Red Hat Directory Server 8.0 Administration Guide

Directory Server 8.0
Administration Guide
A Guide for Using and Maintaining Red Hat Directory Server
Ella Deon Lackey
Publication date: January 15, 2008, updated on February 11, 2010
Administration Guide
Author Ella Deon Lackey
Copyright © 2008, 2009 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park, NC 27709 USA
Preface xiii
1. Directory Server Overview ............................................................................................. xiii
2. Examples and Formatting .............................................................................................. xiv
3. Additional Reading ........................................................................................................ xv
4. Giving Feedback ........................................................................................................... xv
5. Document History ......................................................................................................... xvi
1. General Red Hat Directory Server Usage 1
1.1. Directory Server File Locations ..................................................................................... 1
1.2. LDAP Tool Locations .................................................................................................... 3
1.3. Starting and Stopping Servers ...................................................................................... 4
1.3.1. Starting and Stopping Directory Server from the Console ..................................... 4
1.3.2. Starting and Stopping Directory Server from the Command Line ........................... 5
1.3.3. Starting and Stopping Administration Server ........................................................ 5
1.4. Starting the Directory Server Console ............................................................................ 6
1.4.1. Logging into Directory Server ............................................................................. 6
1.4.2. Changing Login Identity ..................................................................................... 7
1.4.3. Viewing the Current Console Bind DN ................................................................ 8
1.5. Changing Directory Server Port Numbers ...................................................................... 8
1.6. Creating a New Directory Server Instance ..................................................................... 9
1.7. Configuring the Directory Manager .............................................................................. 10
2. Creating Directory Entries 13
2.1. Managing Entries from the Directory Console ............................................................... 13
2.1.1. Creating a Root Entry ...................................................................................... 13
2.1.2. Creating Directory Entries ................................................................................ 14
2.1.3. Modifying Directory Entries ............................................................................... 16
2.1.4. Deleting Directory Entries ................................................................................. 20
2.2. Managing Entries from the Command-Line .................................................................. 20
2.2.1. Providing Input from the Command-Line ........................................................... 21
2.2.2. Creating a Root Entry from the Command-Line ................................................. 22
2.2.3. Adding Entries Using LDIF ............................................................................... 22
2.2.4. Adding and Modifying Entries Using ldapmodify ................................................. 22
2.2.5. Deleting Entries Using ldapdelete ..................................................................... 25
2.2.6. Using Special Characters ................................................................................. 26
2.3. Tracking Modifications to Directory Entries ................................................................... 26
2.4. LDIF Update Statements ............................................................................................ 27
2.4.1. Adding an Entry Using LDIF ............................................................................. 28
2.4.2. Renaming an Entry Using LDIF ........................................................................ 29
2.4.3. Modifying an Entry Using LDIF ......................................................................... 30
2.4.4. Deleting an Entry Using LDIF ........................................................................... 34
2.4.5. Modifying an Entry in an Internationalized Directory ........................................... 34
2.5. Maintaining Referential Integrity .................................................................................. 34
2.5.1. How Referential Integrity Works ........................................................................ 35
2.5.2. Using Referential Integrity with Replication ........................................................ 35
2.5.3. Enabling/Disabling Referential Integrity ............................................................. 36
2.5.4. Modifying the Update Interval ........................................................................... 36
2.5.5. Modifying the Attribute List ............................................................................... 37
3. Configuring Directory Databases 39
3.1. Creating and Maintaining Suffixes ............................................................................... 39
3.1.1. Creating Suffixes ............................................................................................. 39
3.1.2. Maintaining Suffixes ......................................................................................... 44
3.2. Creating and Maintaining Databases ........................................................................... 46
3.2.1. Creating Databases ......................................................................................... 46
3.2.2. Maintaining Directory Databases ...................................................................... 50
3.2.3. Database Encryption ........................................................................................ 54
3.3. Creating and Maintaining Database Links .................................................................... 57
3.3.1. Configuring the Chaining Policy ........................................................................ 57
3.3.2. Creating a New Database Link ......................................................................... 62
3.3.3. Chaining Using SSL ........................................................................................ 71
3.3.4. Maintaining Database Links .............................................................................. 71
3.3.5. Database Links and Access Control Evaluation ................................................. 72
3.3.6. Advanced Feature: Tuning Database Link Performance ...................................... 73
3.3.7. Advanced Feature: Configuring Cascading Chaining .......................................... 77
3.4. Using Referrals .......................................................................................................... 88
3.4.1. Starting the Server in Referral Mode ................................................................. 88
3.4.2. Setting Default Referrals .................................................................................. 89
3.4.3. Creating Smart Referrals .................................................................................. 90
3.4.4. Creating Suffix Referrals .................................................................................. 91
4. Populating Directory Databases 95
4.1. Importing Data ........................................................................................................... 95
4.1.1. Importing Entries with Large Attributes .............................................................. 95
4.1.2. Importing a Database from the Console ............................................................ 95
4.1.3. Initializing a Database from the Console ........................................................... 97
4.1.4. Importing from the Command-Line .................................................................... 97
4.2. Exporting Data ......................................................................................................... 100
4.2.1. Exporting Directory Data to LDIF Using the Console ........................................ 102
4.2.2. Exporting a Single Database to LDIF Using the Console ................................... 102
4.2.3. Exporting to LDIF from the Command-Line ...................................................... 103
4.3. Backing up and Restoring Data ................................................................................. 104
4.3.1. Backing up All Databases .............................................................................. 105
4.3.2. Backing up the dse.ldif Configuration File ........................................................ 106
4.3.3. Restoring All Databases ................................................................................. 106
4.3.4. Restoring a Single Database .......................................................................... 108
4.3.5. Restoring Databases That Include Replicated Entries ....................................... 108
4.3.6. Restoring the dse.ldif Configuration File .......................................................... 109
5. Managing Entries with Roles, Classes of Service, and Views 111
5.1. Using Roles ............................................................................................................. 111
5.1.1. About Roles .................................................................................................. 111
5.1.2. Managing Roles Using the Console ................................................................ 113
5.1.3. Managing Roles Using the Command-Line ...................................................... 117
5.1.4. Using Roles Securely ..................................................................................... 120
5.2. Assigning Classes of Service .................................................................................... 121
5.2.1. About CoS .................................................................................................... 121
5.2.2. Managing CoS Using the Console .................................................................. 126
5.2.3. Managing CoS from the Command-Line .......................................................... 129
5.2.4. Creating Role-Based Attributes ....................................................................... 136
5.2.5. Access Control and CoS ................................................................................ 137
5.3. Using Views ............................................................................................................. 137
5.3.1. Creating Views in the Console ........................................................................ 138
5.3.2. Deleting Views from the Directory Server Console ........................................... 139
5.3.3. Creating Views from the Command Line ......................................................... 139
5.3.4. Deleting Views from the Command Line .......................................................... 139
5.4. Using Groups ........................................................................................................... 140
5.4.1. Managing Static Groups ................................................................................. 140
5.4.2. Managing Dynamic Groups ............................................................................ 141
6. Managing Access Control 143
6.1. Access Control Principles .......................................................................................... 143
6.1.1. ACI Structure ................................................................................................. 143
6.1.2. ACI Placement .............................................................................................. 143
6.1.3. ACI Evaluation ............................................................................................... 144
6.1.4. ACI Limitations .............................................................................................. 144
6.2. Default ACIs ............................................................................................................. 145
6.3. Creating ACIs Manually ............................................................................................ 146
6.3.1. The ACI Syntax ............................................................................................. 146
6.3.2. Defining Targets ............................................................................................. 147
6.3.3. Defining Permissions ..................................................................................... 152
6.4. Bind Rules ............................................................................................................... 156
6.4.1. Bind Rule Syntax ........................................................................................... 156
6.4.2. Defining User Access - userdn Keyword .......................................................... 157
6.4.3. Defining Group Access - groupdn Keyword ..................................................... 160
6.4.4. Defining Role Access - roledn Keyword ........................................................... 161
6.4.5. Defining Access Based on Value Matching ...................................................... 161
6.4.6. Defining Access from a Specific IP Address .................................................... 166
6.4.7. Defining Access from a Specific Domain ......................................................... 167
6.4.8. Defining Access at a Specific Time of Day or Day of Week ............................... 167
6.4.9. Defining Access Based on Authentication Method ............................................ 169
6.4.10. Using Boolean Bind Rules ............................................................................ 170
6.5. Creating ACIs from the Console ................................................................................ 170
6.5.1. Displaying the Access Control Editor ............................................................... 171
6.5.2. Creating a New ACI ....................................................................................... 173
6.5.3. Editing an ACI ............................................................................................... 178
6.5.4. Deleting an ACI ............................................................................................. 179
6.6. Viewing ACIs ............................................................................................................ 179
6.7. Get Effective Rights Control ...................................................................................... 179
6.7.1. Using Get Effective Rights from the Command-Line ......................................... 181
6.7.2. Using Get Effective Rights from the Console ................................................... 183
6.7.3. Get Effective Rights Return Codes .................................................................. 183
6.8. Logging Access Control Information ........................................................................... 184
6.9. Access Control Usage Examples ............................................................................... 184
6.9.1. Granting Anonymous Access .......................................................................... 185
6.9.2. Granting Write Access to Personal Entries ...................................................... 187
6.9.3. Restricting Access to Key Roles ..................................................................... 189
6.9.4. Granting a Group Full Access to a Suffix ......................................................... 191
6.9.5. Granting Rights to Add and Delete Group Entries ............................................ 192
6.9.6. Granting Conditional Access to a Group or Role .............................................. 194
6.9.7. Denying Access ............................................................................................. 195
6.9.8. Setting a Target Using Filtering ....................................................................... 197
6.9.9. Allowing Users to Add or Remove Themselves from a Group ............................ 198
6.9.10. Defining Permissions for DNs That Contain a Comma .................................... 199
6.9.11. Proxied Authorization ACI Example ............................................................... 199
6.10. Advanced Access Control: Using Macro ACIs ........................................................... 200
6.10.1. Macro ACI Example ..................................................................................... 200
6.10.2. Macro ACI Syntax ........................................................................................ 202
6.11. Access Control and Replication ............................................................................... 205
6.12. Compatibility with Earlier Releases .......................................................................... 205
7. Managing User Accounts and Passwords 207
7.1. Managing the Password Policy .................................................................................. 207
7.1.1. Configuring the Password Policy ..................................................................... 207
7.1.2. Setting User Passwords ................................................................................. 217
7.1.3. Password Change Extended Operation ........................................................... 217
7.1.4. Configuring the Account Lockout Policy ........................................................... 219
7.1.5. Managing the Password Policy in a Replicated Environment ............................. 221
7.1.6. Synchronizing Passwords ............................................................................... 222
7.2. Inactivating Users and Roles ..................................................................................... 222
7.2.1. Inactivating User and Roles Using the Console ................................................ 223
7.2.2. Inactivating User and Roles Using the Command-Line ..................................... 223
7.2.3. Activating User and Roles Using the Console .................................................. 224
7.2.4. Activating User and Roles Using the Command-Line ........................................ 224
7.3. Setting Resource Limits Based on the Bind DN .......................................................... 224
7.3.1. Setting Resource Limits Using the Console ..................................................... 225
7.3.2. Setting Resource Limits Using the Command-Line ........................................... 225
8. Managing Replication 227
8.1. Replication Overview ................................................................................................ 227
8.1.1. What Directory Units Are Replicated ............................................................... 227
8.1.2. Read-Write and Read-Only Replicas ............................................................... 227
8.1.3. Suppliers and Consumers .............................................................................. 227
8.1.4. Changelog ..................................................................................................... 228
8.1.5. Replication Identity ......................................................................................... 228
8.1.6. Replication Agreement ................................................................................... 229
8.1.7. Replicating Attributes with Fractional Replication .............................................. 229
8.1.8. Compatibility with Earlier Versions of Directory Server ...................................... 229
8.2. Replication Scenarios ............................................................................................... 230
8.2.1. Single-Master Replication ............................................................................... 230
8.2.2. Multi-Master Replication ................................................................................. 231
8.2.3. Cascading Replication .................................................................................... 233
8.3. Creating the Supplier Bind DN Entry .......................................................................... 235
8.4. Configuring Single-Master Replication ........................................................................ 236
8.4.1. Configuring the Read-Write Replica on the Supplier Server ............................... 236
8.4.2. Configuring the Read-Only Replica on the Consumer ....................................... 238
8.4.3. Create the Replication Agreement .................................................................. 240
8.5. Configuring Multi-Master Replication .......................................................................... 246
8.5.1. Configuring the Read-Write Replicas on the Supplier Servers ........................... 246
8.5.2. Configuring the Read-Only Replicas on the Consumer Servers ......................... 249
8.5.3. Setting up the Replication Agreements ............................................................ 251
8.5.4. Preventing Monopolization of the Consumer in Multi-Master Replication ............. 257
8.6. Configuring Cascading Replication ............................................................................ 258
8.6.1. Configuring the Read-Write Replica on the Supplier Server ............................... 258
8.6.2. Configuring the Read-Only Replica on the Consumer Server ............................ 260
8.6.3. Configuring the Read-Only Replica on the Hub ................................................ 262
8.6.4. Setting up the Replication Agreements ............................................................ 265
8.7. Configuring Replication from the Command Line ........................................................ 271
8.7.1. Configuring Suppliers from the Command Line ................................................ 271
8.7.2. Configuring Consumers from the Command Line ............................................. 274
8.7.3. Configuring Hubs from the Command Line ...................................................... 275
8.7.4. Configuring Replication Agreements from the Command Line ........................... 276
8.7.5. Initializing Consumers Online from the Command Line ..................................... 279
8.8. Making a Replica Updatable ..................................................................................... 280
8.9. Deleting the Changelog ............................................................................................ 280
8.9.1. Removing the Changelog ............................................................................... 280
8.9.2. Moving the Changelog to a New Location ....................................................... 281
8.10. Initializing Consumers ............................................................................................. 281
8.10.1. When to Initialize a Consumer ...................................................................... 282
8.10.2. Online Consumer Initialization Using the Console ........................................... 282
8.10.3. Initializing Consumers Online Using the Command Line ................................. 283
8.10.4. Manual Consumer Initialization Using the Command Line ............................... 283
8.10.5. Filesystem Replica Initialization ..................................................................... 284
8.11. Forcing Replication Updates .................................................................................... 286
8.11.1. Forcing Replication Updates from the Console ............................................... 286
8.11.2. Forcing Replication Updates from the Command-Line ..................................... 287
8.12. Replicating Account Lockout Attributes ..................................................................... 288
8.12.1. Configuring Directory Server to Replicate Password Policy Attributes ............... 288
8.12.2. Configuring Fractional Replication for Password Policy Attributes .................... 289
8.13. Replication over SSL .............................................................................................. 289
8.14. Replicating o=NetscapeRoot for Administration Server Failover ................................. 290
8.15. Replication with Earlier Releases ............................................................................. 291
8.16. Using the Retro Changelog Plug-in .......................................................................... 292
8.16.1. Enabling the Retro Changelog Plug-in ........................................................... 293
8.16.2. Trimming the Retro Changelog ..................................................................... 294
8.16.3. Searching and Modifying the Retro Changelog ............................................... 294
8.16.4. Retro Changelog and the Access Control Policy ............................................ 294
8.17. Monitoring Replication Status .................................................................................. 295
8.17.1. Monitoring Replication Status from the Directory Server Console ..................... 295
8.17.2. Monitoring Replication Status from Administration Express ............................. 296
8.18. Solving Common Replication Conflicts ..................................................................... 298
8.18.1. Solving Naming Conflicts .............................................................................. 298
8.18.2. Solving Orphan Entry Conflicts ..................................................................... 300
8.18.3. Solving Potential Interoperability Problems .................................................... 301
8.19. Troubleshooting Replication-Related Problems ......................................................... 301
9. Extending the Directory Schema 307
9.1. Overview of Extending Schema ................................................................................. 307
9.2. Managing Attributes .................................................................................................. 307
9.2.1. Viewing Attributes .......................................................................................... 307
9.2.2. Creating Attributes ......................................................................................... 309
9.2.3. Editing Attributes ............................................................................................ 309
9.2.4. Deleting Attributes .......................................................................................... 310
9.3. Managing Object Classes ......................................................................................... 310
9.3.1. Viewing Object Classes .................................................................................. 310
9.3.2. Creating Object Classes ................................................................................. 312
9.3.3. Editing Object Classes ................................................................................... 313
9.3.4. Deleting Object Classes ................................................................................. 314
9.4. Turning Schema Checking On and Off ....................................................................... 314
10. Managing Indexes 317
10.1. About Indexes ........................................................................................................ 317
10.1.1. About Index Types ....................................................................................... 317
10.1.2. About Default, System, and Standard Indexes ............................................... 318
10.1.3. Overview of the Searching Algorithm ............................................................. 321
10.1.4. Approximate Searches ................................................................................. 322
10.1.5. Balancing the Benefits of Indexing ................................................................ 322
10.2. Creating Indexes .................................................................................................... 324
10.2.1. Creating Indexes from the Server Console .................................................... 324
10.2.2. Creating Indexes from the Command-Line ..................................................... 325
10.2.3. Creating Browsing Indexes from the Server Console ...................................... 328
10.2.4. Creating Browsing Indexes from the Command-Line ...................................... 328
10.3. Deleting Indexes ..................................................................................................... 331
10.3.1. Deleting Indexes from the Server Console ..................................................... 332
10.3.2. Deleting Indexes from the Command-Line ..................................................... 332
10.3.3. Deleting Browsing Indexes from the Server Console ....................................... 334
10.3.4. Deleting Browsing Indexes from the Command-Line ....................................... 334
10.4. Managing Indexes .................................................................................................. 336
10.4.1. Indexing Performance .................................................................................. 337
10.4.2. Search Performance .................................................................................... 337
10.4.3. Backwards Compatibility and Migration .......................................................... 338
10.5. Attribute Name Quick Reference Table ..................................................................... 339
11. Managing SSL 341
11.1. Introduction to TLS/SSL in the Directory Server ........................................................ 341
11.1.1. Enabling SSL: Summary of Steps ................................................................. 341
11.1.2. Command-Line Functions for Start TLS ......................................................... 342
11.2. Obtaining and Installing Server Certificates ............................................................... 343
11.2.1. Step 1: Generate a Certificate Request ......................................................... 344
11.2.2. Step 2: Send the Certificate Request ............................................................. 347
11.2.3. Step 3: Install the Certificate ......................................................................... 348
11.2.4. Step 4: Trust the Certificate Authority ............................................................ 349
11.2.5. Step 5: Confirm That The New Certificates Are Installed ................................. 349
11.3. Using certutil .......................................................................................................... 350
11.3.1. Creating Directory Server Certificates through the Command Line ................... 350
11.3.2. certutil Usage ............................................................................................... 352
11.4. Starting the Server with TLS/SSL Enabled ............................................................... 353
11.4.1. Enabling TLS/SSL Only in the Directory Server .............................................. 353
11.4.2. Enabling TLS/SSL in the Directory Server, Administration Server, and Console ....... 355
11.4.3. Creating a Password File for the Directory Server .......................................... 357
11.4.4. Creating a Password File for the Administration Server ................................... 357
11.5. Setting Security Preferences .................................................................................... 358
11.5.1. Available Ciphers ......................................................................................... 358
11.5.2. Selecting the Encryption Cipher .................................................................... 360
11.6. Using Certificate-Based Authentication ..................................................................... 360
11.6.1. Setting up Certificate-Based Authentication .................................................... 361
11.6.2. Allowing/Requiring Client Authentication ........................................................ 362
11.7. Configuring LDAP Clients to Use SSL ...................................................................... 362
12. Managing SASL 365
12.1. Authentication Mechanisms ..................................................................................... 365
12.2. SASL Identity Mapping ............................................................................................ 366
12.3. Configuring SASL Identity Mapping from the Console ............................................... 367
12.4. Configuring SASL Identity Mapping from the Command-Line ..................................... 369
12.5. Configuring Kerberos .............................................................................................. 369
12.5.1. Realms ........................................................................................................ 369
12.5.2. Configuring the KDC Server ......................................................................... 370
12.5.3. Example: Configuring an Example KDC Server .............................................. 371
12.5.4. Configuring SASL Authentication at Directory Server Startup ........................... 371
13. Monitoring Server and Database Activity 373
13.1. Viewing and Configuring Log Files ........................................................................... 373
13.1.1. Defining a Log File Rotation Policy ............................................................... 373
13.1.2. Defining a Log File Deletion Policy ................................................................ 374
13.1.3. Access Log .................................................................................................. 375
13.1.4. Error Log ..................................................................................................... 376
13.1.5. Audit Log ..................................................................................................... 378
13.2. Manual Log File Rotation ........................................................................................ 379
13.3. Monitoring Server Activity ........................................................................................ 379
13.3.1. Monitoring the Server from the Directory Server Console ................................ 379
13.3.2. Monitoring the Directory Server from the Command Line ................................ 383
13.4. Monitoring Database Activity ................................................................................... 385
13.4.1. Monitoring Database Activity from the Directory Server Console ...................... 385
13.4.2. Monitoring Databases from the Command Line .............................................. 388
13.5. Monitoring Database Link Activity ............................................................................ 390
14. Monitoring Directory Server Using SNMP 393
14.1. About SNMP .......................................................................................................... 393
14.2. Configuring the Master Agent .................................................................................. 394
14.3. Configuring the Subagent ........................................................................................ 394
14.3.1. Subagent Configuration File .......................................................................... 394
14.3.2. Starting the Subagent .................................................................................. 395
14.3.3. Testing the Subagent ................................................................................... 395
14.4. Configuring SNMP Traps ......................................................................................... 396
14.5. Configuring the Directory Server for SNMP .............................................................. 396
14.6. Using the Management Information Base ................................................................. 397
14.6.1. Operations Table .......................................................................................... 397
14.6.2. Entries Table ................................................................................................ 399
14.6.3. Entity Table .................................................................................................. 399
14.6.4. Interaction Table .......................................................................................... 400
15. Tuning Directory Server Performance 403
15.1. Tuning Server Performance ..................................................................................... 403
15.2. Tuning Database Performance ................................................................................ 404
15.2.1. Optimizing Search Performance .................................................................... 404
15.2.2. Tuning Transaction Logging .......................................................................... 405
15.2.3. Changing the Location of the Database Transaction Log ................................. 406
15.2.4. Changing the Database Checkpoint Interval .................................................. 406
15.2.5. Disabling Durable Transactions ..................................................................... 407
15.2.6. Specifying Transaction Batching .................................................................... 407
15.3. Miscellaneous Tuning Tips ...................................................................................... 408
15.3.1. Avoid Creating Entries Under the cn=config Entry in the dse.ldif File ................ 408
16. Administering Directory Server Plug-ins 409
16.1. Server Plug-in Functionality Reference ..................................................................... 409
16.1.1. 7-Bit Check Plug-in ...................................................................................... 409
16.1.2. ACL Plug-in ................................................................................................. 409
16.1.3. ACL Preoperation Plug-in ............................................................................. 410
16.1.4. Binary Syntax Plug-in ................................................................................... 410
16.1.5. Boolean Syntax Plug-in ................................................................................ 410
16.1.6. Case Exact String Syntax Plug-in ................................................................. 411
16.1.7. Case Ignore String Syntax Plug-in ................................................................ 411
16.1.8. Chaining Database Plug-in ........................................................................... 412
16.1.9. Class of Service Plug-in ............................................................................... 412
16.1.10. Country String Syntax Plug-in ..................................................................... 412
16.1.11. Distinguished Name Syntax Plug-in ............................................................. 413
16.1.12. Generalized Time Syntax Plug-in ................................................................ 413
16.1.13. Integer Syntax Plug-in ................................................................................ 414
16.1.14. Internationalization Plug-in .......................................................................... 414
16.1.15. ldbm Database Plug-in ............................................................................... 415
16.1.16. Legacy Replication Plug-in .......................................................................... 415
16.1.17. Multi-Master Replication Plug-in .................................................................. 416
16.1.18. Octet String Syntax Plug-in ......................................................................... 416
16.1.19. CLEAR Password Storage Plug-in .............................................................. 416
16.1.20. CRYPT Password Storage Plug-in .............................................................. 417
16.1.21. NS-MTA-MD5 Password Storage Plug-in ..................................................... 417
16.1.22. SHA Password Storage Plug-in ................................................................... 418
16.1.23. SSHA Password Storage Plug-in ................................................................ 419
16.1.24. Postal Address String Syntax Plug-in .......................................................... 419
16.1.25. PTA Plug-in ............................................................................................... 419
16.1.26. Referential Integrity Postoperation Plug-in .................................................... 420
16.1.27. Retro Changelog Plug-in ............................................................................ 421
16.1.28. Roles Plug-in ............................................................................................. 422
16.1.29. Space Insensitive String Syntax Plug-in ....................................................... 422
16.1.30. State Change Plug-in ................................................................................. 423
16.1.31. Telephone Syntax Plug-in ........................................................................... 423
16.1.32. UID Uniqueness Plug-in ............................................................................. 423
16.1.33. URI Plug-in ................................................................................................ 424
16.2. Enabling and Disabling Plug-ins .............................................................................. 425
17. Using the Pass-through Authentication Plug-in 427
17.1. How Directory Server Uses PTA .............................................................................. 427
17.2. PTA Plug-in Syntax ................................................................................................. 428
17.3. Configuring the PTA Plug-in .................................................................................... 430
17.3.1. Turning the Plug-in On or Off ........................................................................ 431
17.3.2. Configuring the Servers to Use a Secure Connection ..................................... 431
17.3.3. Specifying the Authenticating Directory Server ............................................... 431
17.3.4. Specifying the Pass-through Subtree ............................................................. 432
17.3.5. Configuring the Optional Parameters ............................................................. 433
17.4. PTA Plug-in Syntax Examples ................................................................................. 433
17.4.1. Specifying One Authenticating Directory Server and One Subtree .................... 434
17.4.2. Specifying Multiple Authenticating Directory Servers ....................................... 434
17.4.3. Specifying One Authenticating Directory Server and Multiple Subtrees ............. 434
17.4.4. Using Non-Default Parameter Values ............................................................ 435
17.4.5. Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers .............................................................................. 435
18. Using the Attribute Uniqueness Plug-in 437
18.1. Overview of the Attribute Uniqueness Plug-in ........................................................... 437
18.2. Attribute Uniqueness Plug-in Syntax ........................................................................ 438
18.3. Creating an Instance of the Attribute Uniqueness Plug-in .......................................... 439
18.4. Configuring Attribute Uniqueness Plug-ins ................................................................ 440
18.4.1. Viewing Plug-in Configuration Information ...................................................... 440
18.4.2. Configuring Attribute Uniqueness Plug-ins from the Directory Server Console ... 441
18.4.3. Configuring Attribute Uniqueness Plug-ins from the Command-Line ................. 441
18.5. Attribute Uniqueness Plug-in Syntax Examples ......................................................... 443
18.5.1. Specifying One Attribute and One Subtree .................................................... 444
18.5.2. Specifying One Attribute and Multiple Subtrees .............................................. 444
18.6. Replication and the Attribute Uniqueness Plug-in ...................................................... 444
18.6.1. Simple Replication Scenario ......................................................................... 445
18.6.2. Multi-Master Replication Scenario ................................................................. 445
19. Synchronizing Red Hat Directory Server with Microsoft Active Directory 447
19.1. About Windows Sync .............................................................................................. 447
19.2. Configuring Windows Sync ...................................................................................... 449
19.2.1. Step 1: Configure SSL on Directory Server .................................................... 449
19.2.2. Step 2: Configure the Active Directory Domain ............................................... 450
19.2.3. Step 3: Select or Create the Sync Identity ..................................................... 451
19.2.4. Step 4: Install and Configure the Password Sync Service ................................ 451
19.2.5. Step 5: Configure the Password Sync Service ............................................... 453
19.2.6. Step 6: Configure the Directory Server Database for Synchronization ............... 454
19.2.7. Step 7: Create the Synchronization Agreement .............................................. 455
19.2.8. Step 7: Begin Synchronization ...................................................................... 457
19.3. Using Windows Sync .............................................................................................. 457
19.3.1. Synchronizing Users .................................................................................... 457
19.3.2. Synchronizing Groups .................................................................................. 460
19.3.3. Deleting Entries ........................................................................................... 461
19.3.4. Resurrecting Entries ..................................................................................... 461
19.3.5. Manually Updating and Resynchronizing Entries ............................................ 462
19.3.6. Checking Synchronization Status .................................................................. 462
19.3.7. Modifying the Sync Agreement ..................................................................... 462
19.4. Schema Differences ................................................................................................ 463
19.4.1. Password Policies ........................................................................................ 463
19.4.2. Groups ........................................................................................................ 463
19.4.3. Values for street and streetAddress ............................................................... 463
19.4.4. Constraints on the initials Attribute .................................................................. 464
19.5. Password Sync Service .......................................................................................... 464
19.5.1. Modifying Password Sync ............................................................................. 464
19.5.2. Starting and Stopping the Password Sync Service ......................................... 464
19.5.3. Uninstalling Password Sync Service .............................................................. 464
19.6. Troubleshooting ...................................................................................................... 465
A. LDAP Data Interchange Format 467
A.1. About the LDIF File Format ...................................................................................... 467
A.2. Continuing Lines in LDIF .......................................................................................... 468
A.3. Representing Binary Data ......................................................................................... 468
A.3.1. Standard LDIF Notation ................................................................................. 469
A.3.2. Base-64 Encoding ......................................................................................... 469
A.4. Specifying Directory Entries Using LDIF .................................................................... 470
A.4.1. Specifying Domain Entries ............................................................................. 470
A.4.2. Specifying Organizational Unit Entries ............................................................ 471
A.4.3. Specifying Organizational Person Entries ........................................................ 472
A.5. Defining Directories Using LDIF ................................................................................ 473
A.5.1. LDIF File Example ......................................................................................... 474
A.6. Storing Information in Multiple Languages ................................................................. 475
B. Finding Directory Entries 477
B.1. Finding Entries Using the Directory Server Console .................................................... 477
B.2. Using ldapsearch ..................................................................................................... 478
B.2.1. Using Special Characters ............................................................................... 479
B.2.2. ldapsearch Command-Line Format ................................................................. 479
B.2.3. Commonly Used ldapsearch Options .............................................................. 480
B.2.4. ldapsearch Examples ..................................................................................... 481
B.3. LDAP Search Filters ................................................................................................. 484
B.3.1. Search Filter Syntax ...................................................................................... 484
B.4. Searching an Internationalized Directory .................................................................... 487
B.4.1. Matching Rule Filter Syntax ........................................................................... 488
B.4.2. Supported Search Types ................................................................................ 490
B.4.3. International Search Examples ....................................................................... 491
C. LDAP URLs 495
C.1. Components of an LDAP URL .................................................................................. 495
C.2. Escaping Unsafe Characters .................................................................................... 496
C.3. Examples of LDAP URLs ......................................................................................... 497
D. Internationalization 499
D.1. About Locales .......................................................................................................... 499
D.2. Identifying Supported Locales ................................................................................... 500
D.3. Supported Language Subtypes ................................................................................. 501
D.4. Troubleshooting Matching Rules ............................................................................... 502
Glossary 505
Index 519
Preface
Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet, over your extranet with your trading partners, or over the public Internet to reach your customers.
This Administrator's Guide describes all of the administration tasks you need to perform to maintain Directory Server.
1. Directory Server Overview
Directory Server provides the following key features:
• Multi-master replication — Provides a highly available directory service for both read and write operations. Multi-master replication can be combined with simple and cascading replication scenarios to provide a highly flexible and scalable replication environment.
• Chaining and referrals — Increases the power of your directory by storing a complete logical view of your directory on a single server while maintaining data on a large number of Directory Servers transparently for clients.
• Roles and classes of service — Provides a flexible mechanism for grouping and sharing attributes between entries in a dynamic fashion.
• Improved access control mechanisms — Provides support for macros that dramatically reduce the number of access control statements used in the directory and increase the scalability of access control evaluation.
• Resource-limits by bind DN — Grants the power to control the amount of server resources allocated to search operations based on the bind DN of the client.
• Multiple databases — Provides a simple way of breaking down your directory data to simplify the implementation of replication and chaining in your directory service.
• Password policy and account lockout — Defines a set of rules that govern how passwords and user accounts are managed in the Directory Server.
• TLS and SSL — Provides secure authentication and communication over the network, using the Mozilla Network Security Services (NSS) libraries for cryptography.
The major components of Directory Server include the following:
• An LDAP server — The LDAP v3-compliant network daemon.
• Directory Server Console — A graphical management console that dramatically reduces the effort of setting up and maintaining your directory service.
• SNMP agent — Can monitor the Directory Server using the Simple Network Management Protocol (SNMP).
2. Examples and Formatting
All of the examples for Red Hat Directory Server commands, file locations, and other usage are given for Red Hat Enterprise Linux 5 (32-bit) systems. Be certain to use the appropriate commands and files for your platform.
To start the Red Hat Directory Server:
/etc/init.d/dirsrv start
Example 1. Example Command
All of the tools for Red Hat Directory Server are located in the /usr/bin directory. These tools can be run from any location without specifying the tool location.
There is another important consideration with the Red Hat Directory Server tools. The LDAP tools referenced in this guide are Mozilla LDAP, installed with Red Hat Directory Server in the /usr/lib/mozldap directory on Red Hat Enterprise Linux 5 (32-bit).
However, Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the /usr/bin directory. It is possible to use the OpenLDAP commands as shown in the examples, but you must use the -x argument to disable SASL, which OpenLDAP tools use by default.
Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.
Formatting Style: Purpose
Monospace font: Monospace is used for commands, package names, files and directory paths, and any text displayed in a prompt.
Monospace with a background: This type of formatting is used for anything entered or returned in a command prompt.
Italicized text: Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase.
Bolded text: Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or Save button.
Other formatting styles draw attention to important text.
NOTE
A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue.
IMPORTANT
Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
WARNING
A warning indicates potential data loss, as may happen when tuning hardware for maximum performance.
3. Additional Reading
The Directory Server Administrator's Guide describes how to set up, configure, and administer Red Hat Directory Server and its contents. The instructions for installing the various Directory Server components are contained in the Red Hat Directory Server Installation Guide. Many of the scripts and commands used to install and administer the Directory Server are explained in detail in the Red Hat Directory Server Configuration, Command, and File Reference.
The document set for Directory Server contains the following guides:
Red Hat Directory Server Release Notes contain important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.
Red Hat Directory Server Administrator's Guide contains procedures for the day-to-day maintenance of the directory service. Includes information on configuring server-side plug-ins.
Red Hat Directory Server Configuration, Command, and File Reference provides reference information on the command-line scripts, configuration attributes, and log files shipped with Directory Server.
Red Hat Directory Server Installation Guide contains procedures for installing your Directory Server as well as procedures for migrating from a previous installation of Directory Server.
For the latest information about Directory Server, including current release notes, complete product documentation, technical notes, and deployment information, see the Red Hat Directory Server documentation site at http://www.redhat.com/docs/manuals/dir-server/.
4. Giving Feedback
If there is any error in this Administrator's Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Directory Server through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:
• Select the Red Hat Directory Server product.
• Set the component to Doc - administration-guide.
• Set the version number to 8.0.
• For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo.
• For enhancements, put in what information needs to be added and why.
• Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".
We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at mailto:docs@redhat.com.
5. Document History
Revision 8.0.19 February 11, 2010 Ella Deon Lackey
Clarifying how passwordUnlock works, per Bugzilla #552377. Correcting the nsds5replicacredentials example in the replication agreements command-line example, per Bugzilla #560032.
Revision 8.0.18 January 11, 2010 Ella Deon Lackey
Adding section on nsslapd-cachememsize and the import buffer size, per Bugzilla #531043.
Revision 8.0.17 November 30, 2009 Ella Deon Lackey
Fixing a self-referential cross-link.
Revision 8.0.16 October 13, 2009 Ella Deon Lackey
Correcting passwordIsGlobalPolicy configuration, per Bugzilla #526449.
Revision 8.0.15 September 9, 2009 Ella Deon Lackey
Removing any references to the Directory Server Gateway or Org Chart.
Revision 8.0.14 September 5, 2009 Ella Deon Lackey
Fixing the ldapmodify examples for adding new role entries to include the -a option, which is required; related to Bug #521336.
Revision 8.0.13 August 6, 2009 Ella Deon Lackey
Fixing links in configuration for o=Netscape replication, per Bug #514020.
Revision 8.0.12 May 4, 2009 Ella Deon Lackey
Clarifying how to export a replica with db2ldif, per Bug #452576. Corrected the authmethod bind rule example, per Bug #437007. Corrected inconsistent use of quotation marks in examples for chaining, per Bug #488818. Clarified the max cache size file description, per Bug #490038. Corrected the server certificate name in the pk12util example, per Bug #490499. Fixed the CNs used in the examples in the certutil procedure, per Bug #492135 and Bug #488152. Updated the defaults for log deletion attributes, per Bug #475331.
Revision 8.0.11 April 9, 2009 Ella Deon Lackey
Removed paragraph about empty value for nsIndexType, per Bug #464651.
Revision 8.0.10 April 7, 2009 Ella Deon Lackey
Corrected description of nsds5ReplicaPurgeDelay, per Bug #489754.
Revision 8.0.9 February 24, 2009 Ella Deon Lackey
Edited pin.txt information, per Bug #487149.
Revision 8.0.8 February 7, 2009 Ella Deon Lackey
Add -2 option to the example for generating a CA certificate, per Bug #481174.
Revision 8.0.7 January 16, 2009 Ella Deon Lackey
Correcting the Administration Server password file token example, per Bugzilla #476910.
Revision 8.0.6 January 10, 2009 Ella Deon Lackey
Changing the ECC key to RSA key in the certutil example per the email from SEG engineer Marc Sauton.
Revision 8.0.5 September 5, 2008 Ella Deon Lackey
Fixing minor typos in the database chapter, per Bugzilla 159786.
Revision 8.0.4 August 28, 2008 Ella Deon Lackey
Editing the procedure for configuring transaction logs for frequent updates, adding missing and necessary steps per Bugzilla 459839. Removing an incorrect note about server startup time in the common usage chapter. Correcting the procedure for using a password file for running the Administration Server with SSL. Minor changes to the fractional replication and password policy replication sections, per Bugzilla 450973. Edits to certutil sections, per Bugzilla 441889.
Revision 8.0.3 April 30, 2008 Ella Deon Lackey
Correcting the labels in the graphic dirtree3.png, per Bugzilla 443809. Correcting password expiration description, per Bugzilla 239642.
Revision 8.0.2 April 7, 2008 Ella Deon Lackey
Correcting bad cross-reference links in the performance tuning chapter. Minor edits to the SSL cipher list, per Bugzilla 234966. Changing the name and location of template-cl-dump.pl and template-repl-monitor.pl, per Bugzilla 239337.
Revision 8.0.1 April 7, 2008 Ella Deon Lackey
Correcting bad cross-reference links in the performance tuning chapter. Minor edits to the SSL cipher list, per Bugzilla 234966. Changing the name and location of template-cl-dump.pl and template-repl-monitor.pl, per Bugzilla 239337.
Revision 8.0.1 February 12, 2008 Ella Deon Lackey
Clarifying the location of Mozilla LDAP tools, per Bugzilla 430539. Removing references to 7.1 manuals, per Bugzilla 430562. Removing a misleading note box in the synchronization chapter. Correcting the schema directory path.
Revision 8.0.0 January 15, 2008 Ella Deon Lackey
Initial draft for version 8.0.
Chapter 1. General Red Hat Directory Server Usage
The Red Hat Directory Server product includes a directory service, an administration server to manage multiple server instances, and a Java-based console to manage server instances through a graphical interface. This chapter provides an overview of the basic tasks for administering a directory service.
The Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources. It is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). Directory Server runs the ns-slapd daemon on the host machine. The server manages the directory databases and responds to client requests.
Directory Server 8.0 is comprised of several components, which work in tandem:
• The Directory Server is the core LDAP server daemon. It is compliant with LDAP v3 standards. This component includes command-line server management and administration programs and scripts for common operations such as exporting and backing up databases.
• The Directory Server Console is the user interface that simplifies managing users, groups, and other LDAP data for your enterprise. The Console is used for all aspects of server management, including making backups; configuring security, replication, and databases; adding entries; and monitoring servers and viewing statistics.
• The Administration Server is the management agent which administers Directory Server instances. It communicates with the Directory Server Console and performs operations on the Directory Server instances. It also provides a simple HTML interface and online help pages.
Most Directory Server administrative tasks are available through the Directory Server Console, but it is also possible to administer the Directory Server by manually editing the configuration files or by using command-line utilities.
1.1. Directory Server File Locations
Red Hat Directory Server 8.0 conforms to the Filesystem Hierarchy Standards. For more information on FHS, see the FHS homepage, http://www.pathname.com/fhs/. The files and directories installed with Directory Server are listed in the tables below for each supported platform.
In the file locations listed in the following tables, instance is the server instance name that was given during setup. By default, this is the leftmost component of the fully-qualified host and domain name. For example, if the hostname is ldap.example.com, the instance name is ldap by default.
The Administration Server directories are named the same as the Directory Server directories, only instead of the instance as a directory name, the Administration Server directories are named admin-serv. For any directory or folder named slapd-instance, substitute admin-serv, such as /etc/dirsrv/slapd-example and /etc/dirsrv/admin-serv.
File or Directory     Location
Log files             /var/log/dirsrv/slapd-instance
Configuration files   /etc/dirsrv/slapd-instance
Instance directory    /usr/lib/dirsrv/slapd-instance
Database files        /var/lib/dirsrv/slapd-instance
Runtime files         /var/lock/dirsrv/slapd-instance
                      /var/run/dirsrv/slapd-instance
Initscripts           /etc/rc.d/init.d/dirsrv and /etc/sysconfig/dirsrv
                      /etc/rc.d/init.d/dirsrv-admin and /etc/sysconfig/dirsrv-admin
Tools                 /usr/bin/
                      /usr/sbin/
Table 1.1. Red Hat Enterprise Linux 4 and 5 (x86)

File or Directory     Location
Log files             /var/log/dirsrv/slapd-instance
Configuration files   /etc/dirsrv/slapd-instance
Instance directory    /usr/lib64/dirsrv/slapd-instance
Database files        /var/lib/dirsrv/slapd-instance
Runtime files         /var/lock/dirsrv/slapd-instance
                      /var/run/dirsrv/slapd-instance
Initscripts           /etc/rc.d/init.d/dirsrv and /etc/sysconfig/dirsrv
                      /etc/rc.d/init.d/dirsrv-admin and /etc/sysconfig/dirsrv-admin
Tools                 /usr/bin/
                      /usr/sbin/
Table 1.2. Red Hat Enterprise Linux 4 and 5 (x86_64)

File or Directory     Location
Log files             /var/log/dirsrv/slapd-instance
Configuration files   /etc/dirsrv/slapd-instance
Instance directory    /usr/lib/sparc9/dirsrv/slapd-instance
Database files        /var/lib/dirsrv/slapd-instance
Runtime files         /var/lock/dirsrv/slapd-instance
                      /var/run/dirsrv/slapd-instance
Initscripts           /etc/rc.d/init.d/dirsrv and /etc/default/dirsrv
                      /etc/rc.d/init.d/dirsrv-admin and /etc/default/dirsrv-admin
Tools                 /usr/bin/
                      /usr/sbin/
Table 1.3. Sun Solaris 9 (sparc)

File or Directory     Location
Log files             /var/opt/log/dirsrv/slapd-instance
Configuration files   /etc/opt/dirsrv/slapd-instance
Instance directory    /opt/dirsrv/slapd-instance
Database files        /var/opt/dirsrv/slapd-instance
Runtime files         /var/opt/dirsrv/instance
Binaries              /opt/dirsrv/bin/
                      /opt/dirsrv/sbin/
Libraries             /opt/dirsrv/lib/
Table 1.4. HP-UX 11i (IA64)
1.2. LDAP Tool Locations
Red Hat Directory Server uses Mozilla LDAP tools — such as ldapsearch, ldapmodify, and ldapdelete — for command-line operations. The MozLDAP tools are installed with Directory Server.
Platform                              Directory Location
Red Hat Enterprise Linux 4 i386       /usr/lib/mozldap6
Red Hat Enterprise Linux 4 x86_64     /usr/lib64/mozldap6
Red Hat Enterprise Linux 5 i386       /usr/lib/mozldap
Red Hat Enterprise Linux 5 x86_64     /usr/lib64/mozldap
Sun Solaris                           /usr/lib/sparcv9/mozldap
HP-UX                                 /opt/dirsrv/bin
For all Red Hat Directory Server guides and documentation, the LDAP tools used in the examples, such as ldapsearch and ldapmodify, are the Mozilla LDAP tools. For most Linux systems, OpenLDAP tools are already installed in the /usr/bin/ directory. These OpenLDAP tools are not supported for Directory Server operations. For the best results with the Directory Server, make sure the path to the Mozilla LDAP tools comes first in the PATH or use the full path and file name for every LDAP operation.
However, these OpenLDAP tools can be used for Directory Server operations with certain cautions:
• The output of the other tools may be different, so it may not look like the examples in the documentation.
• The OpenLDAP tools require a -x argument to disable SASL so that they can be used for a simple bind, meaning the -D and -w arguments or an anonymous bind.
• The OpenLDAP tools' arguments for using TLS/SSL and SASL are quite different than the Mozilla LDAP arguments. See the OpenLDAP documentation for instructions on those arguments.
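The following POSIX shell helper is an added example, not part of the Administration Guide: it applies the PATH advice above (find the Mozilla tool directory from the platform table and make sure a bare ldapsearch resolves there) and builds a simple-bind search command that adds -x only when the OpenLDAP tool is the one being run. The host name, DNs and filter used in the demonstration are placeholders.

```shell
#!/bin/sh
# Added example, not from the Administration Guide: put the Mozilla LDAP tools
# ahead of OpenLDAP's on the PATH, as the guide advises, and build a simple-bind
# ldapsearch command that is correct for whichever tool set actually gets used.

# Mozilla LDAP tool directories, taken from the platform table in this section.
MOZLDAP_DIRS="/usr/lib64/mozldap /usr/lib/mozldap /usr/lib64/mozldap6 /usr/lib/mozldap6 /usr/lib/sparcv9/mozldap /opt/dirsrv/bin"

# Print the first directory in $1 (default: MOZLDAP_DIRS) that holds an
# executable ldapsearch. Returns 1 when no Mozilla tools are installed.
find_mozldap_dir() {
    for d in ${1:-$MOZLDAP_DIRS}; do
        if [ -x "$d/ldapsearch" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Prepend the Mozilla tool directory to PATH and confirm that a bare
# "ldapsearch" now resolves there rather than to the OpenLDAP copy in /usr/bin.
# Prints the resolved path; returns 1 if the Mozilla tools still do not win.
use_mozldap_first() {
    dir=$(find_mozldap_dir "$1") || return 1
    PATH="$dir:$PATH"
    export PATH
    resolved=$(command -v ldapsearch) || return 1
    case "$resolved" in
        "$dir"/*) echo "$resolved" ;;
        *) return 1 ;;
    esac
}

# Build a simple-bind ldapsearch command line for the given tool.
# The OpenLDAP ldapsearch needs -x so that -D/-w mean a simple bind; the
# Mozilla tool does not take -x, so it is added only for non-Mozilla paths.
# Arguments: tool path, host, port, bind DN, search base, filter.
# The password is left as the literal "$LDAP_PASSWORD" so the caller supplies
# it from the environment instead of embedding it in the command string.
ldap_search_cmd() {
    tool=$1; host=$2; port=$3; binddn=$4; base=$5; filter=$6
    case "$tool" in
        */mozldap*/*|/opt/dirsrv/bin/*) simple="" ;;
        *) simple="-x " ;;
    esac
    printf '%s %s-h %s -p %s -D "%s" -w "$LDAP_PASSWORD" -b "%s" "%s"\n' \
        "$tool" "$simple" "$host" "$port" "$binddn" "$base" "$filter"
}

# Constructed usage; ldap.example.com and the DNs are placeholders.
mdir=$(find_mozldap_dir) || mdir=/usr/bin   # fall back to OpenLDAP's location
ldap_search_cmd "$mdir/ldapsearch" ldap.example.com 389 \
    "cn=Directory Manager" "dc=example,dc=com" "(uid=bjensen)"
```

On a host without the Mozilla tools the helper falls back to /usr/bin and emits the -x form, which is the case where output will not match the guide's examples.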
1.3. Starting and Stopping Servers
The Directory Server is running when the setup-ds-admin.pl script completes. Avoid stopping and starting the server to prevent interrupting replication, searches, and other server operations.
• If the Directory Server has SSL enabled, you cannot restart the server from the Console; you must use the command-line. It is possible to restart without being prompted for a password; see Section 11.4.3, “Creating a Password File for the Directory Server” for more information.
• Rebooting the host system can automatically start the ns-slapd process. The directory provides startup or run command (rc) scripts. On Red Hat Enterprise Linux, use the chkconfig command to enable the Directory Server and Administration Server to start on boot. On Solaris, the commands are already set up in the /etc/rc.d directories to start up the servers at boot time. For HP-UX, check the operating system documentation for details on adding these scripts.
1.3.1. Starting and Stopping Directory Server from the Console
1. Start the Directory Server Console.
/usr/bin/redhat-idm-console -a http://localhost:9830
2. In the Tasks tab, click Start the Directory Server, Stop the Directory Server, or Restart the Directory Server.
When the Directory Server is successfully started or stopped from the Directory Server Console, the server displays a message box stating that the server has either started or shut down.
1.3.2. Starting and Stopping Directory Server from the Command Line
There are two ways to start, stop, or restart the Directory Server:
• There are scripts in the instance directories. For example:
/usr/lib/dirsrv/slapd-instance/start-slapd
/usr/lib/dirsrv/slapd-instance/restart-slapd
/usr/lib/dirsrv/slapd-instance/stop-slapd
• The Directory Server service can also be stopped and started using system tools on Red Hat Enterprise Linux and Solaris. For example, Linux uses the service tool:
service dirsrv {start|stop|restart} instance
NOTE
The service name for the Directory Server process on Red Hat Enterprise Linux is dirsrv.
Solaris uses /etc/init.d:
/etc/init.d/dirsrv {start|stop|restart} instance
The Directory Server instance name can be specified in both the start|stop|restart-slapd and system scripts. If an instance name is not given, the start or stop operation applies to all instances on the machine.
1.3.3. Starting and Stopping Administration Server
There are two ways to start, stop, or restart the Administration Server:
• There are scripts in the /usr/sbin directory.
/usr/sbin/start|stop|restart-ds-admin
• The Administration Server service can also be stopped and started using system tools on Red Hat Enterprise Linux and Solaris. For example, on Red Hat Enterprise Linux, the command is service:
service dirsrv-admin {start|stop|restart}
NOTE
The service name for the Administration Server process on Red Hat Enterprise Linux is dirsrv-admin.
On Solaris, the service is init.d:
/etc/init.d/dirsrv-admin {start|stop|restart}
1.4. Starting the Directory Server Console
There is a simple script to launch the Directory Server Console. On Red Hat Enterprise Linux and Solaris, run the following:
/usr/bin/redhat-idm-console
HP-UX has a different location for the script:
/opt/dirsrv/bin/redhat-idm-console
NOTE
Make sure that the correct JRE — the program called java — is set in the PATH before launching the Console. Run the following to see if the Java program is in the PATH and to get the version and vendor information:
java -version
When the login screen opens, you are prompted for the username, password, and Administration Server location. It is possible to send the Administration Server URL and port with the start script. For example:
/usr/bin/redhat-idm-console -a http://localhost:9830
The -a option is a convenience, particularly when logging into a Directory Server for the first time. On subsequent logins, the URL is saved. If you do not pass the Administration Server port number with the redhat-idm-console command, then you are prompted for it at the Console login screen.
1.4.1. Logging into Directory Server
After starting the Directory Server Console, a login screen opens, requiring the username and password for the user logging in and the URL for the Administration Server instance being accessed. The user logged in at the Console is the user who is binding to Directory Server. This determines the access permissions granted and the operations allowed while accessing the directory tree. The user account used to log into the Directory Server Console can make significant differences in the access; for example, the Directory Manager has access to every user and configuration entry in Directory Server, while the admin entry created during installation has access to only configuration entries, not user entries. Regular user accounts are more limited.
To bind to, or log into, the Directory Server, supply a username and password at the login box.
1.4.2. Changing Login Identity
At any time during a session, you can log in as a different user, without having to restart the Console. To change the login identity, do the following:
1. In the Directory Server Console, select the Tasks tab.
2. Click Log on to the Directory Server as a New User.
3. A login dialog box appears.
Enter the full distinguished name of the entry with which to bind to the server. For example, to bind as user Barbara Jensen, enter her full DN in the login box:
cn=Barbara Jensen, ou=People,dc=example,dc=com
1.4.3. Viewing the Current Console Bind DN
To see the bind DN that is currently logged into the Directory Server Console, click the login icon in the lower-left corner of the window. The current bind DN appears next to the login icon.
Figure 1.1. Viewing the Bind DN
1.5. Changing Directory Server Port Numbers
The standard and secure LDAP port numbers used by Directory Server can be changed through the Directory Server Console or by changing the value of the nsslapd-port or nsslapd-secureport attribute under the cn=config entry in the dse.ldif.
NOTE
Modifying the standard or secure port numbers for a Configuration Directory Server, which maintains the o=NetscapeRoot subtree, should be done through the Directory Server Console.
Changing the configuration directory or user directory port or secure port numbers has the following repercussions:
• The Directory Server port number must also be updated in the Administration Server configuration.
• If there are other Directory Server instances that point to the configuration or user directory, update those servers to point to the new port number.
To modify a Directory Server LDAP or LDAPS port for either a user or a configuration directory, do the following:
1. In the Directory Server Console, select the Configuration tab, and then select the top entry in the navigation tree in the left pane.
2. Select the Settings tab in the right pane.
3. Enter the port number for the server to use for non-SSL communications in the Port field. The default value is 389.
4. Enter the port number for the server to use for SSL communications in the Encrypted Port field. The encrypted port number must not be the same port number used for normal LDAP communications. The default value is 636.
5. Click Save.
6. The Console returns a warning, You are about to change the port number for the Configuration Directory. This will affect all Administration Servers that use this directory and you'll need to update them with the new port number. Are you sure you want to change the port number? Click Yes.
7. Then a dialog appears, reading that the changes will not take effect until the server is restarted. Click OK.
NOTE
Do not restart the Directory Server at this point. If you do, you will not be able to make the necessary changes to the Administration Server through the Console.
8. Open the Administration Server Console.
9. In the Configuration tab, select the Configuration DS tab.
10. In the LDAP Port field, type in the new LDAP port number for your Directory Server instance.
11. Check the Secure Connection box if this is a secure port.
NOTE
If you try to save these changes at this step, you will get a warning box that reads, Invalid LDAP Host/LDAP Port, can not connect. Click OK, and ignore this warning.
12. In the Tasks tab of the Directory Server Console, click Restart Directory Server. A dialog opens to confirm that you want to restart the server. Click Yes.
13. Open the Configuration DS tab of the Administration Server Console and select Save.
A dialog will appear, reading The Directory Server setting has been modified. You must shutdown and restart your Administration Server and all the servers in the Server Group for the changes to take effect. Click OK.
14. In the Tasks tab of the Administration Server Console, click Restart Admin Server. A dialog opens reading that the Administration Server has been successfully restarted. Click Close.
NOTE
You must close and reopen the Console before you can do anything else in the Console. Refresh may not update the Console, and, if you try to do anything, you will get a warning that reads Unable to contact LDAP server.
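The same port change made from the command line, as an added example that is not part of the guide: an LDIF applied with the Mozilla ldapmodify against the cn=config entry of a user directory (per the note above, a Configuration Directory Server should be changed through the Console). The host name and the new port values 10389 and 10636 are placeholders.

```ldif
# Added example, not from the Administration Guide. Apply it to a user
# directory with the Mozilla ldapmodify, binding as the Directory Manager:
#   ldapmodify -h ldap.example.com -p 389 -D "cn=Directory Manager" -w <password> -f ports.ldif
# ldap.example.com and the port values 10389/10636 are placeholders.
# The change is written to dse.ldif but, exactly as in the Console procedure,
# takes effect only after the instance is restarted (restart-slapd), and the
# Directory Server port must also be updated in the Administration Server
# configuration (Configuration DS tab) so the Console can still connect.
dn: cn=config
changetype: modify
replace: nsslapd-port
nsslapd-port: 10389
-
replace: nsslapd-secureport
nsslapd-secureport: 10636
```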
1.6. Creating a New Directory Server Instance
Additional instances can be created through the Directory Server Console or using the setup-ds.pl script. For information on using the setup-ds.pl script, see the Directory Server Installation Guide. To create an instance using the Directory Server Console, do the following:
1. In the Red Hat Console window, select Server Group in the navigation tree, and then right-click.
2. From the pop-up menu, select Create Instance and then Directory Server.
The Create New Instance dialog box is displayed.
3. Enter a unique identifier for the server in the Server Identifier field.
NOTE
This name must only have alphanumeric characters, a dash (-), or an underscore (_).
4. Enter the port number for LDAP communications in the Network port field.
5. Enter the suffix managed by this new instance of the directory in the Base Suffix field.
6. Enter a DN for the Directory Manager in the Root DN field.
For information on the role and privileges of the Directory Manager entry, refer to Section 1.7, “Configuring the Directory Manager”.
7. Enter the password for this user in the Password for Root DN field, and confirm it.
8. Enter the user ID for the Directory Server daemon in the Server Runtime User ID field.
9. Click OK.
A status box appears to confirm that the operation was successful. To dismiss it, click OK.
1.7. Configuring the Directory Manager
The Directory Manager is the privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the Directory Manager entry; likewise, limits on searches and other operations do not apply. The Directory Manager entry is created during installation; the default DN is cn=Directory Manager. The password for this user is defined in the nsslapd-rootdn attribute.
To change the Directory Manager DN and password and the encryption scheme used for this password, do the following:
1. Log in to the Directory Server Console as Directory Manager.
If you are already logged in to the Console, change the bind DN, as described in Section 1.4.2, “Changing Login Identity”.
2. In the Directory Server Console, select the Configuration tab, and then select the top entry in the navigation tree in the left pane.
3. Select the Manager tab in the right pane.
4. Enter the new distinguished name for the Directory Manager in the Root DN field.
The default value is cn=Directory Manager.
5. From the Manager Password Encryption pull-down menu, select the storage scheme you want the server to use to store the password for Directory Manager.
6. Enter the new password, and confirm it.
7. Click Save.