Administrators Guide
Red Hat Directory Server
Red Hat Directory Server 8.0 Administrators Guide
Copyright 2008 Red Hat, Inc
Red Hat Directory Server
General Red Hat Directory Server Usage
Creating and Maintaining Database Links
Creating and Maintaining Suffixes
Creating and Maintaining Databases
Creating a New Database Link
Page
Red Hat Directory Server
Page
Red Hat Directory Server
Page
Red Hat Directory Server
Page
Red Hat Directory Server
Page
Xvi
Directory Server Overview
Preface
Document Conventions
Example and Default References
When shown as below, it indicates computer output
Preface
Document Conventions
Xix
Related Information
Directory Server File Locations
Chapter
File or Directory Location
Red Hat Enterprise Linux 4 and 5
General Red Hat Directory Server Usage
Ldap Tool Locations
Sun Solaris 9 sparc
HP-UX 11i IA64
Binaries
Platform Directory Location
Ldap Tool Locations
Starting and Stopping Servers
Opt/dirsrv/bin
Start the Directory Server Console
Starting and Stopping Directory Server from the Console
Starting and Stopping Directory Server from
Starting and Stopping Administration Server
Solaris uses /etc/init.d
Console
On Solaris, the service is init.d
Starting the Directory Server Console
HP-UX has a different location for the script
Logging into Directory Server
Changing Login Identity
Login screen
Click Log on to the Directory Server as a New User
Viewing the Current Console Bind DN
Changing Directory Server Port Numbers
Viewing the Current Console Bind DN
General Red Hat Directory Server Usage
Creating a New Directory Server Instance
Open the Administration Server Console
Configuration tab, select the Configuration DS tab
Creating a New Directory Server Instance
Configuring the Directory Manager
Configuring the Directory Manager
Page
Managing Entries from the Directory Console
Creating a Root Entry
Creating Directory Entries
Directory Server Console, select the Configuration tab
Creating Directory Entries
Template Object Class
Creating Other Types of Entries
Creating an Entry Using a Predefined Template
Role NsRoleDefinition Class of Service CosSuperDefinition
Entry Templates and Corresponding Object Classes
Modifying Directory Entries
Displaying the Property Editor
Adding an Attribute to an Entry
Adding an Object Class to an Entry
Removing an Object Class
Modifying Directory Entries
Adding Very Large Attributes
Adding Attribute Values
Removing an Attribute Value
Binary Subtype
Adding an Attribute Subtype
Language Subtype
Instead, use
Adding a Subtype to an Attribute
Deleting Directory Entries
Pronunciation Subtype
Deleting Directory Entries
Entries, use Ctrl or Shift Select Delete from the Edit menu
Managing Entries from the Command-Line
Providing Input from the Command-Line
Creating a Root Entry from
Creating a Root Entry from the Command-Line
See , Ldif Update Statements
Import the Ldif file from the Directory Server Console
Adding Entries Using Ldif
Adding and Modifying Entries Using ldapmodify
Parameter Name Description
Adding Entries Using ldapmodify
Command-Line
Ldapmodify Parameters Used for Adding Entries
Modifying Entries Using ldapmodify
Input from the Command-Line
Ldapmodify Parameters Used for Modifying Entries
Deleting Entries Using ldapdelete
Deleting Entries Using ldapdelete
Hostname is cyclops Server uses port number
Are branch points in the directory tree
This ldapdelete example has the following values
Tracking Modifications to Directory Entries
Using Special Characters
Using Special Characters
Ldapdelete Parameters Used for Deleting Entries
Open the Tasks tab, and click Restart Directory Server
Ldif Update Statements
Select the Track Entry Modification Times checkbox
Ldif Update Statements
General format of Ldif update statements is as follows
Adding an Entry Using Ldif
Following sections describe the change types in detail
Following command renames Sue Jacobs to Susan Jacobs
Renaming an Entry Using Ldif
Renaming an Entry Using Ldif
Modifying an Entry Using Ldif
Addattribute
Following example adds two telephone numbers to the entry
Adding Attributes to Existing Entries Using Ldif
Modifying an Entry Using Ldif
Changing an Attribute Value Using Ldif
Entry is now as follows
Deleting All Values of an Attribute Using Ldif
Deleting a Specific Attribute Value Using Ldif
Deleting an Entry Using Ldif
Barneys entry then becomes
How Referential Integrity Works
Maintaining Referential Integrity
Modifying an Entry in an Internationalized Directory
Modifying an Entry in an Internationalized
Using Referential Integrity with Replication
Enabling/Disabling Referential Integrity
Modifying the Update Interval
You can enable or disable referential integrity as follows
Directory
Modifying the Attribute List
TIP
Modifying the Attribute List
Page
Creating and Maintaining Suffixes
A Sample Directory Tree with One Root Suffix
Creating Suffixes
Configuring Directory Databases
Creating Suffixes 1, Using Referrals in a Suffix
A Sample Directory Tree with a Sub Suffix
Creating Suffixes
Creating a New Root Suffix Using the Console
Creating a New Sub Suffix Using the Console
Creating Root and Sub Suffixes from the Command-Line
Attribute Name Value
Maintaining Databases for more information
Creating and Maintaining Database Links for
Attribute. See , Creating
Creating and Maintaining Databases for
Suffix Attributes
Using Referrals in a Suffix
Maintaining Suffixes
Maintaining Suffixes
Enabling Referrals Only During Update Operations
Disabling a Suffix
To requests from client applications Click Save
Deleting a Suffix
Creating and Maintaining Databases
Creating Databases
Creating Databases
Configuring Directory Databases
