Administrator's Guide Red Hat Directory Server
Contents
List of Figures
List of Tables
Introduction to This Reference Guide
- Directory Server Overview
- Prerequisite Reading
- Conventions Used in This Book
- Related Information
- Part 1 Administering Red Hat Directory Server
Introduction to Red Hat Directory Server
- Overview of Directory Server Management
- Using the Directory Server Console
- Starting Directory Server Console
- Copying Entry DNs to the Clipboard
- Configuring the Directory Manager
- Binding to the Directory from Red Hat Console
- Changing Login Identity
- Viewing the Current Bind DN from the Console
- Starting and Stopping the Directory Server
- Starting and Stopping the Server from the Console
- Starting and Stopping the Server from the Command-Line
- Configuring LDAP Parameters
- Changing Directory Server Port Numbers
- Placing the Entire Directory Server in Read-Only Mode
- Tracking Modifications to Directory Entries
- Cloning a Directory Server
- Creating a New Directory Server Instance
- Cloning the Directory Configuration
- Starting the Server in Referral Mode
- Using the refer Command
Creating Directory Entries
- Managing Entries from the Directory Console
- Creating a Root Entry
- Creating Directory Entries
- Creating an Entry Using a Predefined Template
- Creating Other Types of Entries
- Modifying Directory Entries
- Displaying the Property Editor
- Adding an Object Class to an Entry
- Removing an Object Class
- Adding an Attribute to an Entry
- Adding Very Large Attributes
- Adding Attribute Values
- Removing an Attribute Value
- Adding an Attribute Subtype
- Deleting Directory Entries
- Managing Entries from the Command-Line
- Providing Input from the Command-Line
- Creating a Root Entry from the Command-Line
- Adding Entries Using LDIF
- Adding and Modifying Entries Using ldapmodify
- Adding Entries Using ldapmodify
- Modifying Entries Using ldapmodify
- Deleting Entries Using ldapdelete
- Using Special Characters
- LDIF Update Statements
- Adding an Entry Using LDIF
- Renaming an Entry Using LDIF
- A Note on Renaming Entries
- Modifying an Entry Using LDIF
- Adding Attributes to Existing Entries Using LDIF
- Changing an Attribute Value Using LDIF
- Deleting All Values of an Attribute Using LDIF
- Deleting a Specific Attribute Value Using LDIF
- Deleting an Entry Using LDIF
- Modifying an Entry in an Internationalized Directory
- Maintaining Referential Integrity
- How Referential Integrity Works
- Using Referential Integrity with Replication
- Configuring the Supplier Server
- Enabling/Disabling Referential Integrity
- From the Directory Server Console
- Recording Updates in the Changelog
- From the Directory Server Console
- Modifying the Update Interval
- From the Directory Server Console
- Modifying the Attribute List
- From the Directory Server Console
Configuring Directory Databases
- Creating and Maintaining Suffixes
- Creating Suffixes
- Creating a New Root Suffix Using the Console
- Creating a New Sub Suffix Using the Console
- Creating Root and Sub Suffixes from the Command-Line
- Maintaining Suffixes
- Using Referrals in a Suffix
- Enabling Referrals Only During Update Operations
- Disabling a Suffix
- Deleting a Suffix
- Creating and Maintaining Databases
- Creating Databases
- Creating a New Database for an Existing Suffix Using the Console
- Creating a New Database for a Single Suffix from the Command-Line
- Adding Multiple Databases for a Single Suffix
- Adding the Custom Distribution Function to a Suffix
- Maintaining Directory Databases
- Placing a Database in Read-Only Mode
- Deleting a Database
- Configuring Transaction Logs for Frequent Database Updates
- Database Encryption
- Encryption Keys
- Encryption Ciphers
- Configuring Database Encryption from the Console
- Configuring Database Encryption Using the Command-Line
- Exporting and Importing an Encrypted Database
- Creating and Maintaining Database Links
- Configuring the Chaining Policy
- Chaining Component Operations
