Sun ONE Directory Server 5.2 Administration Guide
Contents
1. 2 To refresh the current display click Refresh Select the Continuous checkbox if you want the display to refresh automatically every ten seconds 3 To view a different access log file select it from the Select Log drop down menu 392 Sun ONE Directory Server Administration Guide June 2003 Access Log 4 Todisplay a different number of messages enter the number you want to view in the Lines to show text box and then click Refresh 5 To filter the log messages you may enter a string in the Show only lines containing text box and then click Refresh In addition you may also select the Do Not Show Console Logs checkbox which will filter out any message that originated from the console s connections to the server 6 To modify the columns of the table of log entries click View Options Use the controls of the View Options dialog to change the order of the columns add or remove columns and choose a column on which to sort the table Configuring the Access Log You can configure a number of settings to customize the access log including where the directory stores the access log and the creation and deletion policies You can also disable access logging for the directory You may do this because the access log can grow very quickly every 2 000 accesses to your directory will increase your access log by approximately 1 MB However before you turn off access logging consider that the access log2. Managing Attributes with Class of Service in Chapter 4 of the Sun ONE Directory Server Deployment Guide describes each type of CoS in more detail and provides examples and deployment considerations For more information about the object classes and attributes associated with each type of CoS refer to Managing CoS From the Command Line on page 169 CoS Limitations The creation and administration of CoS definition and template entries are subject to the following limitations Further limitations related to the deployment of CoS virtual attributes are given in CoS Limitations in Chapter 4 of the Sun ONE Directory Server Deployment Guide Chapter 5 Advanced Entry Management 165 Defining Class of Service CoS 166 Searches involving CoS generated attributes are unindexed Any search filter may test the existence or compare the value of a virtual attribute However virtual attributes cannot be indexed and any filter component that involves a CoS generated attribute will result in an unindexed search with significant impact on performance Restricted subtrees You cannot create CoS definitions in the cn config nor in the cn schema subtrees Therefore these entries cannot contain virtual attributes Restricted attribute types You must not generate the following attribute types with the CoS mechanism because they will not have the same behavior as real attributes of the same name e userPassword A CoS gene
3. This chapter contains the following sections e Configuration Entries e Managing Entries Using the Console e Managing Entries From the Command Line e Setting Referrals e Encrypting Attribute Values e Maintaining Referential Integrity 45 Configuration Entries Configuration Entries The directory server stores all of its configuration information in the following file ServerRoot slapd serverID config dse ldif This file is in the LDAP Data Interchange Format LDIF to describe LDAP entries attributes and their values as text The directory server configuration in this file consists of e The attributes and values of the cn config entry e All of the entries in the subtree below cn config and their attributes and values Often the presence of an entry or attribute is significant e The object classes and access control instructions ACIs of the root entry and cn monitor entry The other attributes of these entries are generated by the server Directory Server makes all configuration settings readable and writable through LDAP By default the cn config branch of the directory is accessible only to the directory administrators defined in the Administration Server and to the directory manager These administrative users can view and modify the configuration entries just like any other directory entry You should avoid creating entries under the cn config entry because they will be stored in the dse 1dif file
4. 186 Sun ONE Directory Server Administration Guide June 2003 ACI Syntax You can also use a wildcard in the DN to target any number of entries that match the LDAP URL The following are legal examples of wildcard usage e target ldap uid dc example dc com Matches every entry in the entire example com tree that has the uid attribute in the entry s RDN This target will match entries at any depth in the tree for example uid tmorris ou sales dc example dc com uid yyorgens ou marketing dc example dc com uid bjensen ou eng ou east dc example dc com e target ldap uid Anderson ou People dc example dc com Matches every entry in the ou People branch with a uid ending in Anderson e target ldap Anderson ou People dc example dc com Matches every entry in the ou People branch whose RDN ends with Anderson regardless of the naming attribute Multiple wildcards are allowed such as in uid ou dc example dc com This example matches every entry in the example com tree whose distinguished name contains only the uid and ou attributes NOTE You cannot use wildcards in the suffix part of a distinguished name That is if your directory uses the suffixes c us and c GB then you cannot use the following target to reference both suffixes target ldap dc example c Neither can you use a target such as uid b jensen o com Targeting Attributes
5. Proxy Authorization ACI Example The proxy authorization method is a special form of authentication a user that binds to the directory using its own identity is granted through proxy authorization the rights of another user For this example suppose e The client application s bind DN is uid MoneyWizAcctSoftware ou Applications dc example dc com e The targeted subtree to which the client application is requesting access is ou Accounting dc example dc com e An Accounting Administrator with access permissions to the ou Account ing dc example dc com subtree exists in the directory In order for the client application to gain access to the Accounting subtree using the same access permissions as the Accounting Administrator e The Accounting Administrator must have access permissions to the ou Account ing dc example dc com subtree For example the following ACI grants all rights to the Accounting Administrator entry aci target ldap ou Accounting dc example dc com targetattr version 3 0 acl allowAll AcctAdmin allow all userdn uid AcctAdministrator ou Administrators dc example dc com Chapter 6 Managing Access Control 235 Viewing Effective Rights e The following ACI granting proxy rights to the client application must exist in the directory aci target ldap ou Accounting dc example dc com targetattr version 3 0 acl allowproxy accountingsoftware allow proxy
6. 0 nents 66 Modifying Entries Using ldapmodify 6 cece eee nents 67 Renaming an Entry Using ldapmodify 0 cece eee eee 71 Deleting Entries Using Idapdelete 0 nets 71 Deleting Entries Using ldapmodify 6 eee etn 72 Setting Referrals sasa aw oi odin oi ak ae as Sa dG ae ee Oe a ed eee ah es 72 Setting the Default Referrals 0 0 60 bso cg Hea bee Sen ed eee eee aA ong ad eee des 73 Creating Smart Referrals iii voton ia ak ned cake tinea aa Reel stad ede bee 74 Encrypting Attribute Values y 5 05 Seed d alee nit doe n en he a tases 76 Configuring Attribute Encryption Using the Console 06 77 Configuring Attribute Encryption From the Command Line 6 00 c eee ee eee ee 79 Maintaining Referential Integrity 6 ene een eens 81 How Referential Integrity Works 1 2 0 occ ent enn 81 Configuring Referential Integrity 0 6 82 Using Referential Integrity with Replication 0 0 c ccc 83 Creating Your Directory Tree 000 c cece eee eee 85 Introduction tessi nate ele ae Preset A E aae od eG oe peek ese BAL Oe oR t RN adda 85 Creating Suffixes sgeir iaa tow teeth Goh E et Oe Ge ete TSG ee eta ew aia ae Sed 87 Creating a New Root Suffix Using the Console 6 6 6 c cece cece eens 87 Creating a New Subsuffix Using the Console 06 c cece eect ene eens 90 Creating Suffixes From the Command Line 0 66 c cece eee eee e
7. Deleting Entries Using ldapmodify You may also use the changetype delete keywords to delete entries using the ldapmodify utility All of the same limitations apply as when using 1dapdelete described above The advantage of the LDIF syntax for deleting entries is that you may perform a mix of operation in a single LDIF file The following example will perform the same delete operations as the previous example ldapmodify h host p port D cn Directory Manager w password dn uid b jensen ou People dc example dc com changetype delete dn ou People dc example dc com changetype delete Setting Referrals You can use referrals to tell client applications which server to contact the information is not available locally Referrals are pointers to a remote suffix or entry that Directory Server returns to the client in place of a result The client must then perform the operation again on the remote server named in the referral This redirection occurs in three cases e When a client application requests an entry that does not exist on the local server the server returns the default referral 72 Sun ONE Directory Server Administration Guide June 2003 Setting Referrals e When an entire suffix has been taken offline for maintenance or security reasons the server will return the referrals defined by that suffix The suffix level referrals are described in Setting Access Permissions and Referrals on page
8. Internal Software Token password If you store certificates in an alternate device use the name of the device that appears in the drop down menu at the top of the Manage Certificates Dialog To create certificate databases you must use the administration server and the Certificate Setup Wizard For information on using SSL with your Directory Server see Chapter 11 Implementing Security Using the Directory Server Console The Directory Server console is an interface that you access as a separate window of the Sun ONE Server Console You start the Directory Server console from Sun ONE Server Console as described in the following procedure Starting Directory Server Console 1 Solaris Packages Other Installations Solaris Packages Other Installations Solaris Packages Other Installations Check that the directory server daemon slapd serverID is running If it is not as root or administrative user enter the following command to start it usr sbin directoryserver start ServerRoot slapd serverID start slapd Check that the administration server daemon admin serv is running If it is not as root or administrative user enter the following command to start it usr sbin directoryserver start admin ServerRoot start admin Start Sun ONE Server Console by entering the following command usr sbin directoryserver startconsole ServerRoot startconsole Chapter 1 Introduction to Sun ONE Directory Ser
9. Using the Console When using the console the server will create the certificate database files automatically the first time you invoke the certificate manager dialog 1 On the top level Tasks tab of the Directory Server console click the Manage Certificates button Alternatively with the Tasks tab showing select the Manage Certificates item from the Console gt Security menu 2 The server will automatically create a certificate and key database and you will be asked to set its password for the security device This password protects the private keys of the certificates stored in your server Enter the password twice to confirm it then click OK Using the Command Line When creating the certificate database files from the command line you must use the path and file name prefixes shown in the following procedure so that the server can find them 1 On the server host machine create a certificate database with the following command certutil N d ServerRoot alias P slapd LCserverID where LCserverID is your server name in all lower case letters The tool will prompt you for a password to protect the keys of the certificates Sun ONE Directory Server Administration Guide June 2003 Obtaining and Installing Server Certificates Generating a Certificate Request Use one of the following procedures to generate a PKCS 10 certificate request in PEM format PEM is the Privacy Enhanced Mail format specified by RFCs 1421 throug
10. in the Sun ONE Server Console Server Management Guide To start the server with SSL enabled you must provide the password which protects the server s certificates e On Windows you must start the server from the server s host machine For security reasons the dialog box prompting you for the password will appear only on the server s host machine e OnUNIX you must start the server from the command line Alternatively on either platform you can create a password file to store your certificate password By placing your certificate database password in a file you can start your server from the server console and also allow your server to automatically restart when running unattended CAUTION This password is stored in clear text within the password file so its usage represents a significant security risk Do not use a password file if your server is running in an unsecured environment Sun ONE Directory Server Administration Guide June 2003 Using the Directory Server Console The password file must be placed in the following location ServerRoot alias slapd serverID pin txt where serverID is the identifier you specified for the server when you installed it You need to include the name of the security token and its password in the file as follows deviceName Token password The device name for the internal certificate database is shown in this example capitalization and spacing must be exactly as shown
11. ACI Limitations When creating an access control policy for your directory service you need to be aware of the following restrictions e If your directory tree is distributed over several servers using the chaining feature some restrictions apply to the keywords you can use in access control statements o ACIs that depend on group entries groupdn keyword must be located on the same server as the group entry If the group is dynamic then all members of the group must have an entry on the server too If the group is static the members entries can be located on remote servers o ACTs that depend on role definitions roledn keyword must be located on the same server as the role definition entry Every entry that is intended to have the role must also be located on the same server However you can do value matching of values stored in the target entry with values stored in the entry of the bind user for example using the userattr keyword Access is evaluated normally even if the bind user does not have an entry on the server that holds the ACI For more information on how to chain access control evaluation see Access Control Through Chained Suffixes on page 111 Sun ONE Directory Server Administration Guide June 2003 Default ACIs Attributes generated by a CoS cannot be used in all ACI keywords Specifically you should not use attributes generated by CoS with the userattr and userdnattr keywords because the access
12. Disabling a Replication Agreement on page 302 To delete a replication agreement 1 On the top level Configuration tab on the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix 2 Inthe right panel select the replication agreement you want to delete 3 Click the Delete button to the right of the list of agreements 4 Click Yes to confirm that you want to delete the replication agreement Promoting or Demoting Replicas Promoting or demoting a replica changes its role in the replication topology Dedicated consumers may be promoted to hubs and hubs may be promoted to masters Masters may be demoted to hubs and hubs may also be demoted to dedicated consumers However masters may not be demoted directly to consumers just as consumers may not be promoted directly to masters The allowed promotions and demotions within the multi master replication mechanism make the topology very flexible A site that was formerly served by a consumer replica may grow and require a hub with several replicas to handle the load If the load includes many modifications to the replica contents the hub can become a master to allow faster local changes that can then be replicated to other masters at other sites Chapter 8 Managing Replication 303 Modifying the Replication Topology 304 To promote or demote a replica 1 On the top level Configuration t
13. When the CA sends a response be sure to save the information in a text file The PKCS 11 certificate in PEM format will look similar to the following example PEM is the Privacy Enhanced Mail format specified by RFCs 1421 through 1424 http www ietf org rfc rfcl421 txt and used to represent a base64 encoded certificate in US ASCII characters SSeS BEGIN CERTIFICATE MIICjJCCAZugAwI BAg ICCEEwDOYJKoZ I hKqvcNAQFBOAwf DELMAkGA1UEBhAMCVVMx IzAhBgNVBAoG1BhbG9a2FWaWxs ZGwSBXaWRnZXRzLCBUbmMuMROwGwYDVOQLEXRX aWRnZXQgTW3FrZXJzICdSJyBVczEpMCcGAx1UEAxgVGVzdCBUXNOIFRIc3QgVGVz ACBUZXNOIF1lc3Q0gQ0ESwHhcNOTgwMzEyMDIzMzUWhcNOTgwMzI2MDIzMpzU3WjJBP MOswC YDDVOQOQGEWJVUZEOMCYGA1UEChM TmVO0c2NhcGUgRG1lyZNOb3J5VIFB1Ymxp Y2F0aW9uczEWMB4 OGA1UEAXMNZHVgh4 9dq2t LNvb j TBaMANGCSqGS Ib3DQEBAQUA AOkAMEYkCOCkSMR aLGdfp4m00iGgi jG5KgOsyRNvwGYW7kf W 8mmi jDt ZaRjVYN4 jJcgpF 3Vnlbxbc1lX9LVjINLC5737XZdAgEDoOz YwpNDARBglghkgBhvhCEAQEEBAMC APAwHkwYDVRO JBBgwFAU67URjwCaGqZHUpSpdLx1zwJKiMwDOYJKoZIhQvcNAQEF BOADGYEAJ BfVem3vBOPBveNdLGf j1b9hucgmaMcQa 9FA db8qimKT ue9UGOIJqL bwbMKBBopsDn56p2yV3PLIsBgrcuSoBCuFFnxBngSiTS7YiYgCWqwaUAQOEXJFmD6 6hBLseqkSWulk hXHN7L NrVi0 7zNtKcaZL1FPf7d7 j2MgxX4Bo SS END CERTIFICATE You should also back up the certificate data in a safe location If your system ever loses the certificate data you can reinstall the certifica
14. on page 81 for more information 342 Sun ONE Directory Server Administration Guide June 2003 Overview of Indexing Standard Index Files in a Database Because of the need to maintain default indexes and other internal indexing mechanisms the Directory Server also maintains certain standard index files The following standard indexes exist by default You do not need to generate them e databaseName_id2ent ry db3 Contains the actual database of directory entries All other database files can be recreated from this one e databaseName_id2children db3 Restricts the scope of one level searches that is searches that examine an entry s immediate children e databaseName_dn db3 Controls the scope of subtree searches that is searches that examine an entry and all the entries in the subtree beneath it e databaseName_dn2id db3 Begins all searches efficiently by mapping an entry s distinguished name to its ID number Attribute Name Quick Reference Table The following table lists all attributes which have a primary or real name as well as an alias When creating indexes be sure to use the primary name Table 10 3 Primary Attribute Name and Their Alias Primary Attribute Name authorCn authorsn cn co dc dn drink facsimileTelephoneNumber J labeledUri mail Attribute Alias documentAuthorCommonName documentAuthorSurname countryName commonName friendlyCountryName domainComponent distingui
15. passwordRetryCount retryCountResetTime accountUnlockTime passwordHistory passwordAllowChangeTime version 3 0 acl Allow self entry modification except for nsroledn aci resource limit attributes passwordPolicySubentry and password policy state attributes allow write userdn ldap self Sun ONE Directory Server Administration Guide June 2003 Setting Individual Resource Limits Setting Resource Limits Using the Console 1 On the top level Directory tab of the Directory Server console browse the directory tree to display the user for which you wish to set resource limits 2 Double click the entry to display the custom editor and click on the Account tab in the left hand column The right panel displays the current limits set on the entry 3 Enter values in the four text fields for the resource limits described above Entering a value of 1 indicates no limit for that resource 4 Click OK when you are finished to save the new limits Setting Resource Limits From the Command Line The following attributes can be set with the ldapmodify command on a user entry to limit that user s resource usage Table 7 1 Attribute Description nsLookThroughLimit Specifies how many entries are examined during a search operation Specified as a number of entries Giving this attribute a value of 1 indicates that there is no limit nsSizeLimit Specifies the maximum number of entries the serv
16. 4 Viewing the Status of a Plug Ins sche fans ali 6B EAS led EE wa las De SOS Gale les 39 Configuring DSMI ardre rsen inaa niia ge init Sele a deg legu aside ane ghem tnd ES 40 Enabling DSME Requests 2 0siastan wie is odes osha Goleta eee wel be eae Kees ee eae eel 40 Configuring DSML Security 0c20 sus dl ed tad ok cee eee ees ARa fas odes tan 42 DSML Identity Mapping iis hs oh Lik eee beaks A EGS Sa tS See RE Sat 43 Creating Directory Entries 0 0 cece teen eee eee eee eee 45 Configuration Entries ss ii Oe aboot erik etki be hdd iat e ee ed Med Se ee 46 Modifying the Configuration Using the Console 6 60 cece cece eee eee eens 46 Modifying the Configuration From the Command Line 66 47 Modifying the dse ldif Files 3 ci iocs asa aaa de ete delete ihe i ee ie iG acho EG See 47 Managing Entries Using the Console 6 0 ccc e eens 48 Creating Directory Entries 3 oa sc ste ss ict edd te E he ta SEN OL eis eal aa ails 48 Modifying Entries With a Custom Editor 2 0 0 0 0 cece cette eee eens 52 Modifying Entries With the Generic Editor 0 6 0 0 cece eee 54 Deleting Directory Entries 53 3 6 foccssatie et tags eee ae beget ge EE eed nies wh 61 Bulk Operations Using the Console 66 61 Managing Entries From the Command Line 606 c cece eee 62 Providing LDIF TAPT ccc sds attG sea pak E dead teks oP ae oee iad sepa adh eae Ga Bee 62 Adding Entries Using ldapmodify
17. Account Common Name s Babs Jensen User ID bjensen a Password errea as Confirm Password Freres E Mail biensen example com e g user company com Phone 408 555 3922 Fax Jc408 555 4000 Indicates a required field Access Permissions Help OK Cancel Help 3 Enter values in the fields of the custom editor for the attributes you wish to provide You must enter a value for all of the mandatory attributes that are identified by an asterisk beside the field name You may leave any of the other fields blank In fields that allow multiple values you my type Return to separate the values Click the Help button for further assistance with specific fields in the custom editor for your entry type For an explanation of the Languages tab of the User and Organizational Unit editors see Setting Attributes for Language Support on page 53 For further instructions on creating groups roles and class of service entries see Chapter 5 Advanced Entry Management For instructions on creating password policies see Chapter 7 User Account Management For instructions on creating referrals see Setting Referrals on page 72 50 Sun ONE Directory Server Administration Guide June 2003 Managing Entries Using the Console 4 Click OK to create your new entry and close the custom editor dialog The new entry appears in the directory tree 5 Custom editor dialogs do not provide fields for
18. Entries with identical DNs may be created on separate masters if they are created before the servers replicate the changes to each other Upon replication the conflict resolution mechanism will automatically rename the second entry created An entry with a DN naming conflict is renamed by including its unique identifier given by the operational attribute nsuniqueid in its DN For example if the entry uid b jensen ou People dc example dc com is created simultaneously on two masters both will have the following two entries after replication e uid bjensen ou People dc example dc com e nsuniqueid 66446001 1dd211b2 uid bjensen dc example dc com The second entry needs to be renamed in such a way that it has a useful DN You can delete the conflicting entry and add it again with a non conflicting name However the surest way to keep the entry as it was created is to rename it The renaming procedure depends on whether the naming attribute is single valued or multi valued Each procedure is described below Renaming an Entry with a Multi Valued Naming Attribute To rename an conflicting entry that has a multi valued naming attribute 1 Rename the entry while keeping the old RDN value For example ldapmodify h host p port D cn Directory Manager w password dn nsuniqueid 66446001 1dd211b2 uid bjensen dc example dc com changetype modrdn newrdn uid NewValue deleteoldrdn 0 D You cannot delete the old RD
19. Show only lines containing text box and then click Refresh In addition you may also select the Do Not Show Console Logs checkbox which will filter out any error message that originated from the console s connections to the server To modify the columns of the table of log entries click View Options Use the controls of the View Options dialog to change the order of the columns add or remove columns and choose a column on which to sort the table Chapter 12 Managing Log Files 395 Errors Log Configuring the Errors Log You can change several settings for the errors log including where the directory stores the log and what you want the directory to include in the log To configure the errors log 1 On the top level Configuration tab of the Directory Server console select Logs icon and then select the Errors Log tab in the right hand panel This tab contains configuration settings for the errors log such as those shown in Figure 12 2 on page 394 2 To enable error logging select the Enable Logging checkbox Clear this checkbox if you do not want the directory to maintain an errors log Error logging is enabled by default 3 If you want to set the level of detail in the errors log click the Log Level button to display the Errors Log Level dialog Select one or more internal product components for which you want more error and debugging information Optionally select the Verbose checkbox to return the maximum amount o
20. The procedures in this section can be used for inactivating both users and roles in the same manner However when you inactivate a role you are inactivating the members of the role and not the role entry itself For more information about roles in general and how roles interact with access control in particular refer to Chapter 5 Advanced Entry Management Setting User and Role Activation Using the Console 1 On the top level Directory tab of the Directory Server console browse the directory tree to display the user or role entry you wish to inactivate or reactivate Sun ONE Directory Server Administration Guide June 2003 Solaris Packages Inactivating and Activating Users and Roles 2 Double click the entry to display its custom editor and click on the Account tab in the left hand column The right panel displays the activation status of the entry 3 Click the button to inactivate or activate the user or role corresponding to this entry A red box and bar through the user or role icon in the editor indicates that the entry will be inactivated 4 Click OK to close the dialog box and save the new activation state of the entry As a short cut to opening the custom editor you may also select the entry and choose Inactivate or Activate from the Object menu You can view the activation state of any directory object by selecting Inactivation State from the Console View gt Display menu The icons of all inactive entries
21. targetattr userPassword homePhone homePostalAddress version 3 0 acl Write example com allow write userdn ldap self and dns example com This example assumes that the ACI is added to the ou People dc example dc com entry From the console you can set this permission by doing the following 1 On the Directory tab right click ou People dc example dc com entry the in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Write example com In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area to Special Rights and select Self from the Search results list c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write right Make sure the other checkboxes are clear Chapter 6 Managing Access Control 221 Access Control Usage Examples 222 5 On the Targets tab click This Entry to enter ou People dc example dc com in the target directory entry field In the attribute table tick the checkboxes for the homePhone homePostalAddress and userPas
22. version 3 0 acl Allows use of admin for chaining allow proxy userdn l1dap proxyDN D CAUTION You may need to define other ACIs on the same entry to restrict access to the remote server that is now exposed through this server See Access Control Through Chained Suffixes on page 111 If you have configured the chaining policy for sever components you must also add ACIs that will allow those components to access the remote server For example if you allow the referential integrity plug in to chain you must add the following ACI to the base entry with the suffixDN aci targetattr target 1dap suffixDN version 3 0 acl RefInt Access for chaining allow read write search compare userdn ldap cn referential integrity postoperation cn plugins cn config The following commands give an example of creating a chained subsuffix Note that commas in the suffixDN must be escaped with a backslash only when they appear in the naming attribute in the DN ldapmodify a h hostl p portl D cn Directory Manager w password1 dn cn 1l Europe dc example dc com cn mapping tree cn config objectclass top objectclass extensibleObject objectclass nsMappingTree cn l Europe dc example dc com nsslapd state backend nsslapd backend Europe nsslapd parent suffix dc example dc com dn cn Europe cn chaining database cn plugins cn config objectclass
23. By default access is allowed at all times You can change the access times by clicking and dragging the cursor over the table You cannot select discrete blocks of time When you have finished editing the ACI click OK The ACI Editor is dismissed and the new ACT is listed in the ACI Manager window NOTE At any time during the creation of the ACI you can click the Edit Manually button to display the LDIF statement that corresponds to your input You can modify this statement but your changes will not necessarily be visible in the graphical interface Editing an ACI To edit an ACI 1 On the Directory tab right click the top entry in the subtree and choose Set Access Permissions from the pop up menu The Access Control Manager window is displayed It contains the list of ACIs belonging to the entry In the Access Control Manager window highlight the ACI that you want to edit and click Edit The Access Control Editor is displayed For details on the information you can edit using this dialog box refer to the online help Make the changes you want under the various tabs of the Access Control Editor When you have finished editing the ACI click OK The ACI Editor is dismissed and the modified ACI is listed in the ACI Manager 216 Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples Deleting an ACI To delete an ACI 1 On the Directory tab right click the top ent
24. CA 95054 With this CoS target entries the entries under ou People dc example dc com containing the building attribute will automatically have the corresponding postal address The CoS mechanism searches for a template entry that has the specifier attribute value in its RDN In this example if Babs Jensen is assigned to building B07 her postal address will be generated as follows Sun ONE Directory Server Administration Guide June 2003 Defining Class of Service CoS ldapsearch h host p port D cn Directory Manager w password b ou People dc example dc com s sub cn Jensen dn cn Babs Jensen ou People dc example dc com cn Babs Jensen building B07 postalAddres 7 Old Oak StreetSAnytown CA 95054 Creating Role Based Attributes You can create classic CoS schemes that generate attribute values for an entry based on the role possessed by the entry For example you could use role based attributes to set the server look through limit on an entry by entry basis To create a role based attribute use the nsRole attribute as the cosSpecifier in the CoS definition entry of a classic CoS Because the nsRole attribute can be multivalued you can define CoS schemes that have more than one possible template entry To resolve the ambiguity of which template entry to use you can include the cosPriority attribute in your CoS template entry For example you can create a CoS that allows members of t
25. Line You can also turn schema checking on and off by setting the nsslapd schemacheck attribute of the cn config entry ldapmodify h host p port D cn Directory Manager w password dn cn config changetype modify replace nsslapd schemacheck nsslapd schemacheck on or off The server will enforce the new schema checking policy immediately Overview of Extending the Schema When you add new attributes to your schema you must create a new object class to contain them Although it may seem convenient to just add the attributes you need to an existing object class that already contains most of the attributes you require doing so compromises interoperability with LDAP clients Interoperability of Directory Server with existing LDAP clients relies on the standard LDAP schema If you change the standard schema you will also have difficulties when upgrading your server For the same reasons you cannot delete standard schema elements For more information on object classes attributes and the directory schema as well as guidelines for extending your schema refer to Chapter 3 Designing the Schema in the Sun ONE Directory Server Deployment Guide For information on standard attributes and object classes see Part 4 Directory Server Schema in the Sun ONE Directory Server Reference Manual Chapter 9 Extending the Directory Schema 325 Overview of Extending the Schema 326 Directory Server schema is stored in attr
26. ONE Directory Server camus red iplanet com 389 EN Suffixes Q Chained sufixes Select log var Sun mps slapd exampledogs access v Lines to show 50 Show only lines containing ht C Do not show Console logs Viewing the Current Bind DN From the Console You can view the bind DN you used to log in to the Directory Server console by clicking the login icon in the lower left corner of the display The current bind DN then appears next to the login icon as shown here 2 Logged in as uid bjensen ou People dc example dc com Chapter 1 Introduction to Sun ONE Directory Server 29 Using the Directory Server Console 30 Changing Your Login Identity When you create or manage entries from the Directory Server console and when you first access the Sun ONE Server Console you are given the option to log in by providing a bind DN and a password This identifies who is accessing the directory tree and determines the access permissions granted to perform operations You can log in with the Directory Manager DN when you first start the Sun ONE Server Console At any time you can choose to log in as a different user without having to stop and restart the Console To change your login in Sun ONE Server Console 1 On the Directory Server console select the Tasks tab and click the button next to the label Log on to the Directory Server as a New User Or when in another console tab select the Console gt Log
27. The most common headers used in DSML mappings are Authorization This string is replaced with the user name contained in an HTTP Authorization header An authorization header contains both a username and its password but only the user name is substituted in this place holder From This string is replaced with the email address that may be contained in an HTTP From header host This string is replaced with the hostname and port number in the URL of the DSML request which are those of the server itself To have DSML requests perform a different identity mapping define a new identity mapping for HTTP headers 1 Edit the default DSML over HTTP identity mapping or create custom mappings for this protocol See Identity Mapping on page 376 for the definition of the attributes in an identity mapping entry These mapping entries must be located below the following entry cn HTTP BASIC cn identity mapping cn config You may create new mapping entry in one of two ways o Use the top level Directory tab of the Directory Server console to create a new entry with the appropriate object classes as described in Managing Entries Using the Console on page 48 o Use the ldapmodify tool to add this entry from the command line as described in Adding Entries Using ldapmodify on page 66 Restart the Directory Server for your new mappings to take effect Custom mappings are evaluated first and if no custom
28. To reduce the bandwidth used by replication you may configure replication to compress the data that is sent when updating consumers The replication mechanism uses the Zlib compression library which is available only on the supported Solaris and Linux platforms Both supplier and consumer must be running on a Solaris or Linux platform to enable compression The configuration of replication compression is only available by setting the ds5ReplicaTransportCompressionLevel attribute on the replication agreement entry in the master server This attribute takes one of the following values 0 No compression is performed This is the behavior by default when the ds5ReplicaTransportCompressionLevel attribute is not defined 1 Use the default compression level of the Zlib library 2 Use the best size compression level of the Zlib library 3 Use the best speed compression level of the Zlib library You should empirically test and select the compression level that gives you best results in your WAN environment for your expected replication usage You should not set this parameter in a LAN local area network where network delay is insignificant because the compression and decompression computations will slow down replication For example to use the fastest compression when sending replication updates to the consumer on east example com use the following ldapmodify command Chapter 8 Managing Replication 299 Modifying the Replicati
29. Type the new password in both text fields under the Replication Manager heading 3 Click Save once the password is confirmed The Save button will not be active if the password does not match its confirmation Otherwise you may create any new entry to act as a replication manager For example you may want several replication manager entries to have a different password for every replicated suffix Another reason to create your own replication manager is to support a different authentication model for replication for example using certificates over SSL Chapter 8 Managing Replication 269 Configuring a Dedicated Consumer The replication manager entry must contain the attributes required by the authentication method you choose when defining the replication agreement For example the default replication manager is a person object class that allows a userPassword attribute for simple authentication See Replication Over SSL on page 296 for details on using certificates to bind the replication manager The entry for this replication manager should not be located in a replicated suffix of the consumer server A suitable location for defining replication managers is in cn replication cn config CAUTION You must never bind or perform operations on the server using the DN and password of the replication manager entry The replication manager is for use only by the replication mechanism and any other use may require reinitializing th
