Managing Sasl | HP UX Red Hat Direry Server Software instruction

Chapter 12.

Managing SASL

Red Hat Directory Server supports LDAP client authentication through the Simple Authentication and Security Layer (SASL), an alternative to TLS/SSL and a native way for some applications to share information securely.

Directory Server supports SASL authentication using the DIGEST-MD5and GSS-APImechanisms, allowing Kerberos tickets to authenticate sessions and encrypt data. This chapter describes how to use SASL with Directory Server.

SASL is a framework, meaning it sets up a system that allows different mechanisms to be used to authenticate a user to the server, depending on what mechanism is enabled in both client and server applications.

SASL can also set up a security layer for an encrypted session. Directory Server utilizes the GSS-APImechanism to encrypt data during sessions.

NOTE

SASL data encryption is not supported for client connections that use TLS/SSL.

1. Authentication Mechanisms

Directory Server support the following SASL encryption mechanisms:

•EXTERNAL. The EXTERNAL authentication mechanism is utilized by services such as TLS/SSL. It can be used with public keys for strong authentication, such as client certificate-based authentication.

•CRAM-MD5.CRAM-MD5is a simple challenge-response authentication method that provides no security layer. Red Hat recommends using a more secure mechanism such as

DIGEST-MD5 or GSS-API.

•DIGEST-MD5.DIGEST-MD5is a mandatory authentication method for LDAPv3 servers. While it is not as strong as public key systems or Kerberos authentication methods, it is preferred over plain text passwords and does protect against plain text attacks.

•Generic Security Services (GSS-API).Generic Security Services (GSS) is a security API that is the native way for UNIX-based operating systems to access and authenticate Kerberos services. GSS-APIalso supports session encryption, similar to TLS/SSL. (However, GSS-APIis not compatible with TLS/SSL; they cannot be used simultaneously.) This allows LDAP clients to authenticate with the server using Kerberos version 5 credentials (tickets) and to use network session encryption.

421

Image 441

HP UX Red Hat Direry Server Software manual Managing Sasl, Authentication Mechanisms

