Manuals / HP / Computer Equipment / Software

HP UX Red Hat Direry Server Software manual Realms, Configuring the KDC Server

Models: UX Red Hat Direry Server Software

1 638

Download 638 pages 23.73 Kb

Page 447

Console

5.1. Realms

A realm is a set of users and the authentication methods for those users to access the realm. A realm resembles a fully-qualified domain name and can be distributed across either a single server or a single domain across multiple machines. A single server instance can also support multiple realms.

Realms are used by the server to associate the DN of the client in the following form, which looks like an LDAP DN:

uid=user_name/[server_instance],cn=realm,cn=mechanism,cn=auth

NOTE

Kerberos systems treat the Kerberos realm as the default realm; other systems default to the server.

Mike Connors in the engineering realm of the European division of example.com would have the following association if he tried to access a different server, such as cyclops:

uid=mconnors/cn=Europe.example.com,

cn=engineering,cn=gssapi,cn=auth

Babara Jensen in the accounting realm of US.example.com would not have to specify a realm:

uid=bjensen,cn=accounting,cn=gssapi,cn=auth

If realms are supported by the mechanism and the default realm was not used, realm must be specified; otherwise, it is omitted. Currently, only GSS-APIsupports the concept of realms.

5.2. Configuring the KDC Server

To use GSS-API, the user first obtains a ticket granting ticket (TGT). In many systems, this TGT is issued when the user first logs into the operating system. There are usually command-line utilities provided with the operating system — kinit, klist, and kdestroy — that can be used to acquire, list, and destroy the TGT. The ticket and the ticket's lifetime are parameters in the Kerberos client and server configuration.

Refer to the operating system documentation for information on installing and configuring a Kerberos server (also called a key distribution center or KDC). Configuring a KDC for Directory Server is described in Section 5.3, “Example: Configuring an Example KDC Server”.