Adding Multiple Databases for a Single Suffix
For example, add a new database to the server example1
Configuring Directory Databases
Maintaining Directory Databases
Placing a Database in Read-Only Mode
Maintaining Directory Databases
Select the database is read-only checkbox
Making a Database Read-Only Using the Console
Making a Database Read-Only from the Command Line
Change the read-only attribute to on
Select the Make Entire Server Read-Only checkbox
Placing the Entire Directory Server in Read-Only Mode
Deleting a Database
Click Save, and then restart the server
Configuring Transaction Logs for Frequent Database Updates
Database Encryption
Encryption Keys
Database Encryption
Select the Attribute Encryption tab
Configuring Database Encryption from the Console
Encryption Ciphers
Exporting and Importing an Encrypted Database
Configuring Database Encryption Using the Command-Line
Run the ldapmodify command1
See .3, Importing from the Command-Linefor more information
Chaining Component Operations
Configuring the Chaining Policy
Creating and Maintaining Database Links
Creating and Maintaining Database Links
Component Name Description Permissions
NsActiveChainingComponents Cn=resource
Configuring the Chaining Policy
NsActiveChainingComponents Cn=certificate-based
Chaining Component Operations Using the Console
Components Allowed to Chain
Plug-in
Chaining Component Operations from the Command-Line
Chaining Ldap Controls
Chaining Ldap Controls Using the Console
Chaining Ldap Controls from the Command-Line
Ldap Controls and Their OIDs
Creating a New Database Link Using the Console
Creating a New Database Link
Creating a New Database Link
Configuring Directory Databases
Creating a Database Link from the Command-Line
Specify the configuration information for the database link
Providing Suffix Information
Providing Bind Credentials
NsMultiplexorBindDN cannot be that of the Directory Manager
Providing an Ldap URL
File
Summary of Database Link Configuration Attributes
Providing a List of Failover Servers
Attributes Value
1, Chaining Component
Operations
Attributes Value
Run ldapmodify1 to add a database link to server a
Create an administrative user on server B, as follows
Enable SSL on the server that contains the database link
Chaining Using SSL
Updating Remote Server Authentication Information
Maintaining Database Links
Deleting Database Links
Database Links and Access Control Evaluation
Database Links and Access Control
Configuring Directory Databases
Managing Connections to the Remote Server
Advanced Feature Tuning Database Link Performance
Managing Connections to the Remote Server Using the Console
Evaluation
Attribute Name Description
Database Link Connection Management Attributes
Detecting Errors During Normal Processing
Advanced Feature Tuning Database Link
Database Link Processing Error Detection Parameters
Managing Threaded Operations
Performance
Advanced Feature Configuring Cascading Chaining
Overview of Cascading Chaining
Configuring Directory Databases
Configuring Cascading Chaining Defaults Using the Console
Advanced Feature Configuring Cascading
Configuring Cascading Chaining Using the Console
Configuring Cascading Chaining from the Command-Line
Chaining
Configuring Directory Databases
Attribute Description
Summary of Cascading Chaining Configuration Attributes
Detecting Loops
Aci This attribute must contain the following ACI
Cascading Chaining Configuration Example
Cascading Chaining Configuration Attributes
Configuring Server One
101
Configuring Server Two
102
103
Configuring Directory Databases
Configuring Server Three
Allow this
Client on server two
Using Referrals
Starting the Server in Referral Mode
Setting a Default Referral from the Command-Line
Setting Default Referrals
Setting a Default Referral Using the Console
Setting Default Referrals
Creating Smart Referrals Using the Directory Server Console
Creating Smart Referrals
109
Creating Smart Referrals from the Command Line
Creating Smart Referrals
Creating Suffix Referrals Using the Console
Creating Suffix Referrals
Creating Suffix Referrals from the Command-Line
Creating Suffix Referrals
Configuring Directory Databases
Action Import Initialize Database
Importing Data
Import Method Comparison
Following sections describe importing data
Importing a Database from the Console
Populating Directory Databases
Initializing a Database from the Console
Initializing a Database from the Console
Importing from the Command-Line
Importing Using the ldif2db Command-Line Script
Importing from the Command-Line
Option Description
Run the ldif2db script
Importing Using the ldif2db.pl Perl Script
Ldif2db Parameters
Exporting Data
Importing Using the ldif2ldap Command-Line Script
Run the ldif2ldap command-line script
Ldif2db Options
Splitting a Database Contents into Two Databases
Exporting Directory Data to Ldif Using the Console
Exporting Directory Data to Ldif Using
Exporting a Single Database to Ldif Using the Console
Exporting to Ldif from the Command-Line
Directory and is automatically named
Run the db2ldif command-line script
Ldif file in this case would be
With the -noption or 123
Backing up All Databases from the Server Console
Backing up and Restoring Data
Backing up All Databases
Db2ldif Options
Backing up All Databases
Backing up All Databases from the Command-Line
Run the db2bak command-line script
Click Back Up Directory Server
Restore Directory dialog box is displayed 126
Backing up the dse.ldif Configuration File
Click Restore Directory Server
Restoring All Databases
Using bak2db.pl Perl Script
Restoring Your Database from the Command-Line