Contents

Administrators Guide Red Hat Directory Server Copyright 2008 Red Hat, Inc Red Hat Directory Server 8.0 Administrators Guide Red Hat Directory Server General Red Hat Directory Server Usage Creating and Maintaining Databases Creating and Maintaining SuffixesCreating and Maintaining Database Links Creating a New Database LinkPage Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Xvi Preface Directory Server Overview When shown as below, it indicates computer output Example and Default ReferencesDocument Conventions Preface Xix Document Conventions Related Information Chapter Directory Server File Locations Red Hat Enterprise Linux 4 and 5 General Red Hat Directory Server UsageFile or Directory Location HP-UX 11i IA64 Sun Solaris 9 sparcLdap Tool Locations Binaries Starting and Stopping Servers Ldap Tool LocationsPlatform Directory Location Opt/dirsrv/bin Starting and Stopping Directory Server from the Console Starting and Stopping Directory Server fromStart the Directory Server Console Solaris uses /etc/init.d Starting and Stopping Administration Server Starting the Directory Server Console On Solaris, the service is init.dConsole HP-UX has a different location for the script Login screen Changing Login IdentityLogging into Directory Server Click Log on to the Directory Server as a New User Changing Directory Server Port Numbers Viewing the Current Console Bind DNViewing the Current Console Bind DN General Red Hat Directory Server Usage Configuration tab, select the Configuration DS tab Open the Administration Server ConsoleCreating a New Directory Server Instance Creating a New Directory Server Instance Configuring the Directory Manager Configuring the Directory Manager Page Creating a Root Entry Managing Entries from the Directory Console Creating Directory Entries Directory Server Console, select the Configuration tabCreating Directory Entries Template Object Class Role NsRoleDefinition Class of Service CosSuperDefinition Creating an Entry Using a Predefined TemplateCreating Other Types of Entries Entry Templates and Corresponding Object Classes Displaying the Property Editor Modifying Directory Entries Removing an Object Class Adding an Object Class to an EntryAdding an Attribute to an Entry Modifying Directory Entries Adding Very Large Attributes Removing an Attribute Value Adding Attribute Values Language Subtype Adding an Attribute SubtypeBinary Subtype Instead, use Pronunciation Subtype Deleting Directory EntriesAdding a Subtype to an Attribute Deleting Directory Entries Managing Entries from the Command-Line Providing Input from the Command-LineEntries, use Ctrl or Shift Select Delete from the Edit menu Creating a Root Entry from the Command-Line See , Ldif Update StatementsCreating a Root Entry from Adding Entries Using Ldif Adding and Modifying Entries Using ldapmodifyImport the Ldif file from the Directory Server Console Adding Entries Using ldapmodify Command-LineParameter Name Description Modifying Entries Using ldapmodify Input from the Command-LineLdapmodify Parameters Used for Adding Entries Deleting Entries Using ldapdelete Deleting Entries Using ldapdeleteLdapmodify Parameters Used for Modifying Entries Hostname is cyclops Server uses port number This ldapdelete example has the following values Are branch points in the directory tree Using Special Characters Using Special CharactersTracking Modifications to Directory Entries Ldapdelete Parameters Used for Deleting Entries Ldif Update Statements Select the Track Entry Modification Times checkboxOpen the Tasks tab, and click Restart Directory Server General format of Ldif update statements is as follows Ldif Update Statements Following sections describe the change types in detail Adding an Entry Using Ldif Renaming an Entry Using Ldif Renaming an Entry Using LdifFollowing command renames Sue Jacobs to Susan Jacobs Addattribute Modifying an Entry Using Ldif Adding Attributes to Existing Entries Using Ldif Modifying an Entry Using LdifFollowing example adds two telephone numbers to the entry Changing an Attribute Value Using Ldif Deleting All Values of an Attribute Using Ldif Deleting a Specific Attribute Value Using LdifEntry is now as follows Barneys entry then becomes Deleting an Entry Using Ldif Modifying an Entry in an Internationalized Directory Maintaining Referential IntegrityHow Referential Integrity Works Modifying an Entry in an Internationalized Using Referential Integrity with Replication You can enable or disable referential integrity as follows Modifying the Update IntervalEnabling/Disabling Referential Integrity Directory Modifying the Attribute List Modifying the Attribute List TIPPage A Sample Directory Tree with One Root Suffix Creating and Maintaining Suffixes Configuring Directory Databases Creating Suffixes 1, Using Referrals in a SuffixCreating Suffixes Creating Suffixes A Sample Directory Tree with a Sub Suffix Creating a New Sub Suffix Using the Console Creating a New Root Suffix Using the Console Creating Root and Sub Suffixes from the Command-Line Attribute Name Value Attribute. See , Creating Creating and Maintaining Database Links forMaintaining Databases for more information Creating and Maintaining Databases for Using Referrals in a Suffix Maintaining SuffixesSuffix Attributes Disabling a Suffix Enabling Referrals Only During Update OperationsMaintaining Suffixes To requests from client applications Click Save Creating and Maintaining Databases Creating DatabasesDeleting a Suffix Creating Databases Configuring Directory Databases For example, add a new database to the server example1 Adding Multiple Databases for a Single Suffix Configuring Directory Databases Placing a Database in Read-Only Mode Maintaining Directory DatabasesMaintaining Directory Databases Making a Database Read-Only from the Command Line Making a Database Read-Only Using the ConsoleSelect the database is read-only checkbox Change the read-only attribute to on Deleting a Database Placing the Entire Directory Server in Read-Only ModeSelect the Make Entire Server Read-Only checkbox Click Save, and then restart the server Database Encryption Configuring Transaction Logs for Frequent Database Updates Database Encryption Encryption Keys Configuring Database Encryption from the Console Encryption CiphersSelect the Attribute Encryption