427

Image 447

HP UX Red Hat Direry Server Software manual Realms, Configuring the KDC Server

Contents

Administrators Guide Red Hat Directory Server Copyright 2008 Red Hat, Inc Red Hat Directory Server 8.0 Administrators GuideRed Hat Directory Server General Red Hat Directory Server Usage Creating a New Database Link Creating and Maintaining SuffixesCreating and Maintaining Databases Creating and Maintaining Database LinksPage Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Xvi Preface Directory Server OverviewPreface Example and Default ReferencesWhen shown as below, it indicates computer output Document ConventionsXix Document ConventionsRelated Information Chapter Directory Server File LocationsRed Hat Enterprise Linux 4 and 5 General Red Hat Directory Server UsageFile or Directory Location Binaries Sun Solaris 9 sparcHP-UX 11i IA64 Ldap Tool LocationsOpt/dirsrv/bin Ldap Tool LocationsStarting and Stopping Servers Platform Directory LocationStarting and Stopping Directory Server from the Console Starting and Stopping Directory Server fromStart the Directory Server Console Solaris uses /etc/init.d Starting and Stopping Administration ServerHP-UX has a different location for the script On Solaris, the service is init.dStarting the Directory Server Console ConsoleClick Log on to the Directory Server as a New User Changing Login IdentityLogin screen Logging into Directory ServerChanging Directory Server Port Numbers Viewing the Current Console Bind DNViewing the Current Console Bind DN General Red Hat Directory Server Usage Creating a New Directory Server Instance Open the Administration Server ConsoleConfiguration tab, select the Configuration DS tab Creating a New Directory Server InstanceConfiguring the Directory Manager Configuring the Directory Manager Page Creating a Root Entry Managing Entries from the Directory ConsoleTemplate Object Class Directory Server Console, select the Configuration tabCreating Directory Entries Creating Directory EntriesEntry Templates and Corresponding Object Classes Creating an Entry Using a Predefined TemplateRole NsRoleDefinition Class of Service CosSuperDefinition Creating Other Types of EntriesDisplaying the Property Editor Modifying Directory EntriesModifying Directory Entries Adding an Object Class to an EntryRemoving an Object Class Adding an Attribute to an EntryAdding Very Large Attributes Removing an Attribute Value Adding Attribute ValuesInstead, use Adding an Attribute SubtypeLanguage Subtype Binary SubtypeDeleting Directory Entries Deleting Directory EntriesPronunciation Subtype Adding a Subtype to an AttributeManaging Entries from the Command-Line Providing Input from the Command-LineEntries, use Ctrl or Shift Select Delete from the Edit menu Creating a Root Entry from the Command-Line See , Ldif Update StatementsCreating a Root Entry from Adding Entries Using Ldif Adding and Modifying Entries Using ldapmodifyImport the Ldif file from the Directory Server Console Adding Entries Using ldapmodify Command-LineParameter Name Description Modifying Entries Using ldapmodify Input from the Command-LineLdapmodify Parameters Used for Adding Entries Hostname is cyclops Server uses port number Deleting Entries Using ldapdeleteDeleting Entries Using ldapdelete Ldapmodify Parameters Used for Modifying EntriesThis ldapdelete example has the following values Are branch points in the directory treeLdapdelete Parameters Used for Deleting Entries Using Special CharactersUsing Special Characters Tracking Modifications to Directory EntriesLdif Update Statements Select the Track Entry Modification Times checkboxOpen the Tasks tab, and click Restart Directory Server General format of Ldif update statements is as follows Ldif Update StatementsFollowing sections describe the change types in detail Adding an Entry Using LdifRenaming an Entry Using Ldif Renaming an Entry Using LdifFollowing command renames Sue Jacobs to Susan Jacobs Addattribute Modifying an Entry Using LdifAdding Attributes to Existing Entries Using Ldif Modifying an Entry Using LdifFollowing example adds two telephone numbers to the entry Changing an Attribute Value Using Ldif Deleting All Values of an Attribute Using Ldif Deleting a Specific Attribute Value Using LdifEntry is now as follows Barneys entry then becomes Deleting an Entry Using LdifModifying an Entry in an Internationalized Maintaining Referential IntegrityModifying an Entry in an Internationalized Directory How Referential Integrity WorksUsing Referential Integrity with Replication Directory Modifying the Update IntervalYou can enable or disable referential integrity as follows Enabling/Disabling Referential IntegrityModifying the Attribute List Modifying the Attribute List TIPPage A Sample Directory Tree with One Root Suffix Creating and Maintaining SuffixesConfiguring Directory Databases Creating Suffixes 1, Using Referrals in a SuffixCreating Suffixes Creating Suffixes A Sample Directory Tree with a Sub SuffixCreating a New Sub Suffix Using the Console Creating a New Root Suffix Using the ConsoleCreating Root and Sub Suffixes from the Command-Line Attribute Name Value Creating and Maintaining Databases for Creating and Maintaining Database Links forAttribute. See , Creating Maintaining Databases for more informationUsing Referrals in a Suffix Maintaining SuffixesSuffix Attributes To requests from client applications Click Save Enabling Referrals Only During Update OperationsDisabling a Suffix Maintaining SuffixesCreating and Maintaining Databases Creating DatabasesDeleting a Suffix Creating Databases Configuring Directory Databases For example, add a new database to the server example1 Adding Multiple Databases for a Single SuffixConfiguring Directory Databases Placing a Database in Read-Only Mode Maintaining Directory DatabasesMaintaining Directory Databases Change the read-only attribute to on Making a Database Read-Only Using the ConsoleMaking a Database Read-Only from the Command Line Select the database is read-only checkboxClick Save, and then restart the server Placing the Entire Directory Server in Read-Only ModeDeleting a Database Select the Make Entire Server Read-Only checkboxDatabase Encryption Configuring Transaction Logs for Frequent Database UpdatesDatabase Encryption Encryption KeysConfiguring Database