Manuals / HP / Computer Equipment / Software

HP UX Red Hat Direry Server Software Configuring Sasl Authentication at Directory Server Startup

Models: UX Red Hat Direry Server Software

1 638

Download 638 pages 23.73 Kb

Page 449

Image 449

Configuring SASL Authentication at

admin_server =adminserver.company.example.com:749 default_domain = company.example.com

}

[appdefaults] pam = {

debug = true

ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false

}

[logging]

default = FILE:/var/krb5/kdc.log kdc = FILE:/var/krb5/kdc.log admin_server = FILE:/var/log/kadmind.log

5.4.Configuring SASL Authentication at Directory Server Startup

SASL GSS-API authentication has to be activated in Directory Server so that Kerberos tickets can be used for authentication. This is done by supplying a system configuration file for the init scripts to use which identifies the variable to set the keytab file location. When the init script runs at Directory Server startup, SASL authentication is then immediately active.

The default configuration file is in /etc/sysconfig/dirsrv.

NOTE

The default configuration file on Red Hat Enterprise Linux and HP-UX is in /etc/sysconfig. On Solaris, it is in /etc/default.

If there are multiple Directory Server instances and not all of them will use SASL authentication, then there can be instance-specific configuration files created in that directory named dirsrv-instance. For example, dirsrv-example. The default dirsrv file can be used for a single instance.

To enable SASL authentication, uncomment the KRB5_KTNAME line in the /etc/sysconfig/dirsrv (or instance-specific) file, and set the keytab location for the KRB5_KTNAME variable. For example:

#In order to use SASL/GSSAPI the directory

#server needs to know where to find its keytab

#file - uncomment the following line and set

#the path and filename appropriately

KRB5_KTNAME=/etc/krb5.keytab ; export KRB5_KTNAME

429

Page 449

Image 449

HP UX Red Hat Direry Server Software manual Configuring Sasl Authentication at Directory Server Startup