tab Configuring Database Encryption Using the Command-Line Run the ldapmodify command1Exporting and Importing an Encrypted Database See .3, Importing from the Command-Linefor more information Creating and Maintaining Database Links Configuring the Chaining PolicyChaining Component Operations Creating and Maintaining Database Links NsActiveChainingComponents Cn=resource Component Name Description Permissions NsActiveChainingComponents Cn=certificate-based Configuring the Chaining Policy Components Allowed to Chain Chaining Component Operations Using the Console Chaining Component Operations from the Command-Line Chaining Ldap ControlsPlug-in Chaining Ldap Controls from the Command-Line Chaining Ldap Controls Using the Console Creating a New Database Link Creating a New Database Link Using the ConsoleLdap Controls and Their OIDs Creating a New Database Link Configuring Directory Databases Specify the configuration information for the database link Creating a Database Link from the Command-Line Providing Bind Credentials Providing Suffix Information NsMultiplexorBindDN cannot be that of the Directory Manager Providing an Ldap URL Providing a List of Failover Servers Summary of Database Link Configuration AttributesFile Attributes Value Operations 1, Chaining Component Attributes Value Run ldapmodify1 to add a database link to server a Create an administrative user on server B, as follows Updating Remote Server Authentication Information Chaining Using SSLEnable SSL on the server that contains the database link Maintaining Database Links Database Links and Access Control Evaluation Database Links and Access ControlDeleting Database Links Configuring Directory Databases Managing Connections to the Remote Server Using the Console Advanced Feature Tuning Database Link PerformanceManaging Connections to the Remote Server Evaluation Attribute Name Description Detecting Errors During Normal Processing Advanced Feature Tuning Database LinkDatabase Link Connection Management Attributes Managing Threaded Operations Database Link Processing Error Detection Parameters Advanced Feature Configuring Cascading Chaining Overview of Cascading ChainingPerformance Configuring Directory Databases Advanced Feature Configuring Cascading Configuring Cascading Chaining Defaults Using the Console Configuring Cascading Chaining Using the Console Chaining Configuring Cascading Chaining from the Command-Line Configuring Directory Databases Summary of Cascading Chaining Configuration Attributes Detecting LoopsAttribute Description Cascading Chaining Configuration Example Cascading Chaining Configuration AttributesAci This attribute must contain the following ACI 101 Configuring Server One 102 Configuring Server Two 103 Configuring Directory Databases Allow this Configuring Server Three Using Referrals Starting the Server in Referral ModeClient on server two Setting a Default Referral Using the Console Setting Default ReferralsSetting a Default Referral from the Command-Line Setting Default Referrals Creating Smart Referrals Creating Smart Referrals Using the Directory Server Console Creating Smart Referrals from the Command Line Creating Smart Referrals109 Creating Suffix Referrals Creating Suffix Referrals Using the Console Creating Suffix Referrals Creating Suffix Referrals from the Command-Line Configuring Directory Databases Importing Data Import Method ComparisonAction Import Initialize Database Importing a Database from the Console Populating Directory DatabasesFollowing sections describe importing data Initializing a Database from the Console Initializing a Database from the Console Importing Using the ldif2db Command-Line Script Importing from the Command-Line Option Description Importing from the Command-Line Importing Using the ldif2db.pl Perl Script Ldif2db ParametersRun the ldif2db script Run the ldif2ldap command-line script Importing Using the ldif2ldap Command-Line ScriptExporting Data Ldif2db Options Splitting a Database Contents into Two Databases Exporting Directory Data to Ldif Using Exporting Directory Data to Ldif Using the Console Exporting to Ldif from the Command-Line Exporting a Single Database to Ldif Using the Console Ldif file in this case would be Run the db2ldif command-line scriptDirectory and is automatically named With the -noption or 123 Backing up All Databases Backing up and Restoring DataBacking up All Databases from the Server Console Db2ldif Options Run the db2bak command-line script Backing up All Databases from the Command-LineBacking up All Databases Click Back Up Directory Server Click Restore Directory Server Backing up the dse.ldif Configuration FileRestore Directory dialog box is displayed 126 Restoring All Databases Using the bak2db Command-Line Script Restoring Your Database from the Command-LineUsing bak2db.pl Perl Script Restoring All Databases Restoring a Single Database Run the bak2db.pl Perl scriptRestart the Directory Server Restoring the dse.ldif Configuration File Restoring Databases That Include Replicated EntriesRestoring Databases That Include 130 About Roles Using Roles Managing Entries with Roles, Class of Service, and Views Managing Roles Using the Console Managing Roles Using the Console 134 Creating a Managed Role Creating a Filtered Role Follow the steps of .2.1, Creating a Managed Role135 Viewing and Editing an Entrys Roles Creating a Nested RoleCreate a new role, as in .2.1, Creating a Managed Role 136 Modifying a Role Entry Making a Role Inactive137 Deleting a Role Reactivating a Role Managing Roles Using the Command-Line Managing Roles Using the Command-LineObject Classes and Attributes for Roles Dialog box appears to confirm the deletion. Click Yes Examples Managed Role Definition 141 Example Filtered Role Definition Example Nested Role Definition Using Roles Securely Assigning Class of Service Assigning Class of Service About the CoS Definition Entry About CoS About the CoS Template Entry How a Pointer CoS WorksAbout CoS Sample Pointer CoS How an Indirect CoS Works Sample Indirect CoS How a Classic CoS Works Sample Classic CoS Searches for CoS-Specified Attributes Managing CoS Using the Console Managing CoS Using the ConsoleCreating a New CoS 150 Property Editor opens Creating the CoS Template Entry Deleting a CoS Editing an Existing CoS Creating the CoS Definition