Encryption from the Console Encryption CiphersSelect the Attribute Encryption tab Configuring Database Encryption Using the Command-Line Run the ldapmodify command1Exporting and Importing an Encrypted Database See .3, Importing from the Command-Linefor more information Creating and Maintaining Database Links Configuring the Chaining PolicyCreating and Maintaining Database Links Chaining Component OperationsNsActiveChainingComponents Cn=resource Component Name Description PermissionsNsActiveChainingComponents Cn=certificate-based Configuring the Chaining PolicyComponents Allowed to Chain Chaining Component Operations Using the ConsoleChaining Component Operations from the Command-Line Chaining Ldap ControlsPlug-in Chaining Ldap Controls from the Command-Line Chaining Ldap Controls Using the ConsoleCreating a New Database Link Creating a New Database Link Using the ConsoleCreating a New Database Link Ldap Controls and Their OIDsConfiguring Directory Databases Specify the configuration information for the database link Creating a Database Link from the Command-LineProviding Bind Credentials Providing Suffix InformationNsMultiplexorBindDN cannot be that of the Directory Manager Providing an Ldap URL Attributes Value Summary of Database Link Configuration AttributesProviding a List of Failover Servers FileOperations 1, Chaining ComponentAttributes Value Run ldapmodify1 to add a database link to server a Create an administrative user on server B, as follows Maintaining Database Links Chaining Using SSLUpdating Remote Server Authentication Information Enable SSL on the server that contains the database linkDatabase Links and Access Control Evaluation Database Links and Access ControlDeleting Database Links Configuring Directory Databases Evaluation Advanced Feature Tuning Database Link PerformanceManaging Connections to the Remote Server Using the Console Managing Connections to the Remote ServerAttribute Name Description Detecting Errors During Normal Processing Advanced Feature Tuning Database LinkDatabase Link Connection Management Attributes Managing Threaded Operations Database Link Processing Error Detection ParametersAdvanced Feature Configuring Cascading Chaining Overview of Cascading ChainingPerformance Configuring Directory Databases Advanced Feature Configuring Cascading Configuring Cascading Chaining Defaults Using the ConsoleConfiguring Cascading Chaining Using the Console Chaining Configuring Cascading Chaining from the Command-LineConfiguring Directory Databases Summary of Cascading Chaining Configuration Attributes Detecting LoopsAttribute Description Cascading Chaining Configuration Example Cascading Chaining Configuration AttributesAci This attribute must contain the following ACI 101 Configuring Server One102 Configuring Server Two103 Configuring Directory Databases Allow this Configuring Server ThreeUsing Referrals Starting the Server in Referral ModeClient on server two Setting Default Referrals Setting Default ReferralsSetting a Default Referral Using the Console Setting a Default Referral from the Command-LineCreating Smart Referrals Creating Smart Referrals Using the Directory Server ConsoleCreating Smart Referrals from the Command Line Creating Smart Referrals109 Creating Suffix Referrals Creating Suffix Referrals Using the ConsoleCreating Suffix Referrals Creating Suffix Referrals from the Command-LineConfiguring Directory Databases Importing Data Import Method ComparisonAction Import Initialize Database Importing a Database from the Console Populating Directory DatabasesFollowing sections describe importing data Initializing a Database from the Console Initializing a Database from the ConsoleImporting Using the ldif2db Command-Line Script Importing from the Command-LineOption Description Importing from the Command-LineImporting Using the ldif2db.pl Perl Script Ldif2db ParametersRun the ldif2db script Ldif2db Options Importing Using the ldif2ldap Command-Line ScriptRun the ldif2ldap command-line script Exporting DataSplitting a Database Contents into Two Databases Exporting Directory Data to Ldif Using Exporting Directory Data to Ldif Using the ConsoleExporting to Ldif from the Command-Line Exporting a Single Database to Ldif Using the ConsoleWith the -noption or 123 Run the db2ldif command-line scriptLdif file in this case would be Directory and is automatically namedDb2ldif Options Backing up and Restoring DataBacking up All Databases Backing up All Databases from the Server ConsoleClick Back Up Directory Server Backing up All Databases from the Command-LineRun the db2bak command-line script Backing up All DatabasesRestoring All Databases Backing up the dse.ldif Configuration FileClick Restore Directory Server Restore Directory dialog box is displayed 126Restoring All Databases Restoring Your Database from the Command-LineUsing the bak2db Command-Line Script Using bak2db.pl Perl ScriptRestoring a Single Database Run the bak2db.pl Perl scriptRestart the Directory Server Restoring the dse.ldif Configuration File Restoring Databases That Include Replicated EntriesRestoring Databases That Include 130 About Roles Using RolesManaging Entries with Roles, Class of Service, and Views Managing Roles Using the Console Managing Roles Using the Console134 Creating a Managed RoleCreating a Filtered Role Follow the steps of .2.1, Creating a Managed Role135 136 Creating a Nested RoleViewing and Editing an Entrys Roles Create a new role, as in .2.1, Creating a Managed RoleModifying a Role Entry Making a Role Inactive137 Deleting a Role Reactivating a RoleDialog box appears to confirm the deletion. Click Yes Managing Roles Using the Command-LineManaging Roles Using the Command-Line Object Classes and Attributes for RolesExamples Managed Role Definition 141 Example Filtered Role DefinitionExample Nested Role Definition Using Roles SecurelyAssigning Class of Service Assigning Class of ServiceAbout the CoS Definition Entry About CoSAbout the CoS Template Entry How a Pointer CoS WorksAbout CoS Sample Pointer CoS How an Indirect CoS WorksSample Indirect CoS How a Classic CoS WorksSample Classic CoS Searches for CoS-Specified AttributesManaging CoS Using the Console Managing CoS Using the ConsoleCreating a New CoS 150 Property Editor opens Creating the CoS Template EntryDeleting a CoS Editing