Contents

Administrators Guide Red Hat Directory Server Copyright 2008 Red Hat, Inc Red Hat Directory Server 8.0 Administrators GuideRed Hat Directory Server General Red Hat Directory Server Usage Creating and Maintaining Databases Creating and Maintaining SuffixesCreating and Maintaining Database Links Creating a New Database LinkPage Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Red Hat Directory Server Page Xvi Preface Directory Server OverviewWhen shown as below, it indicates computer output Example and Default ReferencesDocument Conventions PrefaceXix Document ConventionsRelated Information Chapter Directory Server File LocationsFile or Directory Location Red Hat Enterprise Linux 4 and 5General Red Hat Directory Server Usage HP-UX 11i IA64 Sun Solaris 9 sparcLdap Tool Locations BinariesStarting and Stopping Servers Ldap Tool LocationsPlatform Directory Location Opt/dirsrv/binStart the Directory Server Console Starting and Stopping Directory Server from the ConsoleStarting and Stopping Directory Server from Solaris uses /etc/init.d Starting and Stopping Administration ServerStarting the Directory Server Console On Solaris, the service is init.dConsole HP-UX has a different location for the scriptLogin screen Changing Login IdentityLogging into Directory Server Click Log on to the Directory Server as a New UserViewing the Current Console Bind DN Changing Directory Server Port NumbersViewing the Current Console Bind DN General Red Hat Directory Server Usage Configuration tab, select the Configuration DS tab Open the Administration Server ConsoleCreating a New Directory Server Instance Creating a New Directory Server InstanceConfiguring the Directory Manager Configuring the Directory Manager Page Creating a Root Entry Managing Entries from the Directory ConsoleCreating Directory Entries Directory Server Console, select the Configuration tabCreating Directory Entries Template Object ClassRole NsRoleDefinition Class of Service CosSuperDefinition Creating an Entry Using a Predefined TemplateCreating Other Types of Entries Entry Templates and Corresponding Object ClassesDisplaying the Property Editor Modifying Directory EntriesRemoving an Object Class Adding an Object Class to an EntryAdding an Attribute to an Entry Modifying Directory EntriesAdding Very Large Attributes Removing an Attribute Value Adding Attribute ValuesLanguage Subtype Adding an Attribute SubtypeBinary Subtype Instead, usePronunciation Subtype Deleting Directory EntriesAdding a Subtype to an Attribute Deleting Directory EntriesEntries, use Ctrl or Shift Select Delete from the Edit menu Managing Entries from the Command-LineProviding Input from the Command-Line Creating a Root Entry from Creating a Root Entry from the Command-LineSee , Ldif Update Statements Import the Ldif file from the Directory Server Console Adding Entries Using LdifAdding and Modifying Entries Using ldapmodify Parameter Name Description Adding Entries Using ldapmodifyCommand-Line Ldapmodify Parameters Used for Adding Entries Modifying Entries Using ldapmodifyInput from the Command-Line Deleting Entries Using ldapdelete Deleting Entries Using ldapdeleteLdapmodify Parameters Used for Modifying Entries Hostname is cyclops Server uses port numberThis ldapdelete example has the following values Are branch points in the directory treeUsing Special Characters Using Special CharactersTracking Modifications to Directory Entries Ldapdelete Parameters Used for Deleting EntriesOpen the Tasks tab, and click Restart Directory Server Ldif Update StatementsSelect the Track Entry Modification Times checkbox General format of Ldif update statements is as follows Ldif Update StatementsFollowing sections describe the change types in detail Adding an Entry Using LdifFollowing command renames Sue Jacobs to Susan Jacobs Renaming an Entry Using LdifRenaming an Entry Using Ldif Addattribute Modifying an Entry Using LdifFollowing example adds two telephone numbers to the entry Adding Attributes to Existing Entries Using LdifModifying an Entry Using Ldif Changing an Attribute Value Using Ldif Entry is now as follows Deleting All Values of an Attribute Using LdifDeleting a Specific Attribute Value Using Ldif Barneys entry then becomes Deleting an Entry Using LdifModifying an Entry in an Internationalized Directory Maintaining Referential IntegrityHow Referential Integrity Works Modifying an Entry in an InternationalizedUsing Referential Integrity with Replication You can enable or disable referential integrity as follows Modifying the Update IntervalEnabling/Disabling Referential Integrity DirectoryModifying the Attribute List Modifying the Attribute List TIPPage A Sample Directory Tree with One Root Suffix Creating and Maintaining SuffixesCreating Suffixes Configuring Directory DatabasesCreating Suffixes 1, Using Referrals in a Suffix Creating Suffixes A Sample Directory Tree with a Sub SuffixCreating a New Sub Suffix Using the Console Creating a New Root Suffix Using the ConsoleCreating Root and Sub Suffixes from the Command-Line Attribute Name Value Attribute. See , Creating Creating and Maintaining Database Links forMaintaining Databases for more information Creating and Maintaining Databases forSuffix Attributes Using Referrals in a SuffixMaintaining Suffixes Disabling a Suffix Enabling Referrals Only During Update OperationsMaintaining Suffixes To requests from client applications Click SaveDeleting a Suffix Creating and Maintaining DatabasesCreating Databases Creating Databases Configuring Directory Databases For example, add a new database to the server example1 Adding Multiple Databases for a Single SuffixConfiguring Directory Databases Maintaining Directory Databases Placing a Database in Read-Only ModeMaintaining Directory Databases Making a Database Read-Only from the Command Line Making a Database Read-Only Using the ConsoleSelect the database is read-only checkbox Change the read-only attribute to onDeleting a Database Placing the Entire Directory Server in Read-Only ModeSelect the Make Entire Server Read-Only checkbox Click Save, and then restart the serverDatabase Encryption Configuring Transaction Logs for Frequent Database UpdatesDatabase Encryption Encryption KeysSelect the Attribute Encryption tab Configuring Database Encryption from the ConsoleEncryption Ciphers Exporting