30. ds hdsml clientauthmethod ds hdsml clientauthmethod httpBasicOnly or clientCertOnly or clientCertFirst AD When the DSML front end plug in has been modified you will need to restart the server to enforce this new security setting DSML Identity Mapping When performing basic authentication without a certificate Directory Server uses a mechanism called identity mapping to determine the bind DN to use when accepting DSML requests This mechanism extracts information from the Authorization header of the HTTP request to determine the identity to use for binding See Identity Mapping on page 376 for a complete description of this mechanism The default identity mapping for DSML over HTTP is given by the following entry in your server configuration dn cn default cn HTTP BASIC cn identity mapping cn config objectclass top objectclass nsContainer objectclass dsIdentityMapping cn default dssearchbasedn ou People userRoot dssearchfilter uid S Authorization Chapter 1 Introduction to Sun ONE Directory Server 43 Configuring DSML This mapping searches the ou People userRoot subtree for an entry whose uid attribute matches the user name given in the Authorization header The userRoot is the suffix you defined when installing the directory for example dc example dc com Within the mapping entry attributes you may use place holders of the format header where header is the name of an HTTP header
31. group entry not the DN of the bound user Proxy Indicates whether the specified DN can access the target with the rights of another entry You can grant proxy access using the DN of any user in the directory except the Directory Manager DN Moreover you cannot grant proxy rights to the Directory Manager An example is provided in Proxy Authorization ACI Example on page 235 For an overview of proxy access refer to Sun ONE Directory Server Deployment Guide All Indicates that the specified DN has all rights read write search delete compare and selfwrite to the targeted entry excluding proxy rights Rights are granted independently of one another This means for example that a user who is granted add rights can create an entry but cannot delete it if delete rights have not been specifically granted Therefore when planning the access control policy for your directory you must ensure that you grant rights in a way that makes sense for users For example it doesn t usually make sense to grant write permission without granting read and search permissions 192 Sun ONE Directory Server Administration Guide June 2003 ACI Syntax Rights Required for LDAP Operations This section describes the rights you need to grant to users depending on the type of LDAP operation you want to authorize them to perform Adding an entry e Grant add permission on the entry being added e Grant write permission on the value of each a
32. macro is that it provides a flexible way of granting access to domain level administrators to all the subdomains in the directory tree Therefore it is useful for expressing a hierarchical relationship between domains For example consider the following ACI aci target ldap ou dn dc example dc com targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dn dc example dc com It grants access to the members of cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com to all of the subdomains under dc hostedCompany1 so an administrator belonging to that group could access for example the subtree ou people dc subdomainl 1 dc subdomainl However at the same time members of cn DomainAdmins ou Groups dc subdomainl1 1 would be denied access to the ou people dc subdomainl dc hostedCompanyl and ou people dc hostedCompany1 nodes Macro Matching for attr attr Name The Sattr attrname macro is always used in the subject part of a DN For example you could define the following roledn roledn ldap cn DomainAdmins S attr ou dc HostedCompanyl dc example dc com Now assume the server receives an LDAP operation targeted at the following entry dn cn Babs Jensen ou People dc HostedCompanyl dc example dc com cn Babs Jensen sn Jensen ou Sales In order to evaluate
33. the consumer on the secure SSL port Follow the procedure in Creating Replication Agreements on page 279 for detailed instructions Specify a secure port on the consumer server and select the SSL option of either using a password or a certificate Enter a DN for the SSL option that you chose either a replication manager or a certificate After you finish configuring the replication agreement the supplier will send all replication update messages to the consumer over SSL and will use certificates if you chose that option Customer initialization will also use a secure connection if performed through the console using an agreement configure for SSL 296 Sun ONE Directory Server Administration Guide June 2003 Replication Over a WAN Replication Over a WAN Sun ONE Directory Server 5 2 introduces the ability to perform all forms of replication including multi master replication MMR between machines connected through a Wide Area Network WAN Internal improvements to the replication mechanism allow supplier servers to initialize and update consumers with reasonable delay over networks with higher latency and lower bandwidth NOTE Actual replication delay and update performance is dependent on many factors including but not limited to modification rate entry size server hardware average latency and average bandwidth Contact your Sun Professional Services representatives if you have questions about replication in your environ
34. the installation program automatically sets up PTA to allow the Configuration Administrator user usually admin to perform administrative duties 413 How Directory Server Uses PTA 414 PTA is required in this case because the admin user entry is stored under o Net scapeRoot in the configuration directory Therefore attempts to bind to the user directory as admin would normally fail PTA allows the user directory to transmit the credentials to the configuration directory which verifies them The user directory then allows the admin user to bind The user directory in this example acts as the PTA server that is the server that passes through bind requests to another directory server The configuration directory acts as the authenticating server that is the server that contains the entry and verifies the bind credentials of the requesting client You will also see the term PTA subtree used in this chapter The pass through subtree is the subtree not present on the PTA server When a user s bind DN contains this subtree the user s credentials are passed on to the authenticating directory This sequence of steps shows how pass through authentication works 1 You install the configuration directory server authenticating directory containing the pass through subtree o Net scapeRoot on the host configdir example com 2 You install the user directory server PTA directory containing data in the dc example dc com suffix on th
35. top objectclass extensibleObject objectclass nsBackendInstance 110 Sun ONE Directory Server Administration Guide June 2003 Creating Chained Suffixes cn Europe nsslapd suffix l Europe dc example dc com nsfarmserverurl ldap host2 port2 nsmultiplexorbinddn uid hostl_proxy cn config nsmultiplexorcredentials proxyPassword D ldapmodify h host2 p port2 D cn Directory Manager w password2 dn l Europe dc example dc com changetype modify changetype modify aci targetattr target ldap 1 Europe dc example dc com version 3 0 acl Allows use of admin for chaining allow proxy userdn l1dap uid hostl_proxy cn config D Access Control Through Chained Suffixes When an authenticated user accesses a chained suffix the server sends the user s identity to the remote server Access controls are always evaluated on the remote server Every LDAP operation evaluated on the remote server uses the original identity of the client application passed via the proxied authorization control Operations succeed on the remote server only if the user has the correct access controls on the subtree contained on the remote server This means that you need to add the usual access controls to the remote server with a few restrictions You cannot use all types of access control For example role based or filter based ACIs need access to the user entry Because you are accessing the d
36. 1 On the top level Configuration tab of the Directory Server console expand the Data node to display the suffix you wish to initialize 2 Right click the suffix node and select Initialize from the pop up menu Alternatively you may select the suffix node and then choose Initialize from the Object menu The Initialize Suffix dialog is displayed 3 Inthe LDIF file field enter the full path to the LDIF file you want to use for initialization or click Browse to locate it on your machine 4 Ifyou are operating the console from a machine local to the file being imported skip to step 6 If you are operating the console from a machine remote to the server containing the LDIF file select one of the following options From local machine Indicates that the LDIF file is located on the local machine From server machine Indicates that the LDIF file is located on a remote server By default the console looks for the file in the following directory ServerRoot slapd serverID 1dif Chapter 4 Populating Directory Contents 135 Importing Data Solaris Packages Other Installations Solaris Packages Other Installations Solaris Packages Other Installations 5 Click OK 6 Confirm that you wish to overwrite the data in your suffix The suffix initialization will proceed and any errors will be reported in a dialog Initializing a Suffix Using the Idif2db Command The 1dif2db command directoryserver 1dif2db in the Solaris Pack
37. 1 write 0 proxy 0 nte ou People dc example dc com ts entryLevel add 0 delete 0 read 1 write 1 proxy 0 This result shows Carla Fuente the entries in the directory where she has at least read permission and that she can modify her own entry The effective rights control does not bypass normal access permissions so a user will never see the entries for which they do not have read permission In the following example the Directory Manager can see the entries to which Carla Fuente does not have read permission Sun ONE Directory Server Administration Guide June 2003 Viewing Effective Rights ldapsearch h rousseau example com p 389 D cn Directory Manager w password c dn uid cfuente ou People dc example dc com b dc example dc com objectclass aclRights dn dc example dc com aclRights entryLevel add 0 delete 0 read 1 write 0 proxy 0 dn ou Groups dc example dc com aclRights entryLevel add 0 delete 0 read 1 write 0 proxy 0 dn cn Directory Administrators dc example dc com aclRights entryLevel add 0 delete 0 read 0 write 0 proxy 0 dn ou Special Users dc example dc com aclRights entryLevel add 0 delete 0 read 0 write 0 proxy 0 dn ou People dc example dc com aclRights entryLevel add 0 delete 0 read 1 write 0 proxy 0 dn cn Accounting Managers ou groups dc example dc com aclRights entryLevel add 0 delete 0 read 1 write 0 proxy 0 dn cn H
38. 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Billing Info Read In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area in the Add Users and Groups dialog box to Special Rights and select Self from the Search results list c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box Chapter 6 Managing Access Control 231 Access Control Usage Examples 232 4 On the Rights tab tick the checkboxes for search and read rights Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the ou subscribers dc example dc com suffix in the target directory entry field In the attribute table tick the checkboxes for the connect ionTime and accountBalance attributes All other checkboxes should be clear This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table then click the Name header to organize them alphabetically and select the appropriate ones This example assumes that you have added the connect ionTime and account Balance attributes to the schema 6 Click OK The new ACI is added to the ones listed in the Access Control Manager window ACI
39. 8 Managing Replication 289 Initializing Replicas 2 In the list of defined agreements select the replication agreement corresponding to the consumer you wish to initialize and and click Action gt Initialize remote replica A confirmation message warns you that any information already stored in the replica on the consumer will be removed 3 Click Yes in the confirmation box Online consumer initialization begins immediately The icon of the replication agreement shows a red gear to indicate the status of the initialization process 4 Click Refresh gt Refresh Now or Refresh gt Continuous Refresh to follow the status of the consumer initialization Any messages for the highlighted agreement will appear in the text box below the list For more information about monitoring replication and initialization status see Monitoring Replication Status on page 315 Initializing a Replica From the Command Line Manual replica initialization using the command line is the fastest method of consumer initialization for deployments that are replicating very large numbers of entries We suggest you use the manual process whenever you find that the online process is inappropriate due to performance concerns However the manual consumer initialization process is more complex than the online consumer initialization process To manually initialize or reinitialize a replica you need to first export the original copy of the suffix data to an L
40. Billing Info Deny In LDIF to deny subscribers permission to modify billing information in their own entry you would write the following statement aci targetattr connectionTime accountBalance version 3 0 acl Billing Info Deny deny write userdn ldap self This example assumes that the relevant attributes have been created in the schema and that the ACI is added to the ou subscribers dc example dc con entry From the console you can set this permission by doing the following 1 On the Directory tab right click the subscribers entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Billing Info Deny In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area in the Add Users and Groups dialog box to Special Rights and select Self from the Search results list Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write Make sure the o
41. Chained Suffixes Table 3 2 LDAP Controls That May be Chained Continued OID of the Control Name and Description of the Control 2 16 840 1 113730 3 4 5 Password expiring notification Notifies a client application that their password will expire in a given amount of time 2 16 840 1 113730 3 4 12 Proxied authorization old specification Allows the client to assume another identity for the duration of a request 2 16 840 1 113730 3 4 13 Replication update information Carries the universally unique identifier UUID and change sequence number CSN of a replicated operation 2 16 840 1 113730 3 4 14 Search on specific database Used with search operations to specify that the search must be done on the database which is named in the control 2 16 840 1 113730 3 4 15 Authentication response Returned to the client application with the bind response to provide the DN and authentication method used useful when SASL or certificate is employed 2 16 840 1 113730 3 4 16 Authentication request Provided with a bind request to ask the server to provide its certificate in the bind response 2 16 840 1 113730 3 4 17 Real attribute only request Indicates that the server should return only attributes that are truly contained in the entries returned and that it does not need to resolve virtual attributes 2 16 840 1 113730 3 4 18 Proxied authorization new specification Allows the client to assume another identity for the duration
42. Click OK to create the new role entry The new role appears in the directory tree with the icon for a filtered role Creating a Nested Role Nested roles allow you to create roles that contain other roles and to extend the scope of existing roles Before you create a nested role another role must exist When you create a nested role the console displays a list of the roles available for nesting A nested role may contain another nested role up to 30 levels of nesting Beyond this fixed limit the server will log an error when evaluating the role 158 Sun ONE Directory Server Administration Guide June 2003 Assigning Roles To create and add members to a nested role using the console 1 On the top level Directory tab of the Directory Server console right click the entry in the directory tree where you want to add the new role definition and select the New gt Role item Alternatively select the entry and choose the New gt Role item from the Object menu In the Create New Role dialog you must type a name for your new role in the Role Name field and you may add an optional description of the role in the Description field The group name will become the value of the cn common name attribute for the new role entry and appear in its DN Click Members in the left hand list of the dialog and select the Nested Role radio button in the right panel Click Add to add existing roles to the list of nested roles In the Rol
43. Click Save to save your changes 7 For your changes to be taken into account you must restart the Directory Server Using Referential Integrity with Replication There are certain limitations associated with the use of the referential integrity plug in when it is needed in a replication environment e It must be enabled on all servers containing master replicas e You must enable it with the same configuration on every master e Itis not useful to enable it on servers containing only hub or consumer replicas To configure the referential integrity plug in in a replication topology 1 Make sure all replicas are configured and all replication agreements are defined 2 Determine the set of attributes for which you will maintain referential integrity Also determine the update interval you wish to use on your master servers 3 Enable the referential integrity plug in on all master servers using the same set of attributes and the same update interval This procedure is described in Configuring Referential Integrity on page 82 4 Ensure that the referential integrity plug in is disabled on all consumer servers Chapter 2 Creating Directory Entries 83 Maintaining Referential Integrity 84 Sun ONE Directory Server Administration Guide June 2003 Chapter 3 Creating Your Directory Tree The directory tree consists of all of the entries in your server as identified by their distinguished name DN The hierarchical nat
44. Configuring Directory Server 5 2 as a Consumer of Directory Server 4 x 0000055 309 Updating Directory Server 5 1 Schema 6 eees 311 Using the Retro Change Log Plug In 0 0 ees 312 Enabling the Retro Change Log Plug In 0 6 cnet eens 313 Trimming the Retro Change Log 2 sc cca cl Sees eee eh ease eae Menace ke tea iS 314 Accessing Retro Charige Log rreta so ce ewnt ade Cetin caged valk ea tew te hee de 314 Monitoring Replication Status 6 ene teens 315 Command Line Tools opeis 2 3 e064 0 seed eae cb bg ee de hee tad ve sea deeded baeaeaae eres 315 Replication Status Tab ts u4 ls saalc tier halk ad Le dee A sD eae ORs heads 316 Solving Common Replication Conflicts 0020 ccc eee teenies 317 Solving Naming Conflicts vc sn ccs nd e408 Tad als Oe Wee ee dos Lee ead dale St oe aa Si 318 Solving Orphan Entry Conflicts mss sa pi deen cece EEEE E ES 320 Solving Potential Interoperability Problems 00 c cece een eens 320 Extending the Directory Schema 00 cece eee eee eee eee 323 schema Checking on 07 ae pinatenan iE ahaa pees e wks ete le den te els 323 Setting Schema Checking Using the Console 6 6 c cece cece eens 324 Setting Schema Checking From the Command Line 000 c cece cece eee eee 325 Sun ONE Directory Server Administration Guide June 2003 Overview of Extending the Schema 1 6 6 ccc cece nnn erenn 325 Modifying the Schema Files re
45. Console Generic Editor Generic Editor uid bjensen ou People dc example dc com Full name Babs Jensen prew createtimestamp 2003040822261 2z ey Show Attribute Names a Z Show Attribute Description creatorsname uid admin ou administrators ou to F entrydn uid bjensen ou people dc example v Showonly Attributes with Values Y ShowDN entryid 10 ki Fax number Jca08 555 4000 es First name Barbara Edit hassubordinates Fase Add Value Email address bjensen example com Delete Value modifersname uid admin ousadministrators ou to Add Attribute modifytimestamp 20030408002734z Delete Attribute Naming Attribute uid Change Cancel Help dn uid bjensen ou People dc example dc com In the generic editor the entry s attributes are listed alphabetically with a text box containing the value of each one All attributes including read only and operational attributes are shown The controls on the right allow you to modify the display in the editor and edit the list of attributes 3 Optionally you may modify the display of the generic editor using the controls in the View box o Select the Show Attribute Names option to view the names of attributes as they are first defined in the schema The list of attributes will be rearranged so that they are listed alphabetically by name o Select the Show Attribute Description option to list attributes by their alternate name if one is d
46. Continue when you see the Referral Error and modify the URL or Referral Authentication to fix the error Creating Smart Referrals From the Command Line To create a smart referral create an entry with referral and extensibleObject object classes The referral object class allows the ref attribute that is expected to contain an LDAP URL The extensibleObject object class allows you to use any schema attribute as the naming attribute in order to match the target entry For example define the following entry to return a smart referral instead of the entry uid bjensen Chapter 2 Creating Directory Entries 75 Encrypting Attribute Values ldapmodify a h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com objectclass top objectclass extensibleObject objectclass referral uid bjensen ref ldap east example com cn Babs 20Jensen ou Sales o east dc example dc com NOTE Any information after a space in an LDAP URL is ignored by the server For this reason you must use 20 instead of spaces in any LDAP URL you intend to use as a referral Once you have defined the smart referral modifications to the uid b jensen entry will actually be performed on the cn Babs Jensen entry on the other server The ldapmodify command will automatically follow the referral for example ldapmodify h host p port D cn Directory Manager w password dn uid b jensen ou Pe
47. DN Idap DN DN attribute bindT ype or attribute value IP_address DNS_host_name sun mon tue wed thu fri sat 0 2359 none simple ssl sasl authentication_method Wildcard Allowed yes in DN only no no no yes yes no no no The following sections further detail the bind rule syntax for each keyword Sun ONE Directory Server Administration Guide June 2003 Bind Rules Defining User Access userdn Keyword User access is defined using the userdn keyword The userdn keyword requires one or more valid distinguished names in the following format userdn ldap dn ldap dn userdn ldap dn ldap dn where dn can be a DN or one of the expressions anyone all self or parent These expressions refer to the following users e userdn ldap anyone Both anonymous and authenticated users e userdn ldap all Only authenticated users e userdn ldap self Only the same user as the target entry of the ACI e userdn ldap parent Only the parent entry of the ACI target The userdn keyword can also be expressed as an LDAP filter of the form userdn ldap suffix sub filter NOTE If a DN contains a comma the comma must be preceded by a backslash escape character Anonymous Access anyone Keyword Granting anonymous access to the directory means that anyone can access it without providing a bind DN or password a
48. Deselect the Enable access to this suffix checkbox to disable the suffix or select the checkbox to enable it Click Save to apply the change and immediately disable or enable the suffix Optionally you may set the global default referral that will be returned for all operations on this suffix while it is disabled This setting is located on the Network tab of root node of the top level Configuration tab For more information see Setting a Default Referral Using the Console on page 73 Disabling or Enabling a Suffix From the Command Line 1 Edit the nsslapd state attribute in the chained suffix entry with the following command ldapmodify h host p port D cn Directory Manager w password dn cn suffixDN cn mapping tree cn config changetype modify replace nsslapd state nsslapd state disabled or backend D where suffixDN is the full string of the suffix DN as it was defined including any spaces or backslashes to escape commas in the value Set the nssladp state attribute to the value disabled to disable the suffix and to the value backend to enable full access The suffix will be disabled immediately when the command is successful Optionally you may set the global default referral that will be returned for all operations on this suffix while it is disabled For more information see Setting a Default Referral From the Command Line on page 74 Setting Access Permissions and Referrals I
49. Directory Server as shown in the following figure To view all of the tasks and their buttons you may need to scroll through the list Chapter 1 Introduction to Sun ONE Directory Server 25 Using the Directory Server Console Figure 1 2 Tasks Tab of the Directory Server Console camus red iplanet com Sun ONE Directory Server example Console Edit View Help Sun ONE Directory Server eee Tasks Start Directory Server Stop Directory Server Restart Directory Server Back up Directory Server Tal Rastnra Dirartnry Sarver You must be logged in as a user with administrator rights in order to perform these tasks The task buttons will not be visible to users with insufficient rights Configuration Tab The Configuration tab of the Directory Server console provides interfaces and dialogs to view and modify all directory settings such as those for suffixes replication schema logs and plug ins These dialogs are only available or will only take effect if you are logged in as a user with administrator rights The left side of this tab contains a tree of all configuration functions and the right hand side displays the interface specific to managing each function These interfaces often contain other tabs dialogs or pop up windows For example the following figure shows the general settings for the entire directory 26 Sun ONE Directory Server Administration Guide June 2003 Using the Directory Server Conso
50. For more information see Chapter 6 Managing Access Control Display gt Role Count If an entry is a member of one or more roles the directory tree will show how many beside the entry For more information see Assigning Roles on page 154 Display gt Inactivation State If a user or group entry has been deactivated to prevent binding to the server the directory tree will show a red box and line through the entry s icon For more information see Inactivating and Activating Users and Roles on page 260 Layout gt View Children When you choose this layout option the tree in the left hand panel does not show leaf entries of the directory and selecting a parent node in the left hand panel displays all of its children including leaf entries in the right hand panel You may select entries in either panel Layout gt View Only Tree With this layout option the Directory tab has only one panel that displays a tree containing all entries in the directory Layout gt View Attributes In this layout the left hand panel displays a tree containing all entries in the directory and the right hand panel displays the attributes and values stored in the entry selected in the tree Display Attribute Click this menu item to see the Display Attribute dialog and choose the label for entries displayed in the Directory tab By default the label is the value of the entry s first RDN attribute for example People For base entri
51. Guide June 2003 Managing Entries From the Command Line Terminating LDIF Input on the Command Line The ldapmodify and ldapdelete utilities read the LDIF statements that you enter after the command in exactly the same way as if they were read from a file When you finish providing input enter the character that your shell recognizes as the end of file EOF escape sequence Typically the EOF escape sequence is one of the following depending on your operating system e UNIX Almost always Control D D e Windows Usually Control Z followed by a carriage return 2 lt Return gt The following example shows how to terminate input to the 1dapmodify command on a UNIX system prompt gt ldapmodify h host p port D bindDN w password dn cn Barry Nixon ou People dc example dc com changetype modify delete telephonenumber D prompt gt For simplicity and portability examples in this document do not show prompts or EOF sequences Using Special Characters When entering command options on the command line you may need to escape characters that have special meaning to the command line interpreter such as space asterisk backslash and so forth For example many DNs contain spaces and you must enclose the value in double quotation marks for most UNIX shells D cn Barbara Jensen ou Product Development dc example dc com Depending on your command line interpreter you should use
52. In addition to targeting directory entries you can also target one or more attributes or all but one or more attributes that occur in the targeted entries This is useful when you want to deny or allow access to partial information about an entry For example you could allow access to only the common name surname and telephone number attributes of a given entry Or you could deny access to sensitive information such as personal data The targeted attribute do not need to exist on the target entry or its subtree but the ACI will apply whenever they do The attributes you target do not need to be defined in the schema The absence of schema checking makes it possible to implement an access control policy before importing your data and its schema Chapter 6 Managing Access Control 187 ACI Syntax To target attributes you use the targetattr keyword and give the attribute names The targetattr keyword uses the following syntax targetattr attribute targetattr attribute You can target multiple attributes by using the targetattr keyword with the following syntax targetattr attributel attribute2 attributen targetattr attributel attribute2 attributen For example to target an entry s common name surname and uid attributes you would use the following targetattr cn sn uid Targeted attributes include all subtypes of the named attribute For example targetattr loc
53. LDIF to grant example com employees the right to add any role to their own entry except the superAdmin role you would write the following statement aci targetattr targattrfilters add nsRoleDN nsRoleDN cn superAdmin dc example dc com version 3 0 acl Roles allow write userdn ldap self and dns example com This example assumes that the ACI is added to the ou People dc example dc conm entry From the console you can set this permission by doing the following 1 On the Directory tab right click the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Roles In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area in the Add Users and Groups dialog box to Special Rights and select Self from the Search results list c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write Make sure the other checkboxes are clear Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples 5 On t
54. Meet Mae Lbaedrs edit 266 Summary of Steps for Configuring Replication s ususse s ssassn rner rr eee eens 267 Choosing Replication Managers 6 c cece een ene een nee 269 Configuring a Dedicated Consumer 6 cece teen teen nee 270 Creating the Suffix for the Consumer Replica 2 0 6 eee nen 271 Enabling a Consumer Replica 6c cece een nett n ne ees 271 Advanced Consumer Configuration 0 66 eens 271 Configuring a HUD icc ior da tte nae eines s ah ade eA heen Mais eee Fe eh 273 Creating the Suffix for the Hub Replica 6 ccc eee tenes 273 Enabling a Hub Replica 0 23 ue nenian golat eed aot ada i se E a Ses hve eeee Sede Shas 273 Advanced Hub Configuration 6 066 c cece ene eee n nee 274 Configuring d Master Replica ss 4 3 sat ete nara 3h Ss id PE TAS AN ee ea eee 276 Defining the Suffix for the Master Replica 6 cece nett 276 Enabling a Master Replica ii 0005 obendeliaeie cig daw tat EEE bees eet Ded ESRUS 276 8 Advanced Multi Master Configuration 6 6 c cece eee eens 277 Creating Replication Agreements 6 666 6 e nents 279 Configuring Fractional Replication 0 cece eee EEEO a 281 Considerations for Fractional Replication 6 ccc nee eens 282 Defining the A ttribtite Sets yg es eao eck elie E ne ote Cea RAN ede AE E 282 Enabling Fractional Replication 2 0 0 0 0 cece eee eee 284 Initializing Replicas isi
55. Name field and you may add an optional description of the group in the Description field The group name will become the value of the cn common name attribute for the new group entry and appear in its DN 3 Click Members in the left hand list of the dialog In the right panel the Static Group tab is selected by default 4 Click Add to add new members to the group The standard Search users and groups dialog box appears 152 Sun ONE Directory Server Administration Guide June 2003 Managing Groups In the Search drop down list select Users and enter a string to search for and then click Search Click the Advanced button to search specific attributes or specific attribute values Select one or more of the entries in the results and click OK Repeat this step to add all of the members you wish to this static group NOTE Static group members may be remote due to chaining You can use the referential integrity plug in to ensure that deleted member entries are automatically deleted from the static group entry For more information about using referential integrity with chaining refer to Configuring the Chaining Policy on page 113 Click Languages in the left hand list to give your group a name and descriptions string in another language These will be displayed when the console is using the corresponding locale Click OK to create your new group It appears as one of the children of the entry where it
56. ONE Directory Server Administration Guide June 2003 Managing Chained Suffixes 3 Specify SSL and the secure port of the remote server in the procedure for creating or modifying a chained suffix When using the console select the secure port checkbox in the chained suffix creation or configuration procedures See Creating Chained Suffixes Using the Console on page 105 or Modifying the Chaining Policy Using the Console on page 117 When using the command line procedures specify an LDAPS URL and the secure port of the remote server for example ldaps example com 636 See Creating Chained Suffixes From the Command Line on page 108 or Modifying the Chaining Policy From the Command Line on page 117 When you configure the chained suffix and remote server to communicate using SSL this does not mean that the client application making the operation request must also communicate using SSL The client may use either port of either the LDAP or DSML protocol Managing Chained Suffixes This section describes how to update and delete existing chained suffixes and control the chaining mechanism Configuring the Chaining Policy The chaining policy of the server determines which LDAP controls will be propagated to chained servers and which server components are allowed to access chained suffixes You should be aware of these settings and their influence on operations involving chained suffixes The chaining policy
57. Password Policy e If you selected expiring passwords you can specify how long before the password expires to send a warning to the user in the Send warning X days before password expires field When the user receives a warning the password will expire on the original date Deselect the Expire regardless of warning checkbox to extend the expiration to allow a full warning period after the warning is sent Only one warning and one extension will occur There is no grace login if the user binds after the password has expired e If you want the server to check the syntax of a user password to make sure it meets the minimum requirements set by the password policy select the Check password syntax checkbox Then specify the minimum acceptable password length in the Password minimum length text box e By default the Directory Manager cannot reset a password that violates the password policy for example reusing a password in the history Select the Allow Directory Manager to bypass Password Policy checkbox to allow this e Specify what encryption method you want the server to use when storing passwords from the Password encryption pull down menu 3 Click on the Account Lockout tab and select the Accounts may be locked out checkbox to define the account lockout policy e Enter the number of login failures and the period in which they must occur to trigger a lockout e Select the Lockout forever radi
58. Rules Examples The following are examples of the authmethod keyword e authmethod none Authentication is not checked during bind rule evaluation e authmethod simple The bind rule is evaluated to be true if the client is accessing the directory using a username and password e authmethod ssl The bind rule is evaluated to be true if the client authenticates to the directory using a certificate over LDAPS It will not be true if the client authenticates using simple authentication bind DN and password over LDAPS e authmethod sasl DIGEST MD5 The bind rule is evaluated to be true if the client is accessing the directory using the SASL DIGEST MD5 mechanism The other supported SASL mechanisms are EXTERNAL all platforms and GSSAPI only on Solaris systems Using Boolean Bind Rules Bind rules can be complex expressions that use the Boolean expressions AND OR and NOT to set very precise access rules You cannot use the Server Console to create Boolean bind rules You must create an LDIF statement The LDIF syntax for a Boolean bind rule is as follows bindRule boolean bindRule boolean bindRule For example the following bind rule will be evaluated to be true if the bind DN is a member of either the administrator s group or the mail administrator s group and if the client is running from within the example com domain groupdn ldap cn administrators dc example dc com or groupdn
59. SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Copyright c 2001 2002 The Apache Software Foundation All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The end user documentation included with the redistribution if any must include the following acknowledgment This product includes software developed by the Apache Software Foundation http www apache org Alternately this acknowledgment may appear in the software itself if and wherever such third party acknowledgments normally appear 4 The names Xerces and Apache Software Foundation must not be used to endorse or promote products derived from Appendix A Third Party Licence Acknowledgements 429 this software without prior written permission For written permission please contact apache apache org 5 Products derived
60. Server Administration Guide June 2003 Configuring Client Authentication The following sections describe how to configure the two SASL mechanisms on the directory server See also Configuring LDAP Clients to Use Security on page 379 SASL Authentication Through DIGEST MD5 The DIGEST MD5 mechanism authenticates clients by comparing a hashed value sent by the client with a hash of the user s password However because the mechanism must read user passwords all users wishing to be authenticated through DIGEST MD5 must have CLEAR passwords in the directory Configuring the DIGEST MD5 Mechanism The following procedure explains the steps necessary to configure Directory Server to use DIGEST MD5 1 Using either the console or the ldapsearch command verify that DIGEST MD5 is a value of the supportedSASLMechanisms attribute on the root entry For example the following command will show which SASL mechanisms are enabled ldapsearch h host p port D cn Directory Manager w password s base b objectclass supportedSASLMechanisms dn supportedSASLMechanisms EXTERNAL supportedSASLMechanisms DIGEST MD5 supportedSASLMechanisms GSSAPI 2 If DIGEST MD5 is not enabled use the following ldapmodify command to enable it ldapmodify h host p port D cn Directory Manager w password dn cn SASL cn security cn config changetype modify add dsSaslPluginsEnable dsSasl
61. Stopping the Directory Server on page 20 Sun ONE Directory Server Administration Guide June 2003 Chapter 15 Using the UID Uniqueness Plug In The UID uniqueness plug in ensures that the value of a given attribute is unique among all entries of the directory or of a subtree The plug in will stop any operation that tries to add an entry which contains an existing value for the given attribute or any operation that adds or modifies the attribute to a value that already exists in the directory By default the plug in ensures the uniqueness of the uid attribute however the plug in is not enabled by default You may create new instances of the plug in to enforce unique values on other attributes The UID uniqueness plug in is limited to ensuring attribute value uniqueness on a single server This chapter contains the following sections e Overview e Enforcing Uniqueness of the uid Attribute e Enforcing Uniqueness of Another Attribute e Using the Uniqueness Plug In With Replication Overview The UID uniqueness plug in is a preoperation plug in It will check all LDAP operations before the server performs an update of the directory The plug in determines whether the operation will cause two entries to have the same attribute value in which case the server terminates the operation and returns error 19 LDAP_CONSTRAINT_VIOLATION to the client 419 Enforcing Uniqueness of the uid Attribute You can configure the plug in to
62. The server will not close the connection unless a bind request is initiated and the server determines the timeout has been exceeded If you do not specify this option or if only one authenticating server is listed in the LDAP URL no time limit will be enforced If two or more hosts are listed the default is 300 seconds five minutes The following example of a PTA plug in argument increases the number of connections to 10 but decreases the timeout to one minute 60 seconds The default values are give for all other parameters ldaps configdir example com 636 o NetscapeRoot 10 5 60 3 300 Specifying Multiple Servers and Subtrees You may configure the PTA plug in with multiple arguments to specify multiple authenticating servers multiple PTA subtrees or both Each argument contains one LDAP URL and may have its own set of connection options When there are multiple authenticating servers for the same PTA subtree they act as failover servers The plug in will establish connections to them in the order listed whenever a PTA connection reaches the timeout limit If all connections time out the authentication fails When there are multiple PTA subtrees defined the plug in will pass through the authentication request to the corresponding server according to the bind DN The following example shows four PTA plug in arguments that define two PTA subtrees each with a failover server for authentication and server specific connection param
63. Use Security 384 d Inthe Set Value dialog enter the name of the userCert bin file created in Step 6 or click Browse to locate the file e Click OK in the Set Value dialog and then click Save in the Generic Editor e To add the certificate from the command line use the ldapmodify command as shown in the following example This command uses SSL to send the certificate over a secure connection ldapmodify h host p securePort D uid bjensen dc example dc com w bindPassword Z P home bjensen netscape cert7 db version 1 dn uid bjensen dc example dc com changetype modify add userCertificate userCertificate lt file path userCert bin The spaces before and after lt are significant and must be used exactly as shown In order to use the lt syntax to specify a filename you must begin the LDIF statement with the line version 1 When ldapmodify processes this statement it will set the attribute to the value read from the entire contents of the given file 8 On the directory server install and trust the certificate of the CA that issued your user certificate if necessary This CA must be trusted for accepting connections from clients See Trusting the Certificate Authority on page 364 9 Configure the directory server for certificate based authentication as described in Using Client Authentication in Chapter 10 of the Sun ONE Server Console Server Management Guide In this procedure
64. User Account Management The NT User and Posix User tabs are provided for Directory Server Synchronization Services please see your Sun representative for details For further instructions on modifying groups roles and class of service entries see Chapter 5 Advanced Entry Management For instructions on modifying password policies see Chapter 7 User Account Management For instructions on modifying referrals see Setting Referrals on page 72 4 Click OK to save your changes to the entry and close the custom editor dialog If you modified the naming attribute for example the common name of a user entry the change will be reflected in the directory tree Setting Attributes for Language Support The custom editors for both user and organizational unit entries provide language support for internationalized directories Chapter 2 Creating Directory Entries 53 Managing Entries Using the Console 54 1 Open the custom editor for your entry as described in Invoking the Custom Editor on page 52 2 Click on the Languages tab in the left hand column 3 For user entries you may set a preferred language using the drop down list 4 For both user and organizational unit entries you may enter localized values in the given fields for any of the languages shown in the list Select a language and then enter one or more values in that language The language name appears in bold in the list when localized values ar
65. a Dedicated Consumer Creating the Suffix for the Consumer Replica If it does not already exist create an empty suffix on the consumer with the same DN as the intended master replica For instructions refer to Creating Suffixes on page 87 If the suffix exists and is not empty its contents will be lost when the replica is initialized from the master Enabling a Consumer Replica The replication wizard simplifies the task of enabling a dedicated consumer replica 1 On the top level Configuration tab of the Directory Server console expand both the Data node and the node for the suffix you wish to be a consumer replica and then select the Replication node below the suffix The replica status information is displayed in the right hand panel 2 Click the Enable replication button to begin the replication wizard 3 The Consumer Replica radio button is selected by default Click Next to continue 4 If you have not already done so you will be prompted to enter and confirm a password for the default replication manager Type the same password in each field and then click Next to continue If the default replication manager already had a password defined the wizard will skip this step 5 The replication wizard will display a status message while updating the replication configuration Click Close when it has completed The replication status now shows that the replica is ready to receive updates and the icon in the lef
66. a cascading chain you must enable ACI checking to allow perform access control before forwarding the operation again Sun ONE Directory Server Administration Guide June 2003 Configuring Cascading Chaining On all servers in a cascading chain set the maximum number of hops that allows all chaining operations in your topology Every time the same operation is forwarded to another chained suffix counts as a hop and a chained suffix will not forward the operation any more if this limit is reached You should set a number greater than the number of hops in your longest cascading chain Any operation that reaches the limit will be aborted because the servers will assume it is an accidental loop in your topology You must also set the chaining configuration to allow the loop detection control as described in Transmitting LDAP Controls for Cascading on page 130 Click Save when you have finished setting the cascading parameters Setting the Cascading Parameters From the Command Line 1 On all intermediate servers edit the chaining configuration entry for the cascading suffix with the following command ldapmodify h host p port D cn Directory Manager w password dn cn databaseName cn chaining database cn plugins cn config changetype modify replace nsCheckLocalACI nsCheckLocalACI on changetype modify replace nsHopLimit nsHopLimit maximumHops D You should set the maximumHops greater than the
67. aci attribute is a multi valued operational attribute that may be read and modified by directory users and that should itself be protected by ACIs Administrative users are usually given full access to the aci attribute and may view its values in one of the following ways You can view the aci attribute values as any other values in the Generic Editor In the top level Directory tab of the Directory Server console right click an entry with ACIs and choose the Edit With Generic Editor menu item However aci values are usually long strings that are difficult to view and edit in this dialog Instead you may then invoke the Access Control Editor by right clicking the entry in the directory tree and choosing the Set Access Permissions menu item Select an ACT and click Edit then click Edit Manually to view the corresponding aci value By switching between the Manual and Visual editors of the ACI you can compare the syntax of the aci value with its configuration Chapter 6 Managing Access Control 211 Creating ACIs Using the Console If your operating system allows it you may copy the aci value from either the Generci Editor or the Manual Access Control Editor to paste it into your LDIF file Administrative users can also view the aci attribute of an entry by running the following ldapsearch command ldapsearch h host p port D cn Directory Manager w password b entryDN s base objectclass aci The result is LDIF text that
68. activation Using the Command Line 1 Install the new server certificate in your certificate database with the following command certutil A n certificateName t u a i certFile d ServerRoot alias P slapd serverID where certificateName is a name you give to identify your certificate and certFile is the text file containing the PKCS 11 certificate in PEM format The t u option indicates that this is a server certificate for SSL communications 2 Optionally you may also use the following certutil command to verify your installed certificates certutil L d ServerRoot alias P slapd serverID The certificates listed with a trust attribute of u are the server certificates Trusting the Certificate Authority Configuring your Directory Server to trust the Certificate Authority consists of obtaining its certificate and installing it into your server s certificate database This process differs depending on the certificate authority you use Some commercial CAs provide a website that allows you to automatically download the certificate and others will email it to you upon request Sun ONE Directory Server Administration Guide June 2003 Obtaining and Installing Server Certificates Using the Console Once you have the CA certificate you can use the Certificate Install Wizard to configure the Directory Server to trust the Certificate Authority 1 On the top level Tasks tab of the Directory Server
69. agreement and attribute set definitions The dse 1dif file is where the server stores the contents of the cn config entry including the replication agreements and attribute sets Chapter 8 Managing Replication 291 Initializing Replicas Solaris Packages Other Installations The b option is the DN of the replication agreement where fractional replication is defined You can find this entry by browsing the cn config suffix as Directory Manager in the Directory Server console Select the entry under the cn replica entry for your suffix and use the Edit gt Copy DN menu item to copy this DN to the clipboard for using when typing your command The full command line syntax for the ildif tool is given in LDIF Command Line Utilities in Chapter 1 of the Sun ONE Directory Server Reference Manual You may then use the filtered 1dif file produced by fildif to initialize the consumer in this replication agreement Transfer the file to the consumer server and import it as described in the next section Importing the LDIF File to the Consumer Replica You can import the LDIF file that contains the master replica contents to the consumer replica by using the import features in the Directory Server console or by using either the 1dif2db command or 1dif2db p1 script directoryserver ldif2db or directoryserver 1dif2db task in the Solaris Packages As with all import operations these scripts will require the bind DN and password of the Directo
70. and select Delete from the pop up menu Alternatively you may select the suffix node and choose Delete from the Object menu 3 A confirmation dialog appears to inform you that entries accessible through this chained suffix will not be removed from the remote directory In addition for a parent suffix you have the choice of recursively deleting all of its subsuffixes Select Delete this suffix and all of its subsuffixes if you want to remove the entire branch Otherwise select Delete this suffix only if you want to remove only this particular suffix and keep its subsuffixes in the directory 4 Click OK to delete the suffix A progress dialog box is displayed that tells you the steps being completed by the console Sun ONE Directory Server Administration Guide June 2003 Configuring Cascading Chaining Deleting a Suffix From the Command Line To delete a suffix from the command line use the 1dapdelete command to remove its configuration entries from the directory If you wish to delete an entire branch containing subsuffixes you must find the subsuffixes of the deleted parent and repeat the procedure for each of them and their possible subsuffixes 1 Remove the suffix configuration entry using the following command ldapdelete h host p port D cn Directory Manager w password cn suffixDN cn mapping tree cn config This command makes the chained suffix and its remote entries no longer visible in the di
71. are then shown with a red bar through them The correct activation state of user entries is shown regardless of whether they are inactivated directly or through role membership Setting User and Role Activation From the Command Line To inactivate a user account or the members of a role use the ns inactivate pl script directoryserver account inactivate in the Solaris Packages To activate or reactivate a user or role use the ns activate pl script directoryserver account inactivate in the Solaris Packages The commands for these scripts are platform dependent usr sbin directoryserver account inactivate usr sbin directoryserver account activate Windows Platforms cd ServerRoot Other Installations bin slapd admin bin perl slapd serverID ns inactivate pl bin slapd admin bin perl slapd serverID ns activate pl ServerRoot slapd serverID ns inactivate pl ServerRoot slapd serverID ns activate pl The following commands show how to use the per1 scripts to inactivate and reactivate Barbara Jensen s user account ns inactivate pl h host p port D cn Directory Manager w password I uid bjensen ou People dc example dc com ns activate pl h host p port D cn Directory Manager w password I uid bjensen ou People dc example dc com Chapter 7 User Account Management 261 Setting Individual Resource Limits In both of these commands the 1 option specifies the DN of the user or role for which you wi
72. as is to become the initial index configuration of the corresponding database Chapter 10 Managing Indexes 351 Managing Browsing Indexes The set of default indexes may only be configured using the command line utilities The default index entries have exactly the same syntax as index configuration entries described in Managing Indexes From the Command Line on page 346 For example use the following 1dapmodify command to add a default index configuration entry ldapmodify a h host p port D cn Directory Manager w password dn cn drink cn default indexes cn config cn ldbm database cn plugins cn config objectClass top objectClass nsIndex cn drink nsSystemIndex false nsIndexType eq nsIndexType sub nsMatchingRule 1 3 6 1 4 1 42 2 27 9 4 76 1 D After this entry has been added any new suffix will have values of the drink attribute indexed for equality and substring searches in French To modify or delete the default index entries use the ldapmodify or ldapdelete commands to edit the set of indexes in cn default indexes cn config cn ldbm database cn plugins cn config Managing Browsing Indexes 352 Browsing indexes are special indexes used only for search operations that request server side sorting or virtual list view VLV results Using browsing indexes can improve the performance of searches that request server side sorting of a large number of results Depending on your directory con
73. authentication for the console 370 and chained suffixes 112 choosing encryption ciphers 368 client authentication 370 configuring certificate based authentication in clients 381 configuring clients to use SSL 379 configuring server authentication in clients 379 configuring SSL 366 creating a certificate database 360 enabling SSL 359 generating a certificate request 361 installing a server certificate 362 port number 35 server certificates 359 starting the server with a pin file 22 trusting the Certificate Authority 364 user certificates in clients 382 with replication 296 with the pass through authentication plug in 416 SSL authentication starting the directory server 20 with SSL 22 start slapd script 21 static groups see groups 440 Sun ONE Directory Server Administration Guide June 2003 stopping the directory server 20 stop slapd script 21 subagent configuring 409 enabling 410 starting and stopping on Unix 410 substring index see indexing subsuffixes see suffixes subtypes for binary attributes 69 for languages in LDIF update statements 69 suffixes 351 backing up the entire directory 142 chaining see chaining creating a root suffix using the console 87 creating from command line 92 creating subsuffixes using the console 90 deleting a suffix 99 exporting a single suffix using the console 140 exporting data to LDIF 138 exporting the entire directory using the console 139 exporting to LDIF from the command line 141 impo
74. be allowed or denied access based on the permissions you set Logical OR of LDAP URLs Specify several LDAP URLs or keyword expressions to create complex rules for user access For example userdn ldap uid b c example com ldap cn b dc example dc com The bind rule is evaluated to be true for users binding with either of the DN patterns Excluding a Specific LDAP URL Use the not equal operator to define user access that excludes specific URLs or DNs For example userdn ldap uid ou Accounting dc example dc com The bind rule is evaluated to be true if the client is not binding as a UID based distinguished name in the accounting subtree This bind rule only makes sense if the targeted entry is not under the accounting branch of the directory tree Defining Group Access groupdn Keyword Members of a specific group can access a targeted resource This is known as group access Group access is defined using the groupdn keyword to specify that access to a targeted entry will be granted or denied if the user binds using a DN that belongs to a specific group The groupdn keyword requires the distinguished names of one or more groups in the following format groupdn ldap groupDN ldap groupDN Chapter 6 Managing Access Control 199 Bind Rules The bind rule is evaluated to be true if the bind DN belongs to a group specified by any of the groupDNs The following section give
75. be returned as referrals for write requests o Return a referral for both read and write requests Enter one or more LDAP URLs in the list to be returned as referrals for all operations This behavior is similar to disabling access to the suffix except that the referrals may be defined specifically for this suffix instead of using the global default referral 4 Edit the list of referrals with the Add and Remove buttons Clicking the Add button will display a dialog for creating an LDAP URL of a new referral You may create a referral to the DN of any branch in the remote server For more information about the structure of LDAP URLs refer to Sun ONE Directory Server Getting Started Guide You can enter multiple referrals The directory will return all referrals in this list in response to requests from client applications 5 Click Save to apply you changes and immediately begin enforcing the new permissions and referral settings Setting Access Permissions and Referrals Using the Console In the following command suffixDN is the full string of the chained suffix as it was defined including any spaces LDAPURL is a valid URL containing the hostname port number and DN of the target for example ldap alternate example com 389 ou People dc example dc com 1 Edit the chained suffix entry with the following command Sun ONE Directory Server Administration Guide June 2003 Managing Chained Suffixes ldapmodify h h
76. be unlisted This part of the directory could be a slave server outside of the firewall and updated once a day See Granting Anonymous Access on page 218 and Setting a Target Using Filtering on page 233 Granting Anonymous Access Most directories are run such that you can anonymously access at least one suffix for read search or compare For example you might want to set these permissions if you are running a corporate personnel directory that you want employees to be able to search such as a phone book This is the case at example com internally and is illustrated in the ACI Anonymous example com example As an ISP example com also wants to advertise the contact information of all of its subscribers by creating a public phone book accessible to the world This is illustrated in the ACI Anonymous World example ACI Anonymous example com In LDIF to grant read search and compare permissions to the entire example com tree to example com employees you would write the following statement aci targetattr userPassword version 3 0 acl Anonymous example allow read search compare userdn ldap anyone and dns example com This example assumes that the aci is added to the dc example dc com entry Note that the userPassword attribute is excluded from the scope of the ACI 218 Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples From the co
77. bit encryption and SHA message authentication This cipher meets the FIPS 140 1 U S government standard for implementations of cryptographic modules rsa_fips_des_sha Triple DES Triple DES with 168 bit encryption and SHA message authentication rsa_3des_sha Triple DES FIPS FIPS Triple DES with 168 bit encryption and SHA message authentication This cipher meets the FIPS 140 1 U S government standard for implementations of cryptographic modules rsa_fips_3des_sha 368 Sun ONE Directory Server Administration Guide June 2003 Activating SSL Table 11 1 Ciphers Provided with Sun ONE Directory Server Continued Cipher Name Description Fortezza Fortezza cipher with 80 bit encryption and SHA message authentication RC4 Fortezza Fortezza RC4 cipher with 128 bit encryption and SHA message authentication None Fortezza No encryption only Fortezza SHA message authentication In order to continue using the Sun ONE Server Console with SSL you must select at least one of the following ciphers e RC4 cipher with 40 bit encryption and MD5 message authentication e No encryption only MD5 message authentication not recommended e DES with 56 bit encryption and SHA message authentication e RC4 cipher with 128 bit encryption and MD5 message authentication e Triple DES with 168 bit encryption and SHA message authentication Use the following procedure to choose the ciphers you want the server to use 1 On the top
78. by the client and completed by the server during this connection Bound As Gives the distinguished name used by the client to bind to the server If the client has not authenticated to the server this column displays not bound State e Not blocked Indicates that the server is idle or actively sending or receiving data over the connection e Blocked Indicates that the server is waiting to read or write data over the connection The probable cause is a slow network or a slow client Type Indicates whether it is an LDAP or DSML over HTTP connection 3 Click on the Suffixes node in the left hand status tree This panel displays monitoring information about the entry cache and index usage in the database cache of each suffix as shown in the following figure 400 Sun ONE Directory Server Administration Guide June 2003 Monitoring Server Activity Figure 12 3 Suffix Monitoring Panel camus red iplanet com Sun ONE Dire ver example Console Edit View Obi Sun ONE Directory Server eich Direct camus red iplanet com 389 Refresh Continuous refresh Entry cache usage Q Chained suffixes Logs Replication ancestorid cn o Net 5533 5534 entrydn Entry access dc e 158 159 99 0 27 o Net 1054 1055 99 0 37 A TOTAL fa S 23268 23298 99 D 273 Read write page evicts 0 Read only page evicts 0 Display Suffixes Set the refresh mode if desired Cl
79. can use the Directory tab and the entry editor dialogs on the Directory Server console to add modify or delete entries individually If you want to operate on several entries simultaneously see Bulk Operations Using the Console on page 61 For information on starting the Directory Server console and navigating the user interface refer to Using the Directory Server Console on page 23 Creating Directory Entries Directory Server console offers several custom templates for creating directory entries Each template is a custom editor for a specific type of object class Table 2 1 shows the object class that is used for each custom editor Sun ONE Directory Server Administration Guide June 2003 Managing Entries Using the Console Table 2 1 Entry Templates and Corresponding Object Classes Template Object Classes User inetOrgPerson for creation and editing organizationalPerson for editing person for editing Group groupOfUniqueNames and possibly others for dynamic groups and certificate groups Organizational Unit organizationalUnit Role nsRoleDefinition and others depending on choice of managed filtered or nested role Class of Service cosSuperDefinition and others depending on type of class of service Password Policy passwordPolicy Referral referral These custom editors contain fields representing all the mandatory attributes and some of the commonly used optional attributes of their respective
80. cmu edu computing CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Copyright c 1997 1998 Kungliga Tekniska H gskolan Royal Institute of Technology Stockholm Sweden All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 428 Sun ONE Directory Server Administration Guide June 2003 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes software developed by Kungliga Tekniska H gskolan and its contributors 4 Neither the name of the Institute nor the names of its contributors may be used to endorse or
81. configures the master replica to use the default change log settings To modify the change log settings On the top level Configuration tab of the Directory Server console select the Data node and then the Replication tab in the right hand panel Chapter 8 Managing Replication 277 Configuring a Master Replica 278 2 You might need to refresh the contents of this tab by checking the Enable Changelog checkbox and clicking the Reset button You should then see the change log file that you chose in the replication wizard 3 You may change the name of the change log file and update the change log parameters a Max changelog records Determines the total number of modifications to store for sending updates to consumers By default it is unlimited You may wish to limit the number of records to save disk space if your replica receives many large modifications b Max changelog age Determines the time for which the hub will store updates it must send to consumers By default it is unlimited The max age parameter is the recommended way to limit the size of the change log The replication wizard also uses the default replication manager If you have created a different replication manager entry that you wish to use you need to set the advanced configuration You may also use this dialog to set referrals for modifications and the purge delay If you are configuring a single master you may skip this procedure 1 On the top level Conf
82. console click the Manage Certificates button Alternatively with the Tasks tab showing select the Manage Certificates item from the Console gt Security menu The Manage Certificates window is displayed Select the CA Certs tab and click Install The Certificate Install Wizard is displayed If you saved the CA s certificate to a file enter the path in the field provided If you received the CA s certificate via email copy and paste the certificate including the headers into the text field provided Click Next Verify that the certificate information displayed is correct for your Certificate Authority then click Next Specify a name for the certificate then click Next Select the purpose of trusting this CA You may select either or both Accepting connections from clients Client Authentication Select this checkbox if your LDAP clients perform certificate based client authentication by presenting certificates issued by this CA Accepting connections to other servers Server Authentication Select this checkbox if your server will play a replication supplier or chaining multiplexor role over SSL with another server that has a certificate issued by this CA Click Done to dismiss the wizard Using the Command Line 1 You may also use the following command to install a trusted CA certificate certutil A n CAcertificateName t trust a i certFile d ServerRoot alias P slapd serverID where CAcertificateN
83. control rule will not work For more information refer to Using the userattr Keyword on page 201 For more information on CoS see Chapter 5 Advanced Entry Management Access control rules are always evaluated on the local server You must not specify the hostname or port number of the server in LDAP URLs used in ACI keywords If you do the LDAP URL will not be taken into account at all For more information see Appendix D LDAP URLs in the see Sun ONE Directory Server Reference Manual When granting proxy rights you cannot grant a user the right to proxy as the Directory Manager nor can you grant proxy rights to the Directory Manager Default ACIs When you install the directory server the following default ACIs are defined on the the root suffix you specified during the configuration All users have anonymous access to the directory for search compare and read operations Bound users can modify their own entry in the directory but not delete it They cannot modify the aci nsroledn and passwordPolicySubentry attributes nor any of their resource limit attributes password policy state attributes or account lockout state attributes The configuration administrator by default uid admin ou Administrators ou TopologyManagement o Net scapeRoot has all rights except proxy rights All members of the Configuration Administrators group have all rights except proxy rights All members of the Directory Adm
84. directory tree also have a repeating pattern For example the following ACI is located on the dc hostedCompany1 dc example dc com node aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc hostedCompanyl dc example dc com This ACI grants read and search rights to the DomainAdmins group to any entry in the dc hostedCompanyl dc example dc com tree Chapter 6 Managing Access Control 241 Advanced Access Control Using Macro ACIs Figure 6 4 Example Directory Tree for Macro ACIs dc hostedcompany1 dc example dc com ou groups ou people cn domainAdmins cn deptAdmins cn helpdesk cn all dc subdomain1 ou groups ou people cn domainAdmins cn deptAdmins cn helpdesk cn all dc subdomain1 1 l 7 l T l l ou groups ou people The following ACI is located on the dc hostedCompany1 dc example dc com node 242 Sun ONE Directory Server Administration Guide June 2003 Advanced Access Control Using Macro ACIs aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc hostedCompanyl dc example dc com The following ACI is located on the dc subdomain1 dc hostedCompanyl dc example dc com node aci targetattr targetfilter objectC
85. enforce uniqueness in one or more subtrees in the directory or among entries of a specific object class This configuration determines the set of entries for which unique attribute values will be enforced An operation may be terminated only if it targets an entry of this set and if the attribute value is not unique among all entries of this set You may define several instances of the UID uniqueness plug in if you wish to enforce the uniqueness of other attributes Define one plug in instance for each attribute and set of entries where you want its value to be unique You may also have several plug in instances for the same attribute to enforce separate uniqueness in several sets of entries A given attribute value will be allowed only once in each set When you enable attribute uniqueness on an existing directory the server does not check for the uniqueness among existing entries Uniqueness is only enforced when an entry is added or when the attribute is added or modified By default the UID uniqueness plug in is disabled because it affects the operation of multi master replication You may enable the UID uniqueness plug in when using replication but you should be aware of the behavior described in Using the Uniqueness Plug In With Replication on page 425 Enforcing Uniqueness of the uid Attribute 420 This section explains how to enable and configure the default uniqueness plug in for the uid attribute in your directory
86. entries The specifier attribute must contain an RDN relative domain name that when combined with the template base DN determines the template containing the CoS values The CoS definition entry is an instance of the cosSuperDefinition object class and also inherits from one of the following object classes to specify the type of CoS e 6 cosPointerDefinition e 6 cosIndirectDefinition e 6cosClassicDefinition The CoS definition entry contains the attributes specific to each type of CoS for naming the virtual CoS attribute the template DN and the specifier attribute in target entries if needed By default the CoS mechanism will not override the value of an existing attribute with the same name as the CoS attribute However the syntax of the CoS definition entry allows you to control this behavior The CoS template entry is an instance of the cosTemplate object class The CoS template entry contains the value or values of the attributes generated by the CoS mechanism The template entries for a given CoS are stored in the directory tree at the same level as the CoS definition When possible definition and template entries should be located in the same place for easier management Also you should name them in a way that suggests the functionality they provide For example a definition entry DN such as cn C1CosGenerateEmployeeType ou People dc example dc com is more descriptive than cn ClassicCos1 ou People dc example dc com
87. es Chapter 2 Creating Directory Entries 69 Managing Entries From the Command Line 70 Modifying an Attribute Value The following example shows how you may modify a single valued attribute and all values of a multi valued attribute using the replace syntax in LDIF ldapmodify h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com changetype modify replace sn sn Morris replace cn cn Barbara Morris cn Babs Morris When using the replace syntax all current values of the specified attribute will be removed and all given values will be added Deleting an Attribute Value The following example shows how to delete an attribute entirely and delete only one value of a multi valued attribute ldapmodify h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com changetype modify delete facsimileTelephoneNumber delete cn cn Babs Morris When using the delete syntax without specifying an attribute value pair all values of the attribute will be removed If you specify an attribute value pair only that value will be removed Modifying One Value of a Multi Valued Attribute In order to modify one value of a multi valued attribute with the ldapmodify command you must perform two operations as shown in the following example ldapmodify h host p port D cn Directory Manager w