an Existing CoSCoS Type Object Classes Description Managing CoS from the Command-LineCreating the CoS Definition Entry from the Command-Line Managing CoS from the Command-LineCoS Definition Entry Object Classes CoS Definition Entry AttributesAttribute Definition Managing CoS from the Command-Line Indirect CoS CoS DefinitionsCoS Type CoS definition Pointer CoSBe added to any other search filter using or Creating the CoS Template Entry from the Command-Line158 Example of a Pointer CoSCreate the template entry Example of an Indirect CoSExample of a Classic CoS Creating Role-Based Attributes Creating Role-Based AttributesClassic CoS definition entry looks like Access Control and CoS Using ViewsCreating Views in the Console Creating Views in the ConsoleDeleting Views from the Directory Server Console Creating Views from the Command LineManaging Static Groups Using GroupsDeleting Views from the Command Line Deleting Views from the Command LineModifying a Static Group Adding a New Static GroupManaging Dynamic Groups Managing Dynamic GroupsAdding a New Dynamic Group Modifying a Dynamic Group168 ACI Structure Access Control PrinciplesACI Limitations ACI PlacementManaging Access Control ACI EvaluationDefault ACIs Default ACIsCreating ACIs Manually Aci attribute uses the following syntax ACI SyntaxDefining Targets Defining TargetsTargetfilter Ldif Target KeywordsKeyword Valid Expressions Wildcard Allowed Targetattr175 Targeting a Directory EntryTargeting Attributes 177 Targeting Both an Entry and Attributes178 Targeting Entries or Attributes Using Ldap FiltersTargeting Attribute Values Using Ldap Filters Targeting a Single Directory Entry Defining PermissionsAssigning rights Allowing or Denying AccessAssigning Rights Defining PermissionsProxy rights Rights Required for Ldap OperationsUser Rights Selfwrite to the targeted entry, excluding183 Access Control and the modrdn Operation Bind RulesPermissions Syntax Yes, in DN only Bind Rule SyntaxBind Rule Syntax UserdnDns Defining User Access userdn KeywordLdif Bind Rule Keywords Groupdn Ldap///DN DN Roledn UserattrParent Access parent Keyword Anonymous Access anyone KeywordGeneral Access all Keyword Self Access self KeywordWildcards ExamplesScenExamplerio Description Userdn Keyword Examples Defining Group Access groupdn KeywordDefining Group Access groupdn Keyword Defining Role Access roledn KeywordGroupdn Examples Defining Access Based on Value Matching Using the userattr KeywordDefining Access Based on Value Matching Example with Userdn Bind Type Example with Groupdn Bind TypeAttrValue is any string representing an attribute value Example with Roledn Bind Type Example with Ldapurl Bind Type193 Example with Any Attribute Value Using the userattr Keyword with InheritanceGranting Add Permission Using the userattr Keyword Using Inheritance With the userattr KeywordDefining Access from a Specific IP Address Dns keyword allows wildcards. For example Defining Access from a Specific DomainDefining Access from a Specific Domain Instead, use a fully qualified nameDefining Access at a Specific Time of Day or Day of Week Defining Access Based on Authentication Defining Access Based on Authentication MethodAuthmethod = saslmechanism Using Boolean Bind Rules Authentication bind DN and password over LdapsMethod Creating ACIs from the Console Displaying the Access Control Editor Displaying the Access Control EditorClick New to open the Access Control Editor Creating a New ACI Access Control Editor WindowCreating a New ACI Managing Access Control Creating a New ACI Managing Access Control Editing an ACI Editing an ACIViewing ACIs Deleting an ACIControl Manager Get Effective Rights Control Get Effective Rights Control PermissionsGet effective rights result looks like the following Permission Description Using Get Effective Rights from the Command-LinePermissions That Can Be Set on Entries Permissions That Can Be Set on AttributesUsing Get Effective Rights from 214 Code Description Using Get Effective Rights from the ConsoleGet Effective Rights Return Codes Check the Show effective rights checkboxLogging Access Control Information Access Control Usage ExamplesReturned Result Codes Granting Anonymous Access Granting Anonymous AccessACI Anonymous World Click New to display the Access Control EditorClick OK in the Access Control Editor window ACI Anonymous example.comGranting Write Access to Personal Entries Granting Write Access to Personal EntriesFilter for subentries field, type the following filter 220 ACI Write example.comACI Write Subscribers Restricting Access to Key Roles Restricting Access to Key Roles See , Using RolesACI Roles Granting a Group Full Access to a Suffix ACI HRLdif statement should read as follows ACI Create Group Granting Rights to Add and Delete Group EntriesManaging Access Control Granting Conditional Access to a Group or Role ACI Delete GroupEntries 228 ACI HostedCompany1Denying Access Denying AccessLdif statement should be similar to the following ACI Billing Info Read 231 ACI Billing Info DenyAllowing Users to Add or Remove Themselves from a Group Setting a Target Using FilteringAllowing Users to Add or Remove ACI Group MembersDefining Permissions for DNs That Contain a Comma Proxied Authorization ACI ExampleAdvanced Access Control Using Macro ACIs Macro ACI ExampleThemselves from a Group 236 Example Directory Tree for Macro ACIsMacro ACI Syntax Macro ACI SyntaxMacro Matching for $dn Macros in ACI KeywordsMacro ACI Keyword $dn in the subject is replaced with dc=hostedCompany1 Steps for expanding this ACI are as followsMacro Matching for $attr.attrName For example, consider the following ACI240 Access Control and Replication Access Control and ReplicationCompatibility with Earlier Releases 242 Configuring the Password Policy Managing the Password PolicyManaging User Accounts and Passwords Configuring a Global Password Policy Using the ConsoleConfiguring the Password Policy Check the Enable fine-grained password policy checkbox Configuring a Subtree/User Password Policy Using the ConsoleAttribute Name Definition Configuring a Global Password Policy Using the Command-LineDirectory data because the longer a password Users password will expire after an intervalGiven by the passwordMaxAge attribute Making passwords expire helps protectSession to