- Chaining LDAP Controls
- Creating a New Database Link
- Creating a New Database Link Using the Console
- Creating a Database Link from the Command-Line
- Chaining Using SSL
- Maintaining Database Links
- Updating Remote Server Authentication Information
- Deleting Database Links
- Database Links and Access Control Evaluation
- Advanced Feature: Tuning Database Link Performance
- Managing Connections to the Remote Server
- Detecting Errors During Normal Processing
- Managing Threaded Operations
- Advanced Feature: Configuring Cascading Chaining
- Overview of Cascading Chaining
- Configuring Cascading Chaining Defaults Using the Console
- Configuring Cascading Chaining Using the Console
- Configuring Cascading Chaining from the Command-Line
- Summary of Cascading Chaining Configuration Attributes
- Cascading Chaining Configuration Example
- Configuring Server One
- Configuring Server Two
- Configuring Server Three
- Using Referrals
- Setting Default Referrals
- Setting a Default Referral Using the Console
- Setting a Default Referral from the Command-Line
- Creating Smart Referrals
- Creating Smart Referrals Using the Directory Server Console
- Creating Smart Referrals from the Command-Line
- Creating Suffix Referrals
- Creating Suffix Referrals Using the Console
- Creating Suffix Referrals from the Command-Line
Populating Directory Databases
- Importing Data
- Importing a Database from the Console
- Initializing a Database from the Console
- Importing from the Command-Line
- Importing Using the ldif2db Command-Line Script
- Importing Using the ldif2db.pl Perl Script
- Importing Using the ldif2ldap Command-Line Script
- Exporting Data
- Exporting Directory Data to LDIF Using the Console
- Exporting a Single Database to LDIF Using the Console
- Exporting to LDIF from the Command-Line
- Backing Up and Restoring Data
- Backing Up All Databases
- Backing Up All Databases from the Server Console
- Backing Up All Databases from the Command-Line
- Backing Up the dse.ldif Configuration File
- Restoring All Databases
- Restoring All Databases from the Console
- Restoring Your Database from the Command-Line
- Restoring a Single Database
- Restoring Databases That Include Replicated Entries
- Restoring the dse.ldif Configuration File
- Enabling and Disabling Read-Only Mode
- Enabling Read-Only Mode
- Disabling Read-Only Mode
Advanced Entry Management
- Using Groups
- Managing Static Groups
- Adding a New Static Group
- Modifying a Static Group
- Managing Dynamic Groups
- Adding a New Dynamic Group
- Modifying a Dynamic Group
- Using Roles
- About Roles
- Managing Roles Using the Console
- Creating a Managed Role
- Creating a Filtered Role
- Creating a Nested Role
- Viewing and Editing an Entry's Roles
- Modifying a Role Entry
- Making a Role Inactive
- Reactivating a Role
- Deleting a Role
- Managing Roles Using the Command-Line
- Examples: Managed Role Definition
- Example: Filtered Role Definition
- Example: Nested Role Definition
- Using Roles Securely
- Assigning Class of Service
- About CoS
- About the CoS Definition Entry
- About the CoS Template Entry
- How a Pointer CoS Works
- How an Indirect CoS Works
- How a Classic CoS Works
- Managing CoS Using the Console
- Creating a New CoS
- Creating the CoS Template Entry
- Editing an Existing CoS
- Deleting a CoS
- Managing CoS from the Command-Line
- Creating the CoS Definition Entry from the Command-Line
- Creating the CoS Template Entry from the Command-Line
- Example of a Pointer CoS
- Example of an Indirect CoS
- Example of a Classic CoS
- Creating Role-Based Attributes
- Access Control and CoS
Managing Access Control
- Access Control Principles
- ACI Structure
- ACI Placement
- ACI Evaluation
- ACI Limitations
- Default ACIs
- Creating ACIs Manually
- The ACI Syntax
- Example ACI
- Defining Targets
- Targeting a Directory Entry
- Targeting Attributes
- Targeting Both an Entry and Attributes
- Targeting Entries or Attributes Using LDAP Filters
- Targeting Attribute Values Using LDAP Filters
- Targeting a Single Directory Entry
- Defining Permissions
- Allowing or Denying Access
- Assigning Rights
- Rights Required for LDAP Operations
- Permissions Syntax
- Access Control and the modrdn Operation
- Bind Rules
- Bind Rule Syntax
- Defining User Access - userdn Keyword
- Anonymous Access (anyone Keyword)
- General Access (all Keyword)
- Self Access (self Keyword)
- Parent Access (parent Keyword)
- LDAP URLs
- Wildcards
- Examples
- Defining Group Access - groupdn Keyword
- Examples
- Defining Role Access - roledn Keyword
- Defining Access Based on Value Matching
- Using the userattr Keyword
- Using the userattr Keyword with Inheritance
- Granting Add Permission Using the userattr Keyword
- Defining Access from a Specific IP Address
- Defining Access from a Specific Domain
- Defining Access at a Specific Time of Day or Day of Week
- Examples
- Defining Access Based on Authentication Method
- Examples
- Using Boolean Bind Rules
- Creating ACIs from the Console
- Displaying the Access Control Editor
- Viewing Current ACIs
- Creating a New ACI
- Editing an ACI
- Deleting an ACI
- Access Control Usage Examples
- Granting Anonymous Access
- ACI "Anonymous example.com"
- ACI "Anonymous World"
- Granting Write Access to Personal Entries
- ACI "Write example.com"
- ACI "Write Subscribers"
- Restricting Access to Key Roles
- ACI "Roles"
- Granting a Group Full Access to a Suffix
- ACI "HR"
- Granting Rights to Add and Delete Group Entries
- ACI "Create Group"
- ACI "Delete Group"
- Granting Conditional Access to a Group or Role
- ACI "HostedCompany1"
- Denying Access
- ACI "Billing Info Read"
- ACI "Billing Info Deny"
- Setting a Target Using Filtering
- Allowing Users to Add or Remove Themselves from a Group
- ACI "Group Members"
- Defining Permissions for DNs That Contain a Comma
- Proxied Authorization ACI Example
- Viewing the ACIs for an Entry
- Get Effective Rights Control
- Using Get Effective Rights from the Command-Line
- Using Get Effective Rights from the Console
- Get Effective Rights Return Codes
- Advanced Access Control: Using Macro ACIs
- Macro ACI Example
- Macro ACI Syntax
- Macro Matching for ($dn)
- Macro Matching for [$dn]
- Macro Matching for ($attr.attrName)
- Access Control and Replication
- Logging Access Control Information
- Compatibility with Earlier Releases
User Account Management
- Managing the Password Policy
- Configuring the Password Policy
- Configuring a Global Password Policy Using the Console
- Configuring a Subtree/User Password Policy Using the Console
- Configuring a Global Password Policy Using the Command-Line
- Configuring Subtree/User Password Policy Using the Command-Line
- Setting User Passwords
- Password Change Extended Operation
- Configuring the Account Lockout Policy
- Configuring the Account Lockout Policy Using the Console
- Configuring the Account Lockout Policy Using the Command-Line
- Managing the Password Policy in a Replicated Environment
- Synchronizing Passwords
- Inactivating Users and Roles
- Inactivating User and Roles Using the Console
- Inactivating User and Roles Using the Command-Line
- Activating User and Roles Using the Console
- Activating User and Roles Using the Command-Line
- Setting Resource Limits Based on the Bind DN
- Setting Resource Limits Using the Console
- Setting Resource Limits Using the Command-Line
Managing Replication
- Replication Overview
- Read-Write Replica/Read-Only Replica
- Supplier/Consumer
- Changelog
- Unit of Replication
- Replication Identity
- Replication Agreement
- Compatibility with Earlier Versions of Directory Server
- Replication Scenarios
- Single-Master Replication
- Multi-Master Replication
- Cascading Replication
- Handling Complex Replication Configurations
- Creating the Supplier Bind DN Entry
- Configuring Supplier Settings
- Configuring a Read-Write Replica
- Configuring a Read-Only Replica
- Configuring a Hub Supplier
- Creating a Replication Agreement
- Configuring Single-Master Replication
