database Cache Information
Monitoring the Directory Server from the Command Line
Monitoring the Directory Server from
444
Attribute Description
Server Monitoring Attributes
Monitoring Database Activity
Time GMT in UTC format
Maximum Cache Size setting. See Section
See , Tuning Database
General Information Database
Performance Metric Current Total
Cache setting. See , Tuning
Tuning Database Performance for
Summary Information
Monitoring Database Activity from
Database Cache Information
Monitoring Databases from the Command Line
10. Database File-Specific
Directory Server Console
Maximum Entries in Cache attribute
11. Directory Server Monitoring Attributes
Monitoring Database Link Activity
Monitoring Database Link Activity
Lower the number of page evicts the better
452
12. Database Link Monitoring Attributes
About Snmp
Snmp
Subagent Configuration File
Configuring the Master Agent Configuring the Subagent
Monitoring Directory Server Using Snmp
Agentx-master
Agent-logdir
Starting the Subagent
Server
Starting the Subagent
Testing the Subagent
Configuring Snmp Traps
Using the Management Information Base
Configuring the Directory Server for Snmp
Configuring the Directory Server for Snmp
Managed Object Description
Operations Table
Entries Table
Operations Table Managed Objects and Descriptions
Entity Table
Entries Table
Entries Table Managed Objects and Descriptions
Entity Table Managed Objects and Descriptions
Interaction Table
Interaction Table
Management subsystem was initialized, this
Interaction Table Managed Objects and Descriptions
Object will contain a value of zero
462
Tuning Server Performance
Tuning Directory Server Performance
Tuning Directory Server Performance
Tuning Database Performance
Optimizing Search Performance
Optimizing Search Performance
Changing the Location of the Database Transaction Log
Tuning Transaction Logging
Changing the Database Checkpoint Interval
Changing the Database Checkpoint Interval
Disabling Durable Transactions
Miscellaneous Tuning Tips
Specifying Transaction Batching
Avoid Creating Entries Under the cn=config
470
Bit Check Plug-in
Server Plug-in Functionality Reference
ACL Plug-in
Details of 7-Bit Check Plug-in
ACL Preoperation Plug-in
Administering Directory Server Plug-ins
Binary Syntax Plug-in
Details of ACI Plug-in
Case Exact String Syntax Plug-in
Boolean Syntax Plug-in
Details of Binary Syntax Plug-in
Details of Boolean Syntax Plug-in
Chaining Database Plug-in
Case Ignore String Syntax Plug-in
Details of Case Exact String Syntax Plug-in
Details of Case Ignore String Syntax Plug-in
Details of Class of Service Plug-in
Class of Service Plug-in
Class of Service Plug-in
Country String Syntax Plug-in
Generalized Time Syntax Plug-in
Distinguished Name Syntax Plug-in
10. Details of Country String Plug-in
11. Details of Distinguished Name Syntax Plug-in
Internationalization Plug-in
Integer Syntax Plug-in
12. Details of Generalized Time Syntax Plug-in
13. Details of Integer Syntax Plug-in
Legacy Replication Plug-in
Ldbm Database Plug-in
14. Details of Internationalization Plug-in
15. Details of ldbm Database Plug-in
Octet String Syntax Plug-in
Multi-Master Replication Plug-in
16. Details of Legacy Replication Plug-in
17. Details of Multi-Master Replication Plug-in
Crypt Password Storage Plug-in
Clear Password Storage Plug-in
19. Details of Clear Password Storage Plug-in
18. Details of Octet String Syntax Plug-in
20. Details of Crypt Password Storage Plug-in
NS-MTA-MD5 Password Storage Plug-in
21. Details of NS-MTA-MD5 Password Storage Plug-in
NS-MTA-MD5 Password Storage Plug-in
Ssha Password Storage Plug-in
SHA Password Storage Plug-in
22. Details of SHA Password Storage Plug-in
Postal Address String Syntax Plug-in
23. Details of Ssha Password Storage Plug-in
PTA Plug-in
24. Details of Postal Address String Syntax Plug-in
Authentication Plug-in
Using the Pass-through
See , Using the Pass-through
Referential Integrity Postoperation Plug-in
26. Details of Referential Integrity Post-Operation Plug-in
Retro Changelog Plug-in
Retro Changelog Plug-in
See , Managing Indexes for
Space Insensitive String Syntax Plug-in
Roles Plug-in
27. Details of Retro Changelog Plug-in
28. Details of Roles Plug-in
29. Details of Space Insensitive String Syntax Plug-in
State Change Plug-in
