HP UX Red Hat Direry Server Software guide

Retro Changelog and the Access Control

16.3. Searching and Modifying the Retro Changelog

The changelog supports search operations and is optimized for searches that include filters of the form (&(changeNumber>=X)(changeNumber<=Y)).

As a general rule, do not perform add or modify operations on the retro changelog entries, although entries can be deleted to trim the size of the changelog. Only modify the retro changelog entry to modify the default access control policy.

16.4. Retro Changelog and the Access Control Policy

When the retro changelog is created, the following access control rules apply by default:

•Read, search, and compare rights are granted to all authenticated users (userdn=anyone, not to be confused with anonymous access where userdn=all) to the retro changelog top entry cn=changelog.

•Write and delete access are not granted, except implicitly to the Directory Manager.

Do not grant read access to anonymous users because the changelog entries can contain modifications to sensitive information, such as passwords. Only authenticated applications and users should be allowed to access this information.

To modify the default access control policy which applies to the retro changelog, modify the aci attribute of the cn=changelog entry.

17. Monitoring Replication Status

The replication status can be viewed in the Directory Server Console or Red Hat Administration Express.

•Section 17.1, “Monitoring Replication Status from the Directory Server Console”

•Section 17.2, “Monitoring Replication Status from Administration Express”

17.1.Monitoring Replication Status from the Directory Server Console

To view a summary of replication status in the Directory Server Console. do the following:

1.Open the Directory Server Console.

2.Select the Status tab, and then, in the left navigation tree, select Replication Status.

In the right pane, a table appears that contains information about each of the replication agreements configured for this server.

339

Page 359

Image 359

HP UX Red Hat Direry Server Software manual Monitoring Replication Status, Searching and Modifying the Retro Changelog