cycle through the password history Discourage users from reusing old passwordsFor example, setting the minimum password Changing their passwords during a singleAttributes, respectively. By default, this Shorter passwords are easier to crackPasswords can be two 2 to 512 characters It down. This attribute is set to 8 by defaultLowercase letters a to z This attribute is set to 3 by defaultDefault method Compatibility with Unix passwordsPassword Policy Attributes CoS specification entry at the subtree level. For example 254 Start the server Setting User PasswordsPassword Change Extended Operation Setting User PasswordsLdappasswd Options Parameter Description256 Configuring the Account Lockout Policy Configuring the Account Lockout Policy Using the ConsoleConfiguring the Account Lockout Policy Attribute Name Definition Managing the Password Policy in a Replicated Environment Managing the Password Policy in aAccount Lockout Policy Attributes Synchronizing Passwords Replicated Environment Inactivating Users and RolesInactivating User and Roles Using the Console Inactivating User and Roles Using the Command-LineOption Name Description DN of the user account or role to activate Activating User and Roles Using the ConsoleActivating User and Roles Using the Command-Line Activating User and Roles UsingSetting Resource Limits Using the Console Setting Resource Limits Based on the Bind DNEntering a value of -1indicates no limit Click OK Setting Resource Limits Using the Command-Line266 Replication Overview What Directory Units Are ReplicatedRead-Write and Read-Only Replicas Managing Replication Suppliers and ConsumersChangelog Replication IdentityReplication Agreement Compatibility with Earlier Versions of Directory ServerReplication Agreement Single-Master Replication Replication ScenariosMulti-Master Replication Multi-Master Replication272 Multi-Master Replication Two MastersMulti-Master Replication Four Masters Replication Cascading ReplicationCreating the Supplier Bind DN Entry Creating the Supplier Bind DN EntryConfiguring Single-Master Replication Configuring the Read-Write Replica on Configuring the Read-Write Replica on the Supplier ServerConfiguring the Read-Only Replica on the Consumer Supplier Server Create the Replication Agreement Create the Replication Agreement Managing Replication Create the Replication Agreement Replication will not begin until the consumer is initialized Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier Servers Configuring Multi-Master Replication287 Configuring the Read-Write Replicas onManaging Replication Supplier Servers Configuring the Read-Only Replicas on the Consumer ServersManaging Replication Setting up the Replication Agreements Setting up the Replication AgreementsManaging Replication Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized 297 Preventing Monopolization of the ConsumerConfiguring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Server Configuring the Read-Only Replica on Configuring the Read-Only Replica on the Hub Consumer Server Managing Replication Setting up the Replication Agreements Managing Replication DN and password Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Configuring Replication from the Command Line Configuring Suppliers from the Command LineConfiguring Replication from the Command 312 Changelog, to which Changelog AttributesLine Object Class or Attribute Description Values314 Consumer. This is required forReplica Attributes Configuring Consumers from the Command LineConfiguring Consumers from the Command Forward update requests. ByConfiguring Hubs from the Command Line Configuring Replication Agreements from the Command Line Parameter to SSL. If TLS/SSL 318 Qualified host and domainObjectclass=* $ Exclude Attributes will not be Configuring Replication Agreements fromReplication between Servers Nsds5replicabindcredentials Nsds5replicatedattributelistMidnight and 2359 is PM. For example, the setting Replication Agreement Attributes320 Command Line Initializing Consumers Online from the Command LineDeleting the Changelog Making a Replica UpdatableMoving the Changelog to a New Location Initializing ConsumersRemoving the Changelog Moving the Changelog to a New LocationOnline Consumer Initialization Using the Console When to Initialize a ConsumerInitializing Consumers Online Using Initializing Consumers Online Using the Command LineExporting a Replica to Ldif Manual Consumer Initialization Using the Command LineImporting the Ldif File to the Consumer Server Filesystem Replica InitializationInitializing the Consumer Replica from the Backup Files Restart the destination Directory Server. For example Forcing Replication UpdatesForcing Replication Updates Stop the destination Directory Server if it is runningForcing Replication Updates from the Command-Line Forcing Replication Updates from the ConsoleReplicating Account Lockout Attributes Replicating Account Lockout AttributesExample 8.1. ReplicateNow Script Example ReplicateNow VariablesReplication over SSL Select SSL Client Authentication Select Simple AuthenticationReplicating o=NetscapeRoot for Directory Server Installation Guide Administration Server Failover Replication with Earlier ReleasesSee , Enabling and Disabling Plug-ins Using the Retro Changelog Plug-in Retro Changelog Entry Enabling the Retro Changelog Plug-inAttributes of a Retro Changelog Entry Enabling the Retro Changelog Plug-inTrimming the Retro Changelog Searching and Modifying the Retro Changelog Retro Changelog and the Access Control PolicyRetro Changelog and the Access Control Monitoring Replication StatusMonitoring Replication Status from Administration Express Directory Server Console Replication StatusTable Header Description Table header shows the replica ID 341 PolicySolving Common Replication Conflicts Solving Naming Conflicts Renaming an Entry with a Multi-Valued Naming AttributeSolving Naming Conflicts 344 Unique identifier attribute nsuniqueid cannot be deletedRenaming an Entry with a Single-Valued Naming Attribute Solving Orphan Entry Conflicts Solving Potential Interoperability ProblemsTroubleshooting Replication-Related Troubleshooting Replication-Related ProblemsError/Symptom Reason Impact Remedy Problems Direct consumers But some consumers Follows Are way behind SupplierIf it has