HP Red Hat Directory Administrator's Guide

Red Hat Directory Server 8.0
Administrator's Guide
Red Hat Directory Server 8.0
Red Hat Directory Server 8.0: Administrator's Guide
Copyright © 2008 Red Hat, Inc.
Copyright © 2008 Red Hat. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later with the restrictions noted below (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/).
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries.
All other trademarks referenced herein are the property of their respective owners. The GPG fingerprint of the security@redhat.com key is: CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park, NC 27709 USA

Red Hat Directory Server 8.0

Preface .................................................................................................................. xvii
1. Directory Server Overview ........................................................................... xvii
2. Example and Default References .................................................................xviii
3. Document Conventions ...............................................................................xviii
4. Related Information .......................................................................................xx
1. General Red Hat Directory Server Usage ................................................................ 1
1. Directory Server File Locations ....................................................................... 1
2. LDAP Tool Locations ...................................................................................... 4
3. Starting and Stopping Servers ........................................................................ 4
3.1. Starting and Stopping Directory Server from the Console ....................... 5
3.2. Starting and Stopping Directory Server from the Command Line ............ 5
3.3. Starting and Stopping Administration Server ......................................... 6
4. Starting the Directory Server Console .............................................................. 7
4.1. Logging into Directory Server ............................................................... 8
4.2. Changing Login Identity ....................................................................... 8
4.3. Viewing the Current Console Bind DN .................................................. 9
5. Changing Directory Server Port Numbers ........................................................ 9
6. Creating a New Directory Server Instance ......................................................11
7. Configuring the Directory Manager .................................................................12
2. Creating Directory Entries ......................................................................................15
1. Managing Entries from the Directory Console .................................................15
1.1. Creating a Root Entry .........................................................................15
1.2. Creating Directory Entries ...................................................................16
1.3. Modifying Directory Entries .................................................................18
1.4. Deleting Directory Entries ...................................................................23
2. Managing Entries from the Command-Line .....................................................24
2.1. Providing Input from the Command-Line ..............................................24
2.2. Creating a Root Entry from the Command-Line ....................................25
2.3. Adding Entries Using LDIF ..................................................................26
2.4. Adding and Modifying Entries Using ldapmodify ...................................26
2.5. Deleting Entries Using ldapdelete ........................................................29
2.6. Using Special Characters ...................................................................31
3. Tracking Modifications to Directory Entries .....................................................31
4. LDIF Update Statements ...............................................................................32
4.1. Adding an Entry Using LDIF ................................................................34
4.2. Renaming an Entry Using LDIF ...........................................................35
4.3. Modifying an Entry Using LDIF ............................................................36
4.4. Deleting an Entry Using LDIF ..............................................................40
4.5. Modifying an Entry in an Internationalized Directory ..............................41
5. Maintaining Referential Integrity .....................................................................41
5.1. How Referential Integrity Works ..........................................................41
5.2. Using Referential Integrity with Replication ..........................................42
5.3. Enabling/Disabling Referential Integrity ................................................43
5.4. Modifying the Update Interval ..............................................................43
5.5. Modifying the Attribute List ..................................................................44
3. Configuring Directory Databases ............................................................................47
v
Red Hat Directory Server 8.0
1. Creating and Maintaining Suffixes ..................................................................47
1.1. Creating Suffixes ................................................................................48
1.2. Maintaining Suffixes ...........................................................................54
2. Creating and Maintaining Databases ..............................................................56
2.1. Creating Databases ............................................................................56
2.2. Maintaining Directory Databases .........................................................61
2.3. Database Encryption ..........................................................................64
3. Creating and Maintaining Database Links .......................................................69
3.1. Configuring the Chaining Policy ...........................................................69
3.2. Creating a New Database Link ............................................................75
3.3. Chaining Using SSL ...........................................................................86
3.4. Maintaining Database Links ................................................................86
3.5. Database Links and Access Control Evaluation ....................................87
3.6. Advanced Feature: Tuning Database Link Performance ........................89
3.7. Advanced Feature: Configuring Cascading Chaining ............................93
4. Using Referrals ...........................................................................................106
4.1. Starting the Server in Referral Mode ..................................................106
4.2. Setting Default Referrals ...................................................................107
4.3. Creating Smart Referrals ..................................................................108
4.4. Creating Suffix Referrals ...................................................................110
4. Populating Directory Databases ...........................................................................113
1. Importing Data ............................................................................................113
1.1. Importing a Database from the Console .............................................114
1.2. Initializing a Database from the Console ............................................115
1.3. Importing from the Command-Line ....................................................116
2. Exporting Data ............................................................................................119
2.1. Exporting Directory Data to LDIF Using the Console ...........................121
2.2. Exporting a Single Database to LDIF Using the Console .....................122
2.3. Exporting to LDIF from the Command-Line ........................................122
3. Backing up and Restoring Data ....................................................................124
3.1. Backing up All Databases .................................................................124
3.2. Backing up the dse.ldif Configuration File ...........................................126
3.3. Restoring All Databases ...................................................................126
3.4. Restoring a Single Database .............................................................128
3.5. Restoring Databases That Include Replicated Entries .........................129
3.6. Restoring the dse.ldif Configuration File .............................................129
5. Managing Entries with Roles, Class of Service, and Views ....................................131
1. Using Roles ................................................................................................131
1.1. About Roles .....................................................................................131
1.2. Managing Roles Using the Console ...................................................133
1.3. Managing Roles Using the Command-Line ........................................139
1.4. Using Roles Securely .......................................................................142