Entry from the Command-Line Managing CoS from the Command-LineManaging CoS from the Command-Line CoS Type Object Classes Description CoS Definition Entry Object Classes CoS Definition Entry AttributesAttribute Definition Managing CoS from the Command-Line CoS Type CoS definition CoS DefinitionsPointer CoS Indirect CoS Be added to any other search filter using or Creating the CoS Template Entry from the Command-Line 158 Example of a Pointer CoS Create the template entry Example of an Indirect CoS Example of a Classic CoS Creating Role-Based Attributes Creating Role-Based AttributesClassic CoS definition entry looks like Access Control and CoS Using Views Creating Views in the Console Creating Views in the Console Deleting Views from the Directory Server Console Creating Views from the Command Line Deleting Views from the Command Line Using GroupsDeleting Views from the Command Line Managing Static Groups Modifying a Static Group Adding a New Static Group Adding a New Dynamic Group Managing Dynamic GroupsModifying a Dynamic Group Managing Dynamic Groups 168 ACI Structure Access Control Principles Managing Access Control ACI PlacementACI Evaluation ACI Limitations Default ACIs Default ACIs Creating ACIs Manually Defining Targets ACI SyntaxDefining Targets Aci attribute uses the following syntax Keyword Valid Expressions Wildcard Allowed Ldif Target KeywordsTargetattr Targetfilter 175 Targeting a Directory Entry Targeting Attributes 177 Targeting Both an Entry and Attributes 178 Targeting Entries or Attributes Using Ldap Filters Targeting Attribute Values Using Ldap Filters Targeting a Single Directory Entry Defining Permissions Assigning Rights Allowing or Denying AccessDefining Permissions Assigning rights User Rights Rights Required for Ldap OperationsSelfwrite to the targeted entry, excluding Proxy rights 183 Access Control and the modrdn Operation Bind RulesPermissions Syntax Bind Rule Syntax Bind Rule SyntaxUserdn Yes, in DN only Ldif Bind Rule Keywords Defining User Access userdn KeywordGroupdn Ldap///DN DN Roledn Userattr Dns General Access all Keyword Anonymous Access anyone KeywordSelf Access self Keyword Parent Access parent Keyword Wildcards ExamplesScenExamplerio Description Userdn Keyword Examples Defining Group Access groupdn Keyword Defining Group Access groupdn Keyword Defining Role Access roledn KeywordGroupdn Examples Defining Access Based on Value Matching Using the userattr KeywordDefining Access Based on Value Matching Example with Userdn Bind Type Example with Groupdn Bind TypeAttrValue is any string representing an attribute value Example with Roledn Bind Type Example with Ldapurl Bind Type193 Example with Any Attribute Value Using the userattr Keyword with Inheritance Granting Add Permission Using the userattr Keyword Using Inheritance With the userattr Keyword Defining Access from a Specific IP Address Defining Access from a Specific Domain Defining Access from a Specific DomainInstead, use a fully qualified name Dns keyword allows wildcards. For example Defining Access at a Specific Time of Day or Day of Week Defining Access Based on Authentication Defining Access Based on Authentication Method Authmethod = saslmechanism Using Boolean Bind Rules Authentication bind DN and password over LdapsMethod Creating ACIs from the Console Displaying the Access Control Editor Displaying the Access Control EditorClick New to open the Access Control Editor Creating a New ACI Access Control Editor Window Creating a New ACI Managing Access Control Creating a New ACI Managing Access Control Editing an ACI Editing an ACI Viewing ACIs Deleting an ACIControl Manager Get Effective Rights Control Get Effective Rights Control PermissionsGet effective rights result looks like the following Permissions That Can Be Set on Entries Using Get Effective Rights from the Command-LinePermissions That Can Be Set on Attributes Permission Description Using Get Effective Rights from 214 Get Effective Rights Return Codes Using Get Effective Rights from the ConsoleCheck the Show effective rights checkbox Code Description Logging Access Control Information Access Control Usage ExamplesReturned Result Codes Granting Anonymous Access Granting Anonymous Access Click OK in the Access Control Editor window Click New to display the Access Control EditorACI Anonymous example.com ACI Anonymous World Granting Write Access to Personal Entries Granting Write Access to Personal EntriesFilter for subentries field, type the following filter 220 ACI Write example.com ACI Write Subscribers Restricting Access to Key Roles Restricting Access to Key Roles See , Using RolesACI Roles Granting a Group Full Access to a Suffix ACI HRLdif statement should read as follows ACI Create Group Granting Rights to Add and Delete Group Entries Managing Access Control Granting Conditional Access to a Group or Role ACI Delete GroupEntries 228 ACI HostedCompany1 Denying Access Denying AccessLdif statement should be similar to the following ACI Billing Info Read 231 ACI Billing Info Deny Allowing Users to Add or Remove Themselves from a Group Setting a Target Using Filtering Allowing Users to Add or Remove ACI Group Members Defining Permissions for DNs That Contain a Comma Proxied Authorization ACI Example Advanced Access Control Using Macro ACIs Macro ACI ExampleThemselves from a Group 236 Example Directory Tree for Macro ACIs Macro ACI Syntax Macro ACI Syntax Macro Matching for $dn Macros in ACI KeywordsMacro ACI Keyword $dn in the subject is replaced with dc=hostedCompany1 Steps for expanding this ACI are as follows Macro Matching for $attr.attrName For example, consider the following ACI240 Access Control and Replication Access Control and ReplicationCompatibility with Earlier Releases 242 Configuring the Password Policy Managing the Password Policy Managing User Accounts and Passwords Configuring a Global Password Policy Using the Console Configuring the Password Policy Check the Enable fine-grained password policy checkbox Configuring a Subtree/User Password Policy Using the Console Attribute Name Definition Configuring a Global Password Policy Using the Command-Line Given by the passwordMaxAge attribute Users password will expire after an intervalMaking passwords expire helps protect Directory data because the longer a password For example, setting