- Configuring the Read-Only Replica on the Consumer Server
- Configuring the Read-Write Replica on the Supplier Server
- Initializing the Replicas for Single-Master Replication
- Configuring Multi-Master Replication
- Configuring 2-Way Multi-Master Replication
- Configuring the Read-Only Replicas on the Consumer Servers
- Configuring the Read-Write Replicas on the Supplier Servers
- Initializing the Replicas for Multi-Master Replication
- Configuring 4-Way Multi-Master Replication
- Configuring the Read-Only Replicas on the Consumer Servers
- Configuring the Read-Write Replicas on the Supplier Servers
- Initializing the Replicas for Multi-Master Replication
- Preventing Monopolization of the Consumer in Multi-Master Replication
- Configuring Cascading Replication
- Configuring the Read-Only Replica on the Consumer Server
- Configuring the Read-Only Replica on the Hub Supplier
- Configuring the Read-Write Replica on the Supplier Server
- Initializing the Replicas for Cascading Replication
- Making a Replica Updatable
- Deleting the Changelog
- Removing the Changelog
- Moving the Changelog to a New Location
- Initializing Consumers
- When to Initialize a Consumer
- Online Consumer Initialization Using the Console
- Performing Online Consumer Initialization
- Manual Consumer Initialization Using the Command-Line
- Manual Consumer Initialization Overview
- Exporting a Replica to LDIF
- Importing the LDIF File to the Consumer Server
- Filesystem Replica Initialization
- Initializing the Consumer Replica from the Backup Files
- Forcing Replication Updates
- Forcing Replication Updates from the Console
- Forcing Replication Updates from the Command-Line
- Replication over SSL
- Configuring Replication over SSL Using the Replication Agreement Wizard
- Replication with Earlier Releases
- Configuring Directory Server as a Consumer of a Legacy Directory Server
- Using the Retro Changelog Plug-in
- Enabling the Retro Changelog Plug-in
- Trimming the Retro Changelog
- Searching and Modifying the Retro Changelog
- Retro Changelog and the Access Control Policy
- Monitoring Replication Status
- Monitoring Replication Status from the Directory Server Console
- Monitoring Replication Status from Administration Express
- Solving Common Replication Conflicts
- Solving Naming Conflicts
- Renaming an Entry with a Multi-Valued Naming Attribute
- Renaming an Entry with a Single-Valued Naming Attribute
- Solving Orphan Entry Conflicts
- Solving Potential Interoperability Problems
- Troubleshooting Replication-Related Problems
- Interpreting Error Messages and Symptoms
- Useful Tools
Extending the Directory Schema
- Overview of Extending Schema
- Managing Attributes
- Viewing Attributes
- Creating Attributes
- Editing Attributes
- Deleting Attributes
- Managing Object Classes
- Viewing Object Classes
- Creating Object Classes
- Editing Object Classes
- Deleting Object Classes
- Turning Schema Checking On and Off
Managing Indexes
- About Indexes
- About Index Types
- About Default, System, and Standard Indexes
- Overview of Default Indexes
- Overview of System Indexes
- Overview of Standard Indexes
- Overview of the Searching Algorithm
- Balancing the Benefits of Indexing
- Creating Indexes
- Creating Indexes from the Server Console
- Creating Indexes from the Command-Line
- Adding an Index Entry
- Running the db2index.pl Script
- Creating VLV Indexes from the Server Console
- Creating VLV Indexes from the Command-Line
- Adding a Browsing Index Entry
- Running the vlvindex Script
- Setting Access Control for VLV Information
- Deleting Indexes
- Deleting Indexes from the Server Console
- Deleting Indexes from the Command-Line
- Deleting an Index Entry
- Running the db2index.pl Script
- Deleting Browsing and VLV Indexes from the Server Console
- Deleting Browsing and VLV Indexes from the Command-Line
- Deleting a Browsing Index Entry
- Running the vlvindex Script
- Managing Indexes
- Indexing Performance
- Search Performance
- idlistscanlimit
- Backwards Compatibility and Migration