Contents

Administrators Guide Red Hat Directory Server Copyright 2008 Red Hat, Inc Red Hat Directory Server 8.0 Administrators Guide Red Hat Directory Server General Red Hat Directory Server Usage Creating a New Database Link Creating and Maintaining SuffixesCreating and Maintaining Databases Creating and Maintaining Database LinksPage Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Xvi Preface Directory Server Overview Preface Example and Default ReferencesWhen shown as below, it indicates computer output Document Conventions Xix Document Conventions Related Information Chapter Directory Server File Locations File or Directory Location Red Hat Enterprise Linux 4 and 5General Red Hat Directory Server Usage Binaries Sun Solaris 9 sparcHP-UX 11i IA64 Ldap Tool Locations Opt/dirsrv/bin Ldap Tool LocationsStarting and Stopping Servers Platform Directory Location Start the Directory Server Console Starting and Stopping Directory Server from the ConsoleStarting and Stopping Directory Server from Solaris uses /etc/init.d Starting and Stopping Administration Server HP-UX has a different location for the script On Solaris, the service is init.dStarting the Directory Server Console Console Click Log on to the Directory Server as a New User Changing Login IdentityLogin screen Logging into Directory Server Viewing the Current Console Bind DN Changing Directory Server Port NumbersViewing the Current Console Bind DN General Red Hat Directory Server Usage Creating a New Directory Server Instance Open the Administration Server ConsoleConfiguration tab, select the Configuration DS tab Creating a New Directory Server Instance Configuring the Directory Manager Configuring the Directory Manager Page Creating a Root Entry Managing Entries from the Directory Console Template Object Class Directory Server Console, select the Configuration tabCreating Directory Entries Creating Directory Entries Entry Templates and Corresponding Object Classes Creating an Entry Using a Predefined TemplateRole NsRoleDefinition Class of Service CosSuperDefinition Creating Other Types of Entries Displaying the Property Editor Modifying Directory Entries Modifying Directory Entries Adding an Object Class to an EntryRemoving an Object Class Adding an Attribute to an Entry Adding Very Large Attributes Removing an Attribute Value Adding Attribute Values Instead, use Adding an Attribute SubtypeLanguage Subtype Binary Subtype Deleting Directory Entries Deleting Directory EntriesPronunciation Subtype Adding a Subtype to an Attribute Entries, use Ctrl or Shift Select Delete from the Edit menu Managing Entries from the Command-LineProviding Input from the Command-Line Creating a Root Entry from Creating a Root Entry from the Command-LineSee , Ldif Update Statements Import the Ldif file from the Directory Server Console Adding Entries Using LdifAdding and Modifying Entries Using ldapmodify Parameter Name Description Adding Entries Using ldapmodifyCommand-Line Ldapmodify Parameters Used for Adding Entries Modifying Entries Using ldapmodifyInput from the Command-Line Hostname is cyclops Server uses port number Deleting Entries Using ldapdeleteDeleting Entries Using ldapdelete Ldapmodify Parameters Used for Modifying Entries This ldapdelete example has the following values Are branch points in the directory tree Ldapdelete Parameters Used for Deleting Entries Using Special CharactersUsing Special Characters Tracking Modifications to Directory Entries Open the Tasks tab, and click Restart Directory Server Ldif Update StatementsSelect the Track Entry Modification Times checkbox General format of Ldif update statements is as follows Ldif Update Statements Following sections describe the change types in detail Adding an Entry Using Ldif Following command renames Sue Jacobs to Susan Jacobs Renaming an Entry Using LdifRenaming an Entry Using Ldif Addattribute Modifying an Entry Using Ldif Following example adds two telephone numbers to the entry Adding Attributes to Existing Entries Using LdifModifying an Entry Using Ldif Changing an Attribute Value Using Ldif Entry is now as follows Deleting All Values of an Attribute Using LdifDeleting a Specific Attribute Value Using Ldif Barneys entry then becomes Deleting an Entry Using Ldif Modifying an Entry in an Internationalized Maintaining Referential IntegrityModifying an Entry in an Internationalized Directory How Referential Integrity Works Using Referential Integrity with Replication Directory Modifying the Update IntervalYou can enable or disable referential integrity as follows Enabling/Disabling Referential Integrity Modifying the Attribute List Modifying the Attribute List TIPPage A Sample Directory Tree with One Root Suffix Creating and Maintaining Suffixes Creating Suffixes Configuring Directory DatabasesCreating Suffixes 1, Using Referrals in a Suffix Creating Suffixes A Sample Directory Tree with a Sub Suffix Creating a New Sub Suffix Using the Console Creating a New Root Suffix Using the Console Creating Root and Sub Suffixes from the Command-Line Attribute Name Value Creating and Maintaining Databases for Creating and Maintaining Database Links forAttribute. See , Creating Maintaining Databases for more information Suffix Attributes Using Referrals in a SuffixMaintaining Suffixes To requests from client applications Click Save Enabling Referrals Only During Update OperationsDisabling a Suffix Maintaining Suffixes Deleting a Suffix Creating and Maintaining DatabasesCreating Databases Creating Databases Configuring Directory Databases For example, add a new database to the server example1 Adding Multiple Databases for a Single Suffix Configuring Directory Databases Maintaining Directory Databases Placing a Database in Read-Only ModeMaintaining Directory Databases Change the read-only attribute to on Making a Database Read-Only Using the ConsoleMaking a Database Read-Only from the Command Line Select the database is read-only checkbox Click Save, and then restart the server Placing the Entire Directory Server in Read-Only ModeDeleting a Database Select the Make Entire Server Read-Only checkbox Database Encryption Configuring Transaction Logs for Frequent Database Updates Database Encryption Encryption Keys Select the Attribute Encryption tab Configuring Database Encryption from the ConsoleEncryption