Distribution of substantively modified versions of this document is prohibited without the explicit permission of the
copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is
prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other
countries.
All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
1801 Varsity Drive
Raleigh, NC 27606-2072
USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709
USA
Red Hat Directory Server 8.0
Preface  xvii
1. Directory Server Overview  xvii
2. Example and Default References  xviii
Index  601
Preface
Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory
server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory
Server is the cornerstone for building a centralized and distributed data repository that can be
used in your intranet, over your extranet with your trading partners, or over the public Internet to
reach your customers.
This Administrator's Guide describes all of the administration tasks you need to perform to
maintain Directory Server.
1. Directory Server Overview
Directory Server provides the following key features:
• Multi-master replication — Provides a highly available directory service for both read and
write operations. Multi-master replication can be combined with simple and cascading
replication scenarios to provide a highly flexible and scalable replication environment.
• Chaining and referrals — Increases the power of your directory by storing a complete logical
view of your directory on a single server while maintaining data on a large number of
Directory Servers transparently for clients.
• Roles and classes of service — Provides a flexible mechanism for grouping and sharing
attributes between entries in a dynamic fashion.
• Improved access control mechanisms — Provides support for macros that dramatically
reduce the number of access control statements used in the directory and increase the
scalability of access control evaluation.
• Resource-limits by bind DN — Grants the power to control the amount of server resources
allocated to search operations based on the bind DN of the client.
• Multiple databases — Provides a simple way of breaking down your directory data to simplify
the implementation of replication and chaining in your directory service.
• Password policy and account lockout — Defines a set of rules that govern how passwords
and user accounts are managed in the Directory Server.
• TLS and SSL — Provides secure authentication and communication over the network, using
the Mozilla Network Security Services (NSS) libraries for cryptography.
The major components of Directory Server include the following:
• An LDAP server — The LDAP v3-compliant network daemon.
• Directory Server Console — A graphical management console that dramatically reduces the
effort of setting up and maintaining your directory service.
• SNMP agent — Can monitor the Directory Server using the Simple Network Management
Protocol (SNMP).
2. Example and Default References
There are differences between the command, directory, and file locations in Red Hat Enterprise
Linux, Sun Solaris, and HP-UX Directory Server installations. Locations for other platforms are
listed in Section 1, “Directory Server File Locations”. These differences impact the
documentation in two ways:
• The file locations used in the examples or referenced in the procedures are the default
locations on Red Hat Enterprise Linux.
• The default commands used in the examples are also the default commands on Red Hat
Enterprise Linux.
There is another important consideration with the Directory Server tools. The LDAP tools
referenced in this guide are the Mozilla LDAP tools, installed with Directory Server in
/usr/lib/mozldap (or /usr/lib64/mozldap on x86_64) on Red Hat Enterprise Linux 5; directories
for other platforms are listed in Chapter 1, General Red Hat Directory Server Usage.
However, Red Hat Enterprise Linux systems also include the LDAP tools from OpenLDAP in the
/usr/bin directory. It is possible to use the OpenLDAP commands as shown in the examples,
but you must add the -x argument to select a simple bind, because the OpenLDAP tools attempt
a SASL bind by default.
3. Document Conventions
Certain words in this manual are represented in different fonts, styles, and weights. This
highlighting indicates that the word is part of a specific category. The categories include the
following:
Courier font
Courier font represents commands, file names and paths, and prompts.
When shown in a block of its own, it indicates computer output.
Bold Courier font represents text that you are to type, such as: service jonas start
If you have to run a command as root, the root prompt (#) precedes the command:
# gconftool-2
italic Courier font
Italic Courier font represents a variable, such as an installation directory:
install_dir/bin/
bold font
Bold font represents application programs and text found on a graphical interface.
When shown like this: OK, it indicates a button on a graphical application interface.
Additionally, the manual uses different strategies to draw your attention to pieces of information.
In order of how critical the information is to you, these items are marked as follows:
Note
A note is typically information that you need to understand the behavior of the
system.
Tip
A tip is typically an alternative way of performing a task.
Important
Important information is necessary, but possibly unexpected, such as a
configuration change that will not persist after a reboot.
Caution
A caution indicates an act that would violate your support agreement, such as
recompiling the kernel.
Warning
A warning indicates potential data loss, as may happen when tuning hardware
for maximum performance.
4. Related Information
This manual describes how to administer the Directory Server and its contents. The instructions
for installing the various Directory Server components are contained in the Red Hat Directory
Server Installation Guide.
The document set for Directory Server also contains the following guides:
• Red Hat Directory Server Release Notes - Contains important information on new features,
fixed bugs, known issues and workarounds, and other important deployment information for
this specific version of Directory Server.
• Red Hat Directory Server Configuration, Command, and File Reference - Provides reference
information on the command-line scripts, configuration attributes, and log files shipped with
Directory Server.
• Red Hat Directory Server Installation Guide - Contains procedures for installing your Directory
Server as well as procedures for migrating from a previous installation of Directory Server.
For the latest information about Directory Server, including current release notes, complete
product documentation, technical notes, and deployment information, see the Red Hat Directory
Server documentation site at http://www.redhat.com/docs/manuals/dir-server/.
Chapter 1. General Red Hat Directory Server Usage
The Red Hat Directory Server product includes a directory service, an administration server to
manage multiple server instances, and a Java-based console to manage server instances
through a graphical interface. This chapter provides an overview of the basic tasks for
administering a directory service.
The Directory Server is a robust, scalable server designed to manage an enterprise-wide
directory of users and resources. It is based on an open-systems server protocol called the
Lightweight Directory Access Protocol (LDAP). Directory Server runs the ns-slapd daemon on
the host machine. The server manages the directory databases and responds to client requests.
Directory Server 8.0 is comprised of several components, which work in tandem:
• The Directory Server is the core LDAP server daemon. It is compliant with LDAP v3
standards. This component includes command-line server management and administration
programs and scripts for common operations like exporting and backing up databases.
• The Directory Server Console is the user interface that simplifies managing users, groups,
and other LDAP data for your enterprise. The Console is used for all aspects of server
management, including making backups; configuring security, replication, and databases;
adding entries; and monitoring servers and viewing statistics.
• The Administration Server is the management agent which administers Directory Server
instances. It communicates with the Directory Server Console and performs operations on the
Directory Server instances. It also provides a simple HTML interface and online help pages.
Most Directory Server administrative tasks are available through the Directory Server Console,
but it is also possible to administer the Directory Server by manually editing the configuration
files or by using command-line utilities.
1. Directory Server File Locations
Red Hat Directory Server 8.0 conforms to the Filesystem Hierarchy Standards. For more
information on FHS, see the FHS homepage, http://www.pathname.com/fhs/. The files and
directories installed with Directory Server are listed in the tables below for each supported
platform.
In the file locations listed in the following tables, instance is the server instance name that was
given during setup. By default, this is the leftmost component of the fully-qualified host and
domain name. For example, if the hostname is ldap.example.com, the instance name is ldap
by default.
The Administration Server directories are named the same as the Directory Server directories,
only instead of the instance as a directory name, the Administration Server directories are
named admin-serv. For any directory or folder named slapd-instance, substitute admin-serv,
such as /etc/dirsrv/slapd-example and /etc/dirsrv/admin-serv.
Red Hat Directory Server uses Mozilla LDAP tools — such as ldapsearch, ldapmodify, and
ldapdelete — for command-line operations. The MozLDAP tools are installed with Directory
Server.
Platform                            Directory Location
Red Hat Enterprise Linux 4 i386     /usr/lib/mozldap6
Red Hat Enterprise Linux 4 x86_64   /usr/lib64/mozldap6
Red Hat Enterprise Linux 5 i386     /usr/lib/mozldap
Red Hat Enterprise Linux 5 x86_64   /usr/lib64/mozldap
Sun Solaris                         /usr/lib/sparcv9/mozldap
HP-UX                               /opt/dirsrv/bin
For all Red Hat Directory Server guides and documentation, the LDAP tools used in the
examples, such as ldapsearch and ldapmodify, are the Mozilla LDAP tools. For most Linux
systems, OpenLDAP tools are already installed in the /usr/bin/ directory. These OpenLDAP
tools are not supported for Directory Server operations. For the best results with the Directory
Server, make sure the path to the Mozilla LDAP tools comes first in the PATH or use the full path
and file name for every LDAP operation.
However, these OpenLDAP tools can be used for Directory Server operations with certain
cautions:
• The output of the other tools may be different, so it may not look like the examples in the
documentation.
• The OpenLDAP tools require the -x argument to select a simple bind (the -D and -w
arguments, or an anonymous bind) instead of the SASL bind they attempt by default.
• The OpenLDAP tools' arguments for using TLS/SSL and SASL are quite different than the
Mozilla LDAP arguments. See the OpenLDAP documentation for instructions on those
arguments.
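To make the tool choice above concrete, the following shell functions, added here as an example and not part of the Red Hat guide, look for an LDAP tool in the Mozilla LDAP directories from the platform table before falling back to the OpenLDAP copy in /usr/bin, insert -x only when the OpenLDAP tool is selected, and check whether PATH is ordered the way the guide recommends. The MOZLDAP_DIRS and OPENLDAP_DIR variables, the function names, and the BINDPW environment variable in the usage line are this example's own; the fallback order and the -x rule come from the guide.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Directory Server guide.
# Pick the Mozilla LDAP tools first and fall back to OpenLDAP, adding -x in
# the OpenLDAP case so the bind is a simple bind (-D/-w or anonymous).
# MOZLDAP_DIRS and OPENLDAP_DIR are this example's own variables; the
# defaults are the directories from the guide's platform table.

MOZLDAP_DIRS="${MOZLDAP_DIRS:-/usr/lib64/mozldap /usr/lib/mozldap /usr/lib64/mozldap6 /usr/lib/mozldap6 /usr/lib/sparcv9/mozldap /opt/dirsrv/bin}"
OPENLDAP_DIR="${OPENLDAP_DIR:-/usr/bin}"

# find_ldaptool NAME: prints "mozldap:/path/NAME" or "openldap:/path/NAME";
# returns 1 when neither implementation provides NAME.
find_ldaptool() {
    tool="$1"
    for d in $MOZLDAP_DIRS; do
        if [ -x "$d/$tool" ]; then
            printf 'mozldap:%s/%s\n' "$d" "$tool"
            return 0
        fi
    done
    if [ -x "$OPENLDAP_DIR/$tool" ]; then
        printf 'openldap:%s/%s\n' "$OPENLDAP_DIR" "$tool"
        return 0
    fi
    return 1
}

# ldap_cmd NAME [ARGS...]: prints the command line to run. -x is inserted only
# for the OpenLDAP tool. Arguments are single-quoted, so they must not contain
# a single quote themselves (fine for DNs, filters and hostnames).
ldap_cmd() {
    tool="$1"; shift
    found="$(find_ldaptool "$tool")" || { echo "$tool: not found" >&2; return 1; }
    flavor="${found%%:*}"
    path="${found#*:}"
    if [ "$flavor" = openldap ]; then
        printf '%s -x' "$path"
    else
        printf '%s' "$path"
    fi
    for a in "$@"; do printf " '%s'" "$a"; done
    printf '\n'
}

# path_order_ok: returns 0 when a Mozilla LDAP directory comes before the
# OpenLDAP directory in PATH (or OpenLDAP is absent from PATH), else 1.
path_order_ok() {
    oldifs=$IFS; IFS=:
    set -- $PATH
    IFS=$oldifs
    for p in "$@"; do
        case " $MOZLDAP_DIRS " in *" $p "*) return 0 ;; esac
        [ "$p" = "$OPENLDAP_DIR" ] && return 1
    done
    return 0
}

# Typical use (BINDPW is assumed to hold the bind password):
# eval "$(ldap_cmd ldapsearch -h ldap.example.com -p 389 -D 'cn=Directory Manager' -w "$BINDPW" -b dc=example,dc=com '(uid=bjensen)')"
```

If path_order_ok returns 1, either put the Mozilla directory first in PATH or use the full path that find_ldaptool prints; output formatting still differs between the two tool sets, as the guide notes, so scripts that parse results should pin one implementation rather than rely on whichever is found.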
3. Starting and Stopping Servers
The Directory Server is running when the setup-ds-admin.pl script completes. Avoid stopping
and starting the server to prevent interrupting replication, searches, and other server operations.
• If the Directory Server has SSL enabled, you cannot restart the server from the Console; you
must use the command-line. It is possible to restart without being prompted for a password;
see Section 4.3, “Creating a Password File for the Directory Server” for more information.
• Rebooting the host system can automatically start the ns-slapd process. The directory
provides startup or run command (rc) scripts. On Red Hat Enterprise Linux, use the
chkconfig command to enable the Directory Server and Administration Server to start on
boot. On Solaris, the commands are already set up in the /etc/rc.d directories to start up
the servers at boot time. For HP-UX, check the operating system documentation for details on
adding these scripts.
3.1. Starting and Stopping Directory Server from the Console
1. Start the Directory Server Console.
/usr/bin/redhat-idm-console -a http://localhost:9830
2. In the Tasks tab, click Start the Directory Server, Stop the Directory Server, or Restart
the Directory Server.
When the Directory Server is successfully started or stopped from the Directory Server Console,
the server displays a message box stating that the server has either started or shut down.
3.2. Starting and Stopping Directory Server from the Command Line
There are two ways to start, stop, or restart the Directory Server:
• There are start-slapd, stop-slapd, and restart-slapd scripts in each instance directory.
• The Directory Server service can also be stopped and started using system tools on Red Hat
Enterprise Linux and Solaris. For example, Linux uses the service tool:
service dirsrv {start|stop|restart} instance
NOTE
The service name for the Directory Server process on Red Hat Enterprise Linux
is dirsrv.
Solaris uses /etc/init.d:
/etc/init.d/dirsrv {start|stop|restart} instance
The Directory Server instance name can be specified with both the start|stop|restart-slapd
scripts and the system scripts. If an instance name is not given, the start or stop operation
applies to all instances on the machine.
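Because an omitted instance name acts on every instance on the host, a small guard around the system command is worth having. The wrapper below is an added example, not a script shipped with Directory Server: it accepts only start, stop and restart, requires either an instance name that actually exists under the configuration root or an explicit --all, and prints the command instead of running it unless DIRSRV_DRY_RUN is set to 0. DIRSRV_SERVICE, DIRSRV_INSTANCE_ROOT and DIRSRV_DRY_RUN are this example's own variables; the slapd-instance directory naming and the service name dirsrv are the guide's.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Directory Server guide.
# Guarded front end for "service dirsrv ACTION [instance]" that refuses to act
# on every instance unless the caller says --all. DIRSRV_SERVICE,
# DIRSRV_INSTANCE_ROOT and DIRSRV_DRY_RUN are this example's own knobs.

DIRSRV_SERVICE="${DIRSRV_SERVICE:-service dirsrv}"        # Solaris: /etc/init.d/dirsrv
DIRSRV_INSTANCE_ROOT="${DIRSRV_INSTANCE_ROOT:-/etc/dirsrv}" # holds slapd-<instance> dirs
DIRSRV_DRY_RUN="${DIRSRV_DRY_RUN:-1}"                       # 1 = print, 0 = execute

# list_instances: one instance name per line, taken from the slapd-<instance>
# directories under DIRSRV_INSTANCE_ROOT (admin-serv is not an instance).
list_instances() {
    for d in "$DIRSRV_INSTANCE_ROOT"/slapd-*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/slapd-}"
    done
}

# dirsrv_ctl ACTION (INSTANCE|--all): validates the request, then prints or
# runs the service command. Returns 2 on a usage error, 3 on an unknown
# instance, otherwise the service command's own status.
dirsrv_ctl() {
    action="$1"; target="$2"
    case "$action" in
        start|stop|restart) ;;
        *) echo "usage: dirsrv_ctl start|stop|restart INSTANCE|--all" >&2; return 2 ;;
    esac
    if [ -z "$target" ]; then
        echo "refusing to $action every instance; pass an instance name or --all" >&2
        return 2
    fi
    if [ "$target" = "--all" ]; then
        cmd="$DIRSRV_SERVICE $action"
    else
        # Reject anything that is not a plain instance name (no path parts).
        case "$target" in */*|.*|-*) echo "bad instance name: $target" >&2; return 2 ;; esac
        list_instances | grep -qxF -- "$target" || { echo "no such instance: $target" >&2; return 3; }
        cmd="$DIRSRV_SERVICE $action $target"
    fi
    if [ "$DIRSRV_DRY_RUN" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        $cmd
    fi
}

# Typical use: DIRSRV_DRY_RUN=0 dirsrv_ctl restart ldap
```

Restarting an instance with SSL enabled still prompts for the certificate database password at the command line unless a password file is configured, as the section above notes, so run this from a terminal or set the password file up first.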
3.3. Starting and Stopping Administration Server
There are two ways to start, stop, or restart the Administration Server:
• There are scripts in the /usr/sbin directory:
/usr/sbin/{start|stop|restart}-ds-admin
• The Administration Server service can also be stopped and started using system tools on Red
Hat Enterprise Linux and Solaris. For example, on Red Hat Enterprise Linux, the command is
service:
service dirsrv-admin {start|stop|restart}
NOTE
The service name for the Administration Server process on Red Hat Enterprise
Linux is dirsrv-admin.
On Solaris, use the init.d script:
/etc/init.d/dirsrv-admin {start|stop|restart}
4. Starting the Directory Server Console
There is a simple script to launch the Directory Server Console. On Red Hat Enterprise Linux
and Solaris, run the following:
/usr/bin/redhat-idm-console
HP-UX has a different location for the script:
/opt/dirsrv/bin/redhat-idm-console
NOTE
Make sure that the correct JRE — the program called java — is set in the PATH
before launching the Console. Run the following to see if the Java program is in
the PATH and to get the version and vendor information:
java -version
When the login screen opens, you are prompted for the username, password, and
Administration Server location. It is possible to send the Administration Server URL and port
with the start script. For example:
/usr/bin/redhat-idm-console -a http://localhost:9830
The -a option is a convenience, particularly when logging into a Directory Server for the first
time. On subsequent logins, the URL is saved. If you do not pass the Administration Server URL
and port number with the redhat-idm-console command, then you are prompted for them at the
Console login screen.
4.1. Logging into Directory Server
After starting the Directory Server Console, a login screen opens, requiring the username and
password for the user logging in and the URL for the Administration Server instance being
accessed. The user logged in at the Console is the user who is binding to Directory Server. This
determines the access permissions granted and the operations allowed while accessing the
directory tree. The user account used to log into the Directory Server Console can make a
significant difference in access; for example, the Directory Manager has access to every user
and configuration entry in Directory Server, while the admin entry created during installation has
access only to configuration entries, not user entries. Regular user accounts are more limited.
To bind to, or log into, the Directory Server, supply a username and password at the login box.
4.2. Changing Login Identity
At any time during a session, you can log in as a different user, without having to restart the
Console. To change the login identity, do the following:
1. In the Directory Server Console, select the Tasks tab.
2. Click Log on to the Directory Server as a New User.
3. A login dialog box appears.
Enter the full distinguished name of the entry with which to bind to the server. For example, to
bind as user Barbara Jensen, enter her full DN in the login box:
cn=Barbara Jensen,ou=People,dc=example,dc=com
4.3. Viewing the Current Console Bind DN
To see the bind DN that is currently logged into the Directory Server Console, click the login
icon in the lower-left corner of the window. The current bind DN appears next to the login icon.
Figure 1.1. Viewing the Bind DN
5. Changing Directory Server Port Numbers
The standard and secure LDAP port numbers used by Directory Server can be changed
through the Directory Server Console or by changing the value of the nsslapd-port or
nsslapd-secureport attribute under the cn=config entry in the dse.ldif.
NOTE
Modifying the standard or secure port numbers for a Configuration Directory
Server, which maintains the o=NetscapeRoot subtree, should be done through
the Directory Server Console.
Changing the configuration directory or user directory port or secure port numbers has the
following repercussions:
• The Directory Server port number must also be updated in the Administration Server
configuration.
• If there are other Directory Server instances that point to the configuration or user directory,
update those servers to point to the new port number.
To modify a Directory Server LDAP or LDAPS port for either a user or a configuration directory,
do the following:
1. In the Directory Server Console, select the Configuration tab, and then select the top entry
in the navigation tree in the left pane.
2. Select the Settings tab in the right pane.
3. Enter the port number for the server to use for non-SSL communications in the Port field.
The default value is 389.
4. Enter the port number for the server to use for SSL communications in the Encrypted Port
field.
The encrypted port number must not be the same port number used for normal LDAP
communications. The default value is 636.
5. Click Save.
6. The Console returns a warning, You are about to change the port number for the
Configuration Directory. This will affect all Administration Servers that use this directory and
you'll need to update them with the new port number. Are you sure you want to change the
port number? Click Yes.
7. Then a dialog appears, reading that the changes will not take effect until the server is
restarted. Click OK.
NOTE
Do not restart the Directory Server at this point. If you do, you will not be able to
make the necessary changes to the Administration Server through the Console.
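The section opens by saying the ports can also be changed by setting nsslapd-port and nsslapd-secureport under cn=config. The shell functions below, an added example rather than anything shipped with Directory Server, show that command-line route: read the current values from the cn=config entry of dse.ldif, apply the same checks the Console performs (both ports valid, encrypted port different from the plain one), and produce the LDIF for ldapmodify. The DSE_LDIF and LDAPMODIFY variables, the function names, and the dse.ldif excerpt used in testing are this example's own assumptions and constructed data; the attribute names and the cn=config location are the guide's.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Directory Server guide.
# Command-line counterpart of the Console port-change procedure: read the
# current nsslapd-port / nsslapd-secureport from the cn=config entry in
# dse.ldif, validate the new pair (both in range, not equal) and emit the
# ldapmodify LDIF that replaces them. DSE_LDIF and LDAPMODIFY are this
# example's own variables.

DSE_LDIF="${DSE_LDIF:-/etc/dirsrv/slapd-example/dse.ldif}"
LDAPMODIFY="${LDAPMODIFY:-/usr/lib/mozldap/ldapmodify}"

# current_ports FILE: prints "<port> <secureport>" from the cn=config entry
# only; nsslapd-port attributes on other entries in the file are skipped.
current_ports() {
    awk '
        /^dn: /                          { incfg = ($0 == "dn: cn=config") }
        incfg && /^nsslapd-port: /       { p = $2 }
        incfg && /^nsslapd-secureport: / { s = $2 }
        END                              { print p, s }
    ' "$1"
}

# valid_port N: 0 when N is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_change_ldif PORT SECUREPORT: prints the LDIF for ldapmodify, or
# returns 1 with a reason on stderr. Mirrors the Console's rule that the
# encrypted port must not be the port used for normal LDAP traffic.
port_change_ldif() {
    p="$1"; s="$2"
    valid_port "$p" || { echo "bad LDAP port: '$p'" >&2; return 1; }
    valid_port "$s" || { echo "bad LDAPS port: '$s'" >&2; return 1; }
    [ "$p" != "$s" ] || { echo "LDAP and LDAPS ports must differ" >&2; return 1; }
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-port\nnsslapd-port: %s\n-\n' "$p"
    printf 'replace: nsslapd-secureport\nnsslapd-secureport: %s\n' "$s"
}

# apply_port_change PORT SECUREPORT [bind options...]: connects to the port
# the server currently listens on and applies the change with -f. The new
# ports take effect only after a restart; update the Administration Server
# configuration first, as the procedure above warns.
apply_port_change() {
    newp="$1"; news="$2"; shift 2
    curp="$(current_ports "$DSE_LDIF" | cut -d' ' -f1)"
    ldif="$(mktemp)" || return 1
    port_change_ldif "$newp" "$news" > "$ldif" || { rm -f "$ldif"; return 1; }
    "$LDAPMODIFY" -h localhost -p "$curp" "$@" -f "$ldif"
    rc=$?
    rm -f "$ldif"
    return $rc
}

# Typical use (bind options are passed straight through to ldapmodify):
# apply_port_change 10389 10636 -D "cn=Directory Manager" -w "$BINDPW"
```

Going through ldapmodify is the right way to change these values on a running instance: ns-slapd rewrites dse.ldif itself, so a hand edit of the file is only safe while the instance is stopped. Picking a port below 1024 for either value is permitted by the check above but, on a Unix host, requires the server to start as root, so prefer unprivileged ports when moving off 389 and 636.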