State Change Plug-in
See Appendix B, Finding Directory Entries
UID Uniqueness Plug-in
Telephone Syntax Plug-in
30. Details of State Change Plug-in
31. Details of Telephone Syntax Plug-in
URI Plug-in
See , Using the Attribute
32. Details of UID Uniqueness Plug-in
URI Plug-in
33. Details of URI Plug-in
Enabling and Disabling Plug-ins
How Directory Server Uses PTA
Using the Pass-through Authentication Plug-in
PTA Plug-in Syntax
Using the Pass-through Authentication Plug-in
Variable Definition
PTA Plug-in Syntax
See .5, Configuring the Optional
Configuring the Optional Parameters for
Specifying the Pass-through Subtree for
Configuring the PTA Plug-in
Configuring the PTA Plug-in
PTA Plug-in Parameters
Specifying the Authenticating Directory Server
Configuring the Servers to Use a Secure Connection
Turning the Plug-in On or Off
Specifying the Pass-through Subtree
Specifying the Pass-through Subtree
Configuring the Optional Parameters
PTA Plug-in Syntax Examples
PTA Plug-in Syntax Examples
Using Non-Default Parameter Values
Specifying Multiple Authenticating Directory Servers
Specifying Different Optional Parameters
502
Overview of the Attribute Uniqueness Plug-in
Using the Attribute Uniqueness Plug-in
Attribute Uniqueness Plug-in Syntax
Using the Attribute Uniqueness Plug-in
See .3.1, Turning the Plug-in On or
Attribute Uniqueness Plug-in Syntax
505
Attribute Uniqueness Plug-in Variables
Creating an Instance of the Attribute Uniqueness Plug-in
Viewing Plug-in Configuration Information
Configuring Attribute Uniqueness Plug-ins
Configuring Attribute Uniqueness Plug-ins
From the Property Editor
From the Configuration tab
Specifying a Suffix or Subtree
Turning the Plug-in On or Off
509
Using the markerObjectClass and requiredObjectClass Keywords
Attribute Uniqueness Plug-in Syntax Examples
From the Command-Line
Specifying One Attribute and One Subtree
Specifying One Attribute and Multiple Subtrees
Simple Replication Scenario
Replication and the Attribute Uniqueness Plug-in
Multi-Master Replication Scenario
Multi-Master Replication Scenario
514
About Windows Sync
Active Directory Directory Server Synchronization Process
517
About Windows Sync
Configure SSL on Directory Server
Configuring Windows Sync
Configure the Active Directory
Configure the Active Directory Domain
Select the Enterprise Root CA option
Iv. Accept the certificate request. For example
Select or Create the Sync Identity
Domain
Install and Configure the Password Sync Service
Reboot the Windows machine to start Password Sync
Hit Next, then Finish to install Password Sync
523
Install and Configure the Password
Give trusted peer status to the server
Configure the Directory Server Database for Synchronization
Create the Synchronization Agreement
Sync Service
Setting up the Sync Agreement
Begin Synchronization
Using Windows Sync
Begin Synchronization
Synchronizing Users Synchronizing Groups Deleting Entries
Synchronizing Users
Directory Server Active Directory
Synchronizing Users
529
PhysicalDeliveryOfficeName
Synchronizing Groups
Deleting Entries
Deleting Entries
NtGroupAttributes NtGroupId Name SamAccountName NtGroupType
Description Member SeeAlso
Manually Updating and Resynchronizing Entries
Resurrecting Entries
Modifying the Sync Agreement
Checking Synchronization Status
Checking Synchronization Status
Password Policies
Schema Differences
Groups
Values for street and streetAddress
Modifying Password Sync
Password Sync Service
Starting and Stopping the Password Sync Service
Contraints on the initials attribute
Uninstalling Password Sync Service
Troubleshooting
To uninstall the Password Sync service, do the following
Open the Add/Remove Programs utility
537
Troubleshooting
538
About the Ldif File Format
Appendix A. Ldap Data Interchange Format
Table A.1. Ldif Fields
Continuing Lines in Ldif
Appendix A. Ldap Data Interchange Format
Field Definition
Standard Ldif Notation
Representing Binary Data
Base-64 Encoding
Representing Binary Data
Specifying Domain Entries
Specifying Directory Entries Using Ldif
Specifying Organizational Unit Entries
Table A.2. Ldif Elements in Domain Entries
Domain Entries
Ldif Element Description
Specifying Organizational Unit Entries
Table A.3. Ldif Elements in Organizational Unit Entries