Ciphers Exporting and Importing an Encrypted Database Configuring Database Encryption Using the Command-LineRun the ldapmodify command1 See .3, Importing from the Command-Linefor more information Creating and Maintaining Database Links Configuring the Chaining PolicyCreating and Maintaining Database Links Chaining Component Operations NsActiveChainingComponents Cn=resource Component Name Description Permissions NsActiveChainingComponents Cn=certificate-based Configuring the Chaining Policy Components Allowed to Chain Chaining Component Operations Using the Console Plug-in Chaining Component Operations from the Command-LineChaining Ldap Controls Chaining Ldap Controls from the Command-Line Chaining Ldap Controls Using the Console Creating a New Database Link Creating a New Database Link Using the ConsoleCreating a New Database Link Ldap Controls and Their OIDs Configuring Directory Databases Specify the configuration information for the database link Creating a Database Link from the Command-Line Providing Bind Credentials Providing Suffix Information NsMultiplexorBindDN cannot be that of the Directory Manager Providing an Ldap URL Attributes Value Summary of Database Link Configuration AttributesProviding a List of Failover Servers File Operations 1, Chaining Component Attributes Value Run ldapmodify1 to add a database link to server a Create an administrative user on server B, as follows Maintaining Database Links Chaining Using SSLUpdating Remote Server Authentication Information Enable SSL on the server that contains the database link Deleting Database Links Database Links and Access Control EvaluationDatabase Links and Access Control Configuring Directory Databases Evaluation Advanced Feature Tuning Database Link PerformanceManaging Connections to the Remote Server Using the Console Managing Connections to the Remote Server Attribute Name Description Database Link Connection Management Attributes Detecting Errors During Normal ProcessingAdvanced Feature Tuning Database Link Managing Threaded Operations Database Link Processing Error Detection Parameters Performance Advanced Feature Configuring Cascading ChainingOverview of Cascading Chaining Configuring Directory Databases Advanced Feature Configuring Cascading Configuring Cascading Chaining Defaults Using the Console Configuring Cascading Chaining Using the Console Chaining Configuring Cascading Chaining from the Command-Line Configuring Directory Databases Attribute Description Summary of Cascading Chaining Configuration AttributesDetecting Loops Aci This attribute must contain the following ACI Cascading Chaining Configuration ExampleCascading Chaining Configuration Attributes 101 Configuring Server One 102 Configuring Server Two 103 Configuring Directory Databases Allow this Configuring Server Three Client on server two Using ReferralsStarting the Server in Referral Mode Setting Default Referrals Setting Default ReferralsSetting a Default Referral Using the Console Setting a Default Referral from the Command-Line Creating Smart Referrals Creating Smart Referrals Using the Directory Server Console 109 Creating Smart Referrals from the Command LineCreating Smart Referrals Creating Suffix Referrals Creating Suffix Referrals Using the Console Creating Suffix Referrals Creating Suffix Referrals from the Command-Line Configuring Directory Databases Action Import Initialize Database Importing DataImport Method Comparison Following sections describe importing data Importing a Database from the ConsolePopulating Directory Databases Initializing a Database from the Console Initializing a Database from the Console Importing Using the ldif2db Command-Line Script Importing from the Command-Line Option Description Importing from the Command-Line Run the ldif2db script Importing Using the ldif2db.pl Perl ScriptLdif2db Parameters Ldif2db Options Importing Using the ldif2ldap Command-Line ScriptRun the ldif2ldap command-line script Exporting Data Splitting a Database Contents into Two Databases Exporting Directory Data to Ldif Using Exporting Directory Data to Ldif Using the Console Exporting to Ldif from the Command-Line Exporting a Single Database to Ldif Using the Console With the -noption or 123 Run the db2ldif command-line scriptLdif file in this case would be Directory and is automatically named Db2ldif Options Backing up and Restoring DataBacking up All Databases Backing up All Databases from the Server Console Click Back Up Directory Server Backing up All Databases from the Command-LineRun the db2bak command-line script Backing up All Databases Restoring All Databases Backing up the dse.ldif Configuration FileClick Restore Directory Server Restore Directory dialog box is displayed 126 Restoring All Databases Restoring Your Database from the Command-LineUsing the bak2db Command-Line Script Using bak2db.pl Perl Script Restart the Directory Server Restoring a Single DatabaseRun the bak2db.pl Perl script Restoring Databases That Include Restoring the dse.ldif Configuration FileRestoring Databases That Include Replicated Entries 130 About Roles Using Roles Managing Entries with Roles, Class of Service, and Views Managing Roles Using the Console Managing Roles Using the Console 134 Creating a Managed Role 135 Creating a Filtered RoleFollow the steps of .2.1, Creating a Managed Role 136 Creating a Nested RoleViewing and Editing an Entrys Roles Create a new role, as in .2.1, Creating a Managed Role 137 Modifying a Role EntryMaking a Role Inactive Deleting a Role Reactivating a Role Dialog box appears to confirm the deletion. Click Yes Managing Roles Using the Command-LineManaging Roles Using the Command-Line Object Classes and Attributes for Roles Examples Managed Role Definition 141 Example Filtered Role Definition Example Nested Role Definition Using Roles Securely Assigning Class of Service Assigning Class of Service About the CoS Definition Entry About CoS About CoS About the CoS Template EntryHow a Pointer CoS Works Sample Pointer CoS How an Indirect CoS Works Sample Indirect CoS How a Classic CoS Works Sample Classic CoS Searches for CoS-Specified Attributes Creating a New CoS Managing CoS Using the ConsoleManaging CoS Using the Console 150 Property Editor opens Creating the CoS Template Entry Deleting a CoS Editing an Existing CoS CoS Type Object