Administrator’s Guide
Red Hat Directory Server

Contents

List of Figures

List of Tables

Introduction to This Reference Guide

Directory Server Overview
Prerequisite Reading
Conventions Used in This Book
Related Information
Part 1 Administering Red Hat Directory Server

Introduction to Red Hat Directory Server

Overview of Directory Server Management
Using the Directory Server Console
Starting Directory Server Console
Copying Entry DNs to the Clipboard
Configuring the Directory Manager
Binding to the Directory from Red Hat Console
Changing Login Identity
Viewing the Current Bind DN from the Console
Starting and Stopping the Directory Server
Starting and Stopping the Server from the Console
Starting and Stopping the Server from the Command-Line
Configuring LDAP Parameters
Changing Directory Server Port Numbers
Placing the Entire Directory Server in Read-Only Mode
Tracking Modifications to Directory Entries
Cloning a Directory Server
Creating a New Directory Server Instance
Cloning the Directory Configuration
Starting the Server in Referral Mode
Using the refer Command

Creating Directory Entries

Managing Entries from the Directory Console
Creating a Root Entry
Creating Directory Entries
Creating an Entry Using a Predefined Template
Creating Other Types of Entries
Modifying Directory Entries
Displaying the Property Editor
Adding an Object Class to an Entry
Removing an Object Class
Adding an Attribute to an Entry
Adding Very Large Attributes
Adding Attribute Values
Removing an Attribute Value
Adding an Attribute Subtype
Deleting Directory Entries
Managing Entries from the Command-Line
Providing Input from the Command-Line
Creating a Root Entry from the Command-Line
Adding Entries Using LDIF
Adding and Modifying Entries Using ldapmodify
Adding Entries Using ldapmodify
Modifying Entries Using ldapmodify
Deleting Entries Using ldapdelete
Using Special Characters
LDIF Update Statements
Adding an Entry Using LDIF
Renaming an Entry Using LDIF
A Note on Renaming Entries
Modifying an Entry Using LDIF
Adding Attributes to Existing Entries Using LDIF
Changing an Attribute Value Using LDIF
Deleting All Values of an Attribute Using LDIF
Deleting a Specific Attribute Value Using LDIF
Deleting an Entry Using LDIF
Modifying an Entry in an Internationalized Directory
Maintaining Referential Integrity
How Referential Integrity Works
Using Referential Integrity with Replication
Configuring the Supplier Server
Enabling/Disabling Referential Integrity
From the Directory Server Console
Recording Updates in the Changelog
From the Directory Server Console
Modifying the Update Interval
From the Directory Server Console
Modifying the Attribute List
From the Directory Server Console

Configuring Directory Databases

Creating and Maintaining Suffixes
Creating Suffixes
Creating a New Root Suffix Using the Console
Creating a New Sub Suffix Using the Console
Creating Root and Sub Suffixes from the Command-Line
Maintaining Suffixes
Using Referrals in a Suffix
Enabling Referrals Only During Update Operations
Disabling a Suffix
Deleting a Suffix
Creating and Maintaining Databases
Creating Databases
Creating a New Database for an Existing Suffix Using the Console
Creating a New Database for a Single Suffix from the Command-Line
Adding Multiple Databases for a Single Suffix
Adding the Custom Distribution Function to a Suffix
Maintaining Directory Databases
Placing a Database in Read-Only Mode
Deleting a Database
Configuring Transaction Logs for Frequent Database Updates
Database Encryption
Encryption Keys
Encryption Ciphers
Configuring Database Encryption from the Console
Configuring Database Encryption Using the Command-Line
Exporting and Importing an Encrypted Database
Creating and Maintaining Database Links
Configuring the Chaining Policy
Chaining Component Operations
Chaining LDAP Controls
Creating a New Database Link
Creating a New Database Link Using the Console
Creating a Database Link from the Command-Line
Chaining Using SSL
Maintaining Database Links
Updating Remote Server Authentication Information
Deleting Database Links
Database Links and Access Control Evaluation
Advanced Feature: Tuning Database Link Performance
Managing Connections to the Remote Server
Detecting Errors During Normal Processing
Managing Threaded Operations
Advanced Feature: Configuring Cascading Chaining
Overview of Cascading Chaining
Configuring Cascading Chaining Defaults Using the Console
Configuring Cascading Chaining Using the Console
Configuring Cascading Chaining from the Command-Line
Summary of Cascading Chaining Configuration Attributes
Cascading Chaining Configuration Example
Configuring Server One
Configuring Server Two
Configuring Server Three
Using Referrals
Setting Default Referrals
Setting a Default Referral Using the Console
Setting a Default Referral from the Command-Line
Creating Smart Referrals
Creating Smart Referrals Using the Directory Server Console
Creating Smart Referrals from the Command-Line
Creating Suffix Referrals
Creating Suffix Referrals Using the Console
Creating Suffix Referrals from the Command-Line

Populating Directory Databases

Importing Data
Importing a Database from the Console
Initializing a Database from the Console
Importing from the Command-Line
Importing Using the ldif2db Command-Line Script
Importing Using the ldif2db.pl Perl Script
Importing Using the ldif2ldap Command-Line Script
Exporting Data
Exporting Directory Data to LDIF Using the Console
Exporting a Single Database to LDIF Using the Console
Exporting to LDIF from the Command-Line
Backing Up and Restoring Data
Backing Up All Databases
Backing Up All Databases from the Server Console
Backing Up All Databases from the Command-Line
Backing Up the dse.ldif Configuration File
Restoring All Databases
Restoring All Databases from the Console
Restoring Your Database from the Command-Line
Restoring a Single Database
Restoring Databases That Include Replicated Entries
Restoring the dse.ldif Configuration File
Enabling and Disabling Read-Only Mode
Enabling Read-Only Mode
Disabling Read-Only Mode

Advanced Entry Management

Using Groups
Managing Static Groups
Adding a New Static Group
Modifying a Static Group
Managing Dynamic Groups
Adding a New Dynamic Group
Modifying a Dynamic Group
Using Roles
About Roles
Managing Roles Using the Console
Creating a Managed Role
Creating a Filtered Role
Creating a Nested Role
Viewing and Editing an Entry's Roles
Modifying a Role Entry
Making a Role Inactive
Reactivating a Role
Deleting a Role
Managing Roles Using the Command-Line
Examples: Managed Role Definition
Example: Filtered Role Definition
Example: Nested Role Definition
Using Roles Securely
Assigning Class of Service
About CoS
About the CoS Definition Entry
About the CoS Template Entry
How a Pointer CoS Works
How an Indirect CoS Works
How a Classic CoS Works
Managing CoS Using the Console
Creating a New CoS
Creating the CoS Template Entry
Editing an Existing CoS
Deleting a CoS
Managing CoS from the Command-Line
Creating the CoS Definition Entry from the Command-Line
Creating the CoS Template Entry from the Command-Line
Example of a Pointer CoS
Example of an Indirect CoS
Example of a Classic CoS
Creating Role-Based Attributes
Access Control and CoS

Managing Access Control

Access Control Principles
ACI Structure
ACI Placement
ACI Evaluation
ACI Limitations
Default ACIs
Creating ACIs Manually
The ACI Syntax
Example ACI
Defining Targets
Targeting a Directory Entry
Targeting Attributes
Targeting Both an Entry and Attributes
Targeting Entries or Attributes Using LDAP Filters
Targeting Attribute Values Using LDAP Filters
Targeting a Single Directory Entry
Defining Permissions
Allowing or Denying Access
Assigning Rights
Rights Required for LDAP Operations
Permissions Syntax
Access Control and the modrdn Operation
Bind Rules
Bind Rule Syntax
Defining User Access - userdn Keyword
Anonymous Access (anyone Keyword)
General Access (all Keyword)
Self Access (self Keyword)
Parent Access (parent Keyword)
LDAP URLs
Wildcards
Examples
Defining Group Access - groupdn Keyword
Examples
Defining Role Access - roledn Keyword
Defining Access Based on Value Matching
Using the userattr Keyword
Using the userattr Keyword with Inheritance
Granting Add Permission Using the userattr Keyword
Defining Access from a Specific IP Address
Defining Access from a Specific Domain
Defining Access at a Specific Time of Day or Day of Week
Examples
Defining Access Based on Authentication Method
Examples
Using Boolean Bind Rules
Creating ACIs from the Console
Displaying the Access Control Editor
Viewing Current ACIs
Creating a New ACI
Editing an ACI
Deleting an ACI
Access Control Usage Examples
Granting Anonymous Access
ACI "Anonymous example.com"
ACI "Anonymous World"
Granting Write Access to Personal Entries
ACI "Write example.com"
ACI "Write Subscribers"
Restricting Access to Key Roles
ACI "Roles"
Granting a Group Full Access to a Suffix
ACI "HR"
Granting Rights to Add and Delete Group Entries
ACI "Create Group"
ACI "Delete Group"
Granting Conditional Access to a Group or Role
ACI "HostedCompany1"
Denying Access
ACI "Billing Info Read"
ACI "Billing Info Deny"
Setting a Target Using Filtering
Allowing Users to Add or Remove Themselves from a Group
ACI "Group Members"
Defining Permissions for DNs That Contain a Comma
Proxied Authorization ACI Example
Viewing the ACIs for an Entry
Get Effective Rights Control
Using Get Effective Rights from the Command-Line
Using Get Effective Rights from the Console
Get Effective Rights Return Codes
Advanced Access Control: Using Macro ACIs
Macro ACI Example
Macro ACI Syntax
Macro Matching for ($dn)
Macro Matching for [$dn]
Macro Matching for ($attr.attrName)
Access Control and Replication
Logging Access Control Information
Compatibility with Earlier Releases

User Account Management

Managing the Password Policy
Configuring the Password Policy
Configuring a Global Password Policy Using the Console
Configuring a Subtree/User Password Policy Using the Console
Configuring a Global Password Policy Using the Command-Line
Configuring Subtree/User Password Policy Using the Command-Line
Setting User Passwords
Password Change Extended Operation
Configuring the Account Lockout Policy
Configuring the Account Lockout Policy Using the Console
Configuring the Account Lockout Policy Using the Command-Line
Managing the Password Policy in a Replicated Environment
Synchronizing Passwords
Inactivating Users and Roles
Inactivating Users and Roles Using the Console
Inactivating Users and Roles Using the Command-Line
Activating Users and Roles Using the Console
Activating Users and Roles Using the Command-Line
Setting Resource Limits Based on the Bind DN
Setting Resource Limits Using the Console
Setting Resource Limits Using the Command-Line

Managing Replication

Replication Overview
Read-Write Replica/Read-Only Replica
Supplier/Consumer
Changelog
Unit of Replication
Replication Identity
Replication Agreement
Compatibility with Earlier Versions of Directory Server
Replication Scenarios
Single-Master Replication
Multi-Master Replication
Cascading Replication
Handling Complex Replication Configurations
Creating the Supplier Bind DN Entry
Configuring Supplier Settings
Configuring a Read-Write Replica
Configuring a Read-Only Replica
Configuring a Hub Supplier
Creating a Replication Agreement
Configuring Single-Master Replication
Configuring the Read-Only Replica on the Consumer Server
Configuring the Read-Write Replica on the Supplier Server
Initializing the Replicas for Single-Master Replication
Configuring Multi-Master Replication
Configuring 2-Way Multi-Master Replication
Configuring the Read-Only Replicas on the Consumer Servers
Configuring the Read-Write Replicas on the Supplier Servers
Initializing the Replicas for Multi-Master Replication
Configuring 4-Way Multi-Master Replication
Configuring the Read-Only Replicas on the Consumer Servers
Configuring the Read-Write Replicas on the Supplier Servers
Initializing the Replicas for Multi-Master Replication
Preventing Monopolization of the Consumer in Multi-Master Replication
Configuring Cascading Replication
Configuring the Read-Only Replica on the Consumer Server
Configuring the Read-Only Replica on the Hub Supplier
Configuring the Read-Write Replica on the Supplier Server
Initializing the Replicas for Cascading Replication
Making a Replica Updatable
Deleting the Changelog
Removing the Changelog
Moving the Changelog to a New Location
Initializing Consumers
When to Initialize a Consumer
Online Consumer Initialization Using the Console
Performing Online Consumer Initialization
Manual Consumer Initialization Using the Command-Line
Manual Consumer Initialization Overview
Exporting a Replica to LDIF
Importing the LDIF File to the Consumer Server
Filesystem Replica Initialization
Initializing the Consumer Replica from the Backup Files
Forcing Replication Updates
Forcing Replication Updates from the Console
Forcing Replication Updates from the Command-Line
Replication over SSL
Configuring Replication over SSL Using the Replication Agreement Wizard
Replication with Earlier Releases
Configuring Directory Server as a Consumer of a Legacy Directory Server
Using the Retro Changelog Plug-in
Enabling the Retro Changelog Plug-in
Trimming the Retro Changelog
Searching and Modifying the Retro Changelog
Retro Changelog and the Access Control Policy
Monitoring Replication Status
Monitoring Replication Status from the Directory Server Console
Monitoring Replication Status from Administration Express
Solving Common Replication Conflicts
Solving Naming Conflicts
Renaming an Entry with a Multi-Valued Naming Attribute
Renaming an Entry with a Single-Valued Naming Attribute
Solving Orphan Entry Conflicts
Solving Potential Interoperability Problems
Troubleshooting Replication-Related Problems
Interpreting Error Messages and Symptoms
Useful Tools

Extending the Directory Schema

Overview of Extending Schema
Managing Attributes
Viewing Attributes
Creating Attributes
Editing Attributes
Deleting Attributes
Managing Object Classes
Viewing Object Classes
Creating Object Classes
Editing Object Classes
Deleting Object Classes
Turning Schema Checking On and Off

Managing Indexes

About Indexes
About Index Types
About Default, System, and Standard Indexes
Overview of Default Indexes
Overview of System Indexes
Overview of Standard Indexes
Overview of the Searching Algorithm
Balancing the Benefits of Indexing
Creating Indexes
Creating Indexes from the Server Console
Creating Indexes from the Command-Line
Adding an Index Entry
Running the db2index.pl Script
Creating VLV Indexes from the Server Console
Creating VLV Indexes from the Command-Line
Adding a Browsing Index Entry
Running the vlvindex Script
Setting Access Control for VLV Information
Deleting Indexes
Deleting Indexes from the Server Console
Deleting Indexes from the Command-Line
Deleting an Index Entry
Running the db2index.pl Script
Deleting Browsing and VLV Indexes from the Server Console
Deleting Browsing and VLV Indexes from the Command-Line
Deleting a Browsing Index Entry
Running the vlvindex Script
Managing Indexes
Indexing Performance
Search Performance
idlistscanlimit
Backwards Compatibility and Migration
Attribute Name Quick Reference Table

Managing SSL and SASL

Introduction to SSL in the Directory Server
Enabling SSL: Summary of Steps
Command-Line Functions for Start TLS
Troubleshooting Start TLS
Obtaining and Installing Server Certificates
Step 1: Generate a Certificate Request
Step 2: Send the Certificate Request
Step 3: Install the Certificate
Step 4: Trust the Certificate Authority
Step 5: Confirm That Your New Certificates Are Installed
Using certutil
Starting the Server with SSL Enabled
Enabling SSL Only in the Directory Server
Enabling SSL in the Directory Server, Admin Server, and Console
Creating a Password File
Setting Security Preferences
Using Certificate-Based Authentication
Setting up Certificate-Based Authentication
Allowing/Requiring Client Authentication
Configuring LDAP Clients to Use SSL
Introduction to SASL
Authentication Mechanisms
SASL Identity Mapping
Legacy Identity Mapping
Configuring SASL Identity Mapping from the Console
Configuring SASL Identity Mapping from the Command-Line
Configuring Kerberos
Realms
Configuring the KDC Server
Example

Monitoring Server and Database Activity

Viewing and Configuring Log Files
Defining a Log File Rotation Policy
Defining a Log File Deletion Policy
Access Log
Viewing the Access Log
Configuring the Access Log
Error Log
Viewing the Error Log
Configuring the Error Log
Audit Log
Viewing the Audit Log
Configuring the Audit Log
Manual Log File Rotation
Monitoring Server Activity
Monitoring Your Server from the Directory Server Console
Viewing the Server Performance Monitor
Overview of Server Performance Monitor Information
General Information (Server)
Resource Summary
Current Resource Usage
Connection Status
Global Database Cache Information
Monitoring Your Server from the Command-Line
Monitoring Database Activity
Monitoring Database Activity from the Server Console
Viewing Database Performance Monitors
Overview of Database Performance Monitor Information
General Information (Database)
Summary Information Table
Database Cache Information Table
Database File-Specific Table
Monitoring Databases from the Command-Line
Monitoring Database Link Activity

Monitoring Directory Server Using SNMP

About SNMP
Configuring the Master Agent
Configuring the Subagent
Subagent Configuration File
agentx-master
agentx-logdir
server
Starting the Subagent
Testing the Subagent
Configuring the Directory Server for SNMP
Using the Management Information Base
Operations Table
Entries Table
Interaction Table

Tuning Directory Server Performance

Tuning Server Performance
Tuning Database Performance
Optimizing Search Performance
Tuning Transaction Logging
Changing the Location of the Database Transaction Log
Changing the Database Checkpoint Interval
Disabling Durable Transactions
Specifying Transaction Batching
Miscellaneous Tuning Tips
Avoid Creating Entries Under the cn=config Entry in the dse.ldif File
Part 2 Plug-ins Reference

Administering Directory Server Plug-ins

Server Plug-in Functionality Reference
7-bit Check Plug-in
ACL Plug-in
ACL Preoperation Plug-in
Binary Syntax Plug-in
Boolean Syntax Plug-in
Case Exact String Syntax Plug-in
Case Ignore String Syntax Plug-in
Chaining Database Plug-in
Class of Service Plug-in
Country String Syntax Plug-in
Distinguished Name Syntax Plug-in
Generalized Time Syntax Plug-in
Integer Syntax Plug-in
Internationalization Plug-in
ldbm Database Plug-in
Legacy Replication Plug-in
Multi-Master Replication Plug-in
Octet String Syntax Plug-in
CLEAR Password Storage Plug-in
CRYPT Password Storage Plug-in
NS-MTA-MD5 Password Storage Plug-in
SHA Password Storage Plug-in
SSHA Password Storage Plug-in
Postal Address String Syntax Plug-in
PTA Plug-in
Referential Integrity Postoperation Plug-in
Retro Changelog Plug-in
Roles Plug-in
Space Insensitive String Syntax Plug-in
State Change Plug-in
Telephone Syntax Plug-in
UID Uniqueness Plug-in
URI Plug-in
Enabling and Disabling Plug-ins from the Server Console

Using the Pass-through Authentication Plug-in

How Directory Server Uses PTA
PTA Plug-in Syntax
Configuring the PTA Plug-in
Turning the Plug-in On or Off
Configuring the Servers to Use a Secure Connection
Specifying the Authenticating Directory Server
Specifying the Pass-through Subtree
Configuring the Optional Parameters
PTA Plug-in Syntax Examples
Specifying One Authenticating Directory Server and One Subtree
Specifying Multiple Authenticating Directory Servers
Specifying One Authenticating Directory Server and Multiple Subtrees
Using Non-Default Parameter Values
Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers

Using the Attribute Uniqueness Plug-in

Overview of the Attribute Uniqueness Plug-in
Overview of the UID Uniqueness Plug-in
Attribute Uniqueness Plug-in Syntax
Creating an Instance of the Attribute Uniqueness Plug-in
Configuring Attribute Uniqueness Plug-ins
Viewing Plug-in Configuration Information
Configuring Attribute Uniqueness Plug-ins from the Directory Server Console
Configuring Attribute Uniqueness Plug-ins from the Command-Line
Turning the Plug-in On or Off
Specifying a Suffix or Subtree
Using the markerObjectClass and requiredObjectClass Keywords
Attribute Uniqueness Plug-in Syntax Examples
Specifying One Attribute and One Subtree
Specifying One Attribute and Multiple Subtrees
Replication and the Attribute Uniqueness Plug-in
Simple Replication Scenario
Multi-Master Replication Scenario

Windows Sync

About Windows Sync
How Windows Sync Works
Installing Sync Services
Installing and Configuring the Password Sync Service
Reconfiguring the Password Sync Service
Setting Up SSL for the Password Sync Service
Installing and Configuring the NT4 LDAP Service
Uninstalling the Sync Services
Configuring Windows Sync
Using Windows Sync
Synchronized Entries
Groups
Manually Initiating Synchronization
The Need for Re-Synchronization
Checking Synchronization Status
Modifying the Synchronization Agreement
Active Directory Schema Compatibility
NT4-Specific Limitations
Troubleshooting
Part 3 Appendixes

LDAP Data Interchange Format

LDIF File Format
Continuing Lines in LDIF
Representing Binary Data
Specifying Directory Entries Using LDIF
Specifying Organization Entries
Specifying Organizational Unit Entries
Specifying Organizational Person Entries
Defining Directories Using LDIF
LDIF File Example
Storing Information in Multiple Languages

Finding Directory Entries

Finding Entries Using the Server Console
Using ldapsearch
Using Special Characters
ldapsearch Command-Line Format
Commonly Used ldapsearch Options
ldapsearch Examples
Returning All Entries
Specifying Search Filters on the Command-Line
Searching the Root DSE Entry
Searching the Schema Entry
Using LDAP_BASEDN
Displaying Subsets of Attributes
Specifying Search Filters Using a File
Specifying DNs That Contain Commas in Search Filters
Using Client Authentication When Searching
LDAP Search Filters
Search Filter Syntax
Using Attributes in Search Filters
Using Operators in Search Filters
Using Compound Search Filters
Search Filter Examples
Searching an Internationalized Directory
Matching Rule Filter Syntax
Matching Rule Formats
Using Wildcards in Matching Rule Filters
Supported Search Types
International Search Examples
Less-Than Example
Less-Than or Equal-to Example
Equality Example
Greater-Than or Equal-to Example
Greater-Than Example
Substring Example

LDAP URLs

Components of an LDAP URL
Escaping Unsafe Characters
Examples of LDAP URLs

Internationalization

About Locales
Identifying Supported Locales
Supported Language Subtypes
Troubleshooting Matching Rules

Glossary

Index
© 2001 Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.

last updated May 20, 2005