2. Assigning Class of Service ..........................................................................143
2.1. About CoS .......................................................................................144
2.2. Managing CoS Using the Console .....................................................149
2.3. Managing CoS from the Command-Line ............................................153
2.4. Creating Role-Based Attributes .........................................................160
vi
2.5. Access Control and CoS ...................................................................162
3. Using Views ................................................................................................162
3.1. Creating Views in the Console ..........................................................163
3.2. Deleting Views from the Directory Server Console ..............................164
3.3. Creating Views from the Command Line ............................................164
3.4. Deleting Views from the Command Line ............................................165
4. Using Groups .............................................................................................165
4.1. Managing Static Groups ...................................................................165
4.2. Managing Dynamic Groups ...............................................................167
6. Managing Access Control ....................................................................................169
1. Access Control Principles ............................................................................169
1.1. ACI Structure ...................................................................................169
1.2. ACI Placement .................................................................................170
1.3. ACI Evaluation .................................................................................170
1.4. ACI Limitations .................................................................................170
2. Default ACIs ...............................................................................................171
3. Creating ACIs Manually ...............................................................................172
3.1. The ACI Syntax ................................................................................173
3.2. Defining Targets ...............................................................................173
3.3. Defining Permissions ........................................................................180
4. Bind Rules ..................................................................................................184
4.1. Bind Rule Syntax ..............................................................................185
4.2. Defining User Access - userdn Keyword ............................................186
4.3. Defining Group Access - groupdn Keyword ........................................190
4.4. Defining Role Access - roledn Keyword .............................................190
4.5. Defining Access Based on Value Matching ........................................191
4.6. Defining Access from a Specific IP Address .......................................196
4.7. Defining Access from a Specific Domain ............................................197
4.8. Defining Access at a Specific Time of Day or Day of Week .................198
4.9. Defining Access Based on Authentication Method ..............................199
4.10. Using Boolean Bind Rules ...............................................................201
5. Creating ACIs from the Console ...................................................................202
5.1. Displaying the Access Control Editor .................................................203
5.2. Creating a New ACI ..........................................................................204
5.3. Editing an ACI ..................................................................................209
5.4. Deleting an ACI ................................................................................210
6. Viewing ACIs ..............................................................................................210
7. Get Effective Rights Control .........................................................................211
7.1. Using Get Effective Rights from the Command-Line ...........................212
7.2. Using Get Effective Rights from the Console ......................................215
7.3. Get Effective Rights Return Codes ....................................................215
8. Logging Access Control Information .............................................................216
9. Access Control Usage Examples .................................................................216
9.1. Granting Anonymous Access ............................................................217
9.2. Granting Write Access to Personal Entries .........................................219
9.3. Restricting Access to Key Roles ........................................................222
9.4. Granting a Group Full Access to a Suffix ............................................224
vii
Red Hat Directory Server 8.0
9.5. Granting Rights to Add and Delete Group Entries ...............................225
9.6. Granting Conditional Access to a Group or Role .................................227
9.7. Denying Access ...............................................................................229
9.8. Setting a Target Using Filtering .........................................................232
9.9. Allowing Users to Add or Remove Themselves from a Group ..............232
9.10. Defining Permissions for DNs That Contain a Comma ......................234
9.11. Proxied Authorization ACI Example .................................................234
10. Advanced Access Control: Using Macro ACIs .............................................235
10.1. Macro ACI Example ........................................................................235
10.2. Macro ACI Syntax ..........................................................................237
11. Access Control and Replication ..................................................................241
12. Compatibility with Earlier Releases .............................................................241
7. Managing User Accounts and Passwords .............................................................243
1. Managing the Password Policy ....................................................................243
1.1. Configuring the Password Policy .......................................................243
1.2. Setting User Passwords ....................................................................255
1.3. Password Change Extended Operation .............................................255
1.4. Configuring the Account Lockout Policy .............................................257
1.5. Managing the Password Policy in a Replicated Environment ...............259
1.6. Synchronizing Passwords .................................................................260
2. Inactivating Users and Roles .......................................................................261
2.1. Inactivating User and Roles Using the Console ..................................262
2.2. Inactivating User and Roles Using the Command-Line ........................262
2.3. Activating User and Roles Using the Console .....................................263
2.4. Activating User and Roles Using the Command-Line ..........................263
3. Setting Resource Limits Based on the Bind DN .............................................264
3.1. Setting Resource Limits Using the Console ........................................264
3.2. Setting Resource Limits Using the Command-Line .............................265
8. Managing Replication ..........................................................................................267
1. Replication Overview ...................................................................................267
1.1. What Directory Units Are Replicated ..................................................267
1.2. Read-Write and Read-Only Replicas .................................................267
1.3. Suppliers and Consumers .................................................................268
1.4. Changelog .......................................................................................268
1.5. Replication Identity ...........................................................................268
1.6. Replication Agreement .....................................................................269
1.7. Compatibility with Earlier Versions of Directory Server ........................269
2. Replication Scenarios ..................................................................................270
2.1. Single-Master Replication .................................................................270
2.2. Multi-Master Replication ...................................................................271
2.3. Cascading Replication ......................................................................274
3. Creating the Supplier Bind DN Entry .............................................................275
4. Configuring Single-Master Replication ..........................................................276
4.1. Configuring the Read-Write Replica on the Supplier Server .................277
4.2. Configuring the Read-Only Replica on the Consumer .........................278