and Importing an Encrypted Database Configuring Database Encryption Using the Command-LineRun the ldapmodify command1 See .3, Importing from the Command-Linefor more information Creating and Maintaining Database Links Configuring the Chaining PolicyChaining Component Operations Creating and Maintaining Database LinksNsActiveChainingComponents Cn=resource Component Name Description PermissionsNsActiveChainingComponents Cn=certificate-based Configuring the Chaining PolicyComponents Allowed to Chain Chaining Component Operations Using the ConsolePlug-in Chaining Component Operations from the Command-LineChaining Ldap Controls Chaining Ldap Controls from the Command-Line Chaining Ldap Controls Using the ConsoleCreating a New Database Link Creating a New Database Link Using the ConsoleLdap Controls and Their OIDs Creating a New Database LinkConfiguring Directory Databases Specify the configuration information for the database link Creating a Database Link from the Command-LineProviding Bind Credentials Providing Suffix InformationNsMultiplexorBindDN cannot be that of the Directory Manager Providing an Ldap URL Providing a List of Failover Servers Summary of Database Link Configuration AttributesFile Attributes ValueOperations 1, Chaining ComponentAttributes Value Run ldapmodify1 to add a database link to server a Create an administrative user on server B, as follows Updating Remote Server Authentication Information Chaining Using SSLEnable SSL on the server that contains the database link Maintaining Database LinksDeleting Database Links Database Links and Access Control EvaluationDatabase Links and Access Control Configuring Directory Databases Managing Connections to the Remote Server Using the Console Advanced Feature Tuning Database Link PerformanceManaging Connections to the Remote Server EvaluationAttribute Name Description Database Link Connection Management Attributes Detecting Errors During Normal ProcessingAdvanced Feature Tuning Database Link Managing Threaded Operations Database Link Processing Error Detection ParametersPerformance Advanced Feature Configuring Cascading ChainingOverview of Cascading Chaining Configuring Directory Databases Advanced Feature Configuring Cascading Configuring Cascading Chaining Defaults Using the ConsoleConfiguring Cascading Chaining Using the Console Chaining Configuring Cascading Chaining from the Command-LineConfiguring Directory Databases Attribute Description Summary of Cascading Chaining Configuration AttributesDetecting Loops Aci This attribute must contain the following ACI Cascading Chaining Configuration ExampleCascading Chaining Configuration Attributes 101 Configuring Server One102 Configuring Server Two103 Configuring Directory Databases Allow this Configuring Server ThreeClient on server two Using ReferralsStarting the Server in Referral Mode Setting a Default Referral Using the Console Setting Default ReferralsSetting a Default Referral from the Command-Line Setting Default ReferralsCreating Smart Referrals Creating Smart Referrals Using the Directory Server Console109 Creating Smart Referrals from the Command LineCreating Smart Referrals Creating Suffix Referrals Creating Suffix Referrals Using the ConsoleCreating Suffix Referrals Creating Suffix Referrals from the Command-LineConfiguring Directory Databases Action Import Initialize Database Importing DataImport Method Comparison Following sections describe importing data Importing a Database from the ConsolePopulating Directory Databases Initializing a Database from the Console Initializing a Database from the ConsoleImporting Using the ldif2db Command-Line Script Importing from the Command-LineOption Description Importing from the Command-LineRun the ldif2db script Importing Using the ldif2db.pl Perl ScriptLdif2db Parameters Run the ldif2ldap command-line script Importing Using the ldif2ldap Command-Line ScriptExporting Data Ldif2db OptionsSplitting a Database Contents into Two Databases Exporting Directory Data to Ldif Using Exporting Directory Data to Ldif Using the ConsoleExporting to Ldif from the Command-Line Exporting a Single Database to Ldif Using the ConsoleLdif file in this case would be Run the db2ldif command-line scriptDirectory and is automatically named With the -noption or 123Backing up All Databases Backing up and Restoring DataBacking up All Databases from the Server Console Db2ldif OptionsRun the db2bak command-line script Backing up All Databases from the Command-LineBacking up All Databases Click Back Up Directory ServerClick Restore Directory Server Backing up the dse.ldif Configuration FileRestore Directory dialog box is displayed 126 Restoring All DatabasesUsing the bak2db Command-Line Script Restoring Your Database from the Command-LineUsing bak2db.pl Perl Script Restoring All DatabasesRestart the Directory Server Restoring a Single DatabaseRun the bak2db.pl Perl script Restoring Databases That Include Restoring the dse.ldif Configuration FileRestoring Databases That Include Replicated Entries 130 About Roles Using RolesManaging Entries with Roles, Class of Service, and Views Managing Roles Using the Console Managing Roles Using the Console134 Creating a Managed Role135 Creating a Filtered RoleFollow the steps of .2.1, Creating a Managed Role Viewing and Editing an Entrys Roles Creating a Nested RoleCreate a new role, as in .2.1, Creating a Managed Role 136137 Modifying a Role EntryMaking a Role Inactive Deleting a Role Reactivating a RoleManaging Roles Using the Command-Line Managing Roles Using the Command-LineObject Classes and Attributes for Roles Dialog box appears to confirm the deletion. Click YesExamples Managed Role Definition 141 Example Filtered Role DefinitionExample Nested Role Definition Using Roles SecurelyAssigning Class of Service Assigning Class of ServiceAbout the CoS Definition Entry About CoSAbout CoS About the CoS Template EntryHow a Pointer CoS Works Sample Pointer CoS How an Indirect CoS WorksSample Indirect CoS How a Classic CoS WorksSample Classic CoS Searches for CoS-Specified AttributesCreating a New CoS Managing CoS Using the ConsoleManaging CoS Using the Console 150 Property Editor opens Creating the CoS Template EntryDeleting a CoS Editing an Existing CoSCreating the CoS Definition Entry from the Command-Line Managing CoS from the Command-LineManaging