Specifying Organizational Person Entries
Specifying Organizational Person Entries
Table A.4. Ldif Elements in Person Entries
Defining Directories Using Ldif
547
Defining Directories Using Ldif
Ldif File Example
Storing Information in Multiple Languages
Storing Information in Multiple Languages
550
File contents are then converted to UTF-8
Figure B.1. Browsing Entries in the Directory Tab
Finding Entries Using the Directory Server Console
Appendix B. Finding Directory Entries
Using ldapsearch
Ldapsearch command must use the following format
Ldapsearch Command-Line Format
Commonly Used ldapsearch Options
Commonly Used ldapsearch Options
Returning All Entries
Ldapsearch Examples
Searching the Schema Entry
Specifying Search Filters on the Command Line
Using Ldapbasedn
Searching the Root DSE Entry
Displaying Subsets of Attributes
Specifying Search Filters Using a File
This example assumes the search base is set with Ldapbasedn
Ldap Search Filters
Using Client Authentication When Searching
Specifying DNs That Contain Commas in Search Filters
Ldap Search Filters
Using Operators in Search Filters
Using Attributes in Search Filters
Search Filter Syntax
Basic syntax of a search filter is
Table B.1. Search Filter Operators
Using Compound Search Filters
Search Filter Syntax
Search Type Operator Description
Search Filter Examples
Operator Symbol Description
Table B.2. Search Filter Boolean Operators
Searching an Internationalized Directory
Searching an Internationalized Directory
Matching Rule Formats
Matching Rule Filter Syntax
Using a Language Tag for the Matching Rule
Using an OID for the Matching Rule
Matching Rule Filter Syntax
565
Using an OID and Suffix for the Matching Rule
Using Wildcards in Matching Rule Filters
Using a Language Tag and Suffix for the Matching Rule
Table B.3, Search Types, Operators, and Suffixes
Supported Search Types
Supported Search Types
Search Type Operator Suffix
Less-Than Example
International Search Examples
Less-Than or Equal-to Example
Equality Example
Greater-Than Example
Greater-Than or Equal-to Example
Substring Example
International Search Examples
570
But either one of these will work correctly
Ldap URLs have the following syntax
Components of an Ldap URL
Component
Hostname Port
Appendix C. Ldap URLs
Table C.1. Ldap URL Components
Component Description
Examples of Ldap URLs
Escaping Unsafe Characters
Escaping Unsafe Characters
Unsafe Character Escape Characters
Example
575
Examples of Ldap URLs
576
About Locales
Appendix D. Internationalization
Appendix D. Internationalization
Identifying Supported Locales
Locale Language Tag Collation Order Object Identifiers OIDs
Supported Language Subtypes
Table D.1. Supported Locales
579
Supported Language Subtypes
Troubleshooting Matching Rules
Troubleshooting Matching Rules
Table D.2. Supported Language Subtypes
582
See Also access control list
See Also access control instruction
See Also ID list scan limit
Value
Glossary
See base DN
See bind DN
See Certificate Authority
See Also virtual list view index
That provides client access to the directory
Directory Access Protocol. The ISO X.500 standard protocol
See Ldap client
See Also template entry
See directory tree
See CoS definition entry
See distinguished name
See Directory Manager
See Directory Server Gateway
See Also cascading replication
See Ldap Data Interchange Format
See Snmp master agent
See supplier
Directory tree
See object identifier
See Also access rights
Encoded messages which form the basis of data exchanges
Between Snmp devices. Also protocol data unit
Authenticating directory server, pass-through subtrees,
Receives to the authenticating directory server
Name. Also relative distinguished name
Process is called a referral
Request for Comments. Procedures or standards documents
Submitted to the Internet community. People can send
Comments on the technologies before they become accepted
Server Instance Entry. The ID assigned to an instance
Directory Server during installation
See supplier-initiated replication
Subagent
Simple Network Management Protocol
See Snmp subagent
Protocol. Also Transport Layer Security
See CoS template entry
See Also browsing index
Page
600
Index
Index
Page
Index
Page
Index
Ldapbasedn
Index
Ldif
Index
MIB
Index
Page
Index
Page
MIB
Page
Index