Classes Description Managing CoS from the Command-LineCreating the CoS Definition Entry from the Command-Line Managing CoS from the Command-Line Attribute Definition CoS Definition Entry Object ClassesCoS Definition Entry Attributes Managing CoS from the Command-Line Indirect CoS CoS DefinitionsCoS Type CoS definition Pointer CoS Be added to any other search filter using or Creating the CoS Template Entry from the Command-Line 158 Example of a Pointer CoS Create the template entry Example of an Indirect CoS Example of a Classic CoS Classic CoS definition entry looks like Creating Role-Based AttributesCreating Role-Based Attributes Access Control and CoS Using Views Creating Views in the Console Creating Views in the Console Deleting Views from the Directory Server Console Creating Views from the Command Line Managing Static Groups Using GroupsDeleting Views from the Command Line Deleting Views from the Command Line Modifying a Static Group Adding a New Static Group Managing Dynamic Groups Managing Dynamic GroupsAdding a New Dynamic Group Modifying a Dynamic Group 168 ACI Structure Access Control Principles ACI Limitations ACI PlacementManaging Access Control ACI Evaluation Default ACIs Default ACIs Creating ACIs Manually Aci attribute uses the following syntax ACI SyntaxDefining Targets Defining Targets Targetfilter Ldif Target KeywordsKeyword Valid Expressions Wildcard Allowed Targetattr 175 Targeting a Directory Entry Targeting Attributes 177 Targeting Both an Entry and Attributes 178 Targeting Entries or Attributes Using Ldap Filters Targeting Attribute Values Using Ldap Filters Targeting a Single Directory Entry Defining Permissions Assigning rights Allowing or Denying AccessAssigning Rights Defining Permissions Proxy rights Rights Required for Ldap OperationsUser Rights Selfwrite to the targeted entry, excluding 183 Permissions Syntax Access Control and the modrdn OperationBind Rules Yes, in DN only Bind Rule SyntaxBind Rule Syntax Userdn Dns Defining User Access userdn KeywordLdif Bind Rule Keywords Groupdn Ldap///DN DN Roledn Userattr Parent Access parent Keyword Anonymous Access anyone KeywordGeneral Access all Keyword Self Access self Keyword ScenExamplerio Description WildcardsExamples Userdn Keyword Examples Defining Group Access groupdn Keyword Groupdn Examples Defining Group Access groupdn KeywordDefining Role Access roledn Keyword Defining Access Based on Value Matching Defining Access Based on Value MatchingUsing the userattr Keyword AttrValue is any string representing an attribute value Example with Userdn Bind TypeExample with Groupdn Bind Type 193 Example with Roledn Bind TypeExample with Ldapurl Bind Type Example with Any Attribute Value Using the userattr Keyword with Inheritance Granting Add Permission Using the userattr Keyword Using Inheritance With the userattr Keyword Defining Access from a Specific IP Address Dns keyword allows wildcards. For example Defining Access from a Specific DomainDefining Access from a Specific Domain Instead, use a fully qualified name Defining Access at a Specific Time of Day or Day of Week Defining Access Based on Authentication Defining Access Based on Authentication Method Authmethod = saslmechanism Method Using Boolean Bind RulesAuthentication bind DN and password over Ldaps Creating ACIs from the Console Click New to open the Access Control Editor Displaying the Access Control EditorDisplaying the Access Control Editor Creating a New ACI Access Control Editor Window Creating a New ACI Managing Access Control Creating a New ACI Managing Access Control Editing an ACI Editing an ACI Control Manager Viewing ACIsDeleting an ACI Get effective rights result looks like the following Get Effective Rights ControlGet Effective Rights Control Permissions Permission Description Using Get Effective Rights from the Command-LinePermissions That Can Be Set on Entries Permissions That Can Be Set on Attributes Using Get Effective Rights from 214 Code Description Using Get Effective Rights from the ConsoleGet Effective Rights Return Codes Check the Show effective rights checkbox Returned Result Codes Logging Access Control InformationAccess Control Usage Examples Granting Anonymous Access Granting Anonymous Access ACI Anonymous World Click New to display the Access Control EditorClick OK in the Access Control Editor window ACI Anonymous example.com Filter for subentries field, type the following filter Granting Write Access to Personal EntriesGranting Write Access to Personal Entries 220 ACI Write example.com ACI Write Subscribers Restricting Access to Key Roles ACI Roles Restricting Access to Key RolesSee , Using Roles Ldif statement should read as follows Granting a Group Full Access to a SuffixACI HR ACI Create Group Granting Rights to Add and Delete Group Entries Managing Access Control Entries Granting Conditional Access to a Group or RoleACI Delete Group 228 ACI HostedCompany1 Ldif statement should be similar to the following Denying AccessDenying Access ACI Billing Info Read 231 ACI Billing Info Deny Allowing Users to Add or Remove Themselves from a Group Setting a Target Using Filtering Allowing Users to Add or Remove ACI Group Members Defining Permissions for DNs That Contain a Comma Proxied Authorization ACI Example Themselves from a Group Advanced Access Control Using Macro ACIsMacro ACI Example 236 Example Directory Tree for Macro ACIs Macro ACI Syntax Macro ACI Syntax Macro ACI Keyword Macro Matching for $dnMacros in ACI Keywords $dn in the subject is replaced with dc=hostedCompany1 Steps for expanding this ACI are as follows 240 Macro Matching for $attr.attrNameFor example, consider the following ACI Compatibility with Earlier Releases Access Control and ReplicationAccess Control and Replication 242 Configuring the Password Policy Managing the Password Policy Managing User Accounts and Passwords Configuring a Global Password Policy Using the Console Configuring the Password Policy Check the Enable fine-grained password policy checkbox Configuring a Subtree/User Password Policy Using the Console Attribute Name Definition Configuring a Global Password Policy Using the Command-Line Directory data because the longer a password Users password will expire after an intervalGiven by the passwordMaxAge attribute Making passwords expire helps protect