CoS from the Command-Line CoS Type Object Classes DescriptionAttribute Definition CoS Definition Entry Object ClassesCoS Definition Entry Attributes Managing CoS from the Command-Line CoS Type CoS definition CoS DefinitionsPointer CoS Indirect CoSBe added to any other search filter using or Creating the CoS Template Entry from the Command-Line158 Example of a Pointer CoSCreate the template entry Example of an Indirect CoSExample of a Classic CoS Classic CoS definition entry looks like Creating Role-Based AttributesCreating Role-Based Attributes Access Control and CoS Using ViewsCreating Views in the Console Creating Views in the ConsoleDeleting Views from the Directory Server Console Creating Views from the Command LineDeleting Views from the Command Line Using GroupsDeleting Views from the Command Line Managing Static GroupsModifying a Static Group Adding a New Static GroupAdding a New Dynamic Group Managing Dynamic GroupsModifying a Dynamic Group Managing Dynamic Groups168 ACI Structure Access Control PrinciplesManaging Access Control ACI PlacementACI Evaluation ACI LimitationsDefault ACIs Default ACIsCreating ACIs Manually Defining Targets ACI SyntaxDefining Targets Aci attribute uses the following syntaxKeyword Valid Expressions Wildcard Allowed Ldif Target KeywordsTargetattr Targetfilter175 Targeting a Directory EntryTargeting Attributes 177 Targeting Both an Entry and Attributes178 Targeting Entries or Attributes Using Ldap FiltersTargeting Attribute Values Using Ldap Filters Targeting a Single Directory Entry Defining PermissionsAssigning Rights Allowing or Denying AccessDefining Permissions Assigning rightsUser Rights Rights Required for Ldap OperationsSelfwrite to the targeted entry, excluding Proxy rights183 Permissions Syntax Access Control and the modrdn OperationBind Rules Bind Rule Syntax Bind Rule SyntaxUserdn Yes, in DN onlyLdif Bind Rule Keywords Defining User Access userdn KeywordGroupdn Ldap///DN DN Roledn Userattr DnsGeneral Access all Keyword Anonymous Access anyone KeywordSelf Access self Keyword Parent Access parent KeywordScenExamplerio Description WildcardsExamples Userdn Keyword Examples Defining Group Access groupdn KeywordGroupdn Examples Defining Group Access groupdn KeywordDefining Role Access roledn Keyword Defining Access Based on Value Matching Defining Access Based on Value MatchingUsing the userattr Keyword AttrValue is any string representing an attribute value Example with Userdn Bind TypeExample with Groupdn Bind Type 193 Example with Roledn Bind TypeExample with Ldapurl Bind Type Example with Any Attribute Value Using the userattr Keyword with InheritanceGranting Add Permission Using the userattr Keyword Using Inheritance With the userattr KeywordDefining Access from a Specific IP Address Defining Access from a Specific Domain Defining Access from a Specific DomainInstead, use a fully qualified name Dns keyword allows wildcards. For exampleDefining Access at a Specific Time of Day or Day of Week Defining Access Based on Authentication Defining Access Based on Authentication MethodAuthmethod = saslmechanism Method Using Boolean Bind RulesAuthentication bind DN and password over Ldaps Creating ACIs from the Console Click New to open the Access Control Editor Displaying the Access Control EditorDisplaying the Access Control Editor Creating a New ACI Access Control Editor WindowCreating a New ACI Managing Access Control Creating a New ACI Managing Access Control Editing an ACI Editing an ACIControl Manager Viewing ACIsDeleting an ACI Get effective rights result looks like the following Get Effective Rights ControlGet Effective Rights Control Permissions Permissions That Can Be Set on Entries Using Get Effective Rights from the Command-LinePermissions That Can Be Set on Attributes Permission DescriptionUsing Get Effective Rights from 214 Get Effective Rights Return Codes Using Get Effective Rights from the ConsoleCheck the Show effective rights checkbox Code DescriptionReturned Result Codes Logging Access Control InformationAccess Control Usage Examples Granting Anonymous Access Granting Anonymous AccessClick OK in the Access Control Editor window Click New to display the Access Control EditorACI Anonymous example.com ACI Anonymous WorldFilter for subentries field, type the following filter Granting Write Access to Personal EntriesGranting Write Access to Personal Entries 220 ACI Write example.comACI Write Subscribers Restricting Access to Key Roles ACI Roles Restricting Access to Key RolesSee , Using Roles Ldif statement should read as follows Granting a Group Full Access to a SuffixACI HR ACI Create Group Granting Rights to Add and Delete Group EntriesManaging Access Control Entries Granting Conditional Access to a Group or RoleACI Delete Group 228 ACI HostedCompany1Ldif statement should be similar to the following Denying AccessDenying Access ACI Billing Info Read 231 ACI Billing Info DenyAllowing Users to Add or Remove Themselves from a Group Setting a Target Using FilteringAllowing Users to Add or Remove ACI Group MembersDefining Permissions for DNs That Contain a Comma Proxied Authorization ACI ExampleThemselves from a Group Advanced Access Control Using Macro ACIsMacro ACI Example 236 Example Directory Tree for Macro ACIsMacro ACI Syntax Macro ACI SyntaxMacro ACI Keyword Macro Matching for $dnMacros in ACI Keywords $dn in the subject is replaced with dc=hostedCompany1 Steps for expanding this ACI are as follows240 Macro Matching for $attr.attrNameFor example, consider the following ACI Compatibility with Earlier Releases Access Control and ReplicationAccess Control and Replication 242 Configuring the Password Policy Managing the Password PolicyManaging User Accounts and Passwords Configuring a Global Password Policy Using the ConsoleConfiguring the Password Policy Check the Enable fine-grained password policy checkbox Configuring a Subtree/User Password Policy Using the ConsoleAttribute Name Definition Configuring a Global Password Policy Using the Command-LineGiven by the passwordMaxAge attribute Users password will expire after an intervalMaking passwords expire helps protect Directory data because the longer a passwordFor example, setting the minimum password Discourage users from reusing old passwordsChanging their passwords during a single Session to cycle