4.3. Create the Replication Agreement .....................................................280
5. Configuring Multi-Master Replication ............................................................285
viii
5.1. Configuring the Read-Write Replicas on the Supplier Servers .............286
5.2. Configuring the Read-Only Replicas on the Consumer Servers ...........289
5.3. Setting up the Replication Agreements ..............................................291
5.4. Preventing Monopolization of the Consumer in Multi-Master Replication 297
6. Configuring Cascading Replication ...............................................................298
6.1. Configuring the Read-Write Replica on the Supplier Server .................299
6.2. Configuring the Read-Only Replica on the Consumer Server ..............300
6.3. Configuring the Read-Only Replica on the Hub ..................................302
6.4. Setting up the Replication Agreements ..............................................305
7. Configuring Replication from the Command Line ...........................................311
7.1. Configuring Suppliers from the Command Line ...................................311
7.2. Configuring Consumers from the Command Line ...............................315
7.3. Configuring Hubs from the Command Line .........................................316
7.4. Configuring Replication Agreements from the Command Line .............317
7.5. Initializing Consumers Online from the Command Line .......................321
8. Making a Replica Updatable ........................................................................322
9. Deleting the Changelog ...............................................................................322
9.1. Removing the Changelog .................................................................323
9.2. Moving the Changelog to a New Location ..........................................323
10. Initializing Consumers ...............................................................................323
10.1. When to Initialize a Consumer .........................................................324
10.2. Online Consumer Initialization Using the Console .............................324
10.3. Initializing Consumers Online Using the Command Line ....................325
10.4. Manual Consumer Initialization Using the Command Line .................326
10.5. Filesystem Replica Initialization .......................................................327
11. Forcing Replication Updates ......................................................................329
11.1. Forcing Replication Updates from the Console .................................330
11.2. Forcing Replication Updates from the Command-Line .......................330
12. Replicating Account Lockout Attributes .......................................................331
13. Replication over SSL .................................................................................332
14. Replicating o=NetscapeRoot for Administration Server Failover ...................333
15. Replication with Earlier Releases ...............................................................335
16. Using the Retro Changelog Plug-in .............................................................336
16.1. Enabling the Retro Changelog Plug-in .............................................337
16.2. Trimming the Retro Changelog ........................................................338
16.3. Searching and Modifying the Retro Changelog .................................339
16.4. Retro Changelog and the Access Control Policy ...............................339
17. Monitoring Replication Status .....................................................................339
17.1. Monitoring Replication Status from the Directory Server Console .......339
17.2. Monitoring Replication Status from Administration Express ...............340
18. Solving Common Replication Conflicts ........................................................342
18.1. Solving Naming Conflicts ................................................................343
18.2. Solving Orphan Entry Conflicts ........................................................346
18.3. Solving Potential Interoperability Problems .......................................346
19. Troubleshooting Replication-Related Problems ...........................................347
9. Extending the Directory Schema ..........................................................................353
1. Overview of Extending Schema ...................................................................353
ix
Red Hat Directory Server 8.0
2. Managing Attributes ....................................................................................353
2.1. Viewing Attributes ............................................................................353
2.2. Creating Attributes ...........................................................................355
2.3. Editing Attributes ..............................................................................356
2.4. Deleting Attributes ............................................................................356
3. Managing Object Classes ............................................................................357
3.1. Viewing Object Classes ....................................................................357
3.2. Creating Object Classes ...................................................................359
3.3. Editing Object Classes ......................................................................360
3.4. Deleting Object Classes ....................................................................361
4. Turning Schema Checking On and Off .........................................................362
10. Managing Indexes .............................................................................................363
1. About Indexes .............................................................................................363
1.1. About Index Types ...........................................................................363
1.2. About Default, System, and Standard Indexes ...................................364
1.3. Overview of the Searching Algorithm .................................................367
1.4. Approximate Searches .....................................................................369
1.5. Balancing the Benefits of Indexing .....................................................369
2. Creating Indexes .........................................................................................371
2.1. Creating Indexes from the Server Console .........................................372
2.2. Creating Indexes from the Command-Line .........................................373
2.3. Creating Browsing Indexes from the Server Console ..........................377
2.4. Creating Browsing Indexes from the Command-Line ..........................377
3. Deleting Indexes .........................................................................................381
3.1. Deleting Indexes from the Server Console .........................................382
3.2. Deleting Indexes from the Command-Line .........................................382
3.3. Deleting Browsing Indexes from the Server Console ...........................385
3.4. Deleting Browsing Indexes from the Command-Line ...........................385
4. Managing Indexes .......................................................................................387
4.1. Indexing Performance ......................................................................388
4.2. Search Performance .........................................................................388
4.3. Backwards Compatibility and Migration ..............................................390
5. Attribute Name Quick Reference Table .........................................................390
11. Managing SSL ..................................................................................................393
1. Introduction to TLS/SSL in the Directory Server ............................................393
1.1. Enabling SSL: Summary of Steps ......................................................393
1.2. Command-Line Functions for Start TLS .............................................394
2. Obtaining and Installing Server Certificates ...................................................395
2.1. Step 1: Generate a Certificate Request ..............................................396
2.2. Step 2: Send the Certificate Request .................................................399
2.3. Step 3: Install the Certificate .............................................................400
2.4. Step 4: Trust the Certificate Authority ................................................401
2.5. Step 5: Confirm That The New Certificates Are Installed .....................402
3. Using certutil ...............................................................................................402
3.1. Creating Directory Server Certificates through the Command Line .......402
3.2. certutil Usage ...................................................................................405
4. Starting the Server with TLS/SSL Enabled ....................................................405
x
4.1. Enabling TLS/SSL Only in the Directory Server ..................................406
4.2. Enabling TLS/SSL in the Directory Server, Administration Server, and
Console .................................................................................................408
4.3. Creating a Password File for the Directory Server ..............................410
4.4. Creating a Password File for the Administration Server .......................411
5. Setting Security Preferences ........................................................................412
5.1. Available Ciphers .............................................................................412
5.2. Selecting the Encryption Cipher ........................................................414
6. Using Certificate-Based Authentication .........................................................415
6.1. Setting up Certificate-Based Authentication ........................................416
6.2. Allowing/Requiring Client Authentication ............................................416
7. Configuring LDAP Clients to Use SSL ..........................................................417
12. Managing SASL ................................................................................................421
1. Authentication Mechanisms .........................................................................421
2. SASL Identity Mapping ................................................................................422
3. Configuring SASL Identity Mapping from the Console ....................................424
4. Configuring SASL Identity Mapping from the Command-Line .........................426
5. Configuring Kerberos ..................................................................................426
5.1. Realms ............................................................................................427
5.2. Configuring the KDC Server ..............................................................427
5.3. Example: Configuring an Example KDC Server ..................................428
5.4. Configuring SASL Authentication at Directory Server Startup ..............429
13. Monitoring Server and Database Activity .............................................................431
1. Viewing and Configuring Log Files ...............................................................431
1.1. Defining a Log File Rotation Policy ....................................................431
1.2. Defining a Log File Deletion Policy ....................................................433
1.3. Access Log ......................................................................................433
1.4. Error Log .........................................................................................435
1.5. Audit Log .........................................................................................437
2. Manual Log File Rotation .............................................................................438
3. Monitoring Server Activity ............................................................................438
3.1. Monitoring the Server from the Directory Server Console ....................439
3.2. Monitoring the Directory Server from the Command Line ....................443
4. Monitoring Database Activity ........................................................................445
4.1. Monitoring Database Activity from the Directory Server Console ..........445
4.2. Monitoring Databases from the Command Line ..................................448
5. Monitoring Database Link Activity .................................................................451
14. Monitoring Directory Server Using SNMP ...........................................................453
1. About SNMP ...............................................................................................453
2. Configuring the Master Agent .......................................................................454
3. Configuring the Subagent ............................................................................454
3.1. Subagent Configuration File ..............................................................454
3.2. Starting the Subagent .......................................................................455
3.3. Testing the Subagent .......................................................................456
4. Configuring SNMP Traps .............................................................................456
5. Configuring the Directory Server for SNMP ...................................................457
6. Using the Management Information Base .....................................................457
xi
Red Hat Directory Server 8.0
6.1. Operations Table ..............................................................................458
6.2. Entries Table ...................................................................................460
6.3. Entity Table .....................................................................................460
6.4. Interaction Table ..............................................................................461
15. Tuning Directory Server Performance .................................................................463
1. Tuning Server Performance .........................................................................463
2. Tuning Database Performance ....................................................................464
2.1. Optimizing Search Performance ........................................................464
2.2. Tuning Transaction Logging ..............................................................466
2.3. Changing the Location of the Database Transaction Log ....................466
2.4. Changing the Database Checkpoint Interval .......................................467
2.5. Disabling Durable Transactions .........................................................468
2.6. Specifying Transaction Batching .......................................................468
3. Miscellaneous Tuning Tips ..........................................................................468
3.1. Avoid Creating Entries Under the cn=config Entry in the dse.ldif File ....469
16. Administering Directory Server Plug-ins ..............................................................471
1. Server Plug-in Functionality Reference .........................................................471
1.1. 7-Bit Check Plug-in ...........................................................................471
1.2. ACL Plug-in .....................................................................................471
1.3. ACL Preoperation Plug-in .................................................................472
1.4. Binary Syntax Plug-in .......................................................................472
1.5. Boolean Syntax Plug-in ....................................................................473
1.6. Case Exact String Syntax Plug-in ......................................................473
1.7. Case Ignore String Syntax Plug-in .....................................................474
1.8. Chaining Database Plug-in ...............................................................474
1.9. Class of Service Plug-in ....................................................................475
1.10. Country String Syntax Plug-in ..........................................................475
1.11. Distinguished Name Syntax Plug-in .................................................476
1.12. Generalized Time Syntax Plug-in .....................................................476
1.13. Integer Syntax Plug-in ....................................................................477
1.14. Internationalization Plug-in ..............................................................477
1.15. ldbm Database Plug-in ....................................................................478
1.16. Legacy Replication Plug-in ..............................................................478
1.17. Multi-Master Replication Plug-in ......................................................479
1.18. Octet String Syntax Plug-in .............................................................479
1.19. CLEAR Password Storage Plug-in ...................................................480
1.20. CRYPT Password Storage Plug-in ..................................................480
1.21. NS-MTA-MD5 Password Storage Plug-in .........................................481
1.22. SHA Password Storage Plug-in .......................................................482
1.23. SSHA Password Storage Plug-in .....................................................482
1.24. Postal Address String Syntax Plug-in ...............................................483
1.25. PTA Plug-in ...................................................................................483
1.26. Referential Integrity Postoperation Plug-in ........................................484
1.27. Retro Changelog Plug-in .................................................................485
1.28. Roles Plug-in .................................................................................486
1.29. Space Insensitive String Syntax Plug-in ...........................................486
1.30. State Change Plug-in ......................................................................487
xii
1.31. Telephone Syntax Plug-in ...............................................................488
1.32. UID Uniqueness Plug-in ..................................................................488
1.33. URI Plug-in ....................................................................................489
2. Enabling and Disabling Plug-ins ...................................................................490
17. Using the Pass-through Authentication Plug-in ....................................................491
1. How Directory Server Uses PTA ..................................................................491
2. PTA Plug-in Syntax .....................................................................................492
3. Configuring the PTA Plug-in .........................................................................495
3.1. Turning the Plug-in On or Off ............................................................496
3.2. Configuring the Servers to Use a Secure Connection .........................496
3.3. Specifying the Authenticating Directory Server ...................................496
3.4. Specifying the Pass-through Subtree .................................................497
3.5. Configuring the Optional Parameters .................................................498
4. PTA Plug-in Syntax Examples .....................................................................499
4.1. Specifying One Authenticating Directory Server and One Subtree .......499
4.2. Specifying Multiple Authenticating Directory Servers ...........................500
4.3. Specifying One Authenticating Directory Server and Multiple Subtrees 500
4.4. Using Non-Default Parameter Values ................................................500
4.5. Specifying Different Optional Parameters and Subtrees for Different
Authenticating Directory Servers ..............................................................501
18. Using the Attribute Uniqueness Plug-in ...............................................................503
1. Overview of the Attribute Uniqueness Plug-in ................................................503
2. Attribute Uniqueness Plug-in Syntax .............................................................504
3. Creating an Instance of the Attribute Uniqueness Plug-in ...............................506
4. Configuring Attribute Uniqueness Plug-ins ....................................................507
4.1. Viewing Plug-in Configuration Information ..........................................507
4.2. Configuring Attribute Uniqueness Plug-ins from the Directory Server
Console .................................................................................................508
4.3. Configuring Attribute Uniqueness Plug-ins from the Command-Line ....509
5. Attribute Uniqueness Plug-in Syntax Examples .............................................511
5.1. Specifying One Attribute and One Subtree .........................................511
5.2. Specifying One Attribute and Multiple Subtrees ..................................511
6. Replication and the Attribute Uniqueness Plug-in ..........................................512
6.1. Simple Replication Scenario .............................................................512
6.2. Multi-Master Replication Scenario .....................................................513
19. Synchronizing Red Hat Directory Server with Microsoft Active Directory ...............515
1. About Windows Sync ..................................................................................515
2. Configuring Windows Sync ..........................................................................518
2.1. Step 1: Configure SSL on Directory Server ........................................518
2.2. Step 2: Configure the Active Directory Domain ...................................519
2.3. Step 3: Select or Create the Sync Identity ..........................................520
2.4. Step 4: Install and Configure the Password Sync Service ....................521
2.5. Step 5: Configure the Directory Server Database for Synchronization ..524
2.6. Step 6: Create the Synchronization Agreement ..................................525
2.7. Step 7: Begin Synchronization ..........................................................527
3. Using Windows Sync ...................................................................................527
3.1. Synchronizing Users .........................................................................528
xiii
Red Hat Directory Server 8.0
3.2. Synchronizing Groups ......................................................................530
3.3. Deleting Entries ................................................................................531
3.4. Resurrecting Entries .........................................................................532
3.5. Manually Updating and Resynchronizing Entries ................................532
3.6. Checking Synchronization Status ......................................................533
3.7. Modifying the Sync Agreement ..........................................................533
4. Schema Differences ....................................................................................534
4.1. Password Policies ............................................................................534
4.2. Groups ............................................................................................534
4.3. Values for street and streetAddress ...................................................534
4.4. Contraints on the initials attribute .......................................................535
5. Password Sync Service ...............................................................................535
5.1. Modifying Password Sync .................................................................535
5.2. Starting and Stopping the Password Sync Service ..............................535
5.3. Uninstalling Password Sync Service ..................................................536
6. Troubleshooting ..........................................................................................536
A. LDAP Data Interchange Format ...........................................................................539
1. About the LDIF File Format ..........................................................................539
2. Continuing Lines in LDIF .............................................................................540
3. Representing Binary Data ............................................................................541
3.1. Standard LDIF Notation ....................................................................541
3.2. Base-64 Encoding ............................................................................541
4. Specifying Directory Entries Using LDIF .......................................................542
4.1. Specifying Domain Entries ................................................................542
4.2. Specifying Organizational Unit Entries ...............................................544
4.3. Specifying Organizational Person Entries ...........................................545
5. Defining Directories Using LDIF ...................................................................546
5.1. LDIF File Example ............................................................................548
6. Storing Information in Multiple Languages ....................................................549
B. Finding Directory Entries .....................................................................................551
1. Finding Entries Using the Directory Server Console ......................................551
2. Using ldapsearch ........................................................................................552
2.1. Using Special Characters .................................................................553
2.2. ldapsearch Command-Line Format ....................................................553
2.3. Commonly Used ldapsearch Options .................................................554
2.4. ldapsearch Examples .......................................................................556
3. LDAP Search Filters ....................................................................................559
3.1. Search Filter Syntax .........................................................................560
4. Searching an Internationalized Directory .......................................................563
4.1. Matching Rule Filter Syntax ..............................................................564
4.2. Supported Search Types ..................................................................567
4.3. International Search Examples ..........................................................568
C. LDAP URLs .......................................................................................................571
1. Components of an LDAP URL .....................................................................571
2. Escaping Unsafe Characters .......................................................................573
3. Examples of LDAP URLs .............................................................................573
D. Internationalization .............................................................................................577
xiv
1. About Locales .............................................................................................577
2. Identifying Supported Locales ......................................................................578
3. Supported Language Subtypes ....................................................................580
4. Troubleshooting Matching Rules ..................................................................581
Glossary ................................................................................................................583
Index .....................................................................................................................601
xv
xvi

Preface

Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
This Administrator's Guide describes all of the administration tasks you need to perform to maintain Directory Server.

1. Directory Server Overview

Directory Server provides the following key features:
• Multi-master replication — Provides a highly available directory service for both read and
write operations. Multi-master replication can be combined with simple and cascading replication scenarios to provide a highly flexible and scalable replication environment.
• Chaining and referrals — Increases the power of your directory by storing a complete logical
view of your directory on a single server while maintaining data on a large number of Directory Servers transparently for clients.
• Roles and classes of service — Provides a flexible mechanism for grouping and sharing
attributes between entries in a dynamic fashion.
• Improved access control mechanisms — Provides support for macros that dramatically
reduce the number of access control statements used in the directory and increase the scalability of access control evaluation.
• Resource-limits by bind DN — Grants the power to control the amount of server resources
allocated to search operations based on the bind DN of the client.
• Multiple databases — Provides a simple way of breaking down your directory data to simplify
the implementation of replication and chaining in your directory service.
• Password policy and account lockout — Defines a set of rules that govern how passwords
and user accounts are managed in the Directory Server.
• TLS and SSL — Provides secure authentication and communication over the network, using
the Mozilla Network Security Services (NSS) libraries for cryptography.
The major components of Directory Server include the following:
• An LDAP server — The LDAP v3-compliant network daemon.
• Directory Server Console — A graphical management console that dramatically reduces the
effort of setting up and maintaining your directory service.
xvii
Preface
• SNMP agent — Can monitor the Directory Server using the Simple Network Management
Protocol (SNMP).

2. Example and Default References

There are differences between the command, directory, and file locations in Red Hat Enterprise Linux, Sun Solaris, and HP-UX Directory Server installations. Locations for other platforms are listed in Section 1, “Directory Server File Locations”. These differences impact the documentation in two ways:
• The file locations used in the examples or referenced in the procedures are the default
locations on Red Hat Enterprise Linux.
• The default commands used in the examples are also the default commands on Red Hat
Enterprise Linux.
There is another important consideration with the Directory Server tools. The LDAP tools referenced in this guide are Mozilla LDAP, installed with Directory Server in the
/usr/dir/mozldap directory on Red Hat Enterprise Linux (directories for other platforms are
listed in Chapter 1, General Red Hat Directory Server Usage). However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the
/usr/bin directory. It is possible to use the OpenLDAP commands as shown in the examples,
but you must use the -x argument to disable SASL, which OpenLDAP tools use by default.

3. Document Conventions

Certain words in this manual are represented in different fonts, styles, and weights. This highlighting indicates that the word is part of a specific category. The categories include the following:
Courier font
Courier font represents commands, file names and paths, and prompts . When shown as below, it indicates computer output:
Desktop about.html logs paulwesterberg.png Mail backupfiles mail reports
bold Courier font
Bold Courier font represents text that you are to type, such as: service jonas start If you have to run a command as root, the root prompt (#) precedes the command:
xviii
Document Conventions
# gconftool-2
italic Courier font
Italic Courier font represents a variable, such as an installation directory:
install_dir/bin/
bold font
Bold font represents application programs and text found on a graphical interface. When shown like this: OK , it indicates a button on a graphical application interface.
Additionally, the manual uses different strategies to draw your attention to pieces of information. In order of how critical the information is to you, these items are marked as follows:
Note
A note is typically information that you need to understand the behavior of the system.
Tip
A tip is typically an alternative way of performing a task.
Important
Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
Caution
A caution indicates an act that would violate your support agreement, such as recompiling the kernel.
xix
Preface
Warning
A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.

4. Related Information

This manual describes how to administer the Directory Server and its contents. The instructions for installing the various Directory Server components are contained in the Red Hat Directory Server Installation Guide.
The document set for Directory Server also contains the following guides:
Red Hat Directory Server Release Notes - Contains important information on new features,
fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.
Red Hat Directory Server Configuration, Command, and File Reference - Provides reference
information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.
Red Hat Directory Server Installation Guide - Contains procedures for installing your Directory
Server as well as procedures for migrating from a previous installation of Directory Server.
For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat Directory Server documentation site at http://www.redhat.com/docs/manuals/dir-server/.
xx
Chapter 1.
General Red Hat Directory Server Usage
Red Hat Directory Server product includes a directory service, an administration server to manage multiple server instances, and a Java-based console to manage server instances through a graphical interface. This chapter provides an overview of the basic tasks for administering a directory service.
The Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources. It is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). Directory Server runs the ns-slapd daemon on the host machine. The server manages the directory databases and responds to client requests.
Directory Server 8.0 is comprised of several components, which work in tandem:
• The Directory Server is the core LDAP server daemon. It is compliant with LDAP v3
standards. This component includes command-line server management and administration programs and scripts for common operations like export and backing up databases.
• The Directory Server Console is the user interface that simplifies managing users, groups,
and other LDAP data for your enterprise. The Console is used for all aspects of server management, including making backups; configuring security, replication, and databases; adding entries; and monitoring servers and viewing statistics.
• The Administration Server is the management agent which administers Directory Server
instances. It communicates with the Directory Server Console and performs operations on the Directory Server instances. It also provides a simple HTML interface and online help pages.
Most Directory Server administrative tasks are available through the Directory Server Console, but it is also possible to administer the Directory Server by manually editing the configuration files or by using command-line utilities.