been Replayed to allReplication Status Replication ErrorsSee Section Monitoring352 Create new attributes, as in .2, Creating Attributes Overview of Extending SchemaManaging Attributes Viewing AttributesSyntax Extending the Directory SchemaField NameField Description Creating AttributesAttributes Tab Reference Creating AttributesEditing Attributes Deleting AttributesOIDs are described in .1, Attributes Tab Reference Managing Object Classes This procedure is explained in .4, Deleting AttributesManaging Object Classes Viewing Object ClassesReference Parent358 Creating Object Classes Object Classes Tab ReferenceCreating Object Classes Click OK to save the new object class Editing Object ClassesDeleting Object Classes Deleting Object ClassesTurning Schema Checking On and Off About Index Types About IndexesAttribute Pres Sub Purpose About Default, System, and Standard IndexesOverview of Default Indexes Managing IndexesIntegrity for About Default, System, and StandardMaintaining ReferentialDefault Indexes Overview of System Indexes366 Attribute Pres Purpose Overview of the Searching AlgorithmOverview of Standard Indexes System IndexesManaging Indexes Approximate Searches Balancing the Benefits of IndexingApproximate Searches Directory Server is maintaining the following indexes 370 Creating Indexes Creating IndexesCreating Indexes from the Server Console Creating Indexes from the Command-Line Creating Indexes from the Command-LineAdding an Index Entry 374 To create a new index for a particular database, add it toCreating Indexes from the Command-Line Db2index Options describes the db2index.pl options Running the db2index.pl ScriptDb2index.pl Options Run the db2index.pl Perl scriptCreating Browsing Indexes from Creating Browsing Indexes from the Command-LineCreating Browsing Indexes from the Server Console Adding a Browsing Index EntryManaging Indexes This first browsing index entry must be added to Running the vlvindex ScriptRun the vlvindex script Setting Access Control for VLV InformationVlvindex Options Stop the server.3Change ldap//all to ldap//anyone and save your changes Deleting IndexesDeleting Indexes A text editor, open the dse.ldif fileDeleting Indexes from the Server Console Deleting Indexes from the Command-LineDeleting Indexes from the Command-Line Deleting an Index EntryLdapdelete Options describes the ldapdelete options Run the db2index.pl Perl script. For example Ldapdelete OptionsDb2index Options Deleting Browsing Indexes from the Command-LineDeleting Browsing Indexes from the Server Console Deleting a Browsing Index EntryOption Description Vlvindex Options describes the vlvindex options Managing IndexesSearch Performance Indexing PerformanceBackwards Compatibility and Migration Attribute Name Quick Reference Table Backwards Compatibility and MigrationAttribute Primary Name Attribute Alias Attribute Name Quick Reference Table Attribute Name Quick Reference Table391 392 Enabling SSL Summary of Steps Introduction to TLS/SSL in the Directory ServerCommand-Line Functions for Start TLS Managing SSLTurn on TLS/SSL in the directory Obtaining and Installing Server Certificates Troubleshooting Start TLSObtaining and Installing Server Certificates Generate a Certificate Request Generate a Certificate Request Managing SSL After generating the certificate request, send it to the CA Send the Certificate RequestInstall the Certificate Trust the Certificate Authority Trust the Certificate AuthorityConfirm That The New Certificates Are Installed Using certutilCreate a password file for the security token password Creating Directory Server CertificatesGenerate the Directory Server client certificate 404 Certutil Options Starting the Server with TLS/SSL EnabledThrough the Command Line Certutil UsageClick Cipher Settings Enabling TLS/SSL Only in the Directory ServerSelect the certificate to use from the drop-down menu Enabling TLS/SSL Only in the Directory Described in , Starting and Stopping Servers Server Click Cipher Settings Check the Use SSL in the Console box. Hit Save409 Creating a Password File for the Directory Server Creating a Password File for Creating a Password File for the Administration ServerSetting Security Preferences Restart the Administration ServerAvailable Ciphers TLSv1 Ciphers Administration ServerClick Cipher Setting Selecting the Encryption CipherSSLv3 Ciphers Using Certificate-Based Authentication Using Certificate-Based AuthenticationEncryption tab, click Save Allowing/Requiring Client Authentication Setting up Certificate-Based AuthenticationNow start Red Hat Console Configuring Ldap Clients to Use SSLConfiguring Ldap Clients to Use SSL Stop the Directory ServerBegin Certificate Client certificate resembles the followingConfiguring Ldap Clients to Use SSL Click Set Value 420 Managing Sasl Authentication MechanismsSasl is configured by entries under a container entry 422 Sasl Identity MappingManaging Sasl Sasl Identity Mapping Sasl identity mapping entries are children of this entry423 Configuring Sasl Identity Mapping from the Console Configuring Sasl Identity Mapping from Operating System Kerberos Version Configuring Sasl Identity Mapping from the Command-LineConfiguring Kerberos Supported Kerberos SystemsRealms Configuring the KDC ServerExample Configuring an Example KDC Server Configuring Sasl Authentication at Configuring Sasl Authentication at Directory Server StartupManaging Sasl Viewing and Configuring Log Files Administration ExpressDefining a Log File Rotation Policy Monitoring Server and Database Activity Defining a Log File Deletion Policy Access LogViewing the Access Log Defining a Log File Deletion PolicyDisplay to refresh automatically every ten seconds Configuring the Access LogError Log Viewing the Error LogError Log Configuring the Error Log Containing text box, and click RefreshClick Save 436 Audit Log Configuring the Audit LogAudit Log Viewing the Audit LogMonitoring Server Activity Manual Log File RotationMonitoring the Server from the Directory Monitoring the Server from the Directory Server ConsoleResource Current Total General Information ServerResource Summary Resource Usage Since Startup Average Per MinuteOperations, and therefore multiple threads Current Resource UsageServer Console Connection can account for multipleConnection Status Monitoring the Directory Server from the Command Line Global Database Cache InformationMonitoring the Directory Server from 444 Attribute DescriptionMonitoring Database Activity Server Monitoring AttributesTime GMT in UTC format Performance Metric Current Total See , Tuning DatabaseMaximum Cache Size setting. See Section General Information DatabaseMonitoring Database Activity from Tuning Database Performance forCache setting. See , Tuning Summary InformationMonitoring Databases from the Command Line Database Cache Information10. Database File-Specific Directory Server Console Maximum Entries in Cache attribute Lower the number of page evicts the better Monitoring Database Link Activity11. Directory Server Monitoring Attributes Monitoring Database Link Activity452 12. Database Link Monitoring AttributesAbout Snmp SnmpAgentx-master Configuring the Master Agent Configuring the SubagentSubagent Configuration File Monitoring Directory Server Using SnmpStarting the Subagent Starting the SubagentAgent-logdir ServerTesting the Subagent Configuring Snmp TrapsConfiguring the Directory Server for Snmp Using the Management Information BaseConfiguring the Directory Server for Snmp Managed Object Description Operations TableEntries Table Operations Table Managed Objects and DescriptionsEntries Table Entity TableEntries Table Managed Objects and Descriptions Interaction Table Entity Table Managed Objects and DescriptionsInteraction Table 462 Interaction Table Managed Objects and DescriptionsManagement subsystem was initialized, this Object will contain a value of zeroTuning Server Performance Tuning Directory Server PerformanceTuning Database Performance Tuning Directory Server PerformanceOptimizing Search Performance Optimizing Search Performance Changing the Location of the Database Transaction Log Tuning Transaction LoggingChanging the Database Checkpoint Interval Changing the Database Checkpoint IntervalMiscellaneous Tuning Tips Disabling Durable TransactionsSpecifying Transaction Batching Avoid Creating Entries Under the cn=config 470 Details of 7-Bit Check Plug-in Server Plug-in Functionality ReferenceBit Check Plug-in ACL Plug-inDetails of ACI Plug-in Administering Directory Server Plug-insACL Preoperation Plug-in Binary Syntax Plug-inDetails of Boolean Syntax Plug-in Boolean Syntax Plug-inCase Exact String Syntax Plug-in Details of Binary Syntax Plug-inDetails of Case Ignore String Syntax Plug-in Case Ignore String Syntax Plug-inChaining Database Plug-in Details of Case Exact String Syntax Plug-inCountry String Syntax Plug-in Class of Service Plug-inDetails of Class of Service Plug-in Class of Service Plug-in11. Details of Distinguished Name Syntax Plug-in Distinguished Name Syntax Plug-inGeneralized Time Syntax Plug-in 10. Details of Country String Plug-in13. Details of Integer Syntax Plug-in Integer Syntax Plug-inInternationalization Plug-in 12. Details of Generalized Time Syntax Plug-in15. Details of ldbm Database Plug-in Ldbm Database Plug-inLegacy Replication Plug-in 14. Details of Internationalization Plug-in17. Details of Multi-Master Replication Plug-in Multi-Master Replication Plug-inOctet String Syntax Plug-in 16. Details of Legacy Replication Plug-in18. Details of Octet String Syntax Plug-in Clear Password Storage Plug-inCrypt Password Storage Plug-in 19. Details of Clear Password Storage Plug-inNS-MTA-MD5 Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in20. Details of Crypt Password Storage Plug-in 21. Details of NS-MTA-MD5 Password Storage Plug-inSHA Password Storage Plug-in Ssha Password Storage Plug-in22. Details of SHA Password Storage Plug-in 24. Details of Postal Address String Syntax Plug-in 23. Details of Ssha Password Storage Plug-inPostal Address String Syntax Plug-in PTA Plug-inReferential Integrity Postoperation Plug-in Using the Pass-throughAuthentication Plug-in See , Using the Pass-throughSee , Managing Indexes for Retro Changelog Plug-in26. Details of Referential Integrity Post-Operation Plug-in Retro Changelog Plug-in28. Details of Roles Plug-in Roles Plug-inSpace Insensitive String Syntax Plug-in 27. Details of Retro Changelog Plug-inSee Appendix B, Finding Directory Entries State Change Plug-in29. Details of Space Insensitive String Syntax Plug-in State Change Plug-in31. Details of Telephone Syntax Plug-in Telephone Syntax Plug-inUID Uniqueness Plug-in 30. Details of State Change Plug-inURI Plug-in See , Using the AttributeURI Plug-in 32. Details of UID Uniqueness Plug-in33. Details of URI Plug-in Enabling and Disabling Plug-insHow Directory Server Uses PTA Using the Pass-through Authentication Plug-inPTA Plug-in Syntax Using the Pass-through Authentication Plug-inVariable Definition PTA Plug-in SyntaxConfiguring the Optional Parameters for See .5, Configuring the OptionalSpecifying the Pass-through Subtree for Configuring the PTA Plug-in Configuring the PTA Plug-inPTA Plug-in Parameters Configuring the Servers to Use a Secure Connection Specifying the Authenticating Directory ServerTurning the Plug-in On or Off Specifying the Pass-through Subtree Specifying the Pass-through SubtreeConfiguring the Optional Parameters PTA Plug-in Syntax Examples PTA Plug-in Syntax ExamplesUsing Non-Default Parameter Values Specifying Multiple Authenticating Directory ServersSpecifying Different Optional Parameters 502 Overview of the Attribute Uniqueness Plug-in Using the Attribute Uniqueness Plug-inAttribute Uniqueness Plug-in Syntax Using the Attribute Uniqueness Plug-inAttribute Uniqueness Plug-in Syntax See .3.1, Turning the Plug-in On or505 Attribute Uniqueness Plug-in Variables Creating an Instance of the Attribute Uniqueness Plug-inConfiguring Attribute Uniqueness Plug-ins Viewing Plug-in Configuration InformationConfiguring Attribute Uniqueness Plug-ins From the Property Editor From the Configuration tabTurning the Plug-in On or Off Specifying a Suffix or Subtree509 Using the markerObjectClass and requiredObjectClass Keywords Specifying One Attribute and Multiple Subtrees From the Command-LineAttribute Uniqueness Plug-in Syntax Examples Specifying One Attribute and One SubtreeSimple Replication Scenario Replication and the Attribute Uniqueness Plug-inMulti-Master Replication Scenario Multi-Master Replication Scenario514 About Windows Sync Active Directory Directory Server