through the password historyPasswords can be two 2 to 512 characters Shorter passwords are easier to crackIt down. This attribute is set to 8 by default Attributes, respectively. By default, thisDefault method This attribute is set to 3 by defaultCompatibility with Unix passwords Lowercase letters a to zPassword Policy Attributes CoS specification entry at the subtree level. For example 254 Password Change Extended Operation Setting User PasswordsSetting User Passwords Start the server256 Ldappasswd OptionsParameter Description Configuring the Account Lockout Policy Configuring the Account Lockout PolicyConfiguring the Account Lockout Policy Using the Console Attribute Name Definition Account Lockout Policy Attributes Managing the Password Policy in a Replicated EnvironmentManaging the Password Policy in a Synchronizing Passwords Replicated Environment Inactivating Users and RolesOption Name Description Inactivating User and Roles Using the ConsoleInactivating User and Roles Using the Command-Line Activating User and Roles Using the Command-Line Activating User and Roles Using the ConsoleActivating User and Roles Using DN of the user account or role to activateSetting Resource Limits Using the Console Setting Resource Limits Based on the Bind DNEntering a value of -1indicates no limit Click OK Setting Resource Limits Using the Command-Line266 Read-Write and Read-Only Replicas Replication OverviewWhat Directory Units Are Replicated Changelog Suppliers and ConsumersReplication Identity Managing ReplicationReplication Agreement Replication AgreementCompatibility with Earlier Versions of Directory Server Single-Master Replication Replication ScenariosMulti-Master Replication Multi-Master Replication272 Multi-Master Replication Two MastersMulti-Master Replication Four Masters Replication Cascading ReplicationCreating the Supplier Bind DN Entry Creating the Supplier Bind DN EntryConfiguring Single-Master Replication Configuring the Read-Write Replica on Configuring the Read-Write Replica on the Supplier ServerConfiguring the Read-Only Replica on the Consumer Supplier Server Create the Replication Agreement Create the Replication Agreement Managing Replication Create the Replication Agreement Replication will not begin until the consumer is initialized Configuring Multi-Master Replication Configuring the Read-Write Replicas on the Supplier Servers Configuring Multi-Master Replication287 Configuring the Read-Write Replicas onManaging Replication Supplier Servers Configuring the Read-Only Replicas on the Consumer ServersManaging Replication Setting up the Replication Agreements Setting up the Replication AgreementsManaging Replication Setting up the Replication Agreements Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized 297 Preventing Monopolization of the ConsumerConfiguring Cascading Replication Configuring the Read-Write Replica on the Supplier Server Configuring the Read-Only Replica on the Consumer Server Configuring the Read-Only Replica on Configuring the Read-Only Replica on the Hub Consumer Server Managing Replication Setting up the Replication Agreements Managing Replication DN and password Managing Replication Setting up the Replication Agreements Replication will not begin until the consumer is initialized Configuring Replication from the Command Configuring Replication from the Command LineConfiguring Suppliers from the Command Line 312 Line Changelog AttributesObject Class or Attribute Description Values Changelog, to which314 Consumer. This is required forConfiguring Consumers from the Command Configuring Consumers from the Command LineForward update requests. By Replica AttributesConfiguring Hubs from the Command Line Configuring Replication Agreements from the Command Line Parameter to SSL. If TLS/SSL 318 Qualified host and domainReplication between Servers Nsds5replicabindcredentials Configuring Replication Agreements fromNsds5replicatedattributelist Objectclass=* $ Exclude Attributes will not be320 Midnight and 2359 is PM. For example, the settingReplication Agreement Attributes Command Line Initializing Consumers Online from the Command LineDeleting the Changelog Making a Replica UpdatableRemoving the Changelog Initializing ConsumersMoving the Changelog to a New Location Moving the Changelog to a New LocationOnline Consumer Initialization Using the Console When to Initialize a ConsumerInitializing Consumers Online Using Initializing Consumers Online Using the Command LineExporting a Replica to Ldif Manual Consumer Initialization Using the Command LineImporting the Ldif File to the Consumer Server Filesystem Replica InitializationInitializing the Consumer Replica from the Backup Files Forcing Replication Updates Forcing Replication UpdatesStop the destination Directory Server if it is running Restart the destination Directory Server. For exampleForcing Replication Updates from the Command-Line Forcing Replication Updates from the ConsoleExample 8.1. ReplicateNow Script Example Replicating Account Lockout AttributesReplicateNow Variables Replicating Account Lockout AttributesReplication over SSL Replicating o=NetscapeRoot for Select SSL Client AuthenticationSelect Simple Authentication Directory Server Installation Guide See , Enabling and Disabling Plug-ins Administration Server FailoverReplication with Earlier Releases Using the Retro Changelog Plug-in Attributes of a Retro Changelog Entry Enabling the Retro Changelog Plug-inEnabling the Retro Changelog Plug-in Retro Changelog EntryTrimming the Retro Changelog Retro Changelog and the Access Control Retro Changelog and the Access Control PolicyMonitoring Replication Status Searching and Modifying the Retro ChangelogTable Header Description Monitoring Replication Status from Administration ExpressDirectory Server Console Replication Status Table header shows the replica ID 341 PolicySolving Common Replication Conflicts Solving Naming Conflicts Solving Naming ConflictsRenaming an Entry with a Multi-Valued Naming Attribute 344 Unique identifier attribute nsuniqueid cannot be deletedRenaming an Entry with a Single-Valued Naming Attribute Solving Orphan Entry Conflicts Solving Potential Interoperability ProblemsTroubleshooting Replication-Related Troubleshooting Replication-Related ProblemsError/Symptom Reason Impact Remedy Problems If it has