88. examples using the groupdn keyword NOTE If a group DN contains a comma the comma must be escaped by a backslash Single LDAP URL groupdn ldap cn Administrators dc example dc com The bind rule is evaluated to be true if the bind DN belongs to the Administrators group If you wanted to grant the Administrators group permission to write to the entire directory tree you would create the following ACI on the dc example dc com node aci version 3 0 acl Administrators write allow write groupdn ldap cn Administrators dc example dc com Logical OR of LDAP URLs groupdn ldap cn Administrators dc example dc com ldap cn Mail Administrators dc example dc com The bind rule is evaluated to be true if the bind DN belongs to either the Administrators or the Mail Administrators group Defining Role Access roledn Keyword Members of a specific role can access a targeted resource This is known as role access Role access is defined using the roledn keyword to specify that access to a targeted entry will be granted or denied if the user binds using a DN that belongs to a specific role The roledn keyword requires one or more valid distinguished names in the following format roledn ldap dn ldap dn ldap dn The bind rule is evaluated to be true if the bind DN belongs to the specified role NOTE If a DN contains a comma the comma must be escaped by a backs
89. file you may skip the remaining steps However be sure the root entry in your LDIF file contains the access control instructions ACIs required by your deployment Select the top level Directory tab of the console The new suffix is not yet visible in the directory tree If you are not logged in as the directory manager do so now by selecting the Console gt Log in as New User menu item Enter the DN and password of the directory manager to log in By default the directory manager DN is cn Directory Manager Right click on the root node of the directory tree the one containing the server hostname and port Select the New Root Object item from the pop up menu and select the DN of the new root suffix Alternatively select the root node of the directory tree and then choose the New Root Object item from the Object menu In the New Object dialog that is displayed select a single object class for the root object This object class will determine what other attributes may be added to the root entry By convention root objects for suffix DNs containing dc naming attributes belong to the domain object class Usually root objects are simple objects and contain little data Click OK in the New Object dialog when you have selected the object class The console now displays the generic editor for the new root object The set of default ACIs is automatically added to the new object See Default ACIs on page 183 for additional informat
90. from this software may not be called Apache nor may Apache appear in their name without prior written permission of the Apache Software Foundation THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE COPYRIGHT Copyright c 1997 2000 Messaging Direct Ltd All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED B
91. group access 197 Boolean bind rules 210 compatibility with earlier versions 248 creating from console 212 dynamic targets 198 from specific domain 207 from specific IP address 206 logging information 247 overview 179 180 permissions 191 placement of ACIs 181 rights 192 SASL authentication 209 simple authentication 209 SSL authentication structure of ACIs target DN containing comma 235 target DN containing comma and 186 targeting 185 targeting attribute values 190 targeting attributes 187 Index targeting entries 186 targeting using filters 188 using the Access Control Editor 212 value matching 201 Access Control Editor displaying 213 access control instruction ACI See ACI access log see logs account lockout see password policies accounts see user accounts ACI assessment attribute 181 authmethod keyword 209 bind rules 185 194 creating from console 215 dayofweek keyword 209 deleting from console 217 dns keyword 207 editing from console 216 evaluation 182 examples of use 217 groupdn keyword 199 inheritance 204 ip keyword 206 name 185 permissions 185 191 precedence rule 182 proxy rights example 235 replication 247 rights 192 roledn keyword 200 structure 431 syntax 184 targattrfilters keyword 190 target 184 target DN containing comma 235 target DN containing comma and 186 target keywords 186 target overview 185 targetattr keyword 187 targetfilter keyword 188 userattr and parent 204 userattr keyword
92. host name is as follows dns DNS_Hostname or dns DNS_Hostname CAUTION The dns keyword requires that the naming service used on your machine is DNS If the name service is not DNS you should use the ip keyword instead The dns keyword requires a fully qualified DNS domain name Granting access to a host without specifying the domain creates a potential security threat For example the following expression is allowed but not recommended dns legend eng You should use a fully qualified name such as dns legend eng example com Chapter 6 Managing Access Control 207 Bind Rules The dns keyword allows wildcards For example dns example com The bind rule is evaluated to be true if the client accessing the directory is located in the named domain This can be useful for allowing access only from a specific domain Note that wildcards will not work if your system uses a naming service other than DNS In such a case if you want to restrict access to a particular domain use the ip keyword as described in Defining Access From a Specific IP Address on page 206 Defining Access at a Specific Time of Day or Day of Week You can use bind rules to specify that binding can only occur at a certain time of day or on a certain day of the week For example you can set a rule that will allow access only if it is between the hours of 8 am and 5 pm Monday through Friday The time used to evaluate access
93. in as New User menu item A login dialog box appears 2 Enter the new DN and password and click OK Enter the full distinguished name of the entry with which you want to bind to the server For example if you want to bind as the Directory Manager then enter the following DN in the Distinguished Name text box cn Directory Manager The Directory Manager DN and password are further explained in the following section Using the Online Help The online help provides context sensitive information for most tabs and dialogs of the Directory Server console The Help button is usually located in the bottom right hand corner of these interfaces The keyboard shortcut for invoking the context sensitive help on any screen is always Alt P Invoking the online help will display an HTML based page in the Console s built in browser From there you may click the Launch in Browser button to open the same page in an external browser such as Netscape Communicator Within the online help links to further information will also open an external browser window Each online help page gives an explanation of the fields and buttons contained in the corresponding tab or dialog Use this information to guide you when interpreting entering or modifying values through the console Sun ONE Directory Server Administration Guide June 2003 Using the Directory Server Console The help system for Sun ONE Directory Server is dependent upon Sun ONE Administrat
94. in from the Directory Server console 1 On the top level Configuration tab of the Directory Server console expand the Plugins node and select the referential integrity postoperation plug in The settings for the plug in are displayed in the right hand panel Check the Enable plug in check box to enable the plug in clear it to disable it Set the value of Argument 1 to modify the update interval in seconds Common values are o 0 Update immediately after every operation Be advised that immediate referential integrity checks after every delete an modify operation may significantly impact server performance o 90 Updates occur every 90 seconds o 3600 Updates occur every hour o 10 800 Updates occur every 3 hours o 28 800 Updates occur every 8 hours o 86 400 Updates occur once a day o 604 800 Updates occur once a week Set the value of Argument 2 to the absolute path of the referential integrity log file you wish to use Argument 3 is not used but it must be present The attributes monitored for referential integrity are listed beginning with Argument 4 Click the Add and Delete buttons to manage this list and add your own attributes NOTE For best performance the attributes updated by the referential integrity plug in should also be indexed For information see Chapter 10 Managing Indexes 82 Sun ONE Directory Server Administration Guide June 2003 Maintaining Referential Integrity 6
95. in the Directory Server on page 409 3 Restart SNMP as described in Starting and Stopping the SNMP Subagent on page 410 On UNIX Platforms To set up SNMP support for your Directory Server on a UNIX machine other than AIX you must configure and start the master agent using the Administration Server Console If you are using the default port settings 161 for SNMP then Administration Server and Directory Server must be run as root user If you reconfigure the master agent to use ports higher than 1000 then it is not necessary to be root user By default the master agent uses port 161 which conflicts with the default port of the native SNMP agent on most platforms You must either disable the native SNMP agent before starting the master agent or plan to configure the master agent to use another port To disable the native SNMP agent refer to your platform documentation To configure and start the master agent follow the instructions in Configuring the Master Agent on UNIX Systems in Chapter 11 of the Sun ONE Server Console Server Management Guide On AIX Platforms On the AIX platform you do not need to set up the master agent Instead when the SNMP daemon is running on AIX it supports SMUX which replaces the master agent However you need to change the AIX SNMP daemon configuration If you are using the default port settings 199 for SMUX then Administration Server and Directory Server must be run as root user
96. in the directory If in addition you are using filtered roles the evaluation of this type of ACI uses a lot of resources on the server Example With LDAPURL Bind Type The following is an example of the userattr keyword associated with a bind based on an LDAP filter userattr myfilter LDAPURL The bind rule is evaluated to be true if the bind DN matches the filter specified in the myfilter attribute of the targeted entry The myfilter attribute can be replaced by any attribute that contains an LDAP filter Example With Any Attribute Value The following is an example of the userattr keyword associated with a bind based on any attribute value userattr favoriteDrink Beer The bind rule is evaluated to be true if the bind DN and the target DN include the favoriteDrink attribute with a value of Beer Chapter 6 Managing Access Control 203 Bind Rules Using the userattr Keyword With Inheritance When you use the userattr keyword to associate the entry used to bind with the target entry the ACI applies only to the target specified and not to the entries below it In some circumstances you might want to extend the application of the ACI several levels below the targeted entry This is possible by using the parent keyword and specifying the number of levels below the target that should inherit the ACI When you use the userattr keyword in association with the parent keyword the syntax is as follows userattr parent
97. in this column designates whether or not the attribute is multivalued A multivalued attribute may appear any number of times in an entry but a single valued attribute may only appear once Sun ONE Directory Server Administration Guide June 2003 Managing Attribute Definitions Table 9 2 Attribute Syntax Definitions Syntax Name Definition Binary formerly bin Boolean Country String DN formerly dn DirectoryString formerly cis GeneralizedTime 1A5String formerly ces Integer formerly int OctetString Postal Address TelephoneNumber formerly te1 URI Indicates that values for this attribute are treated as binary data Indicates that this attribute has one of only two values True or False Indicates that values for this attribute are limited to a two letter country code specified by ISO 3166 for example FR Indicates that values for this attribute are DNs distinguished names Indicates that values for this attribute may contain any UTF 8 encoded character and are not treated as case sensitive Indicates that values for this attribute are encoded as printable strings The time zone must be specified It is strongly recommended to use GMT Indicates that values for this attribute may contain only a subset of the ASCII characters and are treated as case sensitive Indicates that valid values for this attribute are numbers Same behavior as binary Indicates that values for this attribute ar
98. index entries are located in the same place we recommend using descriptive cn values to name your browsing indexes Each vlvSearch entry must have at least one vlvIndex entry The vivSort attribute is a list of attribute names that defines the attribute to sort on and the sorting order The dash in front of an attribute name indicates reverse ordering You may define more than one index for a search by defining several vlvIndex entries With the previous example you could add the following entry ldapmodify a h host p port D cn Directory Manager w password dn cn Sort sn givenname uid cn Browsing ou People cn databaseName cn ldbm database cn plugins cn config objectClass top objectClass vlvIndex cn Sort sn givenname uid vivSort sn givenname uid D Chapter 10 Managing Indexes 355 Managing Browsing Indexes Solaris Packages Other Installations To modify a browsing index configuration edit the corresponding vlvSearch or vivIndex entry To remove a browsing index so it is no longer maintained by the server remove individual v1vIndex entry or if there is only one remove both the vivSearch entry and the vlvIndex entry When you remove a vlvIndex entry you may also remove the corresponding database file for example ServerRoot slapd serverID db dbName dbName_vlv Sortsngivennameuid db3 Running the vivindex Command Once you have created the browsing index entries or modified existing ones you mu
99. ins without signatures will also be flagged This is the recommended option if you have custom unsigned plug ins Your plug ins will be loaded but you will still be able to view the status of all signed plug ins Sun ONE Directory Server Administration Guide June 2003 3 Verifying Plug In Signatures Reject plug ins with invalid signatures The server will verify the signature of all plug ins defined in the configuration and will only load plug ins with valid signatures The server will display a warning message on startup and in the error log that indicates which plug ins have an invalid signature or no signature This is the most secure option however you will not be able to load custom unsigned plug ins Click Save and then restart the directory server as described in Starting and Stopping the Directory Server on page 20 Viewing the Status of a Plug In 1 On the top level Configuration tab of the Directory Server console expand the Plugins node in the configuration tree and select the plug in you wish to verify The current configuration of the plug in is displayed in the right hand panel The Signature state field shows the signature verification status of the plug in with one of the following values O Unknown This signature state occurs in all plug ins when the server is configured to not verify plug in signatures The following states are visible only if you verify plug in signatures Va
100. ldap cn mail administrators dc example dc com and dns example com The trailing semicolon is a required delimiter that must appear after the final bind rule Boolean expressions are evaluated in the following order e Innermost to outermost parenthetical expressions first e All expressions from left to right e NOT before AND or OR operators 210 Sun ONE Directory Server Administration Guide June 2003 Creating ACIs From the Command Line The Boolean or and Boolean AND operators have no order of precedence Consider the following Boolean bind rules bindRule_A OR bindRule_B bindRule_B OR bindRule_A Because Boolean expressions are evaluated from left to right in the first case bind rule A is evaluated before bind rule B and in the second case bind rule B is evaluated before bind rule A However the Boolean nor is evaluated before the Boolean oR and Boolean AND Thus in the following example bindRule_A AND NOT bindRule_B bind rule B is evaluated before bind rule A despite the left to right rule Creating ACIs From the Command Line You can create access control instructions manually using LDIF statements and add them to your directory tree using the ldapmodify command Because ACI values can be very complex it is useful to view existing values and copy them to help create new ones Viewing aci Attribute Values ACIs are stored as one or more values of the aci attribute on an entry The
101. ldbm database cn plugins cn config changetype modify replace dsEncryptionAlgorithm dsEncryptionAlgorithm clearText where attributeName is the type name of the attribute to encrypt and databaseName is the symbolic name of the database corresponding to the suffix NOTE Do not delete the attribute encryption configuration entry It will be removed automatically the next time that the suffix is initialized If you have changed the configuration to encrypt one or more attributes and these attributes had values before the import operation some of those unencrypted values may still be visible in the database cache To clear the database cache a Stop the directory server as described in Starting and Stopping the Directory Server on page 20 b As root or having administrator privileges delete the database cache files from your file system ServerRoot slapd serverID db __db c Start the directory server again The server will automatically create new database cache files Performance of operations in this suffix may be slightly impacted until the cache is filled again Initialize the suffix with an LDIF file as described in Importing Data on page 132 If you exported your suffix in Step 1 use that file to ensure your suffix has the latest contents If you exported your suffix with encrypted attributes in Step 1 you must use that file to initialize now because the encrypted values will be unretrieva
102. mapping is successful then the default mapping is evaluated If all mappings fail to determine the bind DN for the DSML request the DSML request will be forbidden and rejected error 403 44 Sun ONE Directory Server Administration Guide June 2003 Chapter 2 Creating Directory Entries This chapter discusses how to use the Directory Server console and the ldapmodify and ldapdelete command line utilities to modify the contents of your directory including the basic types of structural entries user entries and referrals It also covers how attributes are stored with the optional attribute encryption feature new in Directory Server 5 2 During the planning phase of your directory deployment you should characterize the types of data that your directory will contain You should read Chapter 2 Designing and Accessing Directory Data in the Sun ONE Directory Server Deployment Guide before creating entries and modifying the default schema This chapter assumes some knowledge of LDAP schema and the object classes and attributes it defines For an introduction to the schema and the definition of all object classes and attributes provided in Directory Server refer to Part 4 Directory Server Schema in the Sun ONE Directory Server Reference Manual NOTE You cannot modify your directory unless the appropriate access control instructions ACIs have been defined For further information see Chapter 6 Managing Access Control
103. modification except for passwordPolicySubentry allow write userdn ldap self Chapter 7 User Account Management 259 Resetting User Passwords Resetting User Passwords The directory stores password values in the userPassword attribute of the user entry Depending on the access control settings for the server users may set the value of userPassword in accordance with the password policy you specify using standard tools such as ldapmodify for example In case permanent account lockout occurs account UnlockTime an operational attribute for the user is 0 and passwordUnlock is off in the password policy you can reset the password as Directory Manager to unlock the user account For example assume Example com directory user Barbara Jensen gets permanently locked out after forgetting and guessing her password ldapmodify h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com changetype modify replace userPassword userPassword ChAnGeMe If passwordMust Change is on in the password policy Barbara will have to change her password after the next bind Remember to tell her that you changed her password to ChAnGeMe preferably through a secure channel Inactivating and Activating Users and Roles 260 You can temporarily inactivate a single user account or a set of accounts Once inactivated a user cannot bind to the directory The authentication operation will fail
104. number of hops in your longest cascading chain Any operation that reaches the limit will be aborted because the servers will assume it is an accidental loop in your topology You must also set the chaining configuration to allow the loop detection control as described in Transmitting LDAP Controls for Cascading on page 130 On all other servers in a cascading chain edit the chaining configuration entry for the cascading suffix with the following command ldapmodify h host p port D cn Directory Manager w password dn cn databaseName cn chaining database cn plugins cn config changetype modify replace nsHopLimit nsHopLimit maximumHops AB where maximumHops has the same definition as in the previous step Chapter 3 Creating Your Directory Tree 129 Configuring Cascading Chaining 130 Transmitting LDAP Controls for Cascading By default a chained suffix does not transmit the Proxy Authorization control However when one chained suffix contacts another this control is needed to transmit the user identification required for access control on the remote server The intermediate chained suffixes must allow this control to chain Recently a second protocol was defined for the Proxy Authorization control Because different server versions may use either control you should configure all cascading servers to allow both the old and the new Proxy Authorization control to chain The Loop Detection control is a
105. object class 161 nsRoleDN attribute type 162 163 nsRoleFilter attribute type 162 nsRoleScopeDN attribute type 163 nsSimpleRoleDefinition object class 161 nsSystemIndex attribute type 347 O object classes changeLogEntry 312 cosClassicDefinition 176 cosIndirectDefinition 175 cosPointerDefinition 174 cosSuperDefinition 170 cosTemplate 165 dsIdentityMapping 377 managing on an entry using the console 59 nsComplexRoleDefinition 162 nsFilteredRoleDefinition 162 nsIndex 347 nsManagedRoleDefinition 161 nsNestedRoleDefinition 163 nsRoleDefinition 161 nsSimpleRoleDefinition 161 passwordPolicy 256 referral 75 see also schema P parent access 198 parent keyword 198 pass through authentication PTA 413 configuring the plug in 415 connection parameters 416 specifying failover servers 417 using SSL 416 pass through authentication PTA See PTA plug in password policies account lockout 250 Index 437 and replication 251 assigning to users 257 configuring the global password policy from the command line 253 configuring the global password policy using the console 252 creating an individual policy from the command line 256 creating an individual policy using the console 255 password length 250 protecting with ACIs 259 syntax checking 250 password policy replication considerations 270 passwordCheckSyntax attribute type 254 passwordLockout attribute type 254 passwordLockoutDuration attribute type 254 passwordMaxFailure attribut
106. one that does not require stopping the server and one that uses the minimum amount of disk space Chapter 8 Managing Replication 293 Initializing Replicas Binary Copy Without Stopping the Server The following procedure is recommended for performing a binary copy because it uses the normal backup functionality to create a copy of the server s database files Performing a normal backup ensures all database files are in a coherent state without requiring you to stop the server However this procedure has certain limitations that you should take into consideration The backup and restore operations create copies of the database files on the same machine thereby doubling the amount of disk space required by those files on each machine Additionally the actual copy operation on these files may take significant time if your directory contains gigabytes of data See Binary Copy Using Minimum Disk Space on page 294 if your disk space is limited or your database files are extremely large 1 Install Directory Server on the target machine for the new replica create a new instance of the server if necessary and then configure it according to the Binary Copy Restrictions on page 293 2 Create all replication agreements in your replication topology that involve this replica This includes agreements from suppliers to this replica and if it is not a dedicated consumer from this replica to its consumers 3 Select a fully configu
107. only when SSL is configured and enabled on the server However no attributes are encrypted by default Attribute encryption is configured at the suffix level This means that an attribute is encrypted for every entry in which it appears in a suffix If you want to encrypt an attribute in an entire directory you must enable encryption for that attribute in every suffix CAUTION Attribute encryption affects all data and index files associated with a suffix If you modify the encryption configuration of an existing suffix you must first export its contents make the configuration change and then re import the contents The console will help you perform these steps In addition when turning on encryption you must manually delete the database cache files that may still contain unencrypted values Preferably you should enable any encrypted attributes before loading or creating data in a new suffix If you choose to encrypt an attribute that some entries use as a naming attribute values that appear in the DN will not be encrypted but values stored in the entry will be encrypted You may select the userPassword attribute for encryption however this provides no real security benefit unless the password is stored in the clear as is the case for DIGEST MD5 SASL authentication If the password already has an encryption mechanism defined in the password policy further encryption provides little additional security but will impact performan
108. or if using SSL a certificate The credentials provided in the bind operation and the circumstances of the bind determine whether access to the directory is allowed or denied Every permission set in an ACI has a corresponding bind rule that details the required credentials and bind parameters 194 Sun ONE Directory Server Administration Guide June 2003 Bind Rules A simple bind rule might require that the person accessing the directory must belong to a specific group A complex bind rule can state that a person must belong to a specific group and must log in from a machine with a specific IP address between 8 am and 5 pm Bind rules define who can access the directory when and from where More specifically bind rules can specify e Users groups and roles that are granted access e Location from which an entity must bind e Time or day on which binding must occur e Type of authentication that must be in use during binding Additionally bind rules can be complex constructions that combine these criteria by using Boolean operators See Using Boolean Bind Rules on page 210 for more information The server evaluates the logical expressions used in ACIs according to a three valued logic similar to the one used to evaluate LDAP filters as described in RFC 2251 Lightweight Directory Access Protocol v3 In summary this means that if any component in the expression evaluates to Undefined for example if the evaluation of
109. ou people dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsComplexRoleDefinition objectclass nsFilteredRoleDefinition cn TempFilter nsRoleFilter amp objectclass person status contractor description filtered role for temporary employees dn cn PolTempl dc example dc com objectclass top objectclass nsContainer dn cn cn TempFilter ou people dc example dc com cn PolTempl dc example dc com objectclass top objectclass extensibleObject objectclass LDAPsubentry objectclass costemplate cosPriority 1 passwordPolicySubentry cn TempPolicy dc example dc com dn cn PolCoS dc example dc com objectclass top objectclass LDAPsubentry objectclass cosSuperDefinition objectclass cosClassicDefinition cosTemplateDN cn PolTempl dc example dc com cosSpecifier nsRole cosAttribute passwordPolicySubentry operational The users who have the status of contractor now become subject to the password policy cn TempPolicy dc example dc com Protecting the Individual Password Policy To prevent users from modifying which password policy applies to them you must also add an ACI such as the following to the root entry ldapmodify h host p port D cn Directory Manager w password dn dc example dc com changetype modify add aci aci targetattr passwordPolicySubentry version 3 0 acl Allow self
110. password description proxy entry to be used for chaining from hosti D Setting Default Chaining Parameters Chaining parameters determine how the server connects to a chained server and processes operations on that chained suffix These parameters are configured on each chained suffix Directory Server provides default values that are used every time a chained suffix is created You may edit these default values to specify the chaining parameters on all new chained suffixes Every new chained suffix created after you modify the default parameters will have the values you specify However once a suffix is created you may only modify the parameters as described in Managing Chained Suffixes on page 113 Sun ONE Directory Server Administration Guide June 2003 Creating Chained Suffixes The attributes and default values for the chaining parameters are described below Please refer to Chained Suffix Plug in Attributes in Chapter 5 of the Sun ONE Directory Server Reference Manual for a description of allowed values Client Return Parameters nsReferralOnScopedSearch When on by default clients searches with a scope entirely within the chained suffix will recieve a referral to the remote server This avoids transmitting the search results twice When set to off you should set the size and time limit parameters to avoid long searches on chained suffixes nsslapd sizelimit This parameter determines the number of entries
111. password dn uid bjensen ou People dc example dc com changetype modify delete mobile mobile 408 555 7845 add mobile mobile 408 555 5487 Sun ONE Directory Server Administration Guide June 2003 Managing Entries From the Command Line Renaming an Entry Using Idapmodify When you rename an entry you modify its relative distinguished name RDN which is the left most attribute value pair in the entry s DN This attribute is called the naming attribute and it must also exist with the same value among the entry s attributes When renaming an entry you cannot change any other part of the DN such that the entry moves to a different subtree To move an entry to a completely different branch you must create a new entry in the other subtree using the old entry s attributes and then delete the old entry Also you cannot rename an entry that has any children because the RDN of a parent is used in the DN of its children and all entries in a DN must exist To move an entire tree you must recreate it in the new location Use the changetype modrdn keywords to rename an entry with an LDIF statement The following example will rename the uid naming attribute for Barbara Morris ldapmodify h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com changetype modrdn newrdn uid bmorris deleteoldrdn 1 The newrdn line gives the new naming attribute using the at
112. promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright C 1987 1988 Student Information Processing Board of the Massachusetts Institute of Technology Permission to use copy modify and distribute this software and its documentation for any purpose and without fee is hereby granted provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation and that the names of M I T and the M LT S I P B not be used in advertising or publicity pertaining to distribution of the software without specific written prior permission M I T and the M LT S LP B make no representations about the su
113. referral to any entry on the same server or on a different server For example you may define the entry with the following DN uid bjensen ou People dc example dc com to be a smart referral which points to another entry on the server east example com cn Babs Jensen ou Sales o east dc example dc com The way the directory uses smart referrals conforms to the standard specified in section 4 1 11 of RFC 2251 http www ietf org rfc rfc2251 txt Creating Smart Referrals Using the Console 1 On the top level Directory tab of the Directory Server console expand the directory tree to display the entry that you wish to be the parent of the smart referral 2 Right click the parent entry select the New gt Referral menu item Alternatively you may left click the parent entry to select it and then choose the Object gt New gt Referral menu item The custom editor dialog for referral entries is displayed The custom editor for referrals is displayed 74 Sun ONE Directory Server Administration Guide June 2003 10 Setting Referrals On the General tab of the editor enter a name for the referral and select its naming attribute from the drop down list The name will be the value of the naming attribute you select Optionally you may enter a description string for this referral On the URLs tab of the editor click the Construct button to define the URL of the smart referral Enter the elements of an LDAP URL in dialog
114. replicated See Initializing Replicas below Initializing Replicas Once you have created a replication agreement you must initialize the consumer replica before replication will actually begin During initialization you physically copy data from the supplier replica to the consumer replica 284 Sun ONE Directory Server Administration Guide June 2003 Initializing Replicas Certain error conditions or configuration changes require you to reinitialize replicas When reinitializing the contents of the replicated suffix are deleted on the consumer and replaced with the contents of the suffix on the master This ensures that the replicas are in sync and replication updates may resume Also all of the initialization methods described here automatically rebuild the indexes of the consumer replica so that the consumer is ready to respond optimally to client read requests When to Initialize Replica initialization must be done after both replicas have been configured and before any replication can occur Once the data in the suffix has been entirely copied to the consumer the supplier can begin replaying update operations to the consumer Under normal operations the consumer should never have to be initialized again However if the data in a single master replica is restored from a backup for any reason then you should reinitialize all of the replicas that it updates With multi master replication consumers may not need to be rei
115. s s 1 s N 7 N I 1 1 1 ou People ou Groups ou People ou Groups XN x Pa S 1 s T a fe Ng aw A suffix may also be a branch of another in which case it is called a subsuffix The parent suffix does not include the contents of the subsuffix for administrative operations and the subsuffix is therefore managed independently of its parent However LDAP operation results contain no information about suffixes and directory clients are unaware of whether entries are part of root suffixes or subsuffixes The following figure shows a directory with a single root suffix and multiple subsuffixes for a large corporate entity Figure 3 2 One Root Suffix with Multiple Subsuffixes m a 2 dc example dc com s X AN N S ou Contractors ou Groups ou People l Europe s Ca ig i Pit TA ee Pa oe P N I ou People ou Groups 7 7 s a gt a A suffix corresponds to an individual database within the server However databases and their files are now managed internally by the server and database terminology has been dropped as of Sun ONE Directory Server 5 2 86 Sun ONE Directory Server Administration Guide June 2003 Creating Suffixes Chained suffixes create a virtual directory tree by referencing suffixes on other servers With chained suffixes Directory Server performs the operation on the remote suffix and returns the
116. sending updates to its consumer You must create a replication agreement for every consumer that you wish to be updated Create replication agreements in the following order 1 Between masters in a multi master set starting with the master containing the original copy of the suffix to replicate Chapter 8 Managing Replication 279 Creating Replication Agreements 280 2 Between masters and dedicated consumers not replicated through hubs 3 Between masters and hub replicas 4 Between hub replicas and their consumers For example in the multi master replication topology with 2 masters and 3 dedicated consumers shown in Figure 8 1 on page 267 you would create eight replication agreements in the following order e Between one master and the other e Between the other master and the first one e Between one master and each of the 3 dedicated consumers e Between the other master and each of the three dedicated consumers To create a replication agreement 1 On the top level Configuration tab of the Directory Server console expand both the Data node and the node for the supplier suffix and then select the Replication node below the suffix The replica status information is displayed in the right hand panel 2 Click the New button beside the list of defined replication agreements 3 Inthe Replication Agreement dialog select from the menu an existing server containing the consumer replica or click the Other button to defi
117. should be aware of the following repercussions You need to change the configuration or user directory port or secure port number configured for the Administration Server See Network Settings in Chapter 7 of the Sun ONE Server Console Server Management Guide If you have other Sun ONE Servers installed that point to the configuration or user directory you need to update those servers to point to the new port number Use the following procedure to modify the port or secure port on which the directory server listens for incoming LDAP requests To modify the ports for DSML requests see Configuring DSML on page 40 1 On the top level Configuration tab of the Directory Server console select the root node with the server name and then select the Network tab in the right hand panel The tab displays the server s current port settings for the LDAP protocol Enter the port number you want the server to use for non SSL communications in the Port field The default value is 389 If you have activated SSL on this server as described in Chapter 11 Implementing Security you may allow connections on a secure port a Select the option to use both secure and non secure ports b Enter the port number you want the server to use for SSL communications in the Secure Port field The default value is 636 The encrypted port number that you specify must not be the same port number as you are using for normal LDAP communicat