1. Directory Server File Locations

Red Hat Directory Server 8.0 conforms to the Filesystem Hierarchy Standards. For more information on FHS, see the FHS homepage, http://www.pathname.com/fhs/. The files and directories installed with Directory Server are listed in the tables below for each supported platform.
In the file locations listed in the following tables, instance is the server instance name that was given during setup. By default, this is the leftmost component of the fully-qualified host and domain name. For example, if the hostname is ldap.example.com, the instance name is ldap by default.
The Administration Server directories are named the same as the Directory Server directories,
1
Chapter 1. General Red Hat Directory Server Usage
only instead of the instance as a directory name, the Administration Server directories are named admin-serv. For any directory or folder named slapd-instance, substitute admin-serv, such as /etc/dirsrv/slapd-example and /etc/dirsrv/admin-serv.
File or Directory Location
Log files /var/log/dirsrv/slapd-instance Configuration files /etc/dirsrv/slapd-instance Instance directory /usr/lib/dirsrv/slapd-instance Database files /var/lib/dirsrv/slapd-instance Runtime files
/var/lock/dirsrv/slapd-instance /var/run/dirsrv/slapd-instance
Initscripts
/etc/rc.d/init.d/dirsrv and /etc/sysconfig/dirsrv
/etc/rc.d/init.d/dirsrv-admin and /etc/sysconfig/dirsrv-admin
Tools
/usr/bin/
/usr/sbin/
Table 1.1. Red Hat Enterprise Linux 4 and 5 (x86)
File or Directory Location
Log files /var/log/dirsrv/slapd-instance Configuration files /etc/dirsrv/slapd-instance Instance directory /usr/lib64/dirsrv/slapd-instance Database files /var/lib/dirsrv/slapd-instance Runtime files
/var/lock/dirsrv/slapd-instance /var/run/dirsrv/slapd-instance
Initscripts
/etc/rc.d/init.d/dirsrv and /etc/sysconfig/dirsrv
Tools
2
/etc/rc.d/init.d/dirsrv-admin and /etc/sysconfig/dirsrv-admin
/usr/bin/
/usr/sbin/
LDAP Tool Locations
File or Directory Location
Table 1.2. Red Hat Enterprise Linux 4 and 5 (x86_64)
File or Directory Location
Log files /var/log/dirsrv/slapd-instance Configuration files /etc/dirsrv/slapd-instance Instance directory /usr/lib/sparc9/dirsrv/slapd-instance Database files /var/lib/dirsrv/slapd-instance Runtime files
/var/lock/dirsrv/slapd-instance /var/run/dirsrv/slapd-instance
Initscripts
/etc/rc.d/init.d/dirsrv and /etc/default/dirsrv
/etc/rc.d/init.d/dirsrv-admin and /etc/default/dirsrv-admin
Tools
/usr/bin/
/usr/sbin/
Table 1.3. Sun Solaris 9 (sparc)
File or Directory Location
Log files /var/opt/log/dirsrv/slapd-instance Configuration files /etc/opt/dirsrv/slapd-instance Instance directory /opt/dirsrv/slapd-instance Database files /var/opt/dirsrv/slapd-instance Runtime files /var/opt/dirsrv/instance Binaries
/opt/dirsrv/bin/
/opt/dirsrv/sbin/
Libraries /opt/dirsrv/lib/
Table 1.4. HP-UX 11i (IA64)
3
Chapter 1. General Red Hat Directory Server Usage

2. LDAP Tool Locations

Red Hat Directory Server uses Mozilla LDAP tools — such as ldapsearch, ldapmodify, and
ldapdelete — for command-line operations. The MozLDAP tools are installed with Directory
Server.
Platform Directory Location
Red Hat Enterprise Linux 4 i386 /usr/lib/mozldap6 Red Hat Enterprise Linux 4 x86_64 /usr/lib64/mozldap6 Red Hat Enterprise Linux 5 i386 /usr/lib/mozldap Red Hat Enterprise Linux 5 x86_64 /usr/lib64/mozldap Sun Solaris /usr/lib/sparcv9/mozldap HP-UX /opt/dirsrv/bin
For all Red Hat Directory Server guides and documentation, the LDAP tools used in the examples, such as ldapsearch and ldapmodify, are the Mozilla LDAP tools. For most Linux systems, OpenLDAP tools are already installed in the /usr/bin/ directory. These OpenLDAP tools are not supported for Directory Server operations. For the best results with the Directory Server, make sure the path to the Mozilla LDAP tools comes first in the PATH or use the full path and file name for every LDAP operation.
However, these OpenLDAP tools can be used for Directory Server operations with certain cautions:
• The output of the other tools may be different, so it may not look like the examples in the
documentation.
• The OpenLDAP tools require a -x argument to disable SASL so that it can be used for a
simple bind, meaning the -D and -w arguments or an anonymous bind.
• The OpenLDAP tools' arguments for using TLS/SSL and SASL are quite different than the
Mozilla LDAP arguments. See the OpenLDAP documentation for instructions on those arguments.

3. Starting and Stopping Servers

The Directory Server is running when the setup-ds-admin.pl script completes. Avoid stopping and starting the server to prevent interrupting replication, searches, and other server operations.
• If the Directory Server has SSL enabled, you cannot restart the server from the Console; you
must use the command-line. It is possible to restart without being prompted for a password; see Section 4.3, “Creating a Password File for the Directory Server” for more information.
• Rebooting the host system can automatically start the ns-slapd process. The directory
4
Starting and Stopping Directory Server from
provides startup or run command (rc) scripts. On Red Hat Enterprise Linux, use the
chkconfig command to enable the Directory Server and Administration Server to start on
boot. On Solaris, the commands are already set up in the /etc/rc.d directories to start up the servers at boot time. For HP-UX, check the operating system documentation for details on adding these scripts.

3.1. Starting and Stopping Directory Server from the Console

1. Start the Directory Server Console.
/usr/bin/redhat-idm-console -a http://localhost:9830
2. In the Tasks tab, click Start the Directory Server, Stop the Directory Server, or Restart
the Directory Server.
When the Directory Server is successfully started or stopped from the Directory Server Console, the server displays a message box stating that the server has either started or shut down.