been But some consumers Follows Are way behind SupplierReplayed to all Direct consumersSee Section Replication ErrorsMonitoring Replication Status352 Managing Attributes Overview of Extending SchemaViewing Attributes Create new attributes, as in .2, Creating AttributesField Extending the Directory SchemaName SyntaxAttributes Tab Reference Creating AttributesCreating Attributes Field DescriptionOIDs are described in .1, Attributes Tab Reference Editing AttributesDeleting Attributes Managing Object Classes This procedure is explained in .4, Deleting AttributesViewing Object Classes Managing Object Classes358 ReferenceParent Creating Object Classes Creating Object ClassesObject Classes Tab Reference Click OK to save the new object class Editing Object ClassesDeleting Object Classes Deleting Object ClassesTurning Schema Checking On and Off About Index Types About IndexesOverview of Default Indexes About Default, System, and Standard IndexesManaging Indexes Attribute Pres Sub PurposeMaintaining About Default, System, and StandardReferential Integrity for366 Default IndexesOverview of System Indexes Overview of Standard Indexes Overview of the Searching AlgorithmSystem Indexes Attribute Pres PurposeManaging Indexes Approximate Searches Approximate SearchesBalancing the Benefits of Indexing Directory Server is maintaining the following indexes 370 Creating Indexes Creating IndexesCreating Indexes from the Server Console Adding an Index Entry Creating Indexes from the Command-LineCreating Indexes from the Command-Line 374 To create a new index for a particular database, add it toCreating Indexes from the Command-Line Db2index.pl Options Running the db2index.pl ScriptRun the db2index.pl Perl script Db2index Options describes the db2index.pl optionsCreating Browsing Indexes from the Server Console Creating Browsing Indexes from the Command-LineAdding a Browsing Index Entry Creating Browsing Indexes fromManaging Indexes This first browsing index entry must be added to Running the vlvindex ScriptVlvindex Options Setting Access Control for VLV InformationStop the server.3 Run the vlvindex scriptDeleting Indexes Deleting IndexesA text editor, open the dse.ldif file Change ldap//all to ldap//anyone and save your changesDeleting Indexes from the Server Console Deleting Indexes from the Command-LineLdapdelete Options describes the ldapdelete options Deleting Indexes from the Command-LineDeleting an Index Entry Run the db2index.pl Perl script. For example Ldapdelete OptionsDeleting Browsing Indexes from the Server Console Deleting Browsing Indexes from the Command-LineDeleting a Browsing Index Entry Db2index OptionsOption Description Vlvindex Options describes the vlvindex options Managing IndexesSearch Performance Indexing PerformanceBackwards Compatibility and Migration Attribute Primary Name Attribute Alias Attribute Name Quick Reference TableBackwards Compatibility and Migration 391 Attribute Name Quick Reference TableAttribute Name Quick Reference Table 392 Enabling SSL Summary of Steps Introduction to TLS/SSL in the Directory ServerTurn on TLS/SSL in the directory Command-Line Functions for Start TLSManaging SSL Obtaining and Installing Server Certificates Obtaining and Installing Server CertificatesTroubleshooting Start TLS Generate a Certificate Request Generate a Certificate Request Managing SSL After generating the certificate request, send it to the CA Send the Certificate RequestInstall the Certificate Trust the Certificate Authority Trust the Certificate AuthorityConfirm That The New Certificates Are Installed Using certutilGenerate the Directory Server client certificate Create a password file for the security token passwordCreating Directory Server Certificates 404 Through the Command Line Starting the Server with TLS/SSL EnabledCertutil Usage Certutil OptionsSelect the certificate to use from the drop-down menu Click Cipher SettingsEnabling TLS/SSL Only in the Directory Server Enabling TLS/SSL Only in the Directory Described in , Starting and Stopping Servers 409 Server Click Cipher SettingsCheck the Use SSL in the Console box. Hit Save Creating a Password File for the Directory Server Creating a Password File for Creating a Password File for the Administration ServerAvailable Ciphers Setting Security PreferencesRestart the Administration Server TLSv1 Ciphers Administration ServerSSLv3 Ciphers Click Cipher SettingSelecting the Encryption Cipher Encryption tab, click Save Using Certificate-Based AuthenticationUsing Certificate-Based Authentication Allowing/Requiring Client Authentication Setting up Certificate-Based AuthenticationConfiguring Ldap Clients to Use SSL Configuring Ldap Clients to Use SSLStop the Directory Server Now start Red Hat ConsoleBegin Certificate Client certificate resembles the followingConfiguring Ldap Clients to Use SSL Click Set Value 420 Managing Sasl Authentication MechanismsManaging Sasl Sasl is configured by entries under a container entry 422Sasl Identity Mapping 423 Sasl Identity MappingSasl identity mapping entries are children of this entry Configuring Sasl Identity Mapping from the Console Configuring Sasl Identity Mapping from Configuring Kerberos Configuring Sasl Identity Mapping from the Command-LineSupported Kerberos Systems Operating System Kerberos VersionRealms Configuring the KDC ServerExample Configuring an Example KDC Server Configuring Sasl Authentication at Configuring Sasl Authentication at Directory Server StartupManaging Sasl Defining a Log File Rotation Policy Viewing and Configuring Log FilesAdministration Express Monitoring Server and Database Activity Viewing the Access Log Access LogDefining a Log File Deletion Policy Defining a Log File Deletion PolicyDisplay to refresh automatically every ten seconds Configuring the Access LogError Log Error LogViewing the Error Log Click Save 436 Configuring the Error LogContaining text box, and click Refresh Audit Log Configuring the Audit LogViewing the Audit Log Audit LogMonitoring Server Activity Manual Log File RotationMonitoring the Server from the Directory Monitoring the Server from the Directory Server ConsoleResource Summary General Information ServerResource Usage Since Startup Average Per Minute Resource Current TotalServer Console Current Resource UsageConnection can account for multiple Operations, and therefore