- Attribute Name Quick Reference Table
Managing SSL and SASL
- Introduction to SSL in the Directory Server
- Enabling SSL: Summary of Steps
- Command-Line Functions for Start TLS
- Troubleshooting Start TLS
- Obtaining and Installing Server Certificates
- Step 1: Generate a Certificate Request
- Step 2: Send the Certificate Request
- Step 3: Install the Certificate
- Step 4: Trust the Certificate Authority
- Step 5: Confirm That Your New Certificates Are Installed
- Using certutil
- Starting the Server with SSL Enabled
- Enabling SSL Only in the Directory Server
- Enabling SSL in the Directory Server, Admin Server, and Console
- Creating a Password File
- Setting Security Preferences
- Using Certificate-Based Authentication
- Setting up Certificate-Based Authentication
- Allowing/Requiring Client Authentication
- Configuring LDAP Clients to Use SSL
- Introduction to SASL
- Authentication Mechanisms
- SASL Identity Mapping
- Legacy Identity Mapping
- Configuring SASL Identity Mapping from the Console
- Configuring SASL Identity Mapping from the Command-Line
- Configuring Kerberos
- Realms
- Configuring the KDC Server
- Example
Monitoring Server and Database Activity
- Viewing and Configuring Log Files
- Defining a Log File Rotation Policy
- Defining a Log File Deletion Policy
- Access Log
- Viewing the Access Log
- Configuring the Access Log
- Error Log
- Viewing the Error Log
- Configuring the Error Log
- Audit Log
- Viewing the Audit Log
- Configuring the Audit Log
- Manual Log File Rotation
- Monitoring Server Activity
- Monitoring Your Server from the Directory Server Console
- Viewing the Server Performance Monitor
- Overview of Server Performance Monitor Information
- General Information (Server)
- Resource Summary
- Current Resource Usage
- Connection Status
- Global Database Cache Information
- Monitoring Your Server from the Command-Line
- Monitoring Database Activity
- Monitoring Database Activity from the Server Console
- Viewing Database Performance Monitors
- Overview of Database Performance Monitor Information
- General Information (Database)
- Summary Information Table
- Database Cache Information Table
- Database File-Specific Table
- Monitoring Databases from the Command-Line
- Monitoring Database Link Activity
Monitoring Directory Server Using SNMP
- About SNMP
- Configuring the Master Agent
- Configuring the Subagent
- Subagent Configuration File
- agentx-master
- agentx-logdir
- server
- Starting the Subagent
- Testing the Subagent
- Configuring the Directory Server for SNMP
- Using the Management Information Base
- Operations Table
- Entries Table
- Interaction Table
Tuning Directory Server Performance
- Tuning Server Performance
- Tuning Database Performance
- Optimizing Search Performance
- Tuning Transaction Logging
- Changing the Location of the Database Transaction Log
- Changing the Database Checkpoint Interval
- Disabling Durable Transactions
- Specifying Transaction Batching
- Miscellaneous Tuning Tips
- Avoid Creating Entries Under the cn=config Entry in the dse.ldif File
- Part 2 Plug-ins Reference
Administering Directory Server Plug-ins
- Server Plug-in Functionality Reference
- 7-bit Check Plug-in
- ACL Plug-in
- ACL Preoperation Plug-in
- Binary Syntax Plug-in
- Boolean Syntax Plug-in
- Case Exact String Syntax Plug-in
- Case Ignore String Syntax Plug-in
- Chaining Database Plug-in
- Class of Service Plug-in
- Country String Syntax Plug-in
- Distinguished Name Syntax Plug-in
- Generalized Time Syntax Plug-in
- Integer Syntax Plug-in
- Internationalization Plug-in
- ldbm Database Plug-in
- Legacy Replication Plug-in
- Multi-Master Replication Plug-in
- Octet String Syntax Plug-in
- CLEAR Password Storage Plug-in
- CRYPT Password Storage Plug-in
- NS-MTA-MD5 Password Storage Plug-in
- SHA Password Storage Plug-in
- SSHA Password Storage Plug-in
- Postal Address String Syntax Plug-in
- PTA Plug-in
- Referential Integrity Postoperation Plug-in
- Retro Changelog Plug-in
- Roles Plug-in
- Space Insensitive String Syntax Plug-in
- State Change Plug-in
- Telephone Syntax Plug-in
- UID Uniqueness Plug-in
- URI Plug-in
- Enabling and Disabling Plug-ins from the Server Console
Using the Pass-through Authentication Plug-in
- How Directory Server Uses PTA
- PTA Plug-in Syntax
- Configuring the PTA Plug-in
- Turning the Plug-in On or Off
- Configuring the Servers to Use a Secure Connection
- Specifying the Authenticating Directory Server
- Specifying the Pass-through Subtree
- Configuring the Optional Parameters
- PTA Plug-in Syntax Examples
- Specifying One Authenticating Directory Server and One Subtree
- Specifying Multiple Authenticating Directory Servers
- Specifying One Authenticating Directory Server and Multiple Subtrees
- Using Non-Default Parameter Values
- Specifying Different Optional Parameters and Subtrees for Different Authenticating Directory Servers
Using the Attribute Uniqueness Plug-in
- Overview of the Attribute Uniqueness Plug-in
- Overview of the UID Uniqueness Plug-in
- Attribute Uniqueness Plug-in Syntax
- Creating an Instance of the Attribute Uniqueness Plug-in
- Configuring Attribute Uniqueness Plug-ins
- Viewing Plug-in Configuration Information
- Configuring Attribute Uniqueness Plug-ins from the Directory Server Console
- Configuring Attribute Uniqueness Plug-ins from the Command-Line
- Turning the Plug-in On or Off
- Specifying a Suffix or Subtree
- Using the markerObjectClass and requiredObjectClass Keywords
- Attribute Uniqueness Plug-in Syntax Examples
- Specifying One Attribute and One Subtree
- Specifying One Attribute and Multiple Subtrees
- Replication and the Attribute Uniqueness Plug-in
- Simple Replication Scenario
- Multi-Master Replication Scenario
Windows Sync
- About Windows Sync
- How Windows Sync Works
- Installing Sync Services
- Installing and Configuring the Password Sync Service
- Reconfiguring the Password Sync Service
- Setting Up SSL for the Password Sync Service
- Installing and Configuring the NT4 LDAP Service
- Uninstalling the Sync Services
- Configuring Windows Sync
- Using Windows Sync
- Synchronized Entries
- Groups
- Manually Initiating Synchronization
- The Need for Re-Synchronization
- Checking Synchronization Status
- Modifying the Synchronization Agreement
- Active Directory Schema Compatibility
- NT4-Specific Limitations
- Troubleshooting
- Part 3 Appendixes
LDAP Data Interchange Format
- LDIF File Format
- Continuing Lines in LDIF
- Representing Binary Data
- Specifying Directory Entries Using LDIF
- Specifying Organization Entries
- Specifying Organizational Unit Entries
- Specifying Organizational Person Entries
- Defining Directories Using LDIF
- LDIF File Example
- Storing Information in Multiple Languages
Finding Directory Entries
- Finding Entries Using the Server Console
- Using ldapsearch
- Using Special Characters
- ldapsearch Command-Line Format
- Commonly Used ldapsearch Options
- ldapsearch Examples
- Returning All Entries
- Specifying Search Filters on the Command-Line
- Searching the Root DSE Entry
- Searching the Schema Entry
- Using LDAP_BASEDN
- Displaying Subsets of Attributes
- Specifying Search Filters Using a File
- Specifying DNs That Contain Commas in Search Filters
- Using Client Authentication When Searching
- LDAP Search Filters
- Search Filter Syntax
- Using Attributes in Search Filters
- Using Operators in Search Filters
- Using Compound Search Filters
- Search Filter Examples
- Searching an Internationalized Directory
- Matching Rule Filter Syntax
- Matching Rule Formats
- Using Wildcards in Matching Rule Filters
- Supported Search Types
- International Search Examples
- Less-Than Example
- Less-Than or Equal-to Example
- Equality Example
- Greater-Than or Equal-to Example
- Greater-Than Example
- Substring Example
LDAP URLs
- Components of an LDAP URL
- Escaping Unsafe Characters
- Examples of LDAP URLs
Internationalization
- About Locales
- Identifying Supported Locales
- Supported Language Subtypes
- Troubleshooting Matching Rules
Glossary
Index