Using the bak2db Command-Line Script
Restoring All Databases
Restart the Directory Server
Restoring a Single Database
Run the bak2db.pl Perl script
Restoring Databases That Include
Restoring the dse.ldif Configuration File
Restoring Databases That Include Replicated Entries
130
Using Roles
About Roles
Managing Entries with Roles, Class of Service, and Views
Managing Roles Using the Console
Managing Roles Using the Console
Creating a Managed Role
134
135
Creating a Filtered Role
Follow the steps of .2.1, Creating a Managed Role
Create a new role, as in .2.1, Creating a Managed Role
Creating a Nested Role
Viewing and Editing an Entrys Roles
136
137
Modifying a Role Entry
Making a Role Inactive
Reactivating a Role
Deleting a Role
Object Classes and Attributes for Roles
Managing Roles Using the Command-Line
Managing Roles Using the Command-Line
Dialog box appears to confirm the deletion. Click Yes
Examples Managed Role Definition
Example Filtered Role Definition
141
Using Roles Securely
Example Nested Role Definition
Assigning Class of Service
Assigning Class of Service
About CoS
About the CoS Definition Entry
About CoS
About the CoS Template Entry
How a Pointer CoS Works
How an Indirect CoS Works
Sample Pointer CoS
How a Classic CoS Works
Sample Indirect CoS
Searches for CoS-Specified Attributes
Sample Classic CoS
Creating a New CoS
Managing CoS Using the Console
Managing CoS Using the Console
150
Creating the CoS Template Entry
Property Editor opens
Editing an Existing CoS
Deleting a CoS
Managing CoS from the Command-Line
Managing CoS from the Command-Line
Creating the CoS Definition Entry from the Command-Line
CoS Type Object Classes Description
Attribute Definition
CoS Definition Entry Object Classes
CoS Definition Entry Attributes
Managing CoS from the Command-Line
Pointer CoS
CoS Definitions
CoS Type CoS definition
Indirect CoS
Creating the CoS Template Entry from the Command-Line
Be added to any other search filter using or
Example of a Pointer CoS
158
Example of an Indirect CoS
Create the template entry
Example of a Classic CoS
Classic CoS definition entry looks like
Creating Role-Based Attributes
Creating Role-Based Attributes
Using Views
Access Control and CoS
Creating Views in the Console
Creating Views in the Console
Creating Views from the Command Line
Deleting Views from the Directory Server Console
Deleting Views from the Command Line
Using Groups
Deleting Views from the Command Line
Managing Static Groups
Adding a New Static Group
Modifying a Static Group
Modifying a Dynamic Group
Managing Dynamic Groups
Adding a New Dynamic Group
Managing Dynamic Groups
168
Access Control Principles
ACI Structure
ACI Evaluation
ACI Placement
Managing Access Control
ACI Limitations
Default ACIs
Default ACIs
Creating ACIs Manually
Defining Targets
ACI Syntax
Defining Targets
Aci attribute uses the following syntax
Targetattr
Ldif Target Keywords
Keyword Valid Expressions Wildcard Allowed
Targetfilter
Targeting a Directory Entry
175
Targeting Attributes
Targeting Both an Entry and Attributes
177
Targeting Entries or Attributes Using Ldap Filters
178
Targeting Attribute Values Using Ldap Filters
Defining Permissions
Targeting a Single Directory Entry
Defining Permissions
Allowing or Denying Access
Assigning Rights
Assigning rights
Selfwrite to the targeted entry, excluding
Rights Required for Ldap Operations
User Rights
Proxy rights
183
Permissions Syntax
Access Control and the modrdn Operation
Bind Rules
Userdn
Bind Rule Syntax
Bind Rule Syntax
Yes, in DN only
Groupdn Ldap///DN DN Roledn Userattr
Defining User Access userdn Keyword
Ldif Bind Rule Keywords
Dns
Self Access self Keyword
Anonymous Access anyone Keyword
General Access all Keyword
Parent Access parent Keyword
ScenExamplerio Description
Wildcards
Examples
Defining Group Access groupdn Keyword
Userdn Keyword Examples
Groupdn Examples
Defining Group Access groupdn Keyword
Defining Role Access roledn Keyword
Defining Access Based on Value Matching
Defining Access Based on Value Matching
Using the userattr Keyword
AttrValue is any string representing an attribute value
Example with Userdn Bind Type
Example with Groupdn Bind Type
193
Example with Roledn Bind Type
Example with Ldapurl Bind Type
Using the userattr Keyword with Inheritance
Example with Any Attribute Value
Using Inheritance With the userattr Keyword
Granting Add Permission Using the userattr Keyword
Defining Access from a Specific IP Address
Instead, use a fully qualified name
Defining Access from a Specific Domain
Defining Access from a Specific Domain
Dns keyword allows wildcards. For example
Defining Access at a Specific Time of Day or Day of Week
Defining Access Based on Authentication Method
Defining Access Based on Authentication
Authmethod = saslmechanism
Method
Using Boolean Bind Rules
Authentication bind DN and password over Ldaps
Creating ACIs from the Console
Click New to open the Access Control Editor
Displaying the Access Control Editor
Displaying the Access Control Editor
Access Control Editor Window
Creating a New ACI
Creating a New ACI
Managing Access Control
Creating a New ACI
Managing Access Control
Editing an ACI
Editing an ACI
Control Manager
Viewing ACIs
Deleting an ACI
Get effective rights result looks like the following
Get Effective Rights Control
Get Effective Rights Control Permissions
Permissions That Can Be Set on Attributes
Using Get Effective Rights from the Command-Line
Permissions That Can Be Set on Entries
Permission Description
Using Get Effective Rights from
214
Check the Show effective rights checkbox
Using Get Effective Rights from the Console
Get Effective Rights Return Codes
Code Description
Returned Result Codes
Logging Access Control Information
Access Control Usage Examples
Granting Anonymous Access
Granting Anonymous Access
ACI Anonymous example.com
Click New to display the Access Control Editor
Click OK in the Access Control Editor window
ACI Anonymous World
Filter for subentries field, type the following filter
Granting Write Access to Personal Entries
Granting Write Access to Personal Entries
ACI Write example.com
220
ACI Write Subscribers
Restricting Access to Key Roles
ACI Roles
Restricting Access to Key Roles
See , Using Roles
Ldif statement should read as follows
Granting a Group Full Access to a Suffix
ACI HR
Granting Rights to Add and Delete Group Entries
ACI Create Group
Managing Access Control
Entries
Granting Conditional Access to a Group or Role
ACI Delete Group
ACI HostedCompany1
228
Ldif statement should be similar to the following
Denying Access
Denying Access
ACI Billing Info Read
ACI Billing Info Deny
231
Setting a Target Using Filtering
Allowing Users to Add or Remove Themselves from a Group
ACI Group Members
Allowing Users to Add or Remove
Proxied Authorization ACI Example
Defining Permissions for DNs That Contain a Comma
Themselves from a Group
Advanced Access Control Using Macro ACIs
Macro ACI Example
Example Directory Tree for Macro ACIs
236
Macro ACI Syntax
Macro ACI Syntax
Macro ACI Keyword
Macro Matching for $dn
Macros in ACI Keywords
Steps for expanding this ACI are as follows
$dn in the subject is replaced with dc=hostedCompany1
240
Macro Matching for $attr.attrName
For example, consider the following ACI
Compatibility with Earlier Releases
Access Control and Replication
Access Control and Replication
242
Managing the Password Policy
Configuring the Password Policy
Configuring a Global Password Policy Using the Console
Managing User Accounts and Passwords
Configuring the Password Policy
Configuring a Subtree/User Password Policy Using the Console
Check the Enable fine-grained password policy checkbox
Configuring a Global Password Policy Using the Command-Line
Attribute Name Definition
Making passwords expire helps protect
Users password will expire after an interval
Given by the passwordMaxAge attribute
Directory data because the longer a password
Changing their passwords during a single
Discourage users from reusing old passwords
For example, setting the minimum password
Session to cycle through the password history
It down. This attribute is set to 8 by default
Shorter passwords are easier to crack
Passwords can be two 2 to 512 characters
Attributes, respectively. By default, this
Compatibility with Unix passwords
This attribute is set to 3 by default
Default method
Lowercase letters a to z
Password Policy Attributes
CoS specification entry at the subtree level. For example
254
Setting User Passwords
Setting User Passwords
Password Change Extended Operation
Start the server
256
Ldappasswd Options
Parameter Description
Configuring the Account Lockout Policy
Configuring the Account Lockout Policy
Configuring the Account Lockout Policy Using the Console
Attribute Name Definition
Account Lockout Policy Attributes
Managing the Password Policy in a Replicated Environment
Managing the Password Policy in a
Synchronizing Passwords
Inactivating Users and Roles
Replicated Environment
Option Name Description
Inactivating User and Roles Using the Console
Inactivating User and Roles Using the Command-Line
Activating User and Roles Using
Activating User and Roles Using the Console
Activating User and Roles Using the Command-Line
DN of the user account or role to activate
Setting Resource Limits Based on the Bind DN
Setting Resource Limits Using the Console
Setting Resource Limits Using the Command-Line
Entering a value of -1indicates no limit Click OK
266
Read-Write and Read-Only Replicas
Replication Overview
What Directory Units Are Replicated
Replication Identity
Suppliers and Consumers
Changelog
Managing Replication
Replication Agreement
Replication Agreement
Compatibility with Earlier Versions of Directory Server
Replication Scenarios
Single-Master Replication
Multi-Master Replication
Multi-Master Replication
Multi-Master Replication Two Masters
272
Multi-Master Replication Four Masters
Cascading Replication
Replication
Creating the Supplier Bind DN Entry
Creating the Supplier Bind DN Entry
Configuring Single-Master Replication
Configuring the Read-Write Replica on the Supplier Server
Configuring the Read-Write Replica on
Configuring the Read-Only Replica on the Consumer
Supplier Server
Create the Replication Agreement
Create the Replication Agreement
Managing Replication
Create the Replication Agreement
Replication will not begin until the consumer is initialized
Configuring Multi-Master Replication
Configuring Multi-Master Replication
Configuring the Read-Write Replicas on the Supplier Servers
Configuring the Read-Write Replicas on
287
Managing Replication
Configuring the Read-Only Replicas on the Consumer Servers
Supplier Servers
Managing Replication
Setting up the Replication Agreements
Setting up the Replication Agreements
Managing Replication
Setting up the Replication Agreements
Managing Replication
Setting up the Replication Agreements
Replication will not begin until the consumer is initialized
Preventing Monopolization of the Consumer
297
Configuring Cascading Replication
Configuring the Read-Write Replica on the Supplier Server
Configuring the Read-Only Replica on the Consumer Server
Configuring the Read-Only Replica on
Configuring the Read-Only Replica on the Hub
Consumer Server
Managing Replication
Setting up the Replication Agreements
Managing Replication
DN and password
Managing Replication
Setting up the Replication Agreements
Replication will not begin until the consumer is initialized
Configuring Replication from the Command
Configuring Replication from the Command Line
Configuring Suppliers from the Command Line
312
Object Class or Attribute Description Values
Changelog Attributes
Line
Changelog, to which
Consumer. This is required for
314
Forward update requests. By
Configuring Consumers from the Command Line
Configuring Consumers from the Command
Replica Attributes
Configuring Hubs from the Command Line
Configuring Replication Agreements from the Command Line
Qualified host and domain
Parameter to SSL. If TLS/SSL 318
Nsds5replicatedattributelist
Configuring Replication Agreements from
Replication between Servers Nsds5replicabindcredentials
Objectclass=* $ Exclude Attributes will not be
320
Midnight and 2359 is PM. For example, the setting
Replication Agreement Attributes
Initializing Consumers Online from the Command Line
Command Line
Making a Replica Updatable
Deleting the Changelog
Moving the Changelog to a New Location
Initializing Consumers
Removing the Changelog
Moving the Changelog to a New Location
When to Initialize a Consumer
Online Consumer Initialization Using the Console
Initializing Consumers Online Using the Command Line
Initializing Consumers Online Using
Manual Consumer Initialization Using the Command Line
Exporting a Replica to Ldif
Filesystem Replica Initialization
Importing the Ldif File to the Consumer Server
Initializing the Consumer Replica from the Backup Files
Stop the destination Directory Server if it is running
Forcing Replication Updates
Forcing Replication Updates
Restart the destination Directory Server. For example
Forcing Replication Updates from the Console
Forcing Replication Updates from the Command-Line
ReplicateNow Variables
Replicating Account Lockout Attributes
Example 8.1. ReplicateNow Script Example
Replicating Account Lockout Attributes
Replication over SSL
Replicating o=NetscapeRoot for
Select SSL Client Authentication
Select Simple Authentication
Directory Server Installation Guide
See , Enabling and Disabling Plug-ins
Administration Server Failover
Replication with Earlier Releases
Using the Retro Changelog Plug-in
Enabling the Retro Changelog Plug-in
Enabling the Retro Changelog Plug-in
Attributes of a Retro Changelog Entry
Retro Changelog Entry
Trimming the Retro Changelog
Monitoring Replication Status
Retro Changelog and the Access Control Policy
Retro Changelog and the Access Control
Searching and Modifying the Retro Changelog
Table Header Description
Monitoring Replication Status from Administration Express
Directory Server Console Replication Status
Policy
Table header shows the replica ID 341
Solving Common Replication Conflicts
Solving Naming Conflicts
Solving Naming Conflicts
Renaming an Entry with a Multi-Valued Naming Attribute
Unique identifier attribute nsuniqueid cannot be deleted
344
Renaming an Entry with a Single-Valued Naming Attribute
Solving Potential Interoperability Problems
Solving Orphan Entry Conflicts
Troubleshooting Replication-Related Problems
Troubleshooting Replication-Related
Error/Symptom Reason Impact Remedy
Problems
Replayed to all
But some consumers Follows Are way behind Supplier
If it has been
Direct consumers
Monitoring
Replication Errors
See Section
Replication Status
352
Viewing Attributes
Overview of Extending Schema
Managing Attributes
Create new attributes, as in .2, Creating Attributes
Name
Extending the Directory Schema
Field
Syntax
Creating Attributes
Creating Attributes
Attributes Tab Reference
Field Description
OIDs are described in .1, Attributes Tab Reference
Editing Attributes
Deleting Attributes
Viewing Object Classes
This procedure is explained in .4, Deleting Attributes
Managing Object Classes
Managing Object Classes
358
Reference
Parent
Creating Object Classes
Creating Object Classes
Object Classes Tab Reference
Editing Object Classes
Click OK to save the new object class
Deleting Object Classes
Deleting Object Classes
Turning Schema Checking On and Off
About Indexes
About Index Types
Managing Indexes
About Default, System, and Standard Indexes
Overview of Default Indexes
Attribute Pres Sub Purpose
Referential
About Default, System, and Standard
Maintaining
Integrity for
366
Default Indexes
Overview of System Indexes
System Indexes
Overview of the Searching Algorithm
Overview of Standard Indexes
Attribute Pres Purpose
Managing Indexes
Approximate Searches
Approximate Searches
Balancing the Benefits of Indexing
Directory Server is maintaining the following indexes 370
Creating Indexes
Creating Indexes
Creating Indexes from the Server Console
Adding an Index Entry
Creating Indexes from the Command-Line
Creating Indexes from the Command-Line
To create a new index for a particular database, add it to
374
Creating Indexes from the Command-Line
Run the db2index.pl Perl script
Running the db2index.pl Script
Db2index.pl Options
Db2index Options describes the db2index.pl options
Adding a Browsing Index Entry
Creating Browsing Indexes from the Command-Line
Creating Browsing Indexes from the Server Console
Creating Browsing Indexes from
Managing Indexes
Running the vlvindex Script
This first browsing index entry must be added to
Stop the server.3
Setting Access Control for VLV Information
Vlvindex Options
Run the vlvindex script
A text editor, open the dse.ldif file
Deleting Indexes
Deleting Indexes
Change ldap//all to ldap//anyone and save your changes
Deleting Indexes from the Command-Line
Deleting Indexes from the Server Console
Ldapdelete Options describes the ldapdelete options
Deleting Indexes from the Command-Line
Deleting an Index Entry
Ldapdelete Options
Run the db2index.pl Perl script. For example
Deleting a Browsing Index Entry
Deleting Browsing Indexes from the Command-Line
Deleting Browsing Indexes from the Server Console
Db2index Options
Option Description
Managing Indexes
Vlvindex Options describes the vlvindex options
Indexing Performance
Search Performance
Backwards Compatibility and Migration
Attribute Primary Name Attribute Alias
Attribute Name Quick Reference Table
Backwards Compatibility and Migration
391
Attribute Name Quick Reference Table
Attribute Name Quick Reference Table
392
Introduction to TLS/SSL in the Directory Server
Enabling SSL Summary of Steps
Turn on TLS/SSL in the directory
Command-Line Functions for Start TLS
Managing SSL
Obtaining and Installing Server Certificates
Obtaining and Installing Server Certificates
Troubleshooting Start TLS
Generate a Certificate Request
Generate a Certificate Request
Managing SSL
Send the Certificate Request
After generating the certificate request, send it to the CA
Install the Certificate
Trust the Certificate Authority
Trust the Certificate Authority
Using certutil
Confirm That The New Certificates Are Installed
Generate the Directory Server client certificate
Create a password file for the security token password
Creating Directory Server Certificates
404
Certutil Usage
Starting the Server with TLS/SSL Enabled
Through the Command Line
Certutil Options
Select the certificate to use from the drop-down menu
Click Cipher Settings
Enabling TLS/SSL Only in the Directory Server
Enabling TLS/SSL Only in the Directory
Described in , Starting and Stopping Servers
409
Server Click Cipher Settings
Check the Use SSL in the Console box. Hit Save
Creating a Password File for the Directory Server
Creating a Password File for the Administration Server
Creating a Password File for
Available Ciphers
Setting Security Preferences
Restart the Administration Server
Administration Server
TLSv1 Ciphers
SSLv3 Ciphers
Click Cipher Setting
Selecting the Encryption Cipher
Encryption tab, click Save
Using Certificate-Based Authentication
Using Certificate-Based Authentication
Setting up Certificate-Based Authentication
Allowing/Requiring Client Authentication
Stop the Directory Server
Configuring Ldap Clients to Use SSL
Configuring Ldap Clients to Use SSL
Now start Red Hat Console
Client certificate resembles the following
Begin Certificate
Configuring Ldap Clients to Use SSL Click Set Value
420
Authentication Mechanisms
Managing Sasl
Managing Sasl
Sasl is configured by entries under a container entry 422
Sasl Identity Mapping
423
Sasl Identity Mapping
Sasl identity mapping entries are children of this entry
Configuring Sasl Identity Mapping from the Console
Configuring Sasl Identity Mapping from
Supported Kerberos Systems
Configuring Sasl Identity Mapping from the Command-Line
Configuring Kerberos
Operating System Kerberos Version
Configuring the KDC Server
Realms
Example Configuring an Example KDC Server
Configuring Sasl Authentication at Directory Server Startup
Configuring Sasl Authentication at
Managing Sasl
Defining a Log File Rotation Policy
Viewing and Configuring Log Files
Administration Express
Monitoring Server and Database Activity
Defining a Log File Deletion Policy
Access Log
Viewing the Access Log
Defining a Log File Deletion Policy
Configuring the Access Log
Display to refresh automatically every ten seconds
Error Log
Error Log
Viewing the Error Log
Click Save 436
Configuring the Error Log
Containing text box, and click Refresh
Viewing the Audit Log
Configuring the Audit Log
Audit Log
Audit Log
Manual Log File Rotation
Monitoring Server Activity
Monitoring the Server from the Directory Server Console
Monitoring the Server from the Directory
Resource Usage Since Startup Average Per Minute
General Information Server
Resource Summary
Resource Current Total
Connection can account for multiple
Current Resource Usage
Server Console
Operations, and therefore multiple threads
Connection Status
Monitoring the Directory Server from
Monitoring the Directory Server from the Command Line
Global Database Cache Information
Attribute Description
444
Time GMT in UTC format
Monitoring Database Activity
Server Monitoring Attributes
General Information Database
See , Tuning Database
Maximum Cache Size setting. See Section
Performance Metric Current Total
Summary Information
Tuning Database Performance for
Cache setting. See , Tuning
Monitoring Database Activity from
10. Database File-Specific
Monitoring Databases from the Command Line
Database Cache Information
Directory Server Console
Maximum Entries in Cache attribute
Monitoring Database Link Activity
Monitoring Database Link Activity
11. Directory Server Monitoring Attributes
Lower the number of page evicts the better
12. Database Link Monitoring Attributes
452
Snmp
About Snmp
Monitoring Directory Server Using Snmp
Configuring the Master Agent Configuring the Subagent
Subagent Configuration File
Agentx-master
Server
Starting the Subagent
Agent-logdir
Starting the Subagent
Configuring Snmp Traps
Testing the Subagent
Configuring the Directory Server for Snmp
Configuring the Directory Server for Snmp
Using the Management Information Base
Operations Table
Managed Object Description
Operations Table Managed Objects and Descriptions
Entries Table
Entries Table Managed Objects and Descriptions
Entries Table
Entity Table
Interaction Table
Interaction Table
Entity Table Managed Objects and Descriptions
Object will contain a value of zero
Interaction Table Managed Objects and Descriptions
Management subsystem was initialized, this
462
Tuning Directory Server Performance
Tuning Server Performance
Optimizing Search Performance
Tuning Database Performance
Tuning Directory Server Performance
Optimizing Search Performance
Tuning Transaction Logging
Changing the Location of the Database Transaction Log
Changing the Database Checkpoint Interval
Changing the Database Checkpoint Interval
Specifying Transaction Batching
Miscellaneous Tuning Tips
Disabling Durable Transactions
Avoid Creating Entries Under the cn=config
470
ACL Plug-in
Server Plug-in Functionality Reference
Bit Check Plug-in
Details of 7-Bit Check Plug-in
Binary Syntax Plug-in
Administering Directory Server Plug-ins
ACL Preoperation Plug-in
Details of ACI Plug-in
Details of Binary Syntax Plug-in
Boolean Syntax Plug-in
Case Exact String Syntax Plug-in
Details of Boolean Syntax Plug-in
Details of Case Exact String Syntax Plug-in
Case Ignore String Syntax Plug-in
Chaining Database Plug-in
Details of Case Ignore String Syntax Plug-in
Class of Service Plug-in
Class of Service Plug-in
Details of Class of Service Plug-in
Country String Syntax Plug-in
10. Details of Country String Plug-in
Distinguished Name Syntax Plug-in
Generalized Time Syntax Plug-in
11. Details of Distinguished Name Syntax Plug-in
12. Details of Generalized Time Syntax Plug-in
Integer Syntax Plug-in
Internationalization Plug-in
13. Details of Integer Syntax Plug-in
14. Details of Internationalization Plug-in
Ldbm Database Plug-in
Legacy Replication Plug-in
15. Details of ldbm Database Plug-in
16. Details of Legacy Replication Plug-in
Multi-Master Replication Plug-in
Octet String Syntax Plug-in
17. Details of Multi-Master Replication Plug-in
19. Details of Clear Password Storage Plug-in
Clear Password Storage Plug-in
Crypt Password Storage Plug-in
18. Details of Octet String Syntax Plug-in
21. Details of NS-MTA-MD5 Password Storage Plug-in
NS-MTA-MD5 Password Storage Plug-in
20. Details of Crypt Password Storage Plug-in
NS-MTA-MD5 Password Storage Plug-in
22. Details of SHA Password Storage Plug-in
SHA Password Storage Plug-in
Ssha Password Storage Plug-in
PTA Plug-in
23. Details of Ssha Password Storage Plug-in
Postal Address String Syntax Plug-in
24. Details of Postal Address String Syntax Plug-in
See , Using the Pass-through
Using the Pass-through
Authentication Plug-in
Referential Integrity Postoperation Plug-in
Retro Changelog Plug-in
Retro Changelog Plug-in
26. Details of Referential Integrity Post-Operation Plug-in
See , Managing Indexes for
27. Details of Retro Changelog Plug-in
Roles Plug-in
Space Insensitive String Syntax Plug-in
28. Details of Roles Plug-in
State Change Plug-in
State Change Plug-in
29. Details of Space Insensitive String Syntax Plug-in
See Appendix B, Finding Directory Entries
30. Details of State Change Plug-in
Telephone Syntax Plug-in
UID Uniqueness Plug-in
31. Details of Telephone Syntax Plug-in
32. Details of UID Uniqueness Plug-in
See , Using the Attribute
URI Plug-in
URI Plug-in
Enabling and Disabling Plug-ins
33. Details of URI Plug-in
Using the Pass-through Authentication Plug-in
How Directory Server Uses PTA
Using the Pass-through Authentication Plug-in
PTA Plug-in Syntax
PTA Plug-in Syntax
Variable Definition
Specifying the Pass-through Subtree for
Configuring the Optional Parameters for
See .5, Configuring the Optional
PTA Plug-in Parameters
Configuring the PTA Plug-in
Configuring the PTA Plug-in
Turning the Plug-in On or Off
Configuring the Servers to Use a Secure Connection
Specifying the Authenticating Directory Server
Specifying the Pass-through Subtree
Specifying the Pass-through Subtree
Configuring the Optional Parameters
PTA Plug-in Syntax Examples
PTA Plug-in Syntax Examples
Specifying Multiple Authenticating Directory Servers
Using Non-Default Parameter Values
Specifying Different Optional Parameters
502
Using the Attribute Uniqueness Plug-in
Overview of the Attribute Uniqueness Plug-in
Using the Attribute Uniqueness Plug-in
Attribute Uniqueness Plug-in Syntax
505
Attribute Uniqueness Plug-in Syntax
See .3.1, Turning the Plug-in On or
Creating an Instance of the Attribute Uniqueness Plug-in
Attribute Uniqueness Plug-in Variables
Configuring Attribute Uniqueness Plug-ins
Configuring Attribute Uniqueness Plug-ins
Viewing Plug-in Configuration Information
From the Configuration tab
From the Property Editor
509
Turning the Plug-in On or Off
Specifying a Suffix or Subtree
Using the markerObjectClass and requiredObjectClass Keywords
Specifying One Attribute and One Subtree
From the Command-Line
Attribute Uniqueness Plug-in Syntax Examples
Specifying One Attribute and Multiple Subtrees
Replication and the Attribute Uniqueness Plug-in
Simple Replication Scenario
Multi-Master Replication Scenario
Multi-Master Replication Scenario
514
About Windows Sync
Active Directory Directory Server Synchronization Process
About Windows Sync
517
Configuring Windows Sync
Configure SSL on Directory Server
Select the Enterprise Root CA option
Configure the Active Directory Domain
Configure the Active Directory
Select or Create the Sync Identity
Iv. Accept the certificate request. For example
Install and Configure the Password Sync Service
Domain
Hit Next, then Finish to install Password Sync
Reboot the Windows machine to start Password Sync
Install and Configure the Password
523
Configure the Directory Server Database for Synchronization
Give trusted peer status to the server
Sync Service
Create the Synchronization Agreement
Setting up the Sync Agreement
Begin Synchronization
Using Windows Sync
Begin Synchronization
Synchronizing Users Synchronizing Groups Deleting Entries
Synchronizing Users
529
Synchronizing Users
Directory Server Active Directory
Synchronizing Groups
PhysicalDeliveryOfficeName
NtGroupAttributes NtGroupId Name SamAccountName NtGroupType
Deleting Entries
Deleting Entries
Description Member SeeAlso
Resurrecting Entries
Manually Updating and Resynchronizing Entries
Checking Synchronization Status
Checking Synchronization Status
Modifying the Sync Agreement
Groups
Schema Differences
Password Policies
Values for street and streetAddress
Starting and Stopping the Password Sync Service
Password Sync Service
Modifying Password Sync
Contraints on the initials attribute
To uninstall the Password Sync service, do the following
Troubleshooting
Uninstalling Password Sync Service
Open the Add/Remove Programs utility
Troubleshooting
537
538
Appendix A. Ldap Data Interchange Format
About the Ldif File Format
Appendix A. Ldap Data Interchange Format
Continuing Lines in Ldif
Table A.1. Ldif Fields
Field Definition
Base-64 Encoding
Representing Binary Data
Standard Ldif Notation
Representing Binary Data
Specifying Directory Entries Using Ldif
Specifying Domain Entries
Domain Entries
Table A.2. Ldif Elements in Domain Entries
Specifying Organizational Unit Entries
Ldif Element Description
Specifying Organizational Unit Entries
Specifying Organizational Person Entries
Specifying Organizational Person Entries
Table A.3. Ldif Elements in Organizational Unit Entries
Defining Directories Using Ldif
Table A.4. Ldif Elements in Person Entries
Defining Directories Using Ldif
547
Ldif File Example
Storing Information in Multiple Languages
Storing Information in Multiple Languages
File contents are then converted to UTF-8
550
Finding Entries Using the Directory Server Console
Figure B.1. Browsing Entries in the Directory Tab
Using ldapsearch
Appendix B. Finding Directory Entries
Ldapsearch Command-Line Format
Ldapsearch command must use the following format
Commonly Used ldapsearch Options
Commonly Used ldapsearch Options
Ldapsearch Examples
Returning All Entries
Using Ldapbasedn
Specifying Search Filters on the Command Line
Searching the Schema Entry
Searching the Root DSE Entry
This example assumes the search base is set with Ldapbasedn
Specifying Search Filters Using a File
Displaying Subsets of Attributes
Specifying DNs That Contain Commas in Search Filters
Using Client Authentication When Searching
Ldap Search Filters
Ldap Search Filters
Search Filter Syntax
Using Attributes in Search Filters
Using Operators in Search Filters
Basic syntax of a search filter is
Search Filter Syntax
Using Compound Search Filters
Table B.1. Search Filter Operators
Search Type Operator Description
Table B.2. Search Filter Boolean Operators
Operator Symbol Description
Search Filter Examples
Searching an Internationalized Directory
Searching an Internationalized Directory
Matching Rule Filter Syntax
Matching Rule Formats
Matching Rule Filter Syntax
Using an OID for the Matching Rule
Using a Language Tag for the Matching Rule
565
Using a Language Tag and Suffix for the Matching Rule
Using Wildcards in Matching Rule Filters
Using an OID and Suffix for the Matching Rule
Table B.3, Search Types, Operators, and Suffixes
Search Type Operator Suffix
Supported Search Types
Supported Search Types
Less-Than or Equal-to Example
International Search Examples
Less-Than Example
Equality Example
Substring Example
Greater-Than or Equal-to Example
Greater-Than Example
International Search Examples
But either one of these will work correctly
570
Component
Components of an Ldap URL
Ldap URLs have the following syntax
Hostname Port
Component Description
Table C.1. Ldap URL Components
Appendix C. Ldap URLs
Escaping Unsafe Characters
Escaping Unsafe Characters
Examples of Ldap URLs
Unsafe Character Escape Characters
Example
Examples of Ldap URLs
575
576
Appendix D. Internationalization
About Locales
Locale Language Tag Collation Order Object Identifiers OIDs
Identifying Supported Locales
Appendix D. Internationalization
579
Table D.1. Supported Locales
Supported Language Subtypes
Supported Language Subtypes
Table D.2. Supported Language Subtypes
Troubleshooting Matching Rules
Troubleshooting Matching Rules
582
See Also ID list scan limit
See Also access control instruction
See Also access control list
See base DN
Glossary
Value
See bind DN
See Also virtual list view index
See Certificate Authority
See Ldap client
Directory Access Protocol. The ISO X.500 standard protocol
That provides client access to the directory
See Also template entry
See distinguished name
See CoS definition entry
See directory tree
See Directory Manager
See Directory Server Gateway
See Also cascading replication
See Ldap Data Interchange Format
See supplier
See Snmp master agent
Directory tree
Encoded messages which form the basis of data exchanges
See Also access rights
See object identifier
Between Snmp devices. Also protocol data unit
Name. Also relative distinguished name
Receives to the authenticating directory server
Authenticating directory server, pass-through subtrees,
Submitted to the Internet community. People can send
Request for Comments. Procedures or standards documents
Process is called a referral
Comments on the technologies before they become accepted
See supplier-initiated replication
Directory Server during installation
Server Instance Entry. The ID assigned to an instance
See Snmp subagent
Simple Network Management Protocol
Subagent
See Also browsing index
See CoS template entry
Protocol. Also Transport Layer Security
Page
600
Index
Index
Page
Index
Page
Index
Ldapbasedn
Index
Ldif
Index
MIB
Index
Page
Index
Page
MIB
Page
Index