the minimum password Discourage users from reusing old passwordsChanging their passwords during a single Session to cycle through the password history Passwords can be two 2 to 512 characters Shorter passwords are easier to crackIt down. This attribute is set to 8 by default Attributes, respectively. By default, this Default method This attribute is set to 3 by defaultCompatibility with Unix passwords Lowercase letters a to z Password Policy Attributes CoS specification entry at the subtree level. For example 254 Password Change Extended Operation Setting User PasswordsSetting User Passwords Start the server Ldappasswd Options Parameter Description256 Configuring the Account Lockout Policy Configuring the Account Lockout Policy Using the ConsoleConfiguring the Account Lockout Policy Attribute Name Definition Managing the Password Policy in a Replicated Environment Managing the Password Policy in aAccount Lockout Policy Attributes Synchronizing Passwords Replicated Environment Inactivating Users and Roles Inactivating User and Roles Using the Console Inactivating User and Roles Using the Command-LineOption Name Description Activating User and Roles Using the Command-Line Activating User and Roles Using the ConsoleActivating User and Roles Using DN of the user account or role to activate Setting Resource Limits Using the Console Setting Resource Limits Based on the Bind DN Entering a value of -1indicates no limit Click OK Setting Resource Limits Using the Command-Line 266 Replication Overview What Directory Units Are ReplicatedRead-Write and Read-Only Replicas Changelog Suppliers and ConsumersReplication Identity Managing Replication Replication Agreement Compatibility with Earlier Versions of Directory ServerReplication Agreement Single-Master Replication Replication Scenarios Multi-Master Replication Multi-Master Replication 272 Multi-Master Replication Two Masters Multi-Master Replication Four Masters Replication Cascading Replication Creating the Supplier Bind DN Entry Creating the Supplier Bind DN Entry Configuring Single-Master Replication Configuring the Read-Write Replica on Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Supplier Server Create the Replication Agreement Create the Replication Agreement Managing Replication Create the Replication Agreement Replication will not begin until the consumer is initialized Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier Servers Configuring Multi-Master Replication 287 Configuring the Read-Write Replicas on Managing Replication Supplier Servers Configuring the Read-Only Replicas on the Consumer Servers Managing Replication Setting up the Replication Agreements Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized 297 Preventing Monopolization of the Consumer Configuring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Server Configuring the Read-Only Replica on Configuring the Read-Only Replica on the Hub Consumer Server Managing Replication Setting up the Replication Agreements Managing Replication DN and password Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Configuring Replication from the Command Line Configuring Suppliers from the Command LineConfiguring Replication from the Command 312 Line Changelog AttributesObject Class or Attribute Description Values Changelog, to which 314 Consumer. This is required for Configuring Consumers from the Command Configuring Consumers from the Command LineForward update requests. By Replica Attributes Configuring Hubs from the Command Line Configuring Replication Agreements from the Command Line Parameter to SSL. If TLS/SSL 318 Qualified host and domain Replication between Servers Nsds5replicabindcredentials Configuring Replication Agreements fromNsds5replicatedattributelist Objectclass=* $ Exclude Attributes will not be Midnight and 2359 is PM. For example, the setting Replication Agreement Attributes320 Command Line Initializing Consumers Online from the Command Line Deleting the Changelog Making a Replica Updatable Removing the Changelog Initializing ConsumersMoving the Changelog to a New Location Moving the Changelog to a New Location Online Consumer Initialization Using the Console When to Initialize a Consumer Initializing Consumers Online Using Initializing Consumers Online Using the Command Line Exporting a Replica to Ldif Manual Consumer Initialization Using the Command Line Importing the Ldif File to the Consumer Server Filesystem Replica Initialization Initializing the Consumer Replica from the Backup Files Forcing Replication Updates Forcing Replication UpdatesStop the destination Directory Server if it is running Restart the destination Directory Server. For example Forcing Replication Updates from the Command-Line Forcing Replication Updates from the Console Example 8.1. ReplicateNow Script Example Replicating Account Lockout AttributesReplicateNow Variables Replicating Account Lockout Attributes Replication over SSL Select SSL Client Authentication Select Simple AuthenticationReplicating o=NetscapeRoot for Directory Server Installation Guide Administration Server Failover Replication with Earlier ReleasesSee , Enabling and Disabling Plug-ins Using the Retro Changelog Plug-in Attributes of a Retro Changelog Entry Enabling the Retro Changelog Plug-inEnabling the Retro Changelog Plug-in Retro Changelog Entry Trimming the Retro Changelog Retro Changelog and the Access Control Retro Changelog and the Access Control PolicyMonitoring Replication Status Searching and Modifying the Retro Changelog Monitoring Replication Status from Administration Express Directory Server Console Replication StatusTable Header Description Table header shows the replica ID 341 Policy Solving Common Replication Conflicts Solving Naming Conflicts Renaming an Entry with a Multi-Valued Naming AttributeSolving Naming Conflicts 344 Unique identifier attribute nsuniqueid cannot be deleted Renaming an Entry with a Single-Valued Naming Attribute Solving Orphan Entry Conflicts Solving Potential Interoperability Problems Troubleshooting Replication-Related Troubleshooting Replication-Related Problems Error/Symptom Reason Impact Remedy Problems If it has been But some consumers Follows Are way behind SupplierReplayed to all Direct consumers See Section Replication ErrorsMonitoring Replication Status 352 Managing