Session to cycle through the password history Discourage users from reusing old passwordsFor example, setting the minimum password Changing their passwords during a single Attributes, respectively. By default, this Shorter passwords are easier to crackPasswords can be two 2 to 512 characters It down. This attribute is set to 8 by default Lowercase letters a to z This attribute is set to 3 by defaultDefault method Compatibility with Unix passwords Password Policy Attributes CoS specification entry at the subtree level. For example 254 Start the server Setting User PasswordsPassword Change Extended Operation Setting User Passwords 256 Ldappasswd OptionsParameter Description Configuring the Account Lockout Policy Configuring the Account Lockout PolicyConfiguring the Account Lockout Policy Using the Console Attribute Name Definition Account Lockout Policy Attributes Managing the Password Policy in a Replicated EnvironmentManaging the Password Policy in a Synchronizing Passwords Replicated Environment Inactivating Users and Roles Option Name Description Inactivating User and Roles Using the ConsoleInactivating User and Roles Using the Command-Line DN of the user account or role to activate Activating User and Roles Using the ConsoleActivating User and Roles Using the Command-Line Activating User and Roles Using Setting Resource Limits Using the Console Setting Resource Limits Based on the Bind DN Entering a value of -1indicates no limit Click OK Setting Resource Limits Using the Command-Line 266 Read-Write and Read-Only Replicas Replication OverviewWhat Directory Units Are Replicated Managing Replication Suppliers and ConsumersChangelog Replication Identity Replication Agreement Replication AgreementCompatibility with Earlier Versions of Directory Server Single-Master Replication Replication Scenarios Multi-Master Replication Multi-Master Replication 272 Multi-Master Replication Two Masters Multi-Master Replication Four Masters Replication Cascading Replication Creating the Supplier Bind DN Entry Creating the Supplier Bind DN Entry Configuring Single-Master Replication Configuring the Read-Write Replica on Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Supplier Server Create the Replication Agreement Create the Replication Agreement Managing Replication Create the Replication Agreement Replication will not begin until the consumer is initialized Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier Servers Configuring Multi-Master Replication 287 Configuring the Read-Write Replicas on Managing Replication Supplier Servers Configuring the Read-Only Replicas on the Consumer Servers Managing Replication Setting up the Replication Agreements Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized 297 Preventing Monopolization of the Consumer Configuring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Server Configuring the Read-Only Replica on Configuring the Read-Only Replica on the Hub Consumer Server Managing Replication Setting up the Replication Agreements Managing Replication DN and password Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Configuring Replication from the Command Configuring Replication from the Command LineConfiguring Suppliers from the Command Line 312 Changelog, to which Changelog AttributesLine Object Class or Attribute Description Values 314 Consumer. This is required for Replica Attributes Configuring Consumers from the Command LineConfiguring Consumers from the Command Forward update requests. By Configuring Hubs from the Command Line Configuring Replication Agreements from the Command Line Parameter to SSL. If TLS/SSL 318 Qualified host and domain Objectclass=* $ Exclude Attributes will not be Configuring Replication Agreements fromReplication between Servers Nsds5replicabindcredentials Nsds5replicatedattributelist 320 Midnight and 2359 is PM. For example, the settingReplication Agreement Attributes Command Line Initializing Consumers Online from the Command Line Deleting the Changelog Making a Replica Updatable Moving the Changelog to a New Location Initializing ConsumersRemoving the Changelog Moving the Changelog to a New Location Online Consumer Initialization Using the Console When to Initialize a Consumer Initializing Consumers Online Using Initializing Consumers Online Using the Command Line Exporting a Replica to Ldif Manual Consumer Initialization Using the Command Line Importing the Ldif File to the Consumer Server Filesystem Replica Initialization Initializing the Consumer Replica from the Backup Files Restart the destination Directory Server. For example Forcing Replication UpdatesForcing Replication Updates Stop the destination Directory Server if it is running Forcing Replication Updates from the Command-Line Forcing Replication Updates from the Console Replicating Account Lockout Attributes Replicating Account Lockout AttributesExample 8.1. ReplicateNow Script Example ReplicateNow Variables Replication over SSL Replicating o=NetscapeRoot for Select SSL Client AuthenticationSelect Simple Authentication Directory Server Installation Guide See , Enabling and Disabling Plug-ins Administration Server FailoverReplication with Earlier Releases Using the Retro Changelog Plug-in Retro Changelog Entry Enabling the Retro Changelog Plug-inAttributes of a Retro Changelog Entry Enabling the Retro Changelog Plug-in Trimming the Retro Changelog Searching and Modifying the Retro Changelog Retro Changelog and the Access Control PolicyRetro Changelog and the Access Control Monitoring Replication Status Table Header Description Monitoring Replication Status from Administration ExpressDirectory Server Console Replication Status Table header shows the replica ID 341 Policy Solving Common Replication Conflicts Solving Naming Conflicts Solving Naming ConflictsRenaming an Entry with a Multi-Valued Naming Attribute 344 Unique identifier attribute nsuniqueid cannot be deleted Renaming an Entry with a Single-Valued Naming Attribute Solving Orphan Entry Conflicts Solving Potential Interoperability Problems Troubleshooting Replication-Related Troubleshooting Replication-Related Problems Error/Symptom Reason Impact Remedy Problems Direct consumers But some consumers Follows Are way behind SupplierIf it has been Replayed to all Replication Status Replication ErrorsSee Section Monitoring 352 Create new attributes, as in .2, Creating Attributes Overview of Extending SchemaManaging Attributes Viewing Attributes Syntax Extending the Directory SchemaField Name Field Description Creating AttributesAttributes Tab Reference Creating Attributes OIDs are described in .1, Attributes Tab Reference Editing AttributesDeleting Attributes Managing Object Classes This procedure is explained in .4, Deleting AttributesManaging Object Classes Viewing Object Classes 358 ReferenceParent Creating Object Classes Creating Object ClassesObject Classes Tab Reference Click OK to save the new object class Editing Object Classes Deleting Object Classes Deleting Object Classes Turning Schema Checking On and Off About Index Types About Indexes Attribute Pres Sub Purpose About Default, System, and Standard IndexesOverview of Default Indexes Managing Indexes Integrity for About Default, System, and StandardMaintaining Referential 366 Default IndexesOverview of System Indexes Attribute Pres Purpose Overview of the Searching AlgorithmOverview of Standard Indexes System Indexes Managing Indexes Approximate Searches Approximate SearchesBalancing the Benefits of Indexing Directory Server is maintaining the following indexes 370 Creating Indexes Creating Indexes Creating Indexes from the Server Console Adding an Index Entry Creating Indexes from the Command-LineCreating Indexes from the Command-Line 374 To create a new index for a particular database, add it to Creating Indexes from the Command-Line Db2index Options describes the db2index.pl options Running the db2index.pl ScriptDb2index.pl Options Run the db2index.pl Perl script Creating Browsing Indexes from Creating Browsing Indexes from the Command-LineCreating Browsing Indexes from the Server Console Adding a Browsing Index Entry Managing Indexes This first browsing index entry must be added to Running the vlvindex Script Run the vlvindex script Setting Access Control for VLV InformationVlvindex Options Stop the server.3 Change ldap//all to ldap//anyone and save your changes Deleting IndexesDeleting Indexes A text editor, open the dse.ldif file Deleting Indexes from the Server Console Deleting Indexes from the Command-Line Ldapdelete Options describes the ldapdelete options Deleting Indexes from the Command-LineDeleting an Index Entry Run the db2index.pl Perl script. For example Ldapdelete Options Db2index Options Deleting Browsing Indexes from the Command-LineDeleting Browsing Indexes from the Server Console Deleting a Browsing Index Entry Option Description Vlvindex Options describes the vlvindex options Managing Indexes Search Performance Indexing Performance Backwards Compatibility and Migration Attribute Primary Name Attribute Alias Attribute Name Quick Reference TableBackwards Compatibility and Migration 391 Attribute Name Quick Reference TableAttribute Name Quick Reference Table 392 Enabling SSL Summary of Steps Introduction to TLS/SSL in the Directory Server Turn on TLS/SSL in the directory Command-Line Functions for Start TLSManaging SSL Obtaining and Installing Server Certificates Obtaining and Installing Server CertificatesTroubleshooting Start TLS Generate a Certificate Request Generate a Certificate Request Managing SSL After generating the certificate request, send it to the CA Send the Certificate Request Install the Certificate Trust the Certificate Authority Trust the Certificate Authority Confirm That The New Certificates Are Installed Using certutil Generate the Directory Server client certificate Create a password file for the security token passwordCreating Directory Server Certificates 404 Certutil Options Starting the Server with TLS/SSL EnabledThrough the Command Line Certutil Usage Select the certificate to use from the drop-down menu Click Cipher SettingsEnabling TLS/SSL Only in the Directory Server Enabling TLS/SSL Only in the Directory Described in , Starting and Stopping Servers 409 Server Click Cipher SettingsCheck the Use SSL in the Console box. Hit Save Creating a Password File for the Directory Server Creating a Password File for Creating a Password File for the Administration Server Available Ciphers Setting Security PreferencesRestart the Administration Server TLSv1 Ciphers Administration Server SSLv3 Ciphers Click Cipher SettingSelecting the Encryption Cipher Encryption tab, click Save Using Certificate-Based AuthenticationUsing Certificate-Based Authentication Allowing/Requiring Client Authentication Setting up Certificate-Based Authentication Now start Red Hat Console Configuring Ldap Clients to Use SSLConfiguring Ldap Clients to Use SSL Stop the Directory Server Begin Certificate Client certificate resembles the following Configuring Ldap Clients to Use SSL Click Set Value 420 Managing Sasl Authentication Mechanisms Managing Sasl Sasl is configured by entries under a container entry 422Sasl Identity Mapping 423 Sasl Identity MappingSasl identity mapping entries are children of this entry Configuring Sasl Identity Mapping from the Console Configuring Sasl Identity Mapping from Operating System Kerberos Version Configuring Sasl Identity Mapping from the Command-LineConfiguring Kerberos Supported Kerberos Systems Realms Configuring the KDC Server Example Configuring an Example KDC Server Configuring Sasl Authentication at Configuring Sasl Authentication at Directory Server Startup Managing Sasl Defining a Log File Rotation Policy Viewing and Configuring Log FilesAdministration Express Monitoring Server and Database Activity Defining a Log File Deletion Policy Access LogViewing the Access Log Defining a Log File Deletion Policy Display to refresh automatically every ten seconds Configuring the Access Log Error Log Error LogViewing the Error Log Click Save 436 Configuring the Error LogContaining text box, and click Refresh Audit Log Configuring the Audit LogAudit Log Viewing the Audit Log Monitoring Server Activity Manual Log File Rotation Monitoring the Server from the Directory Monitoring the Server from the Directory Server Console Resource Current Total General Information ServerResource Summary Resource Usage Since Startup Average Per Minute Operations, and therefore multiple threads Current Resource UsageServer Console Connection can account for multiple Connection Status Monitoring the Directory Server from Monitoring the Directory Server from the Command LineGlobal Database Cache Information 444 Attribute Description Time GMT in UTC format Monitoring Database ActivityServer Monitoring Attributes Performance Metric Current Total See , Tuning DatabaseMaximum Cache Size setting. See Section General Information Database Monitoring Database Activity from Tuning Database Performance forCache setting. See , Tuning Summary Information 10. Database File-Specific Monitoring Databases from the Command LineDatabase Cache Information Directory Server Console Maximum Entries in Cache attribute Lower the number of page evicts the better Monitoring Database Link Activity11. Directory Server Monitoring Attributes Monitoring Database Link Activity 452 12. Database Link Monitoring Attributes About Snmp Snmp Agentx-master Configuring the Master Agent Configuring the SubagentSubagent Configuration File Monitoring Directory Server Using Snmp Starting the Subagent Starting the SubagentAgent-logdir Server Testing the Subagent Configuring Snmp Traps Configuring the Directory Server for Snmp Configuring the Directory Server for SnmpUsing the Management Information Base Managed Object Description Operations Table Entries Table Operations Table Managed Objects and Descriptions Entries Table Managed Objects and Descriptions Entries TableEntity Table Interaction Table Interaction TableEntity Table Managed Objects and Descriptions 462 Interaction Table Managed Objects and DescriptionsManagement subsystem was initialized, this Object will contain a value of zero Tuning Server Performance Tuning Directory Server Performance Optimizing Search Performance Tuning Database PerformanceTuning Directory Server Performance Optimizing Search Performance Changing the Location of the Database Transaction Log Tuning Transaction Logging Changing the Database Checkpoint Interval Changing the Database Checkpoint Interval Specifying Transaction Batching Miscellaneous Tuning TipsDisabling Durable Transactions Avoid Creating Entries Under the cn=config 470 Details of 7-Bit Check Plug-in Server Plug-in Functionality ReferenceBit Check Plug-in ACL Plug-in Details of ACI Plug-in Administering Directory Server Plug-insACL Preoperation Plug-in Binary Syntax Plug-in Details of Boolean Syntax Plug-in Boolean Syntax Plug-inCase Exact String Syntax Plug-in Details of Binary Syntax Plug-in Details of Case Ignore String Syntax Plug-in Case Ignore String Syntax Plug-inChaining Database Plug-in Details of Case Exact String Syntax Plug-in Country String Syntax Plug-in Class of Service Plug-inDetails of Class of Service Plug-in Class of Service Plug-in 11. Details of Distinguished Name Syntax Plug-in Distinguished Name Syntax Plug-inGeneralized Time Syntax Plug-in 10. Details of Country String Plug-in 13. Details of Integer Syntax Plug-in Integer Syntax Plug-inInternationalization Plug-in 12. Details of Generalized Time Syntax Plug-in 15. Details of ldbm Database Plug-in Ldbm Database Plug-inLegacy Replication Plug-in 14. Details of Internationalization Plug-in 17. Details of Multi-Master Replication Plug-in Multi-Master Replication Plug-inOctet String Syntax Plug-in 16. Details of Legacy Replication Plug-in 18. Details of Octet String Syntax Plug-in Clear Password Storage Plug-inCrypt Password Storage Plug-in 19. Details of Clear Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in20. Details of Crypt Password Storage Plug-in 21. Details of NS-MTA-MD5 Password Storage Plug-in 22. Details of SHA Password Storage Plug-in SHA Password Storage Plug-inSsha Password Storage Plug-in 24. Details of Postal Address String Syntax Plug-in 23. Details of Ssha Password Storage Plug-inPostal Address String Syntax Plug-in PTA Plug-in Referential Integrity Postoperation Plug-in Using the Pass-throughAuthentication Plug-in See , Using the Pass-through See , Managing Indexes for Retro Changelog Plug-in26. Details of Referential Integrity Post-Operation Plug-in Retro Changelog Plug-in 28. Details of Roles Plug-in Roles Plug-inSpace Insensitive String Syntax Plug-in 27. Details of Retro Changelog Plug-in See Appendix B, Finding Directory Entries State Change Plug-in29. Details of Space Insensitive String Syntax Plug-in State Change Plug-in 31. Details of Telephone Syntax Plug-in Telephone Syntax Plug-inUID Uniqueness Plug-in 30. Details of State Change Plug-in URI Plug-in See , Using the AttributeURI Plug-in 32. Details of UID Uniqueness Plug-in 33. Details of URI Plug-in Enabling and Disabling Plug-ins How Directory Server Uses PTA Using the Pass-through Authentication Plug-in PTA Plug-in Syntax Using the Pass-through Authentication Plug-in Variable Definition PTA Plug-in Syntax Specifying the Pass-through Subtree for Configuring the Optional Parameters forSee .5, Configuring the Optional PTA Plug-in Parameters Configuring the PTA Plug-inConfiguring the PTA Plug-in Turning the Plug-in On or Off Configuring the Servers to Use a Secure ConnectionSpecifying the Authenticating Directory Server Specifying the Pass-through Subtree Specifying the Pass-through Subtree Configuring the Optional Parameters PTA Plug-in Syntax Examples PTA Plug-in Syntax Examples Using Non-Default Parameter Values Specifying Multiple Authenticating Directory Servers Specifying Different Optional Parameters 502 Overview of the Attribute Uniqueness Plug-in Using the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in Syntax Using the Attribute Uniqueness Plug-in 505 Attribute Uniqueness Plug-in SyntaxSee .3.1, Turning the Plug-in On or Attribute Uniqueness Plug-in Variables Creating an Instance of the Attribute Uniqueness Plug-in Configuring Attribute Uniqueness Plug-ins Configuring Attribute Uniqueness Plug-insViewing Plug-in Configuration Information From the Property Editor From the Configuration tab 509 Turning the Plug-in On or OffSpecifying a Suffix or Subtree Using the markerObjectClass and requiredObjectClass Keywords Specifying One Attribute and Multiple Subtrees From the Command-LineAttribute Uniqueness Plug-in Syntax Examples Specifying One Attribute and One Subtree Simple Replication Scenario Replication and the Attribute Uniqueness Plug-in Multi-Master Replication Scenario Multi-Master Replication Scenario 514 About Windows Sync Active Directory Directory Server Synchronization Process 517 About Windows Sync Configure SSL on Directory Server Configuring Windows Sync Select the Enterprise Root CA option Configure the Active Directory DomainConfigure the Active Directory Iv. Accept the certificate request. For example Select or Create the Sync Identity Domain Install and Configure the Password Sync Service Reboot the Windows machine to start Password Sync Hit Next, then Finish to install Password Sync 523 Install and Configure the Password Give trusted peer status to the server Configure the Directory Server Database for Synchronization Create the Synchronization Agreement Sync Service Setting up the Sync Agreement Synchronizing Users Synchronizing Groups Deleting Entries Using Windows SyncBegin Synchronization Begin Synchronization Synchronizing Users 529 Synchronizing UsersDirectory Server Active Directory PhysicalDeliveryOfficeName Synchronizing Groups Description Member SeeAlso Deleting EntriesDeleting Entries NtGroupAttributes NtGroupId Name SamAccountName NtGroupType Manually Updating and Resynchronizing Entries Resurrecting Entries Checking Synchronization Status Checking Synchronization StatusModifying the Sync Agreement Values for street and streetAddress Schema DifferencesPassword Policies Groups Contraints on the initials attribute Password Sync ServiceModifying Password Sync Starting and Stopping the Password Sync Service Open the Add/Remove Programs utility TroubleshootingUninstalling Password Sync Service To uninstall the Password Sync service, do the following 537 Troubleshooting 538 About the Ldif File Format Appendix A. Ldap Data Interchange Format Field Definition Continuing Lines in LdifTable A.1. Ldif Fields Appendix A. Ldap Data Interchange Format Representing Binary Data Representing Binary DataStandard Ldif Notation Base-64 Encoding Specifying Domain Entries Specifying Directory Entries Using Ldif Ldif Element Description Table A.2. Ldif Elements in Domain EntriesSpecifying Organizational Unit Entries Domain Entries Specifying Organizational Unit Entries Specifying Organizational Person Entries Specifying Organizational Person EntriesTable A.3. Ldif Elements in Organizational Unit Entries Table A.4. Ldif Elements in Person Entries Defining Directories Using Ldif 547 Defining Directories Using Ldif Ldif File Example Storing Information in Multiple Languages Storing Information in Multiple Languages 550 File contents are then converted to UTF-8 Figure B.1. Browsing Entries in the Directory Tab Finding Entries Using the Directory Server Console Appendix B. Finding Directory Entries Using ldapsearch Ldapsearch command must use the following format Ldapsearch Command-Line Format Commonly Used ldapsearch Options Commonly Used ldapsearch Options Returning All Entries Ldapsearch Examples Searching the Root DSE Entry Specifying Search Filters on the Command LineSearching the Schema Entry Using Ldapbasedn This example assumes the search base is set with Ldapbasedn Specifying Search Filters Using a FileDisplaying Subsets of Attributes Ldap Search Filters Using Client Authentication When SearchingLdap Search Filters Specifying DNs That Contain Commas in Search Filters Basic syntax of a search filter is Using Attributes in Search FiltersUsing Operators in Search Filters Search Filter Syntax Search Type Operator Description Using Compound Search FiltersTable B.1. Search Filter Operators Search Filter Syntax Table B.2. Search Filter Boolean Operators Operator Symbol DescriptionSearch Filter Examples Searching an Internationalized Directory Searching an Internationalized Directory Matching Rule Formats Matching Rule Filter Syntax 565 Using an OID for the Matching RuleUsing a Language Tag for the Matching Rule Matching Rule Filter Syntax Table B.3, Search Types, Operators, and Suffixes Using Wildcards in Matching Rule FiltersUsing an OID and Suffix for the Matching Rule Using a Language Tag and Suffix for the Matching Rule Search Type Operator Suffix Supported Search TypesSupported Search Types Equality Example International Search ExamplesLess-Than Example Less-Than or Equal-to Example International Search Examples Greater-Than or Equal-to ExampleGreater-Than Example Substring Example 570 But either one of these will work correctly Hostname Port Components of an Ldap URLLdap URLs have the following syntax Component Component Description Table C.1. Ldap URL ComponentsAppendix C. Ldap URLs Unsafe Character Escape Characters Escaping Unsafe CharactersExamples of Ldap URLs Escaping Unsafe Characters Example 575 Examples of Ldap URLs 576 About Locales Appendix D. Internationalization Locale Language Tag Collation Order Object Identifiers OIDs Identifying Supported LocalesAppendix D. Internationalization 579 Table D.1. Supported LocalesSupported Language Subtypes Supported Language Subtypes Table D.2. Supported Language Subtypes Troubleshooting Matching RulesTroubleshooting Matching Rules 582 See Also ID list scan limit See Also access control instructionSee Also access control list See bind DN GlossaryValue See base DN See Certificate Authority See Also virtual list view index See Also template entry Directory Access Protocol. The ISO X.500 standard protocolThat provides client access to the directory See Ldap client See Directory Manager See CoS definition entrySee directory tree See distinguished name See Directory Server Gateway See Also cascading replication See Ldap Data Interchange Format See Snmp master agent See supplier Directory tree Between Snmp devices. Also protocol data unit See Also access rightsSee object identifier Encoded messages which form the basis of data exchanges Name. Also relative distinguished name Receives to the authenticating directory serverAuthenticating directory server, pass-through subtrees, Comments on the technologies before they become accepted Request for Comments. Procedures or standards documentsProcess is called a referral Submitted to the Internet community. People can send See supplier-initiated replication Directory Server during installationServer Instance Entry. The ID assigned to an instance See Snmp subagent Simple Network Management ProtocolSubagent See Also browsing index See CoS template entryProtocol. Also Transport Layer Security Page 600 Index Index Page Index Page Index Ldapbasedn Index Ldif Index MIB Index Page Index Page MIB Page Index