multiple threadsConnection Status Monitoring the Directory Server from Monitoring the Directory Server from the Command LineGlobal Database Cache Information 444 Attribute DescriptionTime GMT in UTC format Monitoring Database ActivityServer Monitoring Attributes Maximum Cache Size setting. See Section See , Tuning DatabaseGeneral Information Database Performance Metric Current TotalCache setting. See , Tuning Tuning Database Performance forSummary Information Monitoring Database Activity from10. Database File-Specific Monitoring Databases from the Command LineDatabase Cache Information Directory Server Console Maximum Entries in Cache attribute 11. Directory Server Monitoring Attributes Monitoring Database Link ActivityMonitoring Database Link Activity Lower the number of page evicts the better452 12. Database Link Monitoring AttributesAbout Snmp SnmpSubagent Configuration File Configuring the Master Agent Configuring the SubagentMonitoring Directory Server Using Snmp Agentx-masterAgent-logdir Starting the SubagentServer Starting the SubagentTesting the Subagent Configuring Snmp TrapsConfiguring the Directory Server for Snmp Configuring the Directory Server for SnmpUsing the Management Information Base Managed Object Description Operations TableEntries Table Operations Table Managed Objects and DescriptionsEntries Table Managed Objects and Descriptions Entries TableEntity Table Interaction Table Interaction TableEntity Table Managed Objects and Descriptions Management subsystem was initialized, this Interaction Table Managed Objects and DescriptionsObject will contain a value of zero 462Tuning Server Performance Tuning Directory Server PerformanceOptimizing Search Performance Tuning Database PerformanceTuning Directory Server Performance Optimizing Search Performance Changing the Location of the Database Transaction Log Tuning Transaction LoggingChanging the Database Checkpoint Interval Changing the Database Checkpoint IntervalSpecifying Transaction Batching Miscellaneous Tuning TipsDisabling Durable Transactions Avoid Creating Entries Under the cn=config 470 Bit Check Plug-in Server Plug-in Functionality ReferenceACL Plug-in Details of 7-Bit Check Plug-inACL Preoperation Plug-in Administering Directory Server Plug-insBinary Syntax Plug-in Details of ACI Plug-inCase Exact String Syntax Plug-in Boolean Syntax Plug-inDetails of Binary Syntax Plug-in Details of Boolean Syntax Plug-inChaining Database Plug-in Case Ignore String Syntax Plug-inDetails of Case Exact String Syntax Plug-in Details of Case Ignore String Syntax Plug-inDetails of Class of Service Plug-in Class of Service Plug-inClass of Service Plug-in Country String Syntax Plug-inGeneralized Time Syntax Plug-in Distinguished Name Syntax Plug-in10. Details of Country String Plug-in 11. Details of Distinguished Name Syntax Plug-inInternationalization Plug-in Integer Syntax Plug-in12. Details of Generalized Time Syntax Plug-in 13. Details of Integer Syntax Plug-inLegacy Replication Plug-in Ldbm Database Plug-in14. Details of Internationalization Plug-in 15. Details of ldbm Database Plug-inOctet String Syntax Plug-in Multi-Master Replication Plug-in16. Details of Legacy Replication Plug-in 17. Details of Multi-Master Replication Plug-inCrypt Password Storage Plug-in Clear Password Storage Plug-in19. Details of Clear Password Storage Plug-in 18. Details of Octet String Syntax Plug-in20. Details of Crypt Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in21. Details of NS-MTA-MD5 Password Storage Plug-in NS-MTA-MD5 Password Storage Plug-in22. Details of SHA Password Storage Plug-in SHA Password Storage Plug-inSsha Password Storage Plug-in Postal Address String Syntax Plug-in 23. Details of Ssha Password Storage Plug-inPTA Plug-in 24. Details of Postal Address String Syntax Plug-inAuthentication Plug-in Using the Pass-throughSee , Using the Pass-through Referential Integrity Postoperation Plug-in26. Details of Referential Integrity Post-Operation Plug-in Retro Changelog Plug-inRetro Changelog Plug-in See , Managing Indexes forSpace Insensitive String Syntax Plug-in Roles Plug-in27. Details of Retro Changelog Plug-in 28. Details of Roles Plug-in29. Details of Space Insensitive String Syntax Plug-in State Change Plug-inState Change Plug-in See Appendix B, Finding Directory EntriesUID Uniqueness Plug-in Telephone Syntax Plug-in30. Details of State Change Plug-in 31. Details of Telephone Syntax Plug-inURI Plug-in See , Using the Attribute32. Details of UID Uniqueness Plug-in URI Plug-in33. Details of URI Plug-in Enabling and Disabling Plug-insHow Directory Server Uses PTA Using the Pass-through Authentication Plug-inPTA Plug-in Syntax Using the Pass-through Authentication Plug-inVariable Definition PTA Plug-in SyntaxSpecifying the Pass-through Subtree for Configuring the Optional Parameters forSee .5, Configuring the Optional PTA Plug-in Parameters Configuring the PTA Plug-inConfiguring the PTA Plug-in Turning the Plug-in On or Off Configuring the Servers to Use a Secure ConnectionSpecifying the Authenticating Directory Server Specifying the Pass-through Subtree Specifying the Pass-through SubtreeConfiguring the Optional Parameters PTA Plug-in Syntax Examples PTA Plug-in Syntax ExamplesUsing Non-Default Parameter Values Specifying Multiple Authenticating Directory ServersSpecifying Different Optional Parameters 502 Overview of the Attribute Uniqueness Plug-in Using the Attribute Uniqueness Plug-inAttribute Uniqueness Plug-in Syntax Using the Attribute Uniqueness Plug-in505 Attribute Uniqueness Plug-in SyntaxSee .3.1, Turning the Plug-in On or Attribute Uniqueness Plug-in Variables Creating an Instance of the Attribute Uniqueness Plug-inConfiguring Attribute Uniqueness Plug-ins Configuring Attribute Uniqueness Plug-insViewing Plug-in Configuration Information From the Property Editor From the Configuration tab509 Turning the Plug-in On or OffSpecifying a Suffix or Subtree Using the markerObjectClass and requiredObjectClass Keywords Attribute Uniqueness Plug-in Syntax Examples From the Command-LineSpecifying One Attribute and One Subtree Specifying One Attribute and Multiple SubtreesSimple Replication Scenario Replication and the Attribute Uniqueness Plug-inMulti-Master Replication Scenario Multi-Master Replication Scenario514 About Windows Sync Active Directory Directory Server Synchronization Process 517 About Windows SyncConfigure SSL on Directory Server Configuring Windows SyncSelect the Enterprise Root CA option Configure the Active Directory DomainConfigure the Active Directory Iv. Accept the certificate request. For example Select or Create the Sync IdentityDomain Install and Configure the Password Sync ServiceReboot the Windows machine to start Password Sync Hit Next, then Finish to install Password Sync523 Install and Configure the PasswordGive trusted peer status to the server Configure the Directory Server Database for SynchronizationCreate the Synchronization Agreement Sync ServiceSetting up the Sync Agreement Begin Synchronization Using Windows SyncBegin Synchronization Synchronizing Users Synchronizing Groups Deleting EntriesSynchronizing Users 529 Synchronizing UsersDirectory Server Active Directory PhysicalDeliveryOfficeName Synchronizing GroupsDeleting Entries Deleting EntriesNtGroupAttributes NtGroupId Name SamAccountName NtGroupType Description Member SeeAlsoManually Updating and Resynchronizing Entries Resurrecting EntriesChecking Synchronization Status Checking Synchronization StatusModifying the Sync Agreement Password Policies Schema DifferencesGroups Values for street and streetAddressModifying Password Sync Password Sync ServiceStarting and Stopping the Password Sync Service Contraints on the initials attributeUninstalling Password Sync Service TroubleshootingTo uninstall the Password Sync service, do the following Open the Add/Remove Programs utility537 Troubleshooting538 About the Ldif File Format Appendix A. Ldap Data Interchange FormatTable A.1. Ldif Fields Continuing Lines in LdifAppendix A. Ldap Data Interchange Format Field DefinitionStandard Ldif Notation Representing Binary DataBase-64 Encoding Representing Binary DataSpecifying Domain Entries Specifying Directory Entries Using LdifSpecifying Organizational Unit Entries Table A.2. Ldif Elements in Domain EntriesDomain Entries Ldif Element DescriptionSpecifying Organizational Unit Entries Specifying Organizational Person Entries Specifying Organizational Person EntriesTable A.3. Ldif Elements in Organizational Unit Entries Table A.4. Ldif Elements in Person Entries Defining Directories Using Ldif547 Defining Directories Using LdifLdif File Example Storing Information in Multiple Languages Storing Information in Multiple Languages550 File contents are then converted to UTF-8Figure B.1. Browsing Entries in the Directory Tab Finding Entries Using the Directory Server ConsoleAppendix B. Finding Directory Entries Using ldapsearchLdapsearch command must use the following format Ldapsearch Command-Line FormatCommonly Used ldapsearch Options Commonly Used ldapsearch Options Returning All Entries Ldapsearch ExamplesSearching the Schema Entry Specifying Search Filters on the Command LineUsing Ldapbasedn Searching the Root DSE EntryThis example assumes the search base is set with Ldapbasedn Specifying Search Filters Using a FileDisplaying Subsets of Attributes Ldap Search Filters Using Client Authentication When SearchingSpecifying DNs That Contain Commas in Search Filters Ldap Search FiltersUsing Operators in Search Filters Using Attributes in Search FiltersSearch Filter Syntax Basic syntax of a search filter isTable B.1. Search Filter Operators Using Compound Search FiltersSearch Filter Syntax Search Type Operator DescriptionTable B.2. Search Filter Boolean Operators Operator Symbol DescriptionSearch Filter Examples Searching an Internationalized Directory Searching an Internationalized DirectoryMatching Rule Formats Matching Rule Filter SyntaxUsing a Language Tag for the Matching Rule Using an OID for the Matching RuleMatching Rule Filter Syntax 565Using an OID and Suffix for the Matching Rule Using Wildcards in Matching Rule FiltersUsing a Language Tag and Suffix for the Matching Rule Table B.3, Search Types, Operators, and SuffixesSearch Type Operator Suffix Supported Search TypesSupported Search Types Less-Than Example International Search ExamplesLess-Than or Equal-to Example Equality ExampleGreater-Than Example Greater-Than or Equal-to ExampleSubstring Example International Search Examples570 But either one of these will work correctlyLdap URLs have the following syntax Components of an Ldap URLComponent Hostname PortComponent Description Table C.1. Ldap URL ComponentsAppendix C. Ldap URLs Examples of Ldap URLs Escaping Unsafe CharactersEscaping Unsafe Characters Unsafe Character Escape CharactersExample 575 Examples of Ldap URLs576 About Locales Appendix D. InternationalizationLocale Language Tag Collation Order Object Identifiers OIDs Identifying Supported LocalesAppendix D. Internationalization 579 Table D.1. Supported LocalesSupported Language Subtypes Supported Language Subtypes Table D.2. Supported Language Subtypes Troubleshooting Matching RulesTroubleshooting Matching Rules 582 See Also ID list scan limit See Also access control instructionSee Also access control list Value GlossarySee base DN See bind DNSee Certificate Authority See Also virtual list view indexThat provides client access to the directory Directory Access Protocol. The ISO X.500 standard protocolSee Ldap client See Also template entrySee directory tree See CoS definition entrySee distinguished name See Directory ManagerSee Directory Server Gateway See Also cascading replication See Ldap Data Interchange Format See Snmp master agent See supplierDirectory tree See object identifier See Also access rightsEncoded messages which form the basis of data exchanges Between Snmp devices. Also protocol data unitName. Also relative distinguished name Receives to the authenticating directory serverAuthenticating directory server, pass-through subtrees, Process is called a referral Request for Comments. Procedures or standards documentsSubmitted to the Internet community. People can send Comments on the technologies before they become acceptedSee supplier-initiated replication Directory Server during installationServer Instance Entry. The ID assigned to an instance See Snmp subagent Simple Network Management ProtocolSubagent See Also browsing index See CoS template entryProtocol. Also Transport Layer Security Page 600 Index Index Page Index Page Index Ldapbasedn Index Ldif Index MIB Index Page Index Page MIB Page Index