Attributes Overview of Extending SchemaViewing Attributes Create new attributes, as in .2, Creating Attributes Field Extending the Directory SchemaName Syntax Attributes Tab Reference Creating AttributesCreating Attributes Field Description Editing Attributes Deleting AttributesOIDs are described in .1, Attributes Tab Reference Managing Object Classes This procedure is explained in .4, Deleting AttributesViewing Object Classes Managing Object Classes Reference Parent358 Creating Object Classes Object Classes Tab ReferenceCreating Object Classes Click OK to save the new object class Editing Object Classes Deleting Object Classes Deleting Object Classes Turning Schema Checking On and Off About Index Types About Indexes Overview of Default Indexes About Default, System, and Standard IndexesManaging Indexes Attribute Pres Sub Purpose Maintaining About Default, System, and StandardReferential Integrity for Default Indexes Overview of System Indexes366 Overview of Standard Indexes Overview of the Searching AlgorithmSystem Indexes Attribute Pres Purpose Managing Indexes Approximate Searches Balancing the Benefits of IndexingApproximate Searches Directory Server is maintaining the following indexes 370 Creating Indexes Creating Indexes Creating Indexes from the Server Console Creating Indexes from the Command-Line Creating Indexes from the Command-LineAdding an Index Entry 374 To create a new index for a particular database, add it to Creating Indexes from the Command-Line Db2index.pl Options Running the db2index.pl ScriptRun the db2index.pl Perl script Db2index Options describes the db2index.pl options Creating Browsing Indexes from the Server Console Creating Browsing Indexes from the Command-LineAdding a Browsing Index Entry Creating Browsing Indexes from Managing Indexes This first browsing index entry must be added to Running the vlvindex Script Vlvindex Options Setting Access Control for VLV InformationStop the server.3 Run the vlvindex script Deleting Indexes Deleting IndexesA text editor, open the dse.ldif file Change ldap//all to ldap//anyone and save your changes Deleting Indexes from the Server Console Deleting Indexes from the Command-Line Deleting Indexes from the Command-Line Deleting an Index EntryLdapdelete Options describes the ldapdelete options Run the db2index.pl Perl script. For example Ldapdelete Options Deleting Browsing Indexes from the Server Console Deleting Browsing Indexes from the Command-LineDeleting a Browsing Index Entry Db2index Options Option Description Vlvindex Options describes the vlvindex options Managing Indexes Search Performance Indexing Performance Backwards Compatibility and Migration Attribute Name Quick Reference Table Backwards Compatibility and MigrationAttribute Primary Name Attribute Alias Attribute Name Quick Reference Table Attribute Name Quick Reference Table391 392 Enabling SSL Summary of Steps Introduction to TLS/SSL in the Directory Server Command-Line Functions for Start TLS Managing SSLTurn on TLS/SSL in the directory Obtaining and Installing Server Certificates Troubleshooting Start TLSObtaining and Installing Server Certificates Generate a Certificate Request Generate a Certificate Request Managing SSL After generating the certificate request, send it to the CA Send the Certificate Request Install the Certificate Trust the Certificate Authority Trust the Certificate Authority Confirm That The New Certificates Are Installed Using certutil Create a password file for the security token password Creating Directory Server CertificatesGenerate the Directory Server client certificate 404 Through the Command Line Starting the Server with TLS/SSL EnabledCertutil Usage Certutil Options Click Cipher Settings Enabling TLS/SSL Only in the Directory ServerSelect the certificate to use from the drop-down menu Enabling TLS/SSL Only in the Directory Described in , Starting and Stopping Servers Server Click Cipher Settings Check the Use SSL in the Console box. Hit Save409 Creating a Password File for the Directory Server Creating a Password File for Creating a Password File for the Administration Server Setting Security Preferences Restart the Administration ServerAvailable Ciphers TLSv1 Ciphers Administration Server Click Cipher Setting Selecting the Encryption CipherSSLv3 Ciphers Using Certificate-Based Authentication Using Certificate-Based AuthenticationEncryption tab, click Save Allowing/Requiring Client Authentication Setting up Certificate-Based Authentication Configuring Ldap Clients to Use SSL Configuring Ldap Clients to Use SSLStop the Directory Server Now start Red Hat Console Begin Certificate Client certificate resembles the following Configuring Ldap Clients to Use SSL Click Set Value 420 Managing Sasl Authentication Mechanisms Sasl is configured by entries under a container entry 422 Sasl Identity MappingManaging Sasl Sasl Identity Mapping Sasl identity mapping entries are children of this entry423 Configuring Sasl Identity Mapping from the Console Configuring Sasl Identity Mapping from Configuring Kerberos Configuring Sasl Identity Mapping from the Command-LineSupported Kerberos Systems Operating System Kerberos Version Realms Configuring the KDC Server Example Configuring an Example KDC Server Configuring Sasl Authentication at Configuring Sasl Authentication at Directory Server Startup Managing Sasl Viewing and Configuring Log Files Administration ExpressDefining a Log File Rotation Policy Monitoring Server and Database Activity Viewing the Access Log Access LogDefining a Log File Deletion Policy Defining a Log File Deletion Policy Display to refresh automatically every ten seconds Configuring the Access Log Error Log Viewing the Error LogError Log Configuring the Error Log Containing text box, and click RefreshClick Save 436 Audit Log Configuring the Audit LogViewing the Audit Log Audit Log Monitoring Server Activity Manual Log File Rotation Monitoring the Server from the Directory Monitoring the Server from the Directory Server Console Resource Summary General Information ServerResource Usage Since Startup Average Per Minute Resource Current Total Server Console Current Resource UsageConnection can account for multiple Operations, and therefore multiple threads Connection Status Monitoring the Directory Server from the Command Line Global Database Cache InformationMonitoring the Directory Server from 444 Attribute Description Monitoring Database Activity Server Monitoring AttributesTime GMT in UTC format Maximum Cache Size setting. See Section See , Tuning DatabaseGeneral Information Database Performance Metric Current Total Cache setting. See , Tuning Tuning Database Performance forSummary Information Monitoring Database Activity from Monitoring Databases from the Command Line Database Cache Information10. Database File-Specific Directory Server Console Maximum Entries in Cache attribute 11. Directory Server Monitoring Attributes Monitoring Database Link ActivityMonitoring Database Link Activity Lower the number of page evicts the better 452 12. Database Link Monitoring Attributes About Snmp Snmp Subagent Configuration File Configuring the Master Agent Configuring the SubagentMonitoring Directory Server Using Snmp Agentx-master Agent-logdir Starting the SubagentServer Starting the Subagent Testing the Subagent Configuring Snmp Traps Configuring the Directory Server for Snmp Using the Management Information BaseConfiguring the Directory Server for Snmp Managed Object Description Operations Table Entries Table Operations Table Managed Objects and Descriptions Entries Table Entity TableEntries Table Managed Objects and Descriptions Interaction Table Entity Table Managed Objects and DescriptionsInteraction Table Management subsystem was initialized, this Interaction Table Managed Objects and DescriptionsObject will contain a value of zero 462 Tuning Server Performance Tuning Directory Server Performance Tuning Database Performance Tuning Directory Server PerformanceOptimizing Search Performance Optimizing Search Performance Changing the Location of the Database Transaction Log Tuning Transaction Logging Changing the Database Checkpoint Interval Changing the Database Checkpoint Interval Miscellaneous Tuning Tips Disabling Durable TransactionsSpecifying Transaction Batching Avoid Creating Entries Under the cn=config 470 Bit Check Plug-in Server Plug-in Functionality ReferenceACL Plug-in Details of 7-Bit Check Plug-in ACL Preoperation Plug-in Administering Directory Server Plug-insBinary Syntax Plug-in Details of ACI Plug-in Case Exact String Syntax Plug-in Boolean Syntax Plug-inDetails of Binary Syntax Plug-in Details of Boolean Syntax Plug-in Chaining Database Plug-in Case Ignore String Syntax Plug-inDetails of Case Exact String Syntax Plug-in Details of Case Ignore String Syntax Plug-in Details of Class of Service Plug-in Class of Service Plug-inClass of Service Plug-in Country String Syntax Plug-in Generalized Time Syntax Plug-in Distinguished Name Syntax Plug-in10. Details of Country String Plug-in 11. Details of Distinguished Name Syntax Plug-in Internationalization Plug-in Integer Syntax Plug-in12. Details of Generalized Time Syntax Plug-in 13. Details of Integer Syntax Plug-in Legacy Replication Plug-in Ldbm Database Plug-in14. Details of Internationalization Plug-in 15. Details of ldbm Database Plug-in Octet String Syntax Plug-in Multi-Master Replication Plug-in16. Details of Legacy Replication Plug-in 17. Details of Multi-Master Replication Plug-in Crypt Password Storage Plug-in Clear Password Storage Plug-in19. Details of Clear Password Storage Plug-in 18. Details of Octet String Syntax Plug-in 20. Details of Crypt Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in21. Details of NS-MTA-MD5 Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in SHA Password Storage Plug-in Ssha Password Storage Plug-in22. Details of SHA Password Storage Plug-in Postal Address String Syntax Plug-in 23. Details of Ssha Password Storage Plug-inPTA Plug-in 24. Details of Postal Address String Syntax Plug-in Authentication Plug-in Using the Pass-throughSee , Using the Pass-through Referential Integrity Postoperation Plug-in 26. Details of Referential Integrity Post-Operation Plug-in Retro Changelog Plug-inRetro Changelog Plug-in See , Managing Indexes for Space Insensitive String Syntax Plug-in Roles Plug-in27. Details of Retro Changelog Plug-in 28. Details of Roles Plug-in 29. Details of Space Insensitive String Syntax Plug-in State Change Plug-inState Change Plug-in See Appendix B, Finding Directory Entries UID Uniqueness Plug-in Telephone Syntax Plug-in30. Details of State Change Plug-in 31. Details of Telephone Syntax Plug-in URI Plug-in See , Using the Attribute32. Details of UID Uniqueness Plug-in URI Plug-in 33. Details of URI Plug-in Enabling and Disabling Plug-ins How Directory Server Uses PTA Using the Pass-through Authentication Plug-in PTA Plug-in Syntax Using the Pass-through Authentication Plug-in Variable Definition PTA Plug-in Syntax Configuring the Optional Parameters for See .5, Configuring the OptionalSpecifying the Pass-through Subtree for Configuring the PTA Plug-in Configuring the PTA Plug-inPTA Plug-in Parameters Configuring the Servers to Use a Secure Connection Specifying the Authenticating Directory ServerTurning the Plug-in On or Off Specifying the Pass-through Subtree Specifying the Pass-through Subtree Configuring the Optional Parameters PTA Plug-in Syntax Examples PTA Plug-in Syntax Examples Using Non-Default Parameter Values Specifying Multiple Authenticating Directory Servers Specifying Different Optional Parameters 502 Overview of the Attribute Uniqueness Plug-in Using the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in Syntax Using the Attribute Uniqueness Plug-in Attribute Uniqueness Plug-in Syntax See .3.1, Turning the Plug-in On or505 Attribute Uniqueness Plug-in Variables Creating an Instance of the Attribute Uniqueness Plug-in Configuring Attribute Uniqueness Plug-ins Viewing Plug-in Configuration InformationConfiguring Attribute Uniqueness Plug-ins From the Property Editor From the Configuration tab Turning the Plug-in On or Off Specifying a Suffix or Subtree509 Using the markerObjectClass and requiredObjectClass Keywords Attribute Uniqueness Plug-in Syntax Examples From the Command-LineSpecifying One Attribute and One Subtree Specifying One Attribute and Multiple Subtrees Simple Replication Scenario Replication and the Attribute Uniqueness Plug-in Multi-Master Replication Scenario Multi-Master Replication Scenario 514 About Windows Sync Active Directory Directory Server Synchronization Process 517 About Windows Sync Configure SSL on Directory Server Configuring Windows Sync Configure the Active Directory Domain Configure the Active DirectorySelect the Enterprise Root CA option Iv. Accept the certificate request. For example Select or Create the Sync Identity Domain Install and Configure the Password Sync Service Reboot the Windows machine to start Password Sync Hit Next, then Finish to install Password Sync 523 Install and Configure the Password Give trusted peer status to the server Configure the Directory Server Database for Synchronization Create the Synchronization Agreement Sync Service Setting up the Sync Agreement Begin Synchronization Using Windows SyncBegin Synchronization Synchronizing Users Synchronizing Groups Deleting Entries Synchronizing Users Synchronizing Users Directory Server Active Directory529 PhysicalDeliveryOfficeName Synchronizing Groups Deleting Entries Deleting EntriesNtGroupAttributes NtGroupId Name SamAccountName NtGroupType Description Member SeeAlso Manually Updating and Resynchronizing Entries Resurrecting Entries Checking Synchronization Status Modifying the Sync AgreementChecking Synchronization Status Password Policies Schema DifferencesGroups Values for street and streetAddress Modifying Password Sync Password Sync ServiceStarting and Stopping the Password Sync Service Contraints on the initials attribute Uninstalling Password Sync Service TroubleshootingTo uninstall the Password Sync service, do the following Open the Add/Remove Programs utility 537 Troubleshooting 538 About the Ldif File Format Appendix A. Ldap Data Interchange Format Table A.1. Ldif Fields Continuing Lines in LdifAppendix A. Ldap Data Interchange Format Field Definition Standard Ldif Notation Representing Binary DataBase-64 Encoding Representing Binary Data Specifying Domain Entries Specifying Directory Entries Using Ldif Specifying Organizational Unit Entries Table A.2. Ldif Elements in Domain EntriesDomain Entries Ldif Element Description Specifying Organizational Unit Entries Specifying Organizational Person Entries Table A.3. Ldif Elements in Organizational Unit EntriesSpecifying Organizational Person Entries Table A.4. Ldif Elements in Person Entries Defining Directories Using Ldif 547 Defining Directories Using Ldif Ldif File Example Storing Information in Multiple Languages Storing Information in Multiple Languages 550 File contents are then converted to UTF-8 Figure B.1. Browsing Entries in the Directory Tab Finding Entries Using the Directory Server Console Appendix B. Finding Directory Entries Using ldapsearch Ldapsearch command must use the following format Ldapsearch Command-Line Format Commonly Used ldapsearch Options Commonly Used ldapsearch Options Returning All Entries Ldapsearch Examples Searching the Schema Entry Specifying Search Filters on the Command LineUsing Ldapbasedn Searching the Root DSE Entry Specifying Search Filters Using a File Displaying Subsets of AttributesThis example assumes the search base is set with Ldapbasedn Ldap Search Filters Using Client Authentication When SearchingSpecifying DNs That Contain Commas in Search Filters Ldap Search Filters Using Operators in Search Filters Using Attributes in Search FiltersSearch Filter Syntax Basic syntax of a search filter is Table B.1. Search Filter Operators Using Compound Search FiltersSearch Filter Syntax Search Type Operator Description Operator Symbol Description Search Filter ExamplesTable B.2. Search Filter Boolean Operators Searching an Internationalized Directory Searching an Internationalized Directory Matching Rule Formats Matching Rule Filter Syntax Using a Language Tag for the Matching Rule Using an OID for the Matching RuleMatching Rule Filter Syntax 565 Using an OID and Suffix for the Matching Rule Using Wildcards in Matching Rule FiltersUsing a Language Tag and Suffix for the Matching Rule Table B.3, Search Types, Operators, and Suffixes Supported Search Types Supported Search TypesSearch Type Operator Suffix Less-Than Example International Search ExamplesLess-Than or Equal-to Example Equality Example Greater-Than Example Greater-Than or Equal-to ExampleSubstring Example International Search Examples 570 But either one of these will work correctly Ldap URLs have the following syntax Components of an Ldap URLComponent Hostname Port Table C.1. Ldap URL Components Appendix C. Ldap URLsComponent Description Examples of Ldap URLs Escaping Unsafe CharactersEscaping Unsafe Characters Unsafe Character Escape Characters Example 575 Examples of Ldap URLs 576 About Locales Appendix D. Internationalization Identifying Supported Locales Appendix D. InternationalizationLocale Language Tag Collation Order Object Identifiers OIDs Table D.1. Supported Locales Supported Language Subtypes579 Supported Language Subtypes Troubleshooting Matching Rules Troubleshooting Matching RulesTable D.2. Supported Language Subtypes 582 See Also access control instruction See Also access control listSee Also ID list scan limit Value GlossarySee base DN See bind DN See Certificate Authority See Also virtual list view index That provides client access to the directory Directory Access Protocol. The ISO X.500 standard protocolSee Ldap client See Also template entry See directory tree See CoS definition entrySee distinguished name See Directory Manager See Directory Server Gateway See Also cascading replication See Ldap Data Interchange Format See Snmp master agent See supplier Directory tree See object identifier See Also access rightsEncoded messages which form the basis of data exchanges Between Snmp devices. Also protocol data unit Receives to the authenticating directory server Authenticating directory server, pass-through subtrees,Name. Also relative distinguished name Process is called a referral Request for Comments. Procedures or standards documentsSubmitted to the Internet community. People can send Comments on the technologies before they become accepted Directory Server during installation Server Instance Entry. The ID assigned to an instanceSee supplier-initiated replication Simple Network Management Protocol SubagentSee Snmp subagent See CoS template entry Protocol. Also Transport Layer SecuritySee Also browsing index Page 600 Index Index Page Index Page Index Ldapbasedn Index Ldif Index MIB Index Page Index Page MIB Page Index