Synchronization Process 517 About Windows SyncConfigure SSL on Directory Server Configuring Windows SyncConfigure the Active Directory Domain Configure the Active DirectorySelect the Enterprise Root CA option Iv. Accept the certificate request. For example Select or Create the Sync IdentityDomain Install and Configure the Password Sync ServiceReboot the Windows machine to start Password Sync Hit Next, then Finish to install Password Sync523 Install and Configure the PasswordGive trusted peer status to the server Configure the Directory Server Database for SynchronizationCreate the Synchronization Agreement Sync ServiceSetting up the Sync Agreement Synchronizing Users Synchronizing Groups Deleting Entries Using Windows SyncBegin Synchronization Begin SynchronizationSynchronizing Users Synchronizing Users Directory Server Active Directory529 PhysicalDeliveryOfficeName Synchronizing GroupsDescription Member SeeAlso Deleting EntriesDeleting Entries NtGroupAttributes NtGroupId Name SamAccountName NtGroupTypeManually Updating and Resynchronizing Entries Resurrecting EntriesChecking Synchronization Status Modifying the Sync AgreementChecking Synchronization Status Values for street and streetAddress Schema DifferencesPassword Policies GroupsContraints on the initials attribute Password Sync ServiceModifying Password Sync Starting and Stopping the Password Sync ServiceOpen the Add/Remove Programs utility TroubleshootingUninstalling Password Sync Service To uninstall the Password Sync service, do the following537 Troubleshooting538 About the Ldif File Format Appendix A. Ldap Data Interchange FormatField Definition Continuing Lines in LdifTable A.1. Ldif Fields Appendix A. Ldap Data Interchange FormatRepresenting Binary Data Representing Binary DataStandard Ldif Notation Base-64 EncodingSpecifying Domain Entries Specifying Directory Entries Using LdifLdif Element Description Table A.2. Ldif Elements in Domain EntriesSpecifying Organizational Unit Entries Domain EntriesSpecifying Organizational Unit Entries Specifying Organizational Person Entries Table A.3. Ldif Elements in Organizational Unit EntriesSpecifying Organizational Person Entries Table A.4. Ldif Elements in Person Entries Defining Directories Using Ldif547 Defining Directories Using LdifLdif File Example Storing Information in Multiple Languages Storing Information in Multiple Languages550 File contents are then converted to UTF-8Figure B.1. Browsing Entries in the Directory Tab Finding Entries Using the Directory Server ConsoleAppendix B. Finding Directory Entries Using ldapsearchLdapsearch command must use the following format Ldapsearch Command-Line FormatCommonly Used ldapsearch Options Commonly Used ldapsearch Options Returning All Entries Ldapsearch ExamplesSearching the Root DSE Entry Specifying Search Filters on the Command LineSearching the Schema Entry Using LdapbasednSpecifying Search Filters Using a File Displaying Subsets of AttributesThis example assumes the search base is set with Ldapbasedn Ldap Search Filters Using Client Authentication When SearchingLdap Search Filters Specifying DNs That Contain Commas in Search FiltersBasic syntax of a search filter is Using Attributes in Search FiltersUsing Operators in Search Filters Search Filter SyntaxSearch Type Operator Description Using Compound Search FiltersTable B.1. Search Filter Operators Search Filter SyntaxOperator Symbol Description Search Filter ExamplesTable B.2. Search Filter Boolean Operators Searching an Internationalized Directory Searching an Internationalized DirectoryMatching Rule Formats Matching Rule Filter Syntax565 Using an OID for the Matching RuleUsing a Language Tag for the Matching Rule Matching Rule Filter SyntaxTable B.3, Search Types, Operators, and Suffixes Using Wildcards in Matching Rule FiltersUsing an OID and Suffix for the Matching Rule Using a Language Tag and Suffix for the Matching RuleSupported Search Types Supported Search TypesSearch Type Operator Suffix Equality Example International Search ExamplesLess-Than Example Less-Than or Equal-to ExampleInternational Search Examples Greater-Than or Equal-to ExampleGreater-Than Example Substring Example570 But either one of these will work correctlyHostname Port Components of an Ldap URLLdap URLs have the following syntax ComponentTable C.1. Ldap URL Components Appendix C. Ldap URLsComponent Description Unsafe Character Escape Characters Escaping Unsafe CharactersExamples of Ldap URLs Escaping Unsafe CharactersExample 575 Examples of Ldap URLs576 About Locales Appendix D. InternationalizationIdentifying Supported Locales Appendix D. InternationalizationLocale Language Tag Collation Order Object Identifiers OIDs Table D.1. Supported Locales Supported Language Subtypes579 Supported Language Subtypes Troubleshooting Matching Rules Troubleshooting Matching RulesTable D.2. Supported Language Subtypes 582 See Also access control instruction See Also access control listSee Also ID list scan limit See bind DN GlossaryValue See base DNSee Certificate Authority See Also virtual list view indexSee Also template entry Directory Access Protocol. The ISO X.500 standard protocolThat provides client access to the directory See Ldap clientSee Directory Manager See CoS definition entrySee directory tree See distinguished nameSee Directory Server Gateway See Also cascading replication See Ldap Data Interchange Format See Snmp master agent See supplierDirectory tree Between Snmp devices. Also protocol data unit See Also access rightsSee object identifier Encoded messages which form the basis of data exchangesReceives to the authenticating directory server Authenticating directory server, pass-through subtrees,Name. Also relative distinguished name Comments on the technologies before they become accepted Request for Comments. Procedures or standards documentsProcess is called a referral Submitted to the Internet community. People can sendDirectory Server during installation Server Instance Entry. The ID assigned to an instanceSee supplier-initiated replication Simple Network Management Protocol SubagentSee Snmp subagent See CoS template entry Protocol. Also Transport Layer SecuritySee Also browsing index Page 600 Index Index Page Index Page Index Ldapbasedn Index Ldif Index MIB Index Page Index Page MIB Page Index