3.2. Starting and Stopping Directory Server from the Command Line

5
Chapter 1. General Red Hat Directory Server Usage
There are two ways to start, stop, or restart the Directory Server:
• There are scripts in the instance directories. For example:
/usr/lib/dirsrv/slapd-instance/start-slapd /usr/lib/dirsrv/slapd-instance/restart-slapd /usr/lib/dirsrv/slapd-instance/stop-slapd
• The Directory Server service can also be stopped and started using system tools on Red Hat
Enterprise Linux and Solaris. For example, Linux uses the service tool:
service dirsrv {start|stop|restart} instance
NOTE
The service name for the Directory Server process on Red Hat Enterprise Linux is dirsrv.
Solaris uses /etc/init.d:
/etc/init.d/dirsrv {start|stop|restart} instance
The Directory Server instance name can be specific in both the start|stop|restart-slapd and system scripts. If an instance name is not given, the start or stop operation applies to all instances on the machine.

3.3. Starting and Stopping Administration Server

There are two ways to start, stop, or restart the Administration Server:
• There are scripts in the /usr/sbin directory.
/usr/sbin/start|stop|restart-ds-admin
• The Administration Server service can also be stopped and started using system tools on Red
Hat Enterprise Linux and Solaris. For example, on Red Hat Enterprise Linux, the command is
service:
service dirsrv-admin {start|stop|restart}
6
the Console
NOTE
The service name for the Administration Server process on Red Hat Enterprise Linux is dirsrv-admin.
On Solaris, the service is init.d:
/etc/init.d/dirsrv-admin {start|stop|restart}

4. Starting the Directory Server Console

There is a simple script to launch the Directory Server Console. On Red Hat Enterprise Linux and Solaris, run the following:
/usr/bin/redhat-idm-console
HP-UX has a different location for the script:
/opt/dirsrv/bin/redhat-idm-console
NOTE
Make sure that the correct JRE — the program called java — is set in the PATH before launching the Console. Run the following to see if the Java program is in the PATH and to get the version and vendor information:
java -version
When the login screen opens, you are prompted for the username, password, and Administration Server location. It is possible to send the Administration Server URL and port with the start script. For example:
/usr/bin/redhat-idm-console -a http://localhost:9830
The a option is a convenience, particularly if you are logging into a Directory Server for the first time. On subsequent logins, the URL is saved. If you do not pass the Administration Server port number with the redhat-idm-console command, then you are prompted for it at the Console
7
Chapter 1. General Red Hat Directory Server Usage
login screen.

4.1. Logging into Directory Server

After starting the Directory Server Console, a login screen opens, requiring the username and password for the user logging in and the URL for the Administration Server instance being access. The user logged in at the Console is the user who is binding to Directory Server. This determines the access permissions granted and allowed operations while access the directory tree. The user account used to log into the Directory Server Console can make significant differences in the access; for example, the Directory Manager has access to every user and configuration entry in Directory Server, while the admin entry created during installation has access to only configuration entries, not user entries. Regular user accounts are more limited.
To bind to, or log into, the Directory Server, supply a username and password at the login box.

4.2. Changing Login Identity

At any time during a session, you can log in as a different user, without having to restart the Console. To change the login identity, do the following:
1. In the Directory Server Console, select the Tasks tab.
2. Click Log on to the Directory Server as a New User.
8
3. A login dialog box appears.
Viewing the Current Console Bind DN
Enter the full distinguished name of the entry with which to bind to the server. For example, to bind as user Barbara Jensen, enter her full DN in the login box:
cn=Barbara Jensen, ou=People,dc=example,dc=com

4.3. Viewing the Current Console Bind DN

To see the bind DN that is currently logged into the Directory Server Console, click the login icon in the lower-left corner of the window. The current bind DN appears next to the login icon.
Figure 1.1. Viewing the Bind DN

5. Changing Directory Server Port Numbers

The standard and secure LDAP port numbers used by Directory Server can be changed through the Directory Server Console or by changing the value of the nsslapd-port or
nsslapd-secureport attribute under the cn=config entry in the dse.ldif.
NOTE
Modifying the standard or secure port numbers for a Configuration Directory
9
Chapter 1. General Red Hat Directory Server Usage
Server, which maintains the o=NetscapeRoot subtree should be done through the Directory Server Console.
Changing the configuration directory or user directory port or secure port numbers has the following repercussions:
• The Directory Server port number must also be updated in the Administration Server
configuration.
• If there are other Directory Server instances that point to the configuration or user directory,
update those servers to point to the new port number.
To modify a Directory Server LDAP or LDAPS port for either a user or a configuration directory, do the following:
1. In the Directory Server Console, select the Configuration tab, and then select the top entry
in the navigation tree in the left pane.
2. Select the Settings tab in the right pane.
3. Enter the port number for the server to use for non-SSL communications in the Port field.
The default value is 389.
4. Enter the port number for the server to use for SSL communications in the Encrypted Port
field. The encrypted port number must not be the same port number used for normal LDAP
communications. The default value is 636.
5. Click Save.
6. The Console returns a warning, You are about to change the port number for the
Configuration Directory. This will affect all Administration Servers that use this directory and you'll need to update them with the new port number. Are you sure you want to change the port number? Click Yes.
7. Then a dialog appears, reading that the changes will not take effect until the server is
restarted. Click OK.
10
NOTE
Do not restart the Directory Server at this point. If you do, you will not be able to make the necessary changes to the Administration Server through the Console.
Loading...
+ 608 hidden pages