118. that appears The elements of the URL include the host name and LDAP port number of the directory server that holds the referral entry and the DN of the target entry on the server By default the target DN is the same DN as that of the smart referral entry However the target DN can be any suffix subtree or leaf entry Click OK in the LDAP URL construction dialog The URL is displayed in the new referral text box Click Add beside the new referral text box to add the referral to the list You may defined more than one URL to return as referrals for this entry Use the Construct Add Delete and Change buttons to create and manage the Referral List Click the Referral Authentication button to display a dialog where you may set the credentials that the Directory Server console will use to bind when follow the referral to the remote server You may define the bind DN and password that will be used when accessing a server All referrals to the same server will use the same credentials Use the Add Edit and Delete buttons to manage the list of servers and corresponding credentials Then click OK when you are done In the custom editor for referrals click OK to save your smart referral entry In the directory tree of the console you should see the target subtree or entry in place of the smart referral entry If you smart referral entry with a yellow warning icon the URL or the credentials were invalid Double click the entry click
119. that the server has a trusted certificate They use the SSL protocol to provide data encryption but cannot guarantee confidentiality nor protect against impersonation Configuring Server Authentication in Clients When a client establishes an SSL connection with a server it must trust the certificate presented by the server In order to do so the client must e Have a certificate database e Trust the Certificate Authority CA that issues the server certificate e Specify the SSL options of the LDAP client Netscape Communicator is a client application that uses SSL to communicate with web servers over the HTTP protocol You can use Communicator to manage the certificates that your LDAP client will also use Alternatively you may use the certutil command line tool to manage certificate databases Managing Client Certificates Through Communicator The following procedure describes how to use Netscape Communicator to manage a certificate database on the client machine Chapter 11 Implementing Security 379 Configuring LDAP Clients to Use Security 380 1 Upon startup Netscape Communicator will ensure that a certificate database exists or it will create one if needed The certificate database will be stored ina file along with other Communicator preferences for example home username netscape cert7 db on a UNIX system If you use this procedure find the certificate database created by Communicator and remember the path for
120. the Command Line 1 If the suffix on which you wish to configure attribute encryption contains any entries whatsoever you must first export the contents of that suffix to an LDIF file See Exporting Data on page 138 for more information If the suffix contains encrypted attributes you may leave them encrypted in the exported LDIF if you plan to reinitialize the suffix using this LDIF file in Step 5 To enable encryption for an attribute use the 1dapmodi fy command to add the following configuration entry ldapmodify a h host p port D cn Directory Manager p password dn cn attributeName cn encrypted attributes cn databaseName cn ldbm database cn plugins cn config objectclass top objectclass dsAttributeEncryption cn attributeName dsEncryptionAlgorithm cipherName where attributeName is the type name of the attribute to encrypt databaseName is the symbolic name of the database corresponding to the suffix and cipherName is one of the following o ckm_des_cbc DES block cipher o ckm_des3_cbc Triple DES block cipher o ckm_rc2_cbc RC2 block cipher o ckm_rc4 RC4 stream cipher To make an attribute no longer encrypted use the ldapmodify command to modify the following configuration entry Chapter 2 Creating Directory Entries 79 Encrypting Attribute Values ldapmodify h host p port D cn Directory Manager p password dn cn attributeName cn encrypted attributes cn databaseName cn
121. the Data node and any suffix node to display the parent suffix Right click on the parent suffix node and select New Chained Subsuffix from the pop up menu Alternatively you may select the parent suffix node and choose New Chained Subsuffix from the Object menu The New Chained Sub Suffix dialog is displayed Enter the DN of the entry on the remote server to which you want to chain The remote entry does not necessarily have to be the base entry of a remote suffix For a root suffix enter the full DN of the remote entry in the Suffix DN field You may enter any DN that is an entry in the remote directory tree That entry will be the base of the chained root suffix and everything below it will be available through the chained suffix For a subsuffix enter the subsuffix RDNs of the entry that will be chained That entry will be the base of the chained subsuffix The complete subsuffix name that appears below the text field must be an entry that exists in the remote server Enter the hostname of the remote server containing the suffix data including the domain if necessary Enter the port number for accessing the remote server and select the checkbox if this is the secure port When using a secure port the chaining operation will be encrypted over SSL For more information refer to Chaining Using SSL on page 112 The text at the bottom of the dialog will show the full URL of the remote server Enter the bind DN and pas
122. the LDIF file in the LDIF File field or click Browse to locate the file Browse is not enabled if you are running the console on a remote server When the Browse button is not enabled the file is stored by default in the following directory ServerRoot slapd serverID 1dif If you are running the console on a machine remote to the server two radio buttons are displayed beneath the LDIF file field Select To local machine to indicate that you are exporting to an LDIF file in the machine from which you run the console Select To server machine to indicate that you are exporting to an LDIF file located on the server s machine Chapter 4 Populating Directory Contents 139 Exporting Data 140 4 5 If you want to export the whole directory select the All suffixes radio button If you want to export only a subtree of the directory select the Subtree radio button and then enter the DN at the base of the subtree in the text box You can also click Browse to select a subtree Click OK to export the directory contents to the file Exporting a Single Suffix to LDIF Using the Console To export one suffix to LDIF from the Directory Server console while the server is running 1 On the top level Configuration tab of the Directory Server console expand the Data node to display the suffix you wish to export Right click the suffix node and select Export from the pop up menu Alternatively yo
123. the bottom of the tab and click the button beside Import from LDIF The Import LDIF dialog is displayed 2 Inthe LDIF File field of the Import LDIF dialog enter the full path to the LDIF file you want to import or click Browse to select the file in the local file system If you are accessing a directory on a remote machine the field name appears as LDIF file on console machine This label reminds you that you are browsing the local file system not that of the remote directory server machine 3 Set the following options as desired a Add Only The LDIF file may contain modify and delete instructions in addition to the default add instructions Select this checkbox if you want the console to perform only add instructions and ignore all others in the LDIF file b Continue on Error Select this checkbox if you want the console to continue with the import even if errors occur For example you might use this option if you are importing an LDIF file that contains some entries that already exist in the suffix The console notes errors such as existing entries in the rejects file while perfoming the import operation When this checkbox is not selected the import operation will stop after the first error it encounters All prior entries in the LDIF file will have been successfully imported and will remain in the directory Chapter 4 Populating Directory Contents 133 Importing Data Solaris Packages Othe
124. the login has sufficient access rights the configuration entries are viewed as normal entries and may be modified directly However you should always use the dialogs available through the Configuration Tab to change the configuration settings safely Several options are available through the View menu to change the layout and contents of the Directory Tab New layout options include viewing all entries in a single tree including leaf entries and also displaying attributes in the right hand pane The default is to view leaf entries on the right and not in the left hand tree The View gt Display options enable ACI counts role counts and inactivation state icons for all entries in the directory tree In the previous figure ACI counts and leaf entries are displayed in the left hand tree and attribute values for the selected entry are displayed in the right hand pane For more information see Directory Tree View Options on page 32 Sun ONE Directory Server Administration Guide June 2003 Using the Directory Server Console Status Tab The status tab displays server statistics and log messages The tree on the left lists all status items and when selected the contents of each is displayed in the right hand pane For example the following figure shows a table of log entries Figure 1 5 Status Tab of the Directory Server Console camus red iplanet com Sun ONE Directory Server example Console Edit View Object Help Sun
125. the roledn part of the ACI the server reads the value of the ou attribute stored in the targeted entry and substitutes this value in the subject to expand the macro In the example the roledn is expanded as follows Sun ONE Directory Server Administration Guide June 2003 Access Control and Replication roledn ldap cn DomainAdmins ou Sales dc HostedCompanyl dc example dc com The Directory Server then evaluates the ACI according to the normal ACI evaluation algorithm When the attribute named in the macro is multi valued each value is used in turn to expand the macro and the first one that provides a successful match is used Access Control and Replication ACIs are stored as attributes of entries therefore if an entry containing ACIs is part of a replicated suffix the ACIs are replicated like any other attribute ACIs are always evaluated on the Directory Server that services the incoming LDAP requests This means that when a consumer server receives an update request it will return a referral to the master server before evaluating whether the request can be serviced or not on the master Logging Access Control Information To obtain information on access control in the error logs you must set the appropriate log level To set the error log level from the console 1 On the top level Directory tab of the Directory Server console right click the cn config node and choose Edit With Generic Editor from the p
126. the suffix through the replication wizard c Optionally configure the advanced replica settings On all servers containing a hub replica if applicable a Create an empty suffix for the hub replica b Enable the hub replica on the suffix through the replication wizard c Optionally configure the advanced replica settings On all servers containing a master replica a Choose or create a suffix on one of the masters that will be the master replica b Enable the master replica on the suffix through the replication wizard c Optionally configure the advanced replica settings Configure the replication agreements on all supplier replicas in the following order a Between masters in a multi master set b Between masters and their dedicated consumers c Between masters and hub replicas Optionally you may configure fractional replication and initialize the consumer and hub replicas at this stage In the case of multi master replication initialize all masters from the same master replica containing the original copy of the data Configure replication agreements on all hub replicas supplied directly from a master These agreements are between the hub replicas and their consumers Optionally you may initialize the consumer replicas at this stage Repeat this step for every level of hubs in your cascading replication Sun ONE Directory Server Administration Guide June 2003 Choosing Replication Managers NOTE It is ve
127. they can update the employee directory This is illustrated in the ACI HR example ACI HR In LDIF to grant the HR group all rights on the employee branch of the directory you would use the following statement aci targetattr version 3 0 acl HR allow all userdn ldap cn HRgroup ou People dc example dc com This example assumes that the ACI is added to the ou People dc example dc com entry From the console you can set this permission by doing the following Chapter 6 Managing Access Control 225 Access Control Usage Examples 226 1 On the Directory tab right click the example com people entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type HR In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area to Users and Groups and type HRgroup in the Search for field This example assumes that you have created an HR group or role For more information on groups and roles see Chapter 5 Advanced Entry Management c Click the Add button to list the HR group in the list of users who are granted access permission d Click OK to dismiss th
128. to RFC 2307 http www ietf org rfc rfc2307 txt Before you configure or enable replication between a 5 2 and 5 1 server you must update the schema on the 5 1 server On both versions of the server the schema files are located in ServerRoot slapd serverID config schema 1 Copy the file 11r c2307 1dif from the 5 2 server to the 5 1 server e If you havea Solaris package installation of the 5 1 server you must also delete the outdated 10rfc2307 1dif file e Ifyou have a zip file installation of the 5 1 server on any other platform you will overwrite the existing 11rfc2307 1dif file 2 The following schema files are affected by this change and must also be copied from the 5 2 server to overwrite the existing files on the 5 1 server o 20subscriber ldif o 30ns common ldif o 50ns admin ldif o 50ns certificate ldif o 50ns directory ldif o 50ns legacy ldif o 50ns mail ldif o 50ns mlm 1dif o 50ns msg ldif o 50ns netshare ldif 3 Restart the 5 1 server then proceed with the configuration of replication and initialization of replicas There may be some schema attributes that are replicated between servers as they synchronize other schema elements but this is the normal behavior of the replication mechanism 4 You may need to update any applications which rely on the old version of the schema The new 11rfc2307 1dif file includes the following modifications o The automount and automount Information attributes were re
129. to bring the master up to date from the contents of the other masters If that is not possible you should only restore a multi master replica in one of the following ways Sun ONE Directory Server Administration Guide June 2003 Restoring Data from Backups e The simplest way is to not restore a backup but to reinitialize the intended master from one of the other masters This insures that the latest data is sent to the intended master and that the data will be ready for replication See Initializing a Replica Using the Console on page 289 or Initializing a Replica From the Command Line on page 290 e For replicas with millions of entries it can be faster to use the new binary copy feature to restore a more recent backup taken from one of the other masters See Initializing a Replica Using Binary Copy on page 293 e If you have a backup of your master that is not older than the maximum age of the change log contents on any of the other masters then it may be used to restore this master See Advanced Multi Master Configuration on page 277 for a description of change log age When the old backup is restored the other masters will use their change logs to update this master with all modifications that have been processed since the backup was saved Regardless of how you restore or reinitialize the master replica will remain in read only mode after the initialization This behavior allows the replica to synchro
130. to configure and then select the Replication node below the suffix In the right hand panel click the Advanced button to display the Advanced Replica Settings dialog On the Bind DN tab use the Add and Delete buttons to create a list of DNs that are valid replication managers A supplier can then use any one of these DNs in its agreement with this replica You can add a new DN by typing its name or browsing the directory To configure replication using certificates over SSL enter the DN of the certificate entry as one of the replication managers Click OK when you are done or select the Optional tab for more advanced configuration On the Optional tab of the Advanced Replica Settings dialog the list of LDAP URLs specifies additional referrals for modification requests sent to this hub Use the Add or Delete buttons to create a list of LDAP URLs The replication mechanism automatically configures hubs to return referrals for all known masters in the replication topology These default referrals assume that clients will use simple authentication over a regular connection If you want to give clients the option of binding to masters using SSL for a secure connection add referrals of the form ldaps servername port that use a secure port number If you have added one or more LDAP URLs as referrals selecting the checkbox below the list will force the server to send referrals exclusively for these LDAP URLs and not for the master repl
131. to reinitialize the suffix using this LDIF file in the next step You will now be prompted to initialize the suffix from an LDIF file Click Initialize suffix now to open the initialization dialog and then enter the name of an LDIF file to load into the directory If you exported your suffix with encrypted attributes in the previous step you must use that file to initialize now because the encrypted values will be unrecoverable once the suffix is reinitialized As it is loaded and the indexes are created all values of the specified attributes will be encrypted Click Close if you do not wish to initialize the suffix at this time You may import data at a later time using the procedures described in Importing Data on page 132 If you have changed the configuration to encrypt one or more attributes and these attributes had values before the import operation some of those unencrypted values may still be visible in the database cache To clear the database cache a Stop the directory server as described in Starting and Stopping the Directory Server on page 20 78 Sun ONE Directory Server Administration Guide June 2003 Encrypting Attribute Values b As root or having administrator privileges delete the database cache files from your file system ServerRoot slapd serverID db __db c Start the directory server again The server will automatically new database cache files Configuring Attribute Encryption From
132. to the remote server that is the target of a chained suffix 1 On the top level Directory tab of the Directory Server console expand the directory tree 2 Right click on the cn config entry and select New gt User item from the pop up menu Alternatively select the cn config entry and choose the New gt User item from the Object menu 3 Fill in the fields of the Create New User dialog with values to describe the proxy identity for example Chapter 3 Creating Your Directory Tree 101 Creating Chained Suffixes 102 First Name proxy Last Name host1 Common Name host1 chaining proxy User ID host1_proxy Password password Confirm Password password where host1 is the name of the server containing the chained suffix You should use a different proxy identity for each server that has a suffix chained to this server 4 Click OK to save this new proxy identity Creating a Proxy Identity From the Command Line This procedure uses host1 and host2 to refer to the local server containing the chained suffix and the remote server that is the target of a chained suffix respectively 1 Use the following command to create the proxy identity on hos 2 ldapmodify a h host2 p port2 D cn Directory Manager w password2 dn uid hostl1_proxy cn config objectclass top objectclass person objectclass organizationalPerson objectclass inetorgperson uid hostl_proxy cn hostl chaining proxy sn host1 userpassword
133. use by your client applications 2 Use Communicator to browse the website of the Certificate Authority that issued the certificate for the directory server you wish to access Communicator will automatically retrieve the Certificate Authority s certificate and ask you if it should be trusted For example if you are using an internally deployed Sun ONE Certificate Server you will go to a URL of the form https hostname 444 3 Trust the Certificate Authority s certificate when prompted to do so by Communicator You should trust the CA certificate for server authentication This step may not be possible depending on the CA s website If Communicator does not automatically prompt you to trust the CA certificate use the following procedure to do it manually Managing Client Certificates Through the Command Line Use the certutil tool to manage certificates through the command line This tool is available with the Sun ONE Directory Server Resource Kit For more information see Chapter 30 Security Tools in the Sun ONE Directory Server Resource Kit Tools Reference 1 On the client host machine create a certificate database with the following command certutil N d path P prefix The tool will prompt the user for a password to protect the certificates The tool will then create the following files path prefixcert7 db and path prefixkey3 db The certificate database should be created individually by the users of th
134. virtual operational attributes They are not stored in the directory and they will not be returned unless explicitly requested These attributes are generated by Directory Server in response to the Get Effective Rights control For this reason neither of these attributes may be used in filters or search operations of any kind The following example shows how a user may view her rights in the directory In the results a 1 means that permission is granted and a 0 means that permission is denied ldapsearch J aclRigh aclRigh an Ou MAS Be Or kek She 4 On ei 27D oe A h rousseau example com p 389 D uid cfuente ou People dc example dc com w password b dc example dc com objectclass aclRights ts en ts en dn dc example dc com dn ou Groups tryLevel tryLevel add 0 delete 0 read 1 write 0 proxy 0 dc example dc com add 0 delete 0 read 1 write 0 proxy 0 aclRigh aclRigh dn cn aclRigh aclRigh aclRigh Peopl ts en ts en HR Managers ou groups dc example dc com e ts en dn cn Accounting Managers ou groups dc example dc com dn uid bjensen ou People dc example dc com tryLevel tryLevel tryLevel dc example dc com add 0 delete 0 read 1 write 0 proxy 0 add 0 delete 0 read 1 write 0 proxy 0 add 0 delete 0 read 1 write 0 proxy 0 dn uid cfu ts entryLevel add 0 delete 0 read
135. which is not the same highly scalable database as regular entries As a result if many entries and particularly entries that are likely to be updated frequently are stored under cn config performance will probably suffer However it can be useful to store special user entries such as the Replication Manager supplier bind DN entry under cn config in order to centralize configuration information Modifying the Configuration Using the Console The recommended method for modifying the configuration is to use the top level Configuration tab of the Directory Server console The panels and dialogs of this tab provide task based controls to help you set up your configuration quickly and efficiently In addition the console interface manages the complexity and interdependence of the configuration for you 46 Sun ONE Directory Server Administration Guide June 2003 Configuration Entries The console interface to the configuration is described in the procedures of this document that are titled Using the Console These procedures explain how to use the panels and dialogs of the Configuration tab to achieve the specific management task The interface itself makes it clear how to save your configuration and when you need to restart the server for your changes to take effect Modifying the Configuration From the Command Line Because the cn config subtree is accessible through LDAP the ldapsearch ldapmodify and ldapdelete commands ca
136. will only allow you to enter values that have the correct syntax for the setting By default the label of the setting and the value that you type will be highlighted in red until its syntax is correct The Save button will be disabled until all settings have valid syntax You may choose italic font for highlighting incorrect values as described in Visual Configuration Preferences on page 32 Chapter 1 Introduction to Sun ONE Directory Server 27 Using the Directory Server Console 28 Directory Tab The Directory Tab of the console displays the directory entries as a tree for easy navigation In this tab all entries and the attributes they contain can be browsed displayed and edited Figure 1 4 Directory Tab of the Directory Server Console camus red iplanet com Sun ONE Directory Server example Sun ONE Directory Server camus red iplanet com 389 Version 5 2 Babs Jensen Q 3 de example de com 6 acis 408 555 4000 gy Groups Barbara Q E3 People 5 acis bjensen example com ibi op E3 Special Users person s Directory Administrators organizationalPerson Gj o NetscapeRoot 3 acis inetorgperson cn schema 5 acis Jensen 408 555 3922 3 cn monitor 5 acis bjensen a cn config 4 acis SSHAWAwevyy Fv 60D gquRavvv0o5g2NR uid hjensen ou P eople dc example dc com If the bind DN given during
137. with an attribute value stored in the targeted entry For more details see Defining Access Based on Value Matching on page 201 e By using the target filter keyword With the target filter keyword you may specify an attribute value that appears only in the desired entry For example during the installation of the directory server the following ACT is created aci targetattr targetfilter o NetscapeRoot version 3 0 acl Default anonymous access allow read search userdn ldap anyone This ACI can apply only to the o Net scapeRoot entry because that is the only entry with an attribute o having the value Net scapeRoot The risk associated with these methods is that your directory tree might change in the future and you would have to remember to modify this ACI Defining Permissions Permissions specify the type of access you are allowing or denying You can either allow or deny permission to perform specific operations in the directory The various operations that can be assigned are known as rights There are two parts to setting permissions e Allowing or denying access e Assigning rights Allowing or Denying Access You can either explicitly allow or deny access permissions to your directory tree For more guidelines on when to allow and when to deny access refer to Designing Access Control in Chapter 7 of the Sun ONE Directory Server Deployment Guide Chapter 6 Managing Access Contro
138. with the given baseObjectClass For example if you have user entries in many branches such as ou Employees and ou Contractors specify markerObjectClass organizationalUnit Because the scope of branches under the marker object classes may be quite large you may further restrict the enforcement of attribute uniqueness to certain entries according on their object class Click on Add to add a third plug in argument and set it to the following value Argument 3 requiredOb jectClass entryObjectClass Within the subtree of entries with the baseObjectClass the plug in will enforce uniqueness only in operations that target entries with the entryObjectClass For example if you have traditional user entries specify requiredObjectClass inetorgperson Click Save when you are done editing the uid uniqueness plug in You will be reminded that you must restart the server for the changes to take effect Restart the server to begin enforcing unique values for the uid attribute Configuring the Plug In From the Command Line The following procedure describes how to enable and configure the uid uniqueness plug in using the ldapmodify command The DN of the plug in configuration entry is cn uid uniqueness cn plugins cn config 1 Enable or disable the plug in by setting the nsslapd pluginEnabled attribute to on or off respectively Chapter 15 Using the UID Uniqueness Plug In 421 Enforcing Uniqueness of the uid Attribute 422 l
139. 1G had als ka Gaal to alt 181 ACV Evaluation 2 4 4 226 8244824 Sed beet tau ee ned a ete ede aed tae 181 ACEI i tations asee s Avene esa aed oe is i Me te ose Gea ON ae ees A aE 182 Default ACIS scene Ses ee AREA RS GS ee A es 2a 183 ACT Syntax 8 ivi Sho het Sadia de peek iec wh it she Sk a E BN tid che add Seba eed ee Be 184 Defining Targets 223ctiigguliegt okt bobbed eet hie hacia A a O td lal helt 185 Defining Permissions i 0 4 sae rsd 225 ni del seis ads nde ie a eee ea Ae LIS ean Th 191 Bind Rules ss lt lt 92 pgeetcirite Mad ested dene Be OS Sa RAG Peat Bae San Bah ite Pe ees ooh ees 194 Bind RuleSyntax oasis eas he hb Sea pe ods Glee See Hebe Peg Thi ee edt eal ok 195 Defining User Access userdn Keyword 666 cece teen nnn es 197 Defining Group Access groupdn Keyword 006 cece cence eee eee 199 Defining Role Access roledn Keyword 1 0 0 0 c ccc eee nnn 200 Defining Access Based on Value Matching 0 cece cece 201 Defining Access From a Specific IP Address 0 0 2 0 cece eens 206 Defining Access from a Specific Domain 66 207 Defining Access at a Specific Time of Day or Day of Week 2 00 c cece ence eee eee 208 Defining Access Based on Authentication Method 0 000 cece cece eens 209 Using Boolean Bind Rules 4 i205 2 chp ii ois es net dds eee ads Re E E wade 210 Creating ACIs From the Command Line 6 6 e cece cee rererere nnn 211 Viewing aci
140. 1ldif usr sbin directoryserver start ServerRoot slapd serverID stop slapd ServerRoot slapd serverID db21dif r s dc example dc com a ServerRoot slapd serverID 1dif example_master 1ldif ServerRoot slapd serverID start slapd You can then filter the LDIF file if necessary and transfer it to the consumer hosts to initialize the consumer replicas Filtering an LDIF File for Fractional Replication If you have configured fractional replication you should filter out any unused attributes before copying the exported LDIF file to the consumer servers Directory Server provides the fildif tool for this purpose This tool filters the given LDIF file to keep only the attributes allowed by the attribute set defined in your replication agreement This tool will read the server s configuration to determine the attribute set definition In order to read the configuration file the fildif tool must be run as root For example the following command filters the file exported from the dc example dc com suffix in the previous example CAMUS var Sun mps slapd camus var Sun mps shared bin fildif i S CAMUS ldif example_master 1ldif o SCAMUS ldif filtered 1ldif c SCAMUS config dse ldif b cn rousseau example com 389 cn replica cn dc example dc com cn mapping tree cn config The i and o options are the input and output files respectively The c option is the configuration file that contains the replication
141. 201 using macro ACIs 240 value based 190 wildcard in target 187 wildcards 199 ACI attribute overview 180 ACI placement 181 ACIs chained suffixes 111 protecting password policies 259 with retro change log 315 ACL See ACI add right 192 Administration Server master agents and 406 agents master agent Unix 406 Windows 406 subagent configuring 409 enabling 410 starting and stopping on Unix 410 all keyword 198 allowing access 191 anonymous access 209 example 218 overview 197 anyone keyword 197 approximate index see indexing attribute ACI 180 181 targeting 187 attribute types 432 Sun ONE Directory Server Administration Guide June 2003 cosAttribute 171 cosIndirectSpecifier 175 cosPriority 173 cosSpecifier 176 cosTemplateDN 176 ds5BeginReplicaAcceptUpdates 288 ds5ReferralDelayAfterInit 288 ds5ReplicaTransportCompressionLevel 299 dsMappedDN 377 dsMatching pattern 377 dsMatching regexp 377 dsSearchBaseDN 377 dsSearchFilter 377 dsSearchScope 377 nsIndexType 348 nsMatchingRule 348 nsRole 155 nsRoleDN 162 163 nsRoleFilter 162 nsRoleScopeDN 163 nsSystemIndex 347 passwordCheckSyntax 254 passwordLockout 254 passwordLockoutDuration 254 passwordMaxFailure 254 passwordMinLength 254 passwordMustChange 260 passwordUnlock 254 ref 75 see also schema attribute uniqueness see UID uniqueness plug in attributes adding a binary value from the command line 69 adding to an entry using the console 57 removing a value using the c
142. 27 class of service CoS templates cannot be chained 166 creating chained suffixes from the command line 108 creating chained suffixes using the console 105 deleting a chained suffix 126 LDAP controls 114 managing chained suffixes 113 monitoring chained suffix usage 403 overview 101 proxy authorization for cascading 130 server components 115 setting the chaining policy for controls and components 117 SSL configuration 112 temporarily disabling chained suffixes 118 change log 305 changeLogEntry object class 312 ciphers 368 class of service see CoS classic CoS see CoS collation order see indexing with matching rule command line utilities ldapmodify 66 start slapd 21 Index 433 stop slapd 21 commas in DNs 63 ACI targets and 186 235 compare right 192 compatibility ACIs 248 connections monitoring 400 console see Directory Server console consumer replica configuration 271 CoS 163 classic CoS 165 creating all types of CoS using the console 168 classic CoS from the command line 176 indirect CoS from the command line 175 pointer and classic CoS template entries using the console 167 pointer CoS from the command line 174 template entries from the command line 174 deleting a CoS definition 169 editing a CoS definition 169 generating operational attributes 171 indirect CoS 164 limitations 165 multi valued attributes merge schemes 172 overriding real attribute values 171 pointer CoS 164 priority among templates 173 role
143. 5nIEN1lcnRpZml1jYXR1IAQUA5SX1AT JAJBgUrDgMCGQUAOF OWGAYJKoZI A2WjJABgkqhkiG9wO0BCQOxFgQU7 7mUWWIWttkH8 9eLwTr fOtz tBswDQYJUKoZI hvcNAQEBBOAEGYAzZwvgwotOdKNkXWx1P pUNpHesL6U0cvxXcm3 7mEQyikRvLs hy3X0JutFhEXaCfU4UX7 6A3Zzedr21yOYEGkKiPCu3g8 jnkFEG ux0ZMeOPiulF f 9PUfqpnz 6phaql 9eBZxZ MBFLxt1zZJHG42Ext un4ZzQIg For more information about plug in signatures see Verifying Plug In Signatures on page 38 If you do not verify plug in signatures you do not need these attributes The configuration will show that your new plug in instance is not signed but the plug in will still function normally The rest of the command specifies the plug in arguments that depend on how you wish to determine the subtrees where uniqueness is enforced To define one or more subtrees according to their base DN the first argument must be the name of attribute that should have unique values and the subsequent arguments are the full DNs of the base entries of the subtrees nsslapd pluginarg0 attribute_name nsslapd pluginargl1 subtreeBaseDN nsslapd pluginarg2 subtreeBaseDN D To define subtrees according to the objectclass of their base entries the first argument must contain att ribute attribute_name to specify the name of the attribute that should have unique values The second argument must be the baseObjectClass that determines the base entry of subtrees where uniqueness is enforced Optionally you may specif
144. 7 Restoring Your Server from the Command Line 6 60 c cece eee eens 147 Restoring the dse ldif Configuration File 6 ccc cece teen ees 148 Advanced Entry Management 00 cece eee eee eens 151 Managing Groups srn sere dani se Sheetal be Lia aa eee hae ae Ae aye HESS Poe Ys 152 6 Assigning Roles asenn einai ial Ba sled alla Sat Rants Guin E pete WEP A A loa ES ahah a pete Sami 154 Aout Roles ii dest vesieet punts gaat oo nds eee ar dee etal Akane as t Weleaats 155 Assigning Roles Using the Console 0 6 e cece nt eet eens 156 Managing Roles From the Command Line 006 c cece eee ete eee ees 161 Defining Class of Service CoS i eak pede deck T deed Aa E S Coa eh E eae es 163 About CoS o 24 kein or cle kontean 8 RaeE Ga aa woe edie oe nae esata Bates Bee eons coke 164 CoS Limitations sosse euere ese eal ce ata ee a behead hawt eed ied deeegdeeaewi ogee de 165 Managing CoS Using the Console 1 2 Misdan inbes rendes Tiani enhi Vanaisa gni is 166 Managing CoS From the Command Line 0 ccc ene eee eee eee 169 Creating Role Based Attributes 0 ccc cee ete nneees 177 Managing Access Control 0c cece eee eee eee eee eens 179 Access Control Principles 3 ici sec ete vided as hai detainee i EEE gay el iad eeu dale aah 180 ACT StH Chun lt a Bice Bee ot ene FGA ad Cg eG eens tet Nad A Roe ea naa Dak Sena 180 ACD Placement 3 sien a ee ee ei ee nad e ae a haan wate es
145. 97 Read only replicas of a suffix also return referrals to the master server when a client requests a write operation e You can create entries that are known as smart referrals When a client specifically access a smart referral the server will instead return the referral it defines The Directory Server console automatically follows smart referrals so they appear to be local entries on the top level Directory tab In all cases a referral is an LDAP URL that contains the hostname port number and optionally a DN on another server For more information see Appendix D LDAP URLs in the Sun ONE Directory Server Reference Manual For conceptual information on how you can use referrals in your directory deployment see the Sun ONE Directory Server Deployment Guide The following sections describe the procedures for defining your directory s default referrals and defining smart referrals Setting the Default Referrals Default referrals are returned to client applications that submit operations on a DN not contained within any of the suffixes maintained by your directory Default referrals are sometimes called global referrals because they apply to all suffixes in the directory The server will return all referrals that are defined but the order in which they are returned is not defined Setting a Default Referral Using the Console 1 On the top level Configuration tab of the Directory Server console select the server node at the r
146. APsubentry objectclass cosSuperDefinition objectclass cosIndirectDefinition cosIndirectSpecifier attributeName cosAttribute attributeName override merge Classic CoS objectclass top bbjectclass LDAPsubentry objectclass cosSuperDefinition objectclass cosClassicDefinition cosTemplateDN DN cosSpecifier attributeName cosAttribute attributeName override merge In all cases cosAttribute is multi valued with each value defining an attribute that will be generated by the CoS mechanism You can use the following attributes in your CoS definition entries for more information about these attributes refer to the Sun ONE Directory Server Reference Manual Sun ONE Directory Server Administration Guide June 2003 Defining Class of Service CoS Table 5 3 CoS Definition Entry Attributes Attribute Purpose Within the CoS Definition Entry cosAttribute attributeName override merge cosIndirectSpecifier attributeName cosSpecifier attributeName cosTemplateDN DN Defines the name of the virtual attribute for which you want to generate a value This attribute is multivalued each value giving the name of an attribute whose value will be generated from the template The override and merge qualifiers specify how the CoS attribute value is computed in special cases described below this table The attributeName may not contain any subtypes Attribute names with subtypes will be ignored but other values of cosAttrib
147. Administration Guide Sun ONE Directory Server Version 5 2 816 6698 10 June 2003 Copyright 2003 Sun Microsystems Inc 4150 Network Circle Santa Clara California 95054 U S A All rights reserved U S Government Rights Commercial software Government users are subject to the Sun Microsystems Inc standard license agreement and applicable provisions of the FAR and its supplements This distribution may include materials developed by third parties Parts of the product may be derived from Berkeley BSD systems licensed from the University of California UNIX is a registered trademark in the U S and in other countries exclusively licensed through X Open Company Ltd Sun Sun Microsystems the Sun logo Java Solaris SunTone Sun tm ONE The Network is the Computer the SunTone Certified logo and the Sun tm ONE logo are trademarks or registered trademarks of Sun Microsystems Inc in the U S and other countries All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International Inc in the U S and other countries Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems Inc Mozilla Netscape and Netscape Navigator are trademarks or registered trademarks of Netscape Communications Corporation in the United States and other countries Products covered by and information contained in this service manual are controlled by U S Export Control laws and m
148. Attribute Values essnee 0d 504 RG Sa ek La Ree Tees Eas ek ee 211 Creating ACIs Using the Console 6 6 enn enn nnn nees 212 Viewing the ACISOf an Entry in 3 ih ooh Ad bey tdi Dei ee eee ee de hae Deak ES 213 Creating a New ACI 20 05 suenss oie op Gah ca sad natadahe ai Gn sae eee Ae Me ean Ys 215 Editing am ACL tsi siod ce hi eet lta heaves Geet ReAG Pawns ea tee E eau WY sae E Boi 216 Deleting an AGIs serp ica eee A ees pods Cte Getta eels Ven Cee wee Sar emit 217 Access Control Usage Examples 0 treeneri kni enn a apiet aii 217 Defining Permissions for DNs That Contain a Comma 06066 e eee eee 235 Proxy Authorization ACI Example 0006 c ccc een eens 235 Viewing Effective Rights rera ts nics lath ak wed TE fecha Peg ails ware esas RD ok 236 Sun ONE Directory Server Administration Guide June 2003 Using the Get Effective Rights Control 2200 06 ccc cent ete nren 237 Advanced Access Control Using Macro ACIs 6 66 c cece rererere rero 240 Macro AClL Example mera endinn iy Goliad Aste Ge esi See eee sed Peds eS 241 Macto ACT Syntax oreinen test idl ined tad hte ee te oes aa ae dele ied Sad A Ok 244 Access Control and Replication sssr 0c ee Bada 25 EERE eR da A watery fan Gee Eia ss 247 Logging Access Control Information 000 c cee eet nenen 247 Compatibility with Earlier Releases 0 6 6 0 0 arera rererere rererere 248 User Account Management 2000 e eee
149. CI only ACI Company333 In LDIF to grant Company333 full access to their own branch of the directory under the conditions stated above you would write the following statement aci target ou Company333 ou corporate clients dc example dc com targetattr version 3 0 acl Company333 allow all roledn ldap cn DirectoryAdmin ou Company333 ou corporate clients dc example dc com and authmethod ss1 and dayofweek Mon Tues Wed Thu and timeofday gt 0800 and timeofday lt 1800 and ip 255 255 123 234 This example assumes that the ACI is added to the ou Company333 ou corporate clients dc example dc com entry From the console you can set this permission by doing the following 1 On the Directory tab right click the Company333 entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Company333 In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed Chapter 6 Managing Access Control 229 Access Control Usage Examples 230 b Set the Search area to Users and Groups and type DirectoryAdmin in the Search For field This example assumes that you have
150. DIF file If you are initializing a fractional replica then you should filter the file to keep only the replicated attributes Then you transfer that file to all of the consumer servers and import it In a multi master replication deployment you can use the LDIF file exported from the original master to initialize both the other masters and any consumers In a cascading replication environment you can use the same file to initialize both the hub replicas and their consumers In all cases you must start with an LDIF file that has been exported from a configured master replica You cannot use an arbitrary LDIF to initialize all replicas because it does not contain replication data You must first import your LDIF file into a master replica and then export it with the following procedure 290 Sun ONE Directory Server Administration Guide June 2003 Solaris Packages Other Installations Initializing Replicas Exporting a Replica to LDIF You can store the replica contents in an LDIF file by using the db21dif r or db21dif pl r commands For more information see Exporting to LDIF From the Command Line on page 141 You must use the r option to export a replica with these commands The following example will export the entire dc example dc com replica to a file called example_master 1dif usr sbin directoryserver stop usr sbin directoryserver db2ldif r s dc example dc com a var ds5 slapd serverID 1dif example_master
151. Directory Server Administration Guide June 2003 Configuring a Hub 7 Click OK to save the advanced replication configuration for this replica Configuring a Hub Hub replicas act as both consumers and masters to further distribute replicated data to a larger number of consumers They must both receive replication updates from their suppliers and send replication updates to their consumers Hub replicas do not accept modifications but instead return referrals to the masters Configuring a hub server consists of preparing an empty suffix to hold the replica and enabling replication on that suffix using the replication wizard Optional advanced configuration includes choosing a different replication manager setting referrals setting the purge delay and setting the change log parameters The following sections give the steps for configuring one hub server Repeat all procedures on each server that will contain a hub replica of a given suffix Creating the Suffix for the Hub Replica If it does not already exist create an empty suffix on the hub server with the same DN as the intended master replica For instructions refer to Creating Suffixes on page 87 If the suffix exists and is not empty its contents will be lost when the replica is initialized from the master Enabling a Hub Replica The replication wizard simplifies the task of enabling a hub replica 1 On the top level Configuration tab of the Directory Server con
152. Directory Server Reference Manual NOTE You should always use the attribute s primary name not the attribute s alias when creating indexes The primary name of the attribute is the first name listed for the attribute in the schema for example uid for the userid attribute See Table 10 3 on page 343 for a list of all primary and alias attribute names Modifying an Index Configuration Entry To configure the indexes that have already been defined on an attribute modify the corresponding index entry For example the following command on the previously defined sn index configuration will remove the sounds like index and change the language to Canadian French ldapmodify h host p port D cn Directory Manager w password dn cn sn cn index cn databaseName cn ldbm database cn plugins cn config changetype modify delete nsIndexType nsIndexType approx replace nsMatchingRule nsMatchingRule 1 3 6 1 4 1 42 2 27 9 4 78 1 sD 348 Sun ONE Directory Server Administration Guide June 2003 Solaris Packages Managing Indexes Running the db2index pl Script Once you have created an indexing entry added additional index types to an existing indexing entry or modified its collation order run the db2index p1 script directoryserver db2index task in the Solaris Packages to generate the new indexes This script reads the contents of the suffix and reindexes the given attribute according to its configurati
153. ED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright c 1995 1996 The President and Fellows of Harvard University All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY HARVARD AND ITS CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL HARVARD OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INC
154. However if you have exceptionally large or small directory entries or if you have very high modification rates to replicate you may want to modify these parameters to test their effect on replication performance over a WAN These two network parameters are configurable in every replication agreement This allows you to tailor the replication performance according to the specific network conditions of each consumer You do not need to interrupt replication to modify the window and group size parameters 1 Select the Configuration tab on the Directory Server console and expand both the Data node and the node for the replicated suffix 2 Select the Replication node below the suffix and in the right pane select the replication agreement you want to configure and click Edit 3 Select the Network tab of the Replication Agreement dialog and enter new values for the window size in the range 1 to 1000 and for the group size in the range 1 to 100 The group size must be less than or equal to the window size 4 Click OK to save the new values and close the Replication Agreement dialog The new parameter values take effect immediately with the next replication updates sent to the corresponding consumer Scheduling Replication Activity If immediate synchronization between your replicas is not critical one way to replicate data over a WAN is to schedule updates during periods of low network usage Updates may perform significantly fas
155. If you reconfigure the master agent to use ports higher than 1000 then it is not necessary to be root user 408 Sun ONE Directory Server Administration Guide June 2003 Configuring SNMP in the Directory Server AIX uses several configuration files to filter its communications One of them snmpd conf needs to be changed so that the SNMP daemon accepts the incoming messages from the SMUX subagent For more information see the online manual page for snmpd conf You need to add a line to define each subagent For example you might add this line to the snmpd conf smux 1 3 6 1 4 1 1 1450 7 JP_address net_mask where IP_address is the IP address of the host the subagent is running on and net_mask is the network mask of the host NOTE Do not use the loopback address 127 0 0 1 Always use the real IP address of the host If you need more information see your AIX platform documentation On Windows Platforms It is important to note that the master agent on Windows is the SNMP Service and not the SNMP agent as is the case on other platforms Using information stored in the Windows registry the SNMP Service invokes a DLL to access monitoring information in the directory server To set up SNMP support for Directory Server on a Windows machine you must first install and configure the SNMP service through the Windows control panel Refer to your Windows operating system documentation for instructions Configuring SNMP in the Di
156. LDAP and 636 with LDAPS You may also set the optional connection parameters described in the following sections If the PTAsubtree exists in the PTAhost the plug in will not pass the bind request to the authenticatingHost and the bind will be processed locally without any pass through 2 Restart the server as described in Starting and Stopping the Directory Server on page 20 Chapter 14 Using the Pass Through Authentication Plug In 415 Configuring the PTA Plug In 416 Configuring PTA to Use a Secure Connection Because the PTA plug in must send bind credentials including the password to the authenticating directory we recommend using a secure connection To configure the PTA directory to communicate with the authenticating directory over SSL e Configure and enable SSL in both the PTA and authenticating directories as described in Chapter 11 Implementing Security e Create or modify the PTA plug in configuration to use LDAPS and the secure port in the LDAP URL for example ldaps configdir example com 636 o Net scapeRoot Setting the Optional Connection Parameters The PTA plug in arguments accept a set of optional connection parameters after the LDAP URL ldap s host port subtree maxconns maxops timeout Idapver connlife The parameters must be given in the order shown Although these parameters are optional if you specify one of them you must specify them all If you do not wish to customize a
157. LUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright c 2001 Carnegie Mellon University All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The name Carnegie Mellon University must not be used to endorse or promote products derived from this software without prior written permission For permission or any other legal details please contact Office of Technology Transfer Carnegie Mellon University 5000 Forbes Avenue Pittsburgh PA 15213 3890 412 268 4387 fax 412 268 7395 tech transfer andrew cmu edu 4 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by Computing Services at Carnegie Mellon University http www
158. N For example disgruntled employee Joe cn Joe ou eng dc example dc com might want to create an entry in the Human Resources branch of the tree to use or misuse the privileges granted to Human Resources employees He could do this by creating the following entry dn cn Trojan Horse ou Human Resources dc example dc com objectclass top cn Trojan Horse manager cn Joe ou eng dc example dc com To avoid this type of security threat the ACI evaluation process does not grant add permission at level 0 that is to the entry itself You can however use the parent keyword to grant add rights below existing entries You must specify the number of levels below the parent for add rights For example the following ACI allows child entries to be added to any entry in the dc example dc com that has a manager attribute that matches the bind DN aci target ldap dc example dc com targetattr version 3 0 acl parent access allow add userattr parent 0 1 manager USERDN This ACI ensures that add permission is granted only to users whose bind DN matches the manager attribute of the parent entry Defining Access From a Specific IP Address Using bind rules you can indicate that the bind operation must originate from a specific IP address This is often used to force all directory updates to occur from a given machine or network domain The LDIF syntax for setting a bind rule based on an I
159. N value in this step because it also contains the nsuniqueid operational attribute which cannot be deleted 2 Remove the old RDN value of the naming attribute and the conflict marker attribute For example ldapmodify h host p port D cn Directory Manager w password dn uid NewValue dc example dc com changetype modify delete uid uid bjensen delete nsds5ReplConflict sD Sun ONE Directory Server Administration Guide June 2003 Solving Common Replication Conflicts Renaming an Entry with a Single Valued Naming Attribute When the naming attribute is single valued for example dc domain component you cannot simply rename the entry to another value of the same attribute Instead you must give it a temporary name 1 Rename the entry using a different naming attribute and keep the old RDN For example ldapmodify h host p port D cn Directory Manager w password dn nsuniqueid 66446001 1dd211b2 dc HR dc example dc com changetype modrdn newrdn o TempName deleteoldrdn 0 AD You cannot delete the old RDN value in this step because it also contains the nsuniqueid operational attribute which cannot be deleted Change the desired naming attribute to a unique value and remove the conflict marker attribute For example ldapmodify h host p port D cn Directory Manager w password dn o TempName dc example dc com changetype modify replace dc dc uniqueValue delete nsds5Rep
160. OST p SUP_PORT D SUP_MGRDN w SUP_MGRPW f tmp ldif s If you want the update operation to occur over an SSL connection you must modify the ldapmodify command in the script with the appropriate parameters and values For more information see Configuring LDAP Clients to Use Security on page 379 Replication With Earlier Releases This section provides information on how to configure replication with earlier releases of Sun ONE Directory Server Sun ONE Directory Server 5 1 and 5 2 are fully compatible with regards to any replication configuration with the following exceptions e Fractional replication is not possible and must not be configured between Directory Server 5 2 masters and 5 1 consumer replicas 308 Sun ONE Directory Server Administration Guide June 2003 Replication With Earlier Releases e Before configuring an agreement between a 5 2 master and a 5 1 consumer you must set nsslapd schema repl useronly to on in cn config Otherwise the schema in 5 2 will create conflicts when replicated to 5 1 With this setting only user defined schema elements those stored in the file 99user 1dif will be replicated See Replicating Schema Definitions on page 335 e In Directory Server 5 2 the schema file 11rfc2307 1dif has been altered to conform to RFC 2307 You must update the corresponding file on your 5 1 server as described in Updating Directory Server 5 1 Schema on page 311 e A5 2 m
161. P address is as follows ip IPaddressList or ip IPaddressList The PaddressList is a list of one or more comma separated elements from among any of the following e A specific IPv4 address 123 45 6 7 e AnIPv4 address with wildcards to specify a subnetwork 12 3 45 206 Sun ONE Directory Server Administration Guide June 2003 Bind Rules e An IPv4 address or subnetwork with subnetwork mask 123 4526 AF255299 255 115 e An IPv6 address in any of its legal forms as defined by RFC 2373 http www ietf org rfc rfc2373 txt The following addresses are equivalent o 6 12AB 0000 0000 CD30 0000 0000 0000 0000 o 12AB CD30 0 0 0 0 o 12AB 0 0 CD30 e AnIPv6 address with a subnet prefix length 12AB CD30 0 0 0 0 60 The bind rule is evaluated to be true if the client accessing the directory is located at the named IP address This can be useful for allowing certain kinds of directory access only from a specific subnet or machine From the Server Console you can define specific machines to which the ACI applies through the Access Control Editor For more information see Creating ACIs Using the Console on page 212 Defining Access from a Specific Domain A bind rule can specify that the bind operation must originate from a particular domain or host machine This is often used to force all directory updates to occur from a given machine or network domain The LDIF syntax for setting a bind rule based on the DNS
162. PluginsEnable DIGEST MD5 replace dsSaslPluginsPath dsSaslPluginsPath ServerRoot lib sasl 3 Use the default identity mapping for DIGEST MD5 or create new ones as described in DIGEST MD5 Identity Mappings on page 372 Chapter 11 Implementing Security 371 Configuring Client Authentication 4 Ensure that the password is stored in CLEAR for all users who will access the server through SSL using DIGEST MD5 See Chapter 7 User Account Management for instructions on how to configure password storage schemes CAUTION When storing CLEAR passwords in the directory you must ensure that access to password values is properly restricted through ACIs as described in Chapter 6 Managing Access Control You may wish to further protect CLEAR passwords by configuring attribute encryption in that suffix as described in Encrypting Attribute Values on page 76 5 Restart the directory server if you modified the SASL configuration entry or one of the DIGEST MD5 identity mapping entries DIGEST MD5 Identity Mappings Identity mappings for SASL mechanisms try to match credentials of the SASL identity with a user entry in the directory See Identity Mapping on page 376 for complete description of this mechanism Authentication will fail if the mapping cannot find a DN that corresponds to the SASL identity The SASL identity is a string called the Principal that represents a user in a fo
163. R Managers ou groups dc example dc com aclRights entryLevel add 0 delete 0 read 1 write 0 proxy 0 dn uid bjensen ou People dc example dc com aclRights entryLevel add 0 delete 0 read 1 write 0 proxy 0 dn uid cfuente ou People dc example dc com aclRights entryLevel add 0 delete 0 read 1 write 1 proxy 0 In the output above the directory manager can see that Carla Fuente cannot even view the Special Users nor the Directory Administrators branches of the directory tree In the following example the directory manager can see that Carla Fuente cannot modify the mail and manager attributes in her own entry ldapsearch h rousseau example com p 389 D cn Directory Manager w password c dn uid cfuente ou People dc example dc com b dc example dc com uid cfuente aclRights version 1 dn uid cfuente ou People dc example dc com aclRights attributeLevel mail search 1 read 1 compare 1 write 0 selfwrite_add 0 selfwrite_delete 0 proxy 0 mail cfuente example com Chapter 6 Managing Access Control 239 Advanced Access Control Using Macro ACIs aclRights attributeLevel write 1 selfwrite_add uid cfuente aclRights attributeLevel l uid search 1 read 1 compare 1 L selfwrite_delete 1 proxy 0 write 1 selfwrite_add givenName Carla aclRights attributeLevel write 1 selfwrite_add sn Fuente acl
164. Remove Engineering Group Permissions Show Inherited ACIs OK Cancel Help New Edit Selecting the Show Inherited ACIs checkbox will also list all ACIs defined by parents of the selected entry and that apply to it However inherited ACIs cannot be edited or removed you must manage them on the entry where they are defined 3 Click New to define new access permissions on the selected object and its entire subtree The ACI editor is displayed as shown in following figure Chapter 6 Managing Access Control 213 Creating ACIs Using the Console 214 Figure 6 3 The ACI Editor Dialog Edit ACI for ou People dc example dc com ACI name Disallow override of CoS generated dept nun Target directory entry ou People dc example dc com This Entry Browse Filter for sub entries J objectclass inetorgperson These attributes are affected for all entries Name OID ipServicePort 138311115 nsBaseDN nsBaseDN oid Check None nsNumPeoplec ontainers 2 16 840 1 113730 3 1 810 departmentNumber 2 16 840 1 113730 3 1 2 nsmsgmsgalarmnoticetemplate nsmsgmsgalarmnoticetemplat nsCalDisplayPrefs 2 16 840 1 113730 3 1 118 ka J J E J vi J J Edit Manually The ACI name at the top of the dialog is the description of ACI that will appear in the Access Control Management Dialog Giving descriptive ACI names will make it easier to manage ACIs throughout the directory especially when viewing the
165. Rights attributeLeve l write 1 selfwrite_add cn Carla Fuente L givenNam search 1 read 1 compare L selfwrite_delete 1 proxy 0 l sn search 1 read 1 compare 1 L selfwrite_delete 1 proxy 0 l cn search 1 read 1 compare 1 L selfwrite_delete 1 proxy 0 aclRights attributeLevel compare 0 write 1 selfwrite_add 1 selfwrite_delet HA wnbWHIg2HPiY 5 userPassword SS aclRights attributeLevel l userPassword search 0 read 0 1 proxy 0 ECwe 6MWBGx2KMiZ8JImjF800w l manager search 1 read 1 compare 1 manager ac write 0 selfwrite_add 0 selfwrite_delete 0 proxy 0 uid bjensen ou People dc example dc com l1Rights attributeLevel telephoneNumber search 1 read 1 compare 1 write 1 selfwrite_add 1 selfwrite_delete 1 proxy 0 telephoneNumber 234 aclRights attributeLevel write 1 selfwrite_add 555 7898 l objectClass search 1 read 1 compare 1 L selfwrite_delete 1 proxy 0 objectClass top objectClass person objectClass organizationalPerson objectClass inetorgperson aclRights entryLevel add 0 delete 0 read 1 write 0 proxy 0 The format of the aclRights and aclRightsInfo logs attributes is described in detail in Understanding the Effective Rights Results in Chapter 7 of the Sun ONE Directory Server Deployment Guide Advanced Access Control Using Macro ACIs In organizations that use repeating directory tree structures it is possi
166. S OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Copyright c 1990 1993 1994 1995 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission 427 THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMIT
167. SSL Choosing Encryption Ciphers A cipher is the algorithm used to encrypt and decrypt data Generally speaking the more bits a cipher uses during encryption the stronger or more secure it is Ciphers for SSL are also identified by the type of message authentication used Message authentication is another algorithm which computes a checksum that guarantees data integrity For a more complete discussion of cipher algorithms and their strength see Ciphers Used With SSL in Appendix B of the Sun ONE Server Console Server Management Guide When a client initiates an SSL connection with a server the client and server must agree on a cipher to use to encrypt information In any two way encryption process both parties must use the same cipher normally the strongest one supported by both parties Sun ONE Directory Server provides the following ciphers for SSL 3 0 and TLS Table 11 1 Ciphers Provided with Sun ONE Directory Server Cipher Name Description None No encryption only MD5 message authentication rsa_null_md5 RC4 128 bits RC4 cipher with 128 bit encryption and MD5 message authentication rsa_rc4_128_mdb5 RC4 Export RC4 cipher with 40 bit encryption and MD5 message authentication rsa_rc4_40_md5 RC2 Export RC2 cipher with 40 bit encryption and MD5 message authentication rsa_rc2_40_md5 DES or DES Export DES with 56 bit encryption and SHA message authentication rsa_des_sha DES FIPS FIPS DES with 56
168. Server console you may select multiple entries for deletion using Control click or Shift click combinations Confirm that you wish to delete the entry or the subtree and all of its contents The server deletes the entry or entries immediately There is no undo If you deleted more than one entry the console will display an information dialog with the number of entries deleted and any errors that may have occurred Bulk Operations Using the Console You can use an LDIF file to add multiple entries to perform a mix of operations or to import an entire suffix To add entries using an LDIF file and the Directory Server console Chapter 2 Creating Directory Entries 61 Managing Entries From the Command Line 1 Define the entries or operations in an LDIF file using the syntax shown in the previous sections If you are only adding entries or initializing a suffix you do not need changet ype keywords and your LDIF file may contain just entries If you are performing a mix of operations every DN should be followed by a changetype and if applicable the specific operation or attribute values 2 Import the LDIF file from the Directory Server console See Importing LDIF Files on page 133 for more information If you are performing a mix of operations be sure to deselect Add only on the Import LDIF dialog so that the server will perform all LDIF operations Managing Entries From the Command Line 62 The ldapmodify and ldapd
169. ServerRoot slapd serverID logs referint After a specified time known as the update interval the server performs a search on all attributes for which referential integrity is enabled and matches the entries resulting from that search with the DNs of deleted or modified entries present in the log file If the log file shows that the entry was deleted the corresponding attribute is deleted If the log file shows that the entry was changed the corresponding attribute value is modified accordingly When the default configuration of the referential integrity plug in is enabled it performs integrity updates on the member uniquemember owner seeAlso and nsroledn attributes immediately after every delete or rename operation You can however configure the behavior of the referential integrity plug in to suit your own needs e Record referential integrity updates in a different file e Modify the update interval If you want to reduce the impact referential integrity updates has on your system you may want to increase the amount of time between updates Chapter 2 Creating Directory Entries 81 Maintaining Referential Integrity Select the attributes to which you apply referential integrity If you use or define attributes containing DN values you may want the referential integrity plug in to monitor them Configuring Referential Integrity Use the following procedure to enable or disable referential integrity and configure the plug
170. Servers tab the text box displays the ACI needed to allow the proxied operation through chaining You must add this ACI to the entry with the suffixDN on the remote server If you defined any failover servers you should add the ACI to all of them Use the Copy ACI button to copy the ACI text to your system s clipboard for pasting Once this ACI is added to the base entry on the remote server the chained suffix will be visible in the directory tree of the local server CAUTION You may need to define other ACIs on the same entry to restrict access to the remote server that is now exposed through chaining See Access Control Through Chained Suffixes on page 111 10 If you have configured the chaining policy for server components you must also add ACIs that will allow those components to access the remote server For example if you allow the referential integrity plug in to chain you must add the following ACI to the base entry whose DN was given in Step 2 aci targetattr target 1dap suffixDN version 3 0 acl RefInt Access for chaining allow read write search compare userdn ldap cn referential integrity postoperation cn plugins cn config Chapter 3 Creating Your Directory Tree 107 Creating Chained Suffixes 108 Creating Chained Suffixes From the Command Line You may also use the ldapmodify command line utility to create chained suffixes in your directory Because chained root suf
171. Stopping the Directory Server on page 20 Trimming the Retro Change Log The entries in the change log can be removed automatically after a specified period of time To configure the period of time after which entries are deleted automatically from the change log you must set the nsslapd changelogmaxage configuration attribute in the cn Retro Changelog Plugin cn plugins cn config entry This attribute can only be set from the command line for example ldapmodify h host p port D cn Directory Manager p password dn cn Retro Changelog Plugin cn plugins cn config changetype modify replace nsslapd changelogmaxage nsslapd changelogmaxage IntegerTimeunit where Integer represents a number and Timeunit can be one of the following s for seconds m for minutes h for hours d for days or w for weeks There should be no space between the Integer and Timeunit variables for example nsslapd changelogmaxage 2d The retro change log will be trimmed at the next operation on the change log Accessing Retro Change Log The change log supports search operations It is optimized for searches that include filters of the form amp changeNumber gt X changeNumber lt yY Sun ONE Directory Server Administration Guide June 2003 Monitoring Replication Status As a general rule you should not perform add or modify operations on the retro change log entries although you can delete entries to trim the size of the ch
172. Sun ONE Directory Server Administration Guide June 2003 Replicating Schema Definitions Use the following procedure to modify the schema files on a master server 1 Add a new schema file or modify an existing one in the schema directory ServerRoot slapd serverID config schema Schema files in this directory are writable only by the system user defined during installation For more information see Modifying the Schema Files on page 326 Run the schema_push p1 script with the appropriate command given above This script does not actually push the schema to replicas instead it writes a special attribute into the schema files so that they will be replicated as soon as they are loaded Restart the server The server will load all schema files and the replication mechanism will replicate the new schema to its consumers Limiting Schema Replication By default whenever the replication mechanism replicates the schema it sends the entire schema to its consumers There are two situations where this is not desirable Modifications to cn schema using the console or from the command line are limited to the user defined schema elements all of the standard schema is unchanged If you modify the schema often sending the large set of unchanged schema elements every time has a performance impact You may improve replication and server performance by replicating only the user defined schema elements When a master on Directory S
173. To enforce uniqueness for another attribute see Enforcing Uniqueness of Another Attribute on page 423 Configuring the Plug In Using the Console When using the console you must not modify the default uid uniqueness plug in to enforce uniqueness of another attribute If you do not wish to have a uid uniqueness plug in leave it disabled and create a new plug in instance for another attribute as described in Enforcing Uniqueness of Another Attribute on page 423 1 On the top level Configuration tab of the Directory Server console expand the Plug Ins node and select the uid uniqueness plug in 2 Inthe right hand panel select the checkbox to enable the plug in Do not modify the fields for the initialization function or the plug in module path Sun ONE Directory Server Administration Guide June 2003 Enforcing Uniqueness of the uid Attribute Modify the plug in arguments according to how you wish to specify the subtrees where uniqueness is enforced To specify the base DN of a single subtree edit the value of Argument 2 To specify more than one subtree click Add to add more arguments and enter the base DN of a subtree in each new text field To specify subtrees by the object class of their base entries set the arguments to the following values Argument 1 attribute uid Argument 2 markerOb ject Clas s baseObjectClass The plug in will enforce uid uniqueness in the subtree below every entry in the directory
174. TransportCompressionLevel attribute type 299 dse ldif file backing up 143 restoring from a backup 148 dsIdentityMapping object class 377 dsMappedDN attribute type 377 dsMatching pattern attribute type 377 dsMatching regexp attribute type 377 dsSearchBaseDN attribute type 377 dsSearchFilter attribute type 377 dsSearchScope attribute type 377 dynamic groups see groups E encryption 368 end of file marker in LDIF input 63 entries adding attributes using the console 57 bulk operations in LDIF 61 creating with the console 48 defining role membership 159 deleting entries using the console 61 deleting from the command line 71 managing from command line 62 managing object classes using the console 59 managing with the console 48 modifying from the command line 66 modifying with Generic Editor 54 ordering in LDIF files 64 targeting 186 viewing role membership 159 entry cache monitoring 401 EOF marker in LDIF input 63 equality index see indexing error log access control information 247 errors log see logs exporting LDIF 138 from the command line 141 using the console 139 F files databaseName_dn db2 343 databaseName_dn2id db2 343 databaseName_id2children db2 343 databaseName_id2entry db2 343 filtered role example 162 filtered roles see roles Fortezza 369 G general access overview 198 groupdn keyword 199 groupdnattr keyword 201 groups 152 access control 197 access control example 225 access to direc
175. Updates is automatically deleted so that update operations are again refused after the initialization To Set the Automatic Referral Delay The ds5ReferralDelayAfterInit configuration attribute determines the number of seconds after any initialization for which a replica will return referrals After this delay the replica will automatically begin processing update operations from clients This attribute is specific to each replica and should be set to a value according to the criteria described in Convergence After Multi Master Initialization on page 286 Changing the value of this attribute will dynamically affect the corresponding replica if it has been recently initialized and is still not accepting updates You may lengthen or shorten the delay in progress by modifying this value If the delay has already elapsed and the replica is accepting updates setting this attribute will have no effect 288 Sun ONE Directory Server Administration Guide June 2003 Initializing Replicas The default value of this attribute is 1 which means the replica will refuse update operations indefinitely In this case you may define a delay to automatically allow updates when the delay elapses as measured since the initialization Setting a delay that has already elapsed will cause the replica to begin accepting updates immediately 1 Set the ds5ReferralDelayAfterInit attribute with the following command ldapmodify h host p port D c
176. Users and enter a string to search for and then click Search Click the Advanced button to search specific attributes or specific attribute values Select one or more of the entries in the results and click OK Repeat this step to add all of the members you wish to this static group 6 When you have finished adding entries to the role click OK The new role appears in the directory tree with the icon for a managed role and all member entries will be given the attribute nsRoleDN with the value of the DN of this new role entry 7 Once the role is created you may also assign this role to any entry by adding the nsRoleDN attribute to the entry with the value of the DN of the role entry Creating a Filtered Role Entries are members of a filtered role if they possess attributes or attribute values that are selected by the LDAP filter in the role s definition NOTE The filter string of a filtered role may be based on any attribute except other virtual attributes generated by the CoS mechanism see About CoS on page 164 To create and add members to a filtered role using the console Chapter 5 Advanced Entry Management 157 Assigning Roles On the top level Directory tab of the Directory Server console right click the entry in the directory tree where you want to add the new role definition and select the New gt Role item Alternatively select the entry and choose the New gt Role item from the Object menu In th
177. Y MESSAGING DIRECT LTD AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL MESSAGING DIRECT LTD OR ITS EMPLOYEES OR AGENTS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE END COPYRIGHT COPYRIGHT Copyright c 2000 Fabian Knittel All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain any existing copyright notice and this entire permission notice in its entirety including the disclaimer of warranties 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 Redistributions in binary form must reproduce all prior and current copyright notices this list of conditions and the following disclaimer in the d
178. ab on the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix 2 Inthe right panel select the Change gt Promote Demote Replica menu item 3 The replication wizard will only let you select a new role that is allowed and then step through the configuration procedure for the new replica role You should be aware of the following effects O When demoting a master to a hub the replica will become read only and be configured for sending referrals to the remaining masters The new hub will retain all of its consumers whether hubs or dedicated consumers Demoting a single master to a hub will create a topology without a master replica The wizard will allow you to do this under the assumption that you will define a new master However it is better to add a new master as a multi master and allow it to be initialized before demoting the other one When demoting a hub to a consumer all replication agreements will be deleted If the hub s consumers were not updated by other hubs or masters they will no longer be updated You should create new agreements on the remaining hubs or masters to update these consumers When promoting a consumer to a hub its change log is enabled and you may define new agreements with consumers When promoting a hub to a master the replica will accept modification requests and you may define new agreements with other master
179. able of Additional Indexes 3 To modify the indexes of an attribute select or deselect the checkboxes for each type of index you wish to maintain for that attribute in the table of Additional Indexes 4 If you want to create an index for an attribute containing values in a language other than English enter the OID of the collation order you want to use in the Matching Rules field You can index the attribute using multiple languages by listing multiple OIDs separated by commas but no whitespace For the list of supported locales and the OID of their associated collation order see Appendix C Directory Internationalization in the Sun ONE Directory Server Reference Manual 5 Toremove all indexes for an attribute select its row in the table and click the Delete attribute button Chapter 10 Managing Indexes 345 Managing Indexes Click Save to save the new index configuration If you removed all indexes of an attribute the server will remove the index files for that attribute and the configuration is finished If you modified the indexes of an attribute or added a new one proceed with the following step A warning dialog informs you that you must update the database files to begin using the new index You may either reindex the suffix or reinitialize it If you added or modified only one or two indexes or if your suffix must not be unavailable you should reindex the suffix Click on the Reindex Suffix button to display
180. acl Create Group allow read search add userdn ldap uid ou People dc example dc com and dns example com NOTE This ACI does not grant write permission which means that the entry creator cannot modify the entry This example assumes that the ACI is added to the ou social committee dc example dc com entry From the console you can set this permission by doing the following 1 On the Directory tab right click the Social Committee entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager Click New to display the Access Control Editor On the Users Groups tab in the ACI name field type Create Group In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area to Special Rights and select All Authenticated Users from the Search results list c Click the Add button to list All Authenticated Users in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box On the Rights tab tick the checkbox for read search and add Make sure the other checkboxes are clear On the Targets tab click This Entry to display the ou social committee dc example dc com suffix in the target directory entry field On the Hosts tab
181. ad only Client Request gt This document also uses the terms supplier and consumer to refer to the roles of two servers participating in a replication agreement The supplier is the server that sends replication updates and the consumer is the server that receives them The diagram above demonstrates the following relationships e A single master is a supplier not a consumer e A master in multi master replication is both a supplier and a consumer of other masters e A hub is always a supplier and a consumer e A dedicated consumer is only a consumer Many replication settings apply to the replica in the supplier or consumer role of an agreement regardless of its type Summary of Steps for Configuring Replication The following steps assume you are replicating a single suffix If you are replicating more than one suffix you may configure them in parallel on each server In other words you may repeat each step to configure replication on multiple suffixes Chapter 8 Managing Replication 267 Summary of Steps for Configuring Replication 268 To configure any replication topology you should proceed in the following order 1 Define your replication manager entry on all servers except single masters Or simply decide to use the default replication manager on all servers On all servers containing a dedicated consumer replica a Create an empty suffix for the consumer replica b Enable the consumer replica on
182. ady to receive updates from a legacy supplier 6 Make sure that the schema on the 5 2 replica server defines all attributes and object classes used by the contents that will be replicated from the 4 x master 7 Initialize the 5 2 replica by importing an LDIF replica file created on the 4 x master The first entry in this file contains the copiedfrom attribute required by the 4 x replication mechanism Enabling 4 x compatibility on a server configures the legacy replication plug in that is installed by default This plug in processes updates from the legacy supplier and performs the updates on the contents of the replicated suffix NOTE As long as 4 x compatibility is enabled this replica will return referrals for any modification requests from clients Even though Directory Server 5 2 is configured as a master replica it will not perform modification requests on this suffix Instead it will return a referral to the 4 x supplier server To complete the legacy replication setup you must now configure the legacy supplier to replicate to the 5 2 Directory Server For instructions on configuring a replication agreement on a 4 x Directory Server refer to the documentation provided with your legacy Directory Server 310 Sun ONE Directory Server Administration Guide June 2003 Replication With Earlier Releases Updating Directory Server 5 1 Schema In Directory Server 5 2 the schema file 11r c2307 1dif has been altered to conform
183. ae aT s AEA EA EAE E 395 AUGIE LOR 328 tet beak a 2h sec eed goths aad Gale tie de E be an ieee eed od a 397 Monitoring Server Activity sii ses wis sla deirim sienio BOON GA ee i EALE A ee EG 398 Monitoring Your Server Using the Console 006 cece cece eet ene 398 Monitoring Your Server From the Command Line 0 0 c cece eee eee 403 Monitoring Directory Server Using SNMP 00sec e eee eee eee 405 SNMP in Sun ONE Servet e scce cereri cece neve dae Pe been tae ved end di seve eadeetaviees 406 Overview of the Directory Server MIB 0 c ccc cee eee eens 407 Setting Up SNMP siesta ita Satake 3 ban diye oa he a SA Gaede SeB ular wad Mis EE 407 On UNIX Platforms r enp guess ate nee ee habe Ra ate DRG 2 teed aot AAS RUAS Mah ade 408 On AIX Platforms 2 000 ose sacs ee dae hs QE Gaede wee Dee eee dG Gd edd de ada Ge eae 408 On Windows Platforms u reedi eean saat bth oes eh Sed As ea eat tie eed hal aed Sod A 409 Configuring SNMP in the Directory Server 6 c ccc neee eee eees 409 Starting and Stopping the SNMP Subagent 66 c cece eet eens 410 On UNIX and AIX Platforms 0 000 0c cen ent n nnne nn eens 410 On Windows Platforms ose siccxcaze iy bate ded acd wads aot bad stad Sd ees Sd ache 411 Using the Pass Through Authentication Plug In 00 00 eee eee eee eee 413 How Directory Server Uses PTA edir konoa adie dh hed Gas Maa nba oe EE EE 413 Configuring the PIA Pl g Ihe Ai
184. ages initializes a suffix and overwrites the existing data The script requires you to shut down the server before proceeding with the import By default the script first saves and then merges any existing o Net scapeRoot configuration information with the o Net scapeRoot configuration information in the files being imported CAUTION This script overwrites the data in your suffix To import LDIF with the server stopped 1 As root from the command line stop the server with the following command usr sbin directoryserver stop ServerRoot slapd serverID stop slapd 2 Run the command located in usr sbin directoryserver ldif2db ServerRoot slapd serverID 1dif2db 3 Start the server with the appropriate command usr sbin directoryserver start ServerRoot slapd serverID start slapd The following examples use the 1dif2db command to import two LDIF files into a single suffix UNIX shell script use directoryserver ldif2db on Solaris Packages installations var Sun mps slapd example ldif2db n Databasel i var Sun mps slapd example ldif demo ldif i var Sun mps slapd example ldif demo2 1ldif 136 Sun ONE Directory Server Administration Guide June 2003 Solaris Packages Importing Data Windows batch file C Program Files Sun MPS slapd example ldif2db bat n Databasel i C Program Files Sun MPS slapd example ldif demo ldif i C Program Files Sun MPS slapd example ldif demo2 1ldif Tabl
185. ained Suffixes Both root suffixes and subsuffixes may be chained to another server and both procedures may be performed through the console or from the command line However before you create any chained suffixes you should create a proxy identity on the remote server The local server will use the proxy identity to bind to the remote server when forwarding an operation through the chained suffix If you are configuring many chained suffixes with identical parameters you should also set default values for the chaining parameters of new chained suffixes At any time before or after creating chained suffixes you may also set the chaining policy for LDAP controls and server components as described in Configuring the Chaining Policy on page 113 Creating a Proxy Identity The proxy identity is a user on the remote server that the local server will use to bind and forward the chained operation For security reasons you should never use the Directory Manager or the Administrative user admin for proxying Instead create a new identity that will be used only for chained operations from a given server Create this identity on all servers that will be chained and on all failover servers defined in Creating Chained Suffixes Using the Console on page 105 or Modifying the Chaining Policy Using the Console on page 117 Creating a Proxy Identity Using the Console This procedure applies to the Directory Server console connected
186. ality will also target locality fr You may also target subtypes specifically for example targetattr locality fr quebec Targeting Both an Entry and Attributes By default the entry targeted by an ACI containing a targetattr keyword is the entry on which the ACI is placed That is if you put the ACI aci targetattr uid accessControlRules on the ou Market ing dc example dc com entry then the ACI applies to the entire Marketing subtree However you can also explicitly specify a target using the target keyword as follows aci target ldap uid ou Marketing dc example dc com targetattr uid accessControlRules The order in which you specify the target and the targetattr keywords is not important Targeting Entries or Attributes Using LDAP Filters You can use LDAP filters to target a set of entries that match certain criteria To do this use the target filter keyword with an LDAP filter The ACI will apply to all entries that match the filter in the subtree below the entry containing the ACI The syntax of the target filter keyword is targetfilter LDAPfilter where LDAPfilter is a standard LDAP search filter For more information on filter syntax see LDAP Search Filters in Chapter 4 of the Sun ONE Directory Server Getting Started Guide 188 Sun ONE Directory Server Administration Guide June 2003 ACI Syntax For example suppose that all entries representing employees have a
187. alization message Provides status on the last initialization of the consumer Last initialization started Indicates when the most recent initialization of the consumer replica started Last initialization ended Indicates when the most recent initialization of the consumer replica ended Common Replication Conflicts Multi master replication uses a loose consistency replication model This means that the same entries may be modified simultaneously on different servers When updates are sent between the two servers the conflicting changes need to be resolved Mostly resolution occurs automatically based on the timestamp associated with the change on each server The most recent change takes precedence However there are some cases where change conflicts require manual intervention in order to reach a resolution Entries that have a change conflict that cannot be resolved automatically by the replication process contain the operational attribute nsds5ReplConflict as a conflict marker Search for entries that contain this attribute periodically to find entries with conflicts For example you could use the following 1dapsearch command ldapsearch h host p port D cn Directory Manager w password b dc example dc com nsds5ReplConflict Note that the nsds5Rep1Conflict attribute is indexed by default Chapter 8 Managing Replication 317 Solving Common Replication Conflicts 318 Solving Naming Conflicts
188. all optional attributes of their respective object classes If you wish to add optional attributes that are not displayed in the custom editor follow the instructions in Modifying Entries With the Generic Editor on page 54 Creating Other Types of Entries Follow these steps to create an entry of any object class other than those listed in Table 2 1 on page 49 You may also use this procedure to create an entry of any custom object classes you may have defined in the directory schema 1 On the top level Directory tab of the Directory Server console expand the directory tree to display the entry that you wish to be the parent of the new entry 2 Right click the parent entry and select the New gt Other item from the submenu Alternatively you may left click the parent entry to select it and then select the Object gt New gt Other menu item The New Object dialog will be displayed 3 In the object class list of the New Object dialog select an object class that defines your new entry then click OK If you selected an object class listed in Table 2 1 on page 49 the corresponding custom editor will be displayed see Creating an Entry Using a Custom Editor on page 49 In all other cases the generic editor is displayed 4 When creating a new entry the generic editor contains a field for each required attribute of the object class you selected You must enter a value for all the required attributes Some fields have a gene
189. alog to create the subsuffix The subsuffix appears automatically under its parent suffix in the Configuration tab See Managing Suffixes on page 95 to further configure the new suffix Chapter 3 Creating Your Directory Tree 91 Creating Suffixes 10 A new subsuffix does not contain any entries not even an entry for the RDN Consequently it will not be accessible in the directory nor visible in the Directory tab of the console until it has been initialized and given the appropriate access permissions If you will initialize the suffix from an LDIF file you may skip the remaining steps However be sure the parent suffix and the new entries in your LDIF file contain the access control instructions ACIs required by your deployment On the top level Directory tab of the console expand the directory tree to display the parent of the subsuffix The new subsuffix will not be visible yet If you are not logged in as the directory manager do so now by selecting the Console gt Log in as New User menu item Enter the DN and password of the directory manager to log in By default the directory manager DN is cn Directory Manager Right click on the parent of the subsuffix and select the New item from the pop up menu In the list of new objects select the type of object that corresponds to the RDN of the subsuffix For example choose the OrganizationalUnit item if you created the ou Contractors subsuffix If the object class of yo
190. ame is a name you give to identify the trusted CA certFile is the text file containing the PKCS 11 certificate of the CA in PEM encoded text format and the trust is one of the following codes o T This CA is trusted to issue client certificates Use this code if your LDAP clients perform certificate based client authentication by presenting certificates issued by this CA Chapter 11 Implementing Security 365 Activating SSL o C This CA is trusted to issue server certificates Use this code if your server will play a replication supplier or chaining multiplexor role over SSL with another server that has a certificate issued by this CA o CT This CA is trusted to issue both client and server certificates Use this code if both cases above apply to this CA Optionally you may also use the following certut il command to verify your installed certificates certutil L d ServerRoot alias P slapd serverID The certificates listed with a trust attribute of u are the server certificates and those with CT are trusted CA certificates Activating SSL Once you have installed your server certificate and trusted the CA s certificate you are ready to activate SSL Most of the time you want your server to run with SSL enabled If you temporarily disable SSL make sure you re enable it before processing operations that require confidentiality authentication or data integrity 366 Before you can activate SSL you must create a
191. ame of the specifier attribute in the Attribute Name field Be sure to select an attribute which contains DN values Click Change to select the attribute from a list o Using both its DN and the value of one of the target entry s attributes This choice will define a classic CoS enter both the base DN for a template and an attribute name Click Browse to select the parent entry of the potential target entries and click Change to select the attribute from a list Click OK to create the CoS definition entry Editing an Existing CoS 1 On the top level Directory tab of the Directory Server console double click the CoS definition entry or right click on it and select Edit With Custom Editor from the pop up menu The custom editor for Class of Service entries is displayed Edit the name and description fields as desired Click the Attributes tab in the left hand list to add or remove virtual attributes that will be generated by the CoS mechanism Click the Template tab in the left hand list to redefine the name of the template specifier attribute or the template entry DN This dialog also allows you to redefine the type of your CoS definition Click OK to save your changes Deleting a CoS 1 On the top level Directory tab of the Directory Server console browse the directory tree to display the CoS definition entry Right click the CoS entry and select Delete from the pop up menu A dialog box appears asking you to co
192. ame other entries either as a list of members or as a filter for members Roles provide the same functionality and more through a mechanism that generates the nsrole attribute on each member of a role CoS also generates a virtual attribute allowing entries to share a common attribute value without having to store it in each entry NOTE Sun ONE Directory Server 5 2 introduces the ability to perform searches based on the values of the roles and CoS virtual attributes Filter strings used in any operation may now include the nsRole attribute or any attribute generated by a CoS definition and perform any of the comparison operations on the value of this attribute However virtual CoS attributes cannot be indexed and therefore any search involving a CoS generated attribute will be unindexed To take full advantage of the features offered by roles and class of service it is best to determine your directory topology in the planning phase of your directory deployment Refer to Chapter 4 Designing the Directory Tree in the Sun ONE Directory Server Deployment Guide for a description of these mechanisms and how they can simplify your topology This chapter contains the following sections e Managing Groups e Assigning Roles e Defining Class of Service CoS 151 Managing Groups Managing Groups Groups are a mechanism for associating entries for ease of administration such as for defining ACIs Groups definitions are special en
193. ample dayofweek Mon Tue Wed Thu Fri The bind rule is true if the directory is being accessed on one of the days listed Defining Access Based on Authentication Method You can set bind rules that state that a client must bind to the directory using a specific authentication method The authentication methods available are e None Authentication is not required This is the default It represents anonymous access e Simple The client must provide a user name and password to bind to the directory e SSL The client must bind to the directory over a Secure Sockets Layer SSL or Transport Layer Security TLS connection In the case of SSL the connection is established to the LDAPS second port in the case of TLS the connection is established through a Start TLS operation In both cases a certificate must be provided For information on setting up SSL see Chapter 11 Implementing Security e SASL The client must bind to the directory over a Simple Authentication and Security Layer SASL connection Note that Sun ONE Directory Server does not provide a SASL module You cannot set up authentication based bind rules through the Access Control Editor The LDIF syntax for setting a bind rule based on an authentication method is as follows authmethod authentication_method where authentication_method is none simple ssl or sasl sasl_mechanism For example Chapter 6 Managing Access Control 209 Bind
194. ample com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Write Subscribers In the list of users granted access permission do the following Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area to Special Rights and select Self from the Search results list c Click the Add button to list Self in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for write Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the dc subscribers dc example dc com suffix in the target directory entry field a In the filter for subentries field type the following filter unlistedSubscriber yes b Inthe attribute table tick the checkboxes for the homePhone homePostalAddress and mail attributes All other checkboxes should be clear This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table then click the Name header to organize them alphabetically and select the appropriate ones 6 If you wa
195. an LDIF file using the 1dif2db p1 script You do not need root privileges to run the script but you must authenticate as the directory manager Chapter 4 Populating Directory Contents 137 Exporting Data UNIX shell script use directoryserver ldif2db task on Solaris Packages installations var Sun mps slapd example ldif2db pl D cn Directory Manager w password n Databasel i var Sun mps slapd example ldif demo 1ldif Windows batch file C Program Files Sun MPS bin slapd admin bin perl exe C Program Files Sun MPS slapd example ldif2db pl D cn Directory Manager w password n Databasel i C Program Files Sun MPS slapd example ldif demo ldif The following table describes the 1dif2db p1 options used in the examples Table 4 3 Description of ldif2db pl Options Used in the Examples Option Description D Specifies the DN of the directory manager w Specifies the password of the directory manager n Specifies the name of the database into which you are importing the data i Specifies the full path name of the LDIF file s to be imported This option is required You can use multiple i arguments to import more than one LDIF file at a time When you import multiple files the server imports the LDIF files in the order in which you specify them from the command line For more information about using this perl script see Idif2db pl in Chapter 2 of the Sun ONE Directory Server Reference Manua
196. an use Sun ONE Server Console you must follow these steps to no longer require but allow client authentication 1 Modify the cn encryption cn config entry with the following command ldapmodify h host p port D cn Directory Manager w password dn cn encryption cn config changetype modify replace nsSSLClientAuth nsSSLClientAuth allowed 2 Restart Directory Server as described in Starting and Stopping the Server From the Command Line Unix on page 21 You can now start Sun ONE Server Console Configuring Client Authentication 370 Client authentication is a mechanism for the server to verify the identity of the client Client authentication may be performed either using a certificate presented by the client or through a SASL based mechanism such as DIGEST MD5 On the Solaris operating system the Directory Server now supports the GSSAPI mechanism through SASL which allows the authentication of a client through Kerberos V5 Certificate based authentication uses the client certificate obtained through the SSL protocol to find a user entry for identification That entry must then contain the same certificate for the user to be authenticated This mechanism is also known as EXTERNAL because it is external to the SASL mechanisms Certificate based authentication is fully described in Using Client Authentication in Chapter 10 of the Sun ONE Server Console Server Management Guide Sun ONE Directory
197. and resizing them You can also modify the contents of the table by clicking the View Options button and selection only those columns you wish to see Table 8 2 below describes the replication parameters you may select to display in the table for each agreement on this server Table 8 2 Replication Parameters on the Directory Server Console Status Tab Table Header Description Suffix Names the suffix or subsuffix that is being replicated Remote Replica Contains the hostname and port of the consumer server Description Contains the description string provided in this replication agreement State Indicates whether the agreement is disabled initializing the consumer or replicating normally through incremental updates Sun ONE Directory Server Administration Guide June 2003 Solving Solving Common Replication Conflicts Table 8 2 Replication Parameters on the Directory Server Console Status Tab Continued Table Header Description Summary Contains the latest event start or end of initialization or update and the last message received Sent updates Cumulates the total number of individual updates sent to the consumer since replication was enabled or the server was restarted Last update started Indicates when the most recent replication update started Last update ended Indicates when the most recent replication update ended Last update message Provides the status for the most recent replication updates Last initi
198. and Line 1 Create a request for a server certificate with the following command certutil R s cn serverName ou division o company 1 city st state c country a d ServerRoot alias P slapd serverID The s option specifies the DN of the requested server certificate Certificate Authorities usually require all of the attributes shown in this example in order to completely identify the server See Step 4 above for a description of each attribute 2 The certutil tool will prompt you for the password to the server s key database This is the password set in Creating a Certificate Database on page 360 The tool will then generate a PKCS 10 certificate request in the PEM encoded text format Installing the Server Certificate Transmit the request from the previous section to your Certificate Authority according to its procedures For example you may be asked to send the certificate request in an email or you may be able to enter the request through the CA s website Sun ONE Directory Server Administration Guide June 2003 Obtaining and Installing Server Certificates Once you have sent your request you must wait for the CA to respond with your certificate Response time for your request varies For example if your CA is internal to your company it may only take a day or two to respond to your request If your selected CA is external to your company it could take several weeks to respond to your request
199. and click Next to continue Enter a Replica ID choose a unique integer between 1 and 65534 inclusive The replica ID must be unique among all master replicas for a given suffix Master replicas of different suffixes on the same server may use the same replica ID as long as it is unique among each replica s other masters Click Next If you have not already done so you will be prompted to select the change log file The default change log file is shown in the text field If you do not wish to use the default type in a filename for the change log or click Browse to display a file selector If the change log has already been enabled the wizard will skip this step Click Next If you have not already done so you will be prompted to enter and confirm a password for the default replication manager The replication manager is not used in the case of single master replication but you must still enter a password to proceed Type the same password in each field and then click Next to continue If the default replication manager already had a password defined the wizard will skip this step The replication wizard will display a status message while updating the replication configuration Click Close when it has completed The replication status now shows the replica ID of this master and the icon in the left hand pane changes to show that replication is active for this suffix Advanced Multi Master Configuration By default the wizard
200. and restart it Directory Tree View Options On the top level Directory tab of the Directory Server console the items of the View menu allow you to display additional information in the directory tree and select what appears in the right hand panel The following View options affect the contents of the Directory tab e Follow Referrals When this checkbox is selected the directory tree will show the entries and all children of the target of the referral as if they were in the directory When the checkbox is empty referrals are shown as referral entries For more information see Creating Smart Referrals on page 74 e Sort Objects When this checkbox is empty entries are displayed in the order in which they are returned by the server When this checkbox is selected entries at the same level in the directory tree are sorted according their display attribute describe below For information on how to sort large subtrees without impacting server performance see Browsing Indexes for the Console on page 353 Entries displayed by the following attributes will be sorted cn givenname o ou sn and then uid Entries displayed by other attributes will not be sorted Sun ONE Directory Server Administration Guide June 2003 Using the Directory Server Console Display gt ACI Count If an entry contains one or more access control instructions ACIs in the aci attribute the directory tree will show how many beside the entry
201. and the directory can grant access rights and resource limits to the user depending upon the identity established during authentication This chapter describes tasks for user account management including configuring the password and account lockout policy for your directory inactivating accounts or groups of users so they cannot access the directory and limiting system resources available to users depending upon their bind DNs Directory Server 5 2 introduces the individual password policy You may define any number of different password policies and apply any one of them to a given user or group of users This makes it much easier to control how different types of users may access the directory This chapter contains the following sections e Overview of Password Policies e Configuring the Global Password Policy e Managing Individual Password Policies e Resetting User Passwords e Inactivating and Activating Users and Roles e Setting Individual Resource Limits 249 Overview of Password Policies Overview of Password Policies 250 A secure password policy minimizes the risks associated with easily guessed passwords by enforcing the following e Users must change their passwords according to a schedule e Users must provide non trivial passwords e Accounts may be locked after a number of binds with the wrong password As of Directory Server 5 2 you may have both individual and global password policies An individual passw
202. ange log The only time you will need to perform a modify operation on the retro change log is to modify the default access control policy When the retro change log is created by default the following access control rules apply e Read search and compare rights are granted to all authenticated users userdn anyone not to be confused with anonymous access where userdn al1 to the retro change log top entry cn changelog e Write and delete access are not granted except implicitly to the Directory Manager You should not grant read access to anonymous users because the change log entries can contain modifications to sensitive information such as passwords You may wish to further restrict access to the retro change log contents if even authenticated users should not be allowed to view its contents To modify the default access control policy that applies to the retro change log you should modify the aci attribute of the cn changelog entry Refer to Chapter 6 Managing Access Control for more information about setting aci attributes Monitoring Replication Status You can monitor replication status using the new command line tools and using the Directory Server console Command Line Tools There are three new command line tools for monitoring your replication deployment e repldisc Discovers and constructs a table of all known servers in a replication deployment e insync Indicates the synchronization state be
203. ange role membership in a filtered or nested role you must edit the role definition Select the role and click Edit to display the custom editor for Roles Make changes to the role and click OK to save the new role definition Click OK once you have finished modifying the roles to save your changes Modifying a Role Entry 1 2 On the Directory Server console select the Directory tab Browse the navigation tree to locate the definition entry of an existing role Roles are children of the entry where they were created Double click the role The Edit Entry dialog box appears Click General in the left pane to change the role name and description Click Members in the left pane to change the members of managed and nested roles or to change the filter of a filtered role Click OK to save your changes Deleting a Role Deleting a role deletes only the entry of the role definition not its members To delete a role 1 Inthe Directory Server console select the Directory tab 2 Browse the navigation tree to locate the definition entry of your role Roles are children of the entry where they were created 3 Right click the role and select Delete A dialog box appears asking you to confirm the deletion Click Yes 4 The Deleted Entries dialog box appears to inform you that the role was successfully deleted Click OK NOTE Deleting a role deletes the role entry but does not delete the nsRoleDN attribute for each role m
204. applies to all chained suffixes on the server The default settings are intended to allow the transparent completion of normal operations However if your operations involve LDAP controls or you are using server components such as the referential integrity plug in you should ensure the chaining policy is configured for your needs It is best to configure the chaining policy before creating any chained suffixes so that the policy will be applied as soon as chained suffixes are enabled However you may also modify the policy at any later time Chapter 3 Creating Your Directory Tree 113 Managing Chained Suffixes 114 Chaining Policy of LDAP Controls LDAP controls are sent by clients as part of a request to modify the operation or its results in some way The server chaining policy determines which controls the server will forward to a chained suffix along with the operation By default the following controls are forwarded to the remote server of a chained suffix Table 3 1 LDAP Controls Allowed to Chain by Default OID of the Control Name and Description of the Control 1 2 840 113556 1 4 473 Server side sorting Associated with a search to sort the resulting entries according to their attribute values 1 3 6 1 4 1 1466 29539 12 Chaining loop detection Tracks of the number of times the server chains with another server When the count reaches a number you configure the operation is abandoned and the client application is
205. ar X Open Company Ltd Sun Sun Microsystems le logo Sun Java Solaris SunTone Sun tm ONE The Network is the Computer le logo SunTone Certified et le logo Sun tm ONE sont des marques de fabrique ou des marques d pos es de Sun Microsystems Inc aux Etats Unis et dans d autres pays Toutes les marques SPARC sont utilis es sous licence et sont des marques de fabrique ou des marques d pos es de SPARC International Inc aux Etats Unis et dans d autres pays Les produits protant les marques SPARC sont bas s sur une architecture d velopp e par Sun Microsystems Inc Mozilla Netscape et Netscape Navigator sont des marques de Netscape Communications Corporation aux Etats Unis et dans d autres pays Les produits qui font l objet de ce manuel d entretien et les informations qu il contient sont r gis par la l gislation am ricaine en mati re de contr le des exportations et peuvent tre soumis au droit d autres pays dans le domaine des exportations et importations Les utilisations finales ou utilisateurs finaux pour des armes nucl aires des missiles des armes biologiques et chimiques ou du nucl aire maritime directement ou indirectement sont strictement interdites Les exportations ou r exportations vers des pays sous embargo des Etats Unis ou vers des entit s figurant sur les listes d exclusion d exportation am ricaines y compris mais de mani re non exclusive la liste de personnes qui font objet d un ordre de ne pas pa
206. arning to the user In the Send warning X days before password expires text enter the number of days before password expiration to send a warning When the user receives a warning the password will expire on the original date Deselect the Expire regardless of warning checkbox to extend the expiration to allow a full warning period after the warning is sent Only one warning and one extension will occur There is no grace login if the user binds after the password has expired e If you want the server to check the syntax of a user password to make sure it meets the minimum requirements set by the password policy select the Check password syntax checkbox Then specify the minimum acceptable password length in the Password minimum length text box e By default the Directory Manager cannot reset a password that violates the password policy for example reusing a password in the history Select the Allow Directory Manager to bypass Password Policy checkbox to allow this e Specify what encryption method you want the server to use when storing passwords from the Password encryption pull down menu 5 Click on the Lockout tab and select the Accounts may be locked out checkbox to define the account lockout policy e Enter the number of login failures and the period in which they must occur to trigger a lockout e Select the Lockout forever radio button to make a lockout permanent until the Directory Ma
207. aster that has been demoted to a hub will still appear in the list of referrals on a 5 1 consumer However due to the internal mechanism for demotion the port number for the demoted replica will be zero This referral URL will not be usable and most clients will automatically try the referrals to the other masters when they are not able to follow this one However you may need to increase the hop limit for referrals on clients that access these 5 1 replicas A 5 2 consumer replica does not display nor return the unusable referral URL to a demoted master Sun ONE Directory Server 5 2 can be involved in replication scenarios with 4 x releases of Directory Server under the following conditions e Directory Server 5 2 is configured as a master but replicated only as a consumer to a Directory Server 4 x supplier e Aconsumer replica cannot be a consumer to both legacy 4 x suppliers and 5 2 suppliers However a 5 2 server may have different replicas where one is supplied by a legacy Directory Server and the other is supplied by a 5 2 Directory Server e A Directory Server 5 2 replica that has been configured as a consumer to a legacy 4 x supplier cannot act as a hub replica for this suffix in the topology The main advantage of being able to use a Directory Server 5 2 as a consumer of a legacy Directory Server is to ease the migration of a replicated environment For more information on the steps to follow to migrate a replicated environment s
208. at matches an LDAP filter e Equal indicates that the target is the object specified in the expression and not equal indicates the target is any object not specified in the expression e expression is dependent on the keyword and identifies the target The quotation marks around expression are required The following table lists each keyword and the associated expressions Table 6 1 LDIF Target Keywords Keyword Valid Expressions Wildcard Allowed target Idap distinguished_name yes targetattr attribute yes targetfilter LDAP filter yes targattrfilters LDAP_operation LDAP_filter yes Targeting a Directory Entry Use the target keyword and a DN inside an LDAP URL to target a specific directory entry and any entries below it The targetted DN must be located in the subtree below the entry where the ACI is defined The target expression has the following syntax target ldap distinguished_name target ldap distinguished_name The distinguished name must be in the subtree rooted at the entry where the ACI is defined For example the following target may be used in an ACI on ou People dc example dc com target ldap uid bjensen ou People dc example dc com NOTE If the DN of the entry to which the access control rule applies contains a comma you must escape the comma with a single backslash For example target ldap uid cfuentes o Example Bolivia S A
209. ata via chained suffixes only the data in the proxy control can be verified Consider designing your directory in a way that ensures the user entry is located in the same suffix as the user s data All access controls based on the IP address or DNS domain of the client may not work as the original domain of the client is lost during chaining The remote server views the client application as being at the same IP address and in the same DNS domain as the chained suffix The following restrictions apply to the ACIs you create to use with chained suffixes ACIs must be located on the same server as the groups they use If the groups are dynamic all users in the group must be located with the ACI and the group If the group is static it may refer to remote users Chapter 3 Creating Your Directory Tree 111 Creating Chained Suffixes 112 e ACIs must be located on the same server as any role definitions they use and with any users intended to have those roles e ACTs that refer to values of a user s entry for example userattr subject rules will work if the users are remote Though access controls are always evaluated on the remote server you can also choose to have them evaluated on both the server containing the chained suffix and the remote server This poses several limitations e During access control evaluation contents of user entries are not necessarily available for example if the access control is evaluated on the s
210. atabase configuration entry located in cn databaseName cn ldbm database cn plugins cn config and all entries below it The following command uses the ilash tool of the Sun ONE Directory Server Resource Kit DSRK For information on downloading and using the DSRK please see Downloading Directory Server Tools on page 16 ilash call http host port user cn Directory Manager ieee Enter password for cn Directory Manager password example com dcd cn config config ddelet subtr cn databaseName cn ldbm database cn plugins cn config Removed cn aci cn index cn databaseName cn ldbm database cn plugins cn config Removed cn entrydn cn index cn databaseName cn ldbm database cn plugins cn config pres Removed cn encrypted attributes cn databaseName cn ldbm database cn plugins cn config Removed cn index cn databaseName cn ldbm database cn plugins cn config Removed cn monitor cn databaseName cn ldbm database cn plugins cn config Removed cn databaseName cn ldbm database cn plugins cn config This output shows all of the index configuration entries that were associated with the database and that needed to be removed When the database configuration is entirely deleted the server will remove all database files and directories associated with this suffix 100 Sun ONE Directory Server Administration Guide June 2003 Creating Chained Suffixes Creating Ch
211. ate techie Sn ha p leben Me eae Sele EE 364 Activating SSL rr e EEE EE aoc eee tek otis Sep eee eae Meek R E Se auae ee ws 366 10 Choosing Encryption Ciphers 6 6 ene ete eee n ne ees 368 Allowing Client Authentication 2 0 0 0 0 aa mai iai eee eet na id ia 370 Configuring Client Authentication 2 0 6 6 ccc een ete eens 370 SASL Authentication Through DIGEST MD5 6 66 ccc eee 371 SASL Authentication Through GSSAPI Solaris Only 0 2 2 0 cece cence eee 373 Identity Mapping nises ried ida eheue tee eee ree han arate eee loads 376 Configuring LDAP Clients to Use Security 0 6 ees 379 Configuring Server Authentication in Clients 0 00 c cece cee eens 379 Configuring Certificate Based Authentication in Clients 0 cece eee eee eee eee 381 Using SASL DIGEST MD5 in Clients 2 2 000 c cent ete rinni 385 Using Kerberos SASL GSSAPT in Clients 2 0 0 0 ccc cnet tenes 387 Managing Log Files srep reisean aeaa eee eee eee eee 389 Defining Log File Policies sisi ontisah cates Cot Hohe te ee ON ae esa eags et aes 390 Defining a Log File Rotation Policy 00 ccc cece cee eee rnrn 390 Defining a Log File Deletion Policy 0 06 cece ccc nee ete ees 390 Manual Log File Rotation sca of ci ao Shoe Ba ene A PRE ETA Oe Oe ea dae ae 391 Access LOB geiaio cick eet tk ads ae at eee tea eth Mel hay Se eee ae USE rk 3 GIN cet 391 Errors LOG ai tate aa cen E ad Ms Be TRAA E e iy eae
212. ates with the Principal of bjensen example com this mapping will define the bind DN uid b jensen ou people dc example dc com If this DN exists in the directory the mapping will succeed the client will be authenticated and all operations performed during this connection will use this bind DN The dsMatching pattern is compared to the dsMat ching regexp using the Posix regexec 3C and regcomp 3C function calls Directory Server uses extended regular expressions and all comparisons are case insensitive For more information please refer to the man pages for these functions The attributes values that may contain place holders must encode any and characters that are not part of a place holder even if no place holder is used You must encode these characters with the following values as 24 as 7B and as 7D Using place holders and substitutions allows you to create mappings that extract a username or any other value from the protocol specific credentials and use its value to define a mapped DN or perform a search for a corresponding DN anywhere in the directory You should define the mappings that extract the expected credentials provided by your directory clients and map them to your specific directory structure CAUTION Creating a poorly defined mapping is a security hole For example a mapping to a hard coded DN without pattern matching will always succeed thereby authenticating clients who might not be direct
213. ation agreement 279 ensuring synchronization 306 initializing cascading replicas 286 initializing consumers from the command line 290 initializing multi master replicas 285 monitoring status 315 of ACIs 247 over WAN 297 purge delay 272 referential integrity configuration 83 replica ID 277 replicate_now sh script 307 with SSL 296 resetting user passwords 260 resource limits setting using command line 263 resource limits on users 262 resources monitoring 399 restoring backups dse ldif server configuration file 148 from the command line 147 148 replication considerations 144 using the console 147 retro change log ACIs 315 trimming 314 retro change log plug in enabling 313 overview 312 rights list of 192 roledn keyword 200 roles 154 access to directory 200 creating filtered roles from the command line 162 filtered roles using the console 157 managed roles from the command line 161 managed roles using the console 156 nested roles from the command line 163 nested roles using the console 158 defining an entry s role membership 159 deleting a role definition 160 editing a role definition 159 filtered example 162 filtered roles 155 inactivating members 260 managed roles 155 modifying a role definition 160 nested roles 155 object classes and attributes 161 role based class of service CoS 177 used to assign individual password policies 258 viewing an entry s role membership 159 root DN see Directory Manager root suff
214. ation in the text fields to define your new object class 0 i Name Enter a unique name for the object class Parent Select an existing object class to be the parent By default top is selected and must be used if your object class does not inherit from any other The required and allowed attributes inherited from the parent and its parents are shown in the corresponding lists Typically if you want to add new attributes for user entries the parent would be the inetOrgPerson object class If you want to add new attributes for corporate entries the parent is usually organization or organizationalUunit If you want to add new attributes for group entries the parent is usually groupOfNames or groupOfUniqueNames OID Optional Enter an object identifier for your attribute OIDs are described in Table 9 3 on page 332 If you do not specify an OID the Directory Server automatically uses objectClassName oid Note that for strict LDAP v3 compliance you must provide a valid numeric OID 4 Define the attributes that entries using your new object class will contain 0 To define attributes that must be present select one or more of them in the Available Attributes list and then click the Add button to the left of the Required Attributes box Chapter 9 Extending the Directory Schema 333 Managing Object Class Definitions 334 o To define attribute that may be present select one or more of them in the Available Attrib
215. ation updates and allow read operations but it will return referrals for all write operations from clients You may define the referrals as described in Advanced Multi Master Configuration on page 277 A master will revert to read write mode under the following conditions e Set the dsSBeginReplicaAcceptUpdates configuration attribute to start to explicitly allow update operations You should verify that the new master replica has converged with the other masters before enabling updates This may be done using either the replication configuration panel on the Directory Server console or through the command line see the procedures below Manual intervention is the recommended method for enabling updates on an initialized master because it allows you to verify that the new master is fully synchronized with the other masters before allowing updates 286 Sun ONE Directory Server Administration Guide June 2003 Initializing Replicas If you have previously set the ds5referralDelayAfterInit attribute the master replica will automatically switch to the normal read write mode after the given delay This attribute may be set independently for each master replica on a server If you choose to set this attribute you should determine a delay that is always sufficient to allow the master replica to converge with the other masters after initialization This delay will depend on the size and length of expected initializations and the rate of c
216. ations on the chained suffix In any case the operation will be limited by any time settings on the remote server Set the Connection Management parameters to control how the server manages the network connection and the binding with the remote server eo Maximum LDAP connection s Maximum number of simultaneous LDAP connections that the chained suffix establishes with the remote server The default value is 10 connections Maximum TCP connection s The maximum number of simultaneous TCP connections that the chained suffix establishes with the remote server The default value is 3 connections Maximum binds per connection Maximum number of simultaneous bind operations per LDAP connection The default value is 10 outstanding bind operations per connection Maximum bind retries Number of times a chained suffix attempts to rebind to the remote server upon error A value of 0 indicates that the chained suffix will try to bind only once The default value is 3 attempts Maximum operations per connection Maximum number of simultaneous operations per LDAP connection The default value is 10 operations per connection Bind timeout or No bind timeout Amount of time in seconds before the bind attempts to the chained suffix will time out The default value is 15 seconds Timeout before abandon or No Timeout Number of seconds before the server checks to see if an operation has been abandoned The default value is 2 seconds Connect
217. atively you may select the suffix node and choose Delete from the Object menu A confirmation dialog appears to inform you that all suffix entries will be removed from the directory In addition for a parent suffix you have the choice of recursively deleting all of its subsuffixes Select Delete this suffix and all of its subsuffixes if you want to remove the entire branch Otherwise select Delete this suffix only if you want to remove only this particular suffix and keep its subsuffixes in the directory Click OK to delete the suffix A progress dialog box is displayed that tells you the steps being completed by the console Deleting a Suffix From the Command Line To delete a suffix from the command line use the 1dapdelete command to remove its configuration entries from the directory Chapter 3 Creating Your Directory Tree 99 Managing Suffixes If you wish to delete an entire branch containing subsuffixes you must find the subsuffixes of the deleted parent and repeat the procedure for each of them and their possible subsuffixes 1 Remove the suffix configuration entry using the following command ldapdelet h host p port D cn Directory Manager w password v cn suffixDN cn mapping tree cn config This command removes the suffix from the server starting with the base entry at the suffixDN Now the suffix is no longer visible nor accessible in the directory Remove the corresponding d
218. attribute you may remove its configuration entry and database file For example the following command will unconfigure all indexes for the sn attribute in the database named databaseName Chapter 10 Managing Indexes 349 Managing Indexes ldapdelete h host p port D cn Directory Manager w password cn sn cn index cn databaseName cn ldbm database cn plugins cn config Once you have deleted this entry the indexes for the sn attribute will no longer be maintained in the suffix corresponding to the databaseName database To save disk space you may also delete the corresponding index file because it will no longer be used by the server In this example you could delete the following file ServerRoot s1lapd serverID db databaseName databaseName_sn db3 Reindexing a Suffix If your index files become corrupt you will need to reindex the suffix to recreate the index files in the corresponding database directory There are two ways to reindex a suffix using the Directory Server console either reindexing or reinitialization Reindexing a Suffix When you reindex a suffix the server examines all of the entries it contains and rebuilds the index files During reindexing the contents of the suffix are available for read and write operations However the server must scan the entire suffix for every attribute that is reindexed and this may take up to several hours for suffixes with millions of entries depending on the ind
219. attributes Parent The parent identifies the object class from which an object class inherits its attributes and structure Object classes automatically inherit the required and allowed attributes from their parent object class OID The object identifier of the object class An OID is a string usually of dotted decimal numbers that uniquely identifies the schema object For more information about OIDs or to request a prefix for your enterprise send mail to the IANA Internet Assigned Number Authority at iana iana org or visit the IANA website at http www iana org Sun ONE Directory Server Administration Guide June 2003 Managing Object Class Definitions Creating Object Classes If you are creating several object classes that inherit from one another you must create the parent object classes first If your new object class will use custom attributes you must also define those first NOTE The console only allows you to create structural object classes These object classes must inherit from a parent To define auxiliary and abstract object classes you must use the command line utilities To add your own definition of an object class to the schema 1 On the top level Configuration tab of the Directory Server console select the Schema node in the configuration tree then select the Object Classes tab in the right hand panel Click Create to display the Create Object Class dialog Enter the following inform
220. attrn represents the target attributes o Fn represents filters that apply only to the associated attribute When creating an entry if a filter applies to an attribute in the new entry then each instance of that attribute must satisfy the filter When deleting an entry if a filter applies to an attribute in the entry then each instance of that attribute must also satisfy the filter When modifying an entry if the operation adds an attribute then the add filter that applies to that attribute must be satisfied if the operation deletes an attribute then the delete filter that applies to that attribute must be satisfied If individual values of an attribute already present in the entry are replaced then both the add and delete filters must be satisfied For example consider the following attribute filter targattrfilters add nsroleDN nsRoleDN cn superAdmin amp amp telephoneNumber telephoneNumber 123 This filter can be used to allow users to add any role nsRoleDN attribute to their own entry except the superAdmin role It also allows users to add a telephone number with a 123 prefix 190 Sun ONE Directory Server Administration Guide June 2003 ACI Syntax NOTE You cannot create value based ACIs from the Server Console Targeting a Single Directory Entry There is no explicit way to target a single entry However it can be done e By creating a bind rule that matches user input in the bind request
221. ay be subject to the export or import laws in other countries Nuclear missile chemical biological weapons or nuclear maritime end uses or end users whether direct or indirect are strictly prohibited Export or reexport to countries subject to U S embargo or to entities identified on U S export exclusion lists including but not limited to the denied persons and specially designated nationals lists is strictly prohibited DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS REPRESENTATIONS AND WARRANTIES INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NON INFRINGEMENT ARE DISCLAIMED EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID Copyright 2003 Sun Microsystems Inc 4150 Network Circle Santa Clara California 95054 Etats Unis Tous droits r serv s Droits du gouvernement am ricain utlisateurs gouvernmentaux logiciel commercial Les utilisateurs gouvernmentaux sont soumis au contrat de licence standard de Sun Microsystems Inc ainsi qu aux dispositions en vigueur de la FAR Federal Acquisition Regulations et des suppl ments a celles ci Cette distribution peut comprendre des composants d velopp s par des tierces parties Des parties de ce produit pourront tre d riv es des syst mes Berkeley BSD licenci s par l Universit de Californie UNIX est une marque d pos e aux Etats Unis et dans d autres pays et licenci e exclusivement p
222. based CoS 177 template entry 165 used to assign individual password policies 258 cosAttribute attribute type 171 cosClassicDefinition object class 176 cosIndirectDefinition object class 175 cosIndirectSpecifier attribute type 175 cosPointerDefinition object class 174 cosPriority attribute type 173 cosSpecifier attribute type 176 cosSuperDefinition object class 170 cosTemplate object class 165 cosTemplateDN attribute type 176 434 Sun ONE Directory Server Administration Guide June 2003 D database cache monitoring 402 dayofweek keyword 209 db2bak utility 143 db2index pl perl script 349 db2ldif utility 141 exporting a replica 291 defining access control policy 212 delete right 192 deleting ACI 217 denying access 191 precedence rule 182 DES cipher 369 DIGEST MD5 see SASL directory entries managing from command line 62 directory entries see entries Directory Manager configuring 34 privileges 34 directory server binding to 30 changing bind DN 30 configuration 34 controlling access 179 deleting entries using the console 61 login 30 managing entries using the console 48 MIB 407 modifying entries using the console 54 monitoring 398 monitoring with SNMP 405 overview 20 performance counters 398 starting and stopping 20 Directory Server console starting the console 23 dn db2 file 343 dn2id db2 file 343 dns keyword 207 ds5BeginReplicaAcceptUpdates attribute type 288 ds5ReferralDelayAfterInitattribute type 288 ds5Replica
223. bjectClass vlvIndex cn by MCC entryDN vivSort cn givenname o ou sn uid To delete a browsing index for the Directory Server console 1 On the top level Directory tab of the Directory Server console browse the directory tree to display an entry where you have created a browsing index 2 Right click the entry and select Delete Browsing Index from the pop up menu Alternatively left click the entry to select it and choose Delete Browsing Index from the Object menu This menu item will only be active if the chosen entry has a Browsing Index for the console 3 A Delete Browsing Index dialog box appears asking you to confirm that you want to delete the index Click Yes to delete the browsing index Browsing Indexes for Client Searches Customized browsing indexes for sorting client search results must be defined manually Creating a browsing index or virtual list view VLV index from the command line involves two steps e Add new browsing index entries or edit existing browsing index entries using the ldapmodify utility or the Directory tab of the Directory Server console e Running the vivindex directoryserver vlvindex in the Solaris Packages script to generate the new set of browsing indexes to be maintained by the server Specifying the Browsing Index Entries A browsing index is specific to a given search on a given base entry and its subtree The browsing index configuration is defined in the database configuration of t
224. ble once the suffix is reinitialized As the file is loaded and the corresponding indexes are created all values of the specified attributes will be encrypted 80 Sun ONE Directory Server Administration Guide June 2003 Maintaining Referential Integrity Maintaining Referential Integrity Referential integrity is a plug in mechanism that ensures relationships between related entries are maintained Several types of attributes such as those for group membership contain the DN of another entry Referential integrity can be used to ensure that when an entry is removed all attributes which contain its DN are also removed For example if a user s entry is removed from the directory and referential integrity is enabled the server also removes the user from any groups of which the user is a member If referential integrity is not enabled the user must be manually removed from the group by the administrator This is an important feature if you are integrating the directory server with other Sun ONE products that rely on the directory for user and group management How Referential Integrity Works When the referential integrity plug in is enabled it performs integrity updates on specified attributes immediately after a delete or rename operation By default the referential integrity plug in is disabled Whenever you delete or rename a user or group entry in the directory the operation is logged to the referential integrity log file
225. ble to optimize the number of ACIs used in the directory by using macros Reducing the number of ACIs in your directory tree makes it easier to manage your access control policy and improves the 240 Sun ONE Directory Server Administration Guide June 2003 efficiency of ACI memory usage Advanced Access Control Using Macro ACIs Macros are placeholders that are used to represent a DN or a portion of a DN in an ACI You can use a macro to represent a DN in the target portion of the ACI in the bind rule portion or in both In practice when Directory Server gets an incoming LDAP operation the ACI macros are matched against the resource targeted by the LDAP operation to deterime a matching substring if any If there is a match the bind rule side macro is expanded using the matched substring and access to the resource is determined by evaluating that expanded bind rule Macro ACI Example The benefits of macro ACIs and how they work are best explained using an example Figure 6 4 on page 242 shows a directory tree in which using macro ACIs is an effective way of reducing the overall number of ACIs In this illustration note the repeating pattern of subdomains with the same tree structure ou groups ou people This pattern is also repeated across the tree because the example com directory tree stores the following suffixes dc hostedCompany2 dc example dc com and dc hostedCompany3 dc example dc com The ACIs that apply in the
226. buted directory server based on the industry standard Lightweight Directory Access Protocol LDAP Sun ONE Directory Server software is part of the Sun Open Net Environment Sun ONE Sun s standards based software vision architecture platform and expertise for building and deploying Services On Demand Sun ONE Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in your intranet over your extranet with your trading partners or over the public Internet to reach your customers Purpose of This Guide This Administration Guide describes all of the procedures you need to configure and maintain a directory service based on the Sun ONE Directory Server It includes the procedures for configuring all Directory Server features from the console and from the command line when appropriate Prerequisites This guide describes how to administer the directory server and its contents However this manual does not describe many of the basic directory and architectural concepts that you need to successfully design and deploy your directory service You should be familiar with those concepts which are covered in the Sun ONE Directory Server Deployment Guide Typographical Conventions When you have done the preliminary planning for your directory deployment you can configure your system and install the Sun ONE Directory Server The instructions for installing the various Directory Server com
227. by the client application with this copy to positively identify the user e Configure the server for certificate based authentication as described in Using Client Authentication in Chapter 10 of the Sun ONE Server Console Server Management Guide e Specify the SSL options of the LDAP client for certificate based authentication These procedures require the certutil tool to manage certificates through the command line This tool is available with the Sun ONE Directory Server Resource Kit For more information see Chapter 30 Security Tools in the Sun ONE Directory Server Resource Kit Tools Reference Obtaining and Installing a User Certificate Client certificates must be requested and installed by each user wishing to access the directory with certificate based authentication This procedure assumes the user has already configured a certificate database as described in Configuring Server Authentication in Clients on page 379 1 Create a request for a user certificate with the following command certutil R s cn Babs Jensen ou Sales o example com 1 city st state c country a d path P prefix The s option specifies the DN of the requested certificate Certificate Authorities usually require all of the attributes shown in this example in order to completely identify the owner of the certificate The certificate DN will be mapped to the user s directory DN through the certificate mapping mechanism i
228. cate the template specific to each target This indirect CoS uses the manager attribute of the target entry to identify the CoS template entry The template entry is the manager s user entry and it must contain the value of the attribute to generate The following command creates the indirect CoS definition entry containing the cosIndirectDefinition object class ldapmodify a h host p port D cn Directory Manager w password dn cn generateDeptNum ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass cosSuperDefinition objectclass cosIndirectDefinition cosIndirectSpecifier manager cosAttribute departmentNumber Next add the cosTemplate object class to the template entries and make sure they define the attribute to be generated In this example all manager entries will be templates ldapmodify h host p port D cn Directory Manager w password dn cn Carla Fuentes ou People dc example dc com changetype modify add objectclass objectclass cosTemplate add departmentNumber departmentNumber 318842 Chapter 5 Advanced Entry Management 175 Defining Class of Service CoS 176 With this CoS target entries the entries under ou People dc example dc com containing the manager attribute will automatically have the department number of their manager The departmentNumber attribute is virtual on the target entries because it does not exist in the se
229. ce identifier followed by an optional realm that is often a domain name For example the following are all valid user Principals bjensen bjensen Sales bjensen EXAMPLE COM bjensen Sales EXAMPLE COM Initially there are no GSSAPI mappings defined in the directory You should define a default mapping and any custom mappings you need according to how your clients define the Principal they use To define identity mappings for GSSAPI 1 Create new mapping entries under cn GSSAPI cn identity mapping cn config See Identity Mapping on page 376 for the definition of the attributes in an identity mapping entry Examples of GSSAPI mappings are located in the following file ServerRoot slapd serverID 1dif identityMapping_Examples ldif The default GSSAPI mapping suggested in this file assumes that the Principal contains only a user ID and this determines a user in a fixed branch of the directory Chapter 11 Implementing Security 375 Identity Mapping dn cn default cn GSSAPI cn identity mapping cn config objectclass dsIdentityMapping objectclass nsContainer objectclass top cn default dsMappedDN uid Principal ou people dc example dc com Another example in this file shows how to determine the user ID when it is contained in a Principal that includes a known Realm dn cn same_realm cn GSSAPI cn identity mapping cn config objectclass dsIdentityMapping objectclass dsPatternMatc
230. ce of every bind operation Configuring Attribute Encryption Using the Console 1 Select the Configuration tab in the Directory Server console expand the Data node and select the suffix for which you wish to encrypt attribute values Select the Attribute Encryption tab in the right panel Chapter 2 Creating Directory Entries 77 Encrypting Attribute Values This tab contains a table listing the name and encryption scheme of all currently encrypted attributes for this suffix To enable encryption for an attribute a Click the Add Attribute button to display a list of attributes b Select the attribute you want to encrypt from the list and click OK The attribute is added to the Attribute Name column of the table c Select the Encryption Scheme for this attribute from the drop down list next to the attribute name To make an attribute no longer encrypted select the attribute name from the table and click the Delete Attribute button Click Save You will be prompted to export the contents of the suffix to an LDIF file before the configuration change is made Click Export suffix to open the export dialog or click Continue to modify the attribute encryption configuration without exporting The new configuration will then be saved If you have not already exported the suffix you must do so now in order to save its contents If the suffix contains encrypted attributes you may leave them encrypted in the exported LDIF if you plan
231. certificate database obtain and install a server certificate and trust the CA s certificate as described in Obtaining and Installing Server Certificates on page 359 Then the following procedure will activate SSL communications and enable encryption mechanisms in the directory server 1 On the top level Configuration tab of the Directory Server console select the root node with the server name and then select the Encryption tab in the right hand panel The tab displays the current server encryption settings Indicate that you want encryption enabled by selecting the Enable SSL for this Server checkbox Check the Use this Cipher Family checkbox Select the certificate that you want to use from the drop down menu Click Cipher Settings and select the ciphers you want to use in the Cipher Preference dialog For more information about specific ciphers see Choosing Encryption Ciphers on page 368 Sun ONE Directory Server Administration Guide June 2003 Activating SSL Set your preferences for client authentication Do not allow client authentication With this option the server will ignore the client s certificate or the SASL security mechanism and require a bind DN and password Allow client authentication This is the default setting With this option authentication is performed on the client s request For more information about certificate based authentication see Configuring Client A
232. certificate into his or her certificate database All users may import the same certificate located in certFile Specifying SSL Options for Server Authentication To perform server authentication in SSL with the 1dapsearch tool users only need to specify the path of their certificate database When establishing the SSL connection through the secure port the server will send its certificate The ldapsearch tool will then find in the user s certificate database the trusted CA certificate of the CA that issued the server certificate The following command shows how a user would specify his or her certificate database if it was created by Netscape Communicator ldapsearch h host p securePort D uid bjensen dc example dc com w bindPassword Z P home bjensen netscape cert7 db b dc example dc com givenname Richard Configuring Certificate Based Authentication in Clients The default mechanism for client authentication uses certificates to securely identify users to the directory server In order to perform certificate based authentication of clients you must Chapter 11 Implementing Security 381 Configuring LDAP Clients to Use Security 382 e Obtain a certificate for every directory user and install it where the client application may access it e Configure the user s directory entry with a binary copy of the same certificate During authentication the server will match the certificate presented
233. chFilter filterString A filter string to perform the mapping search LDAP search filters are defined in RFC 2254 http www ietf org rfc rfc2254 txt Additionally a mapping entry may also contain the dsPatternMat ching object class which allows it to use the following attributes e dsMatching pattern patternString Specifies a string on which to perform pattern matching e dsMatching regexp regularExpression Specifies a regular expression to apply to the pattern string All of the attribute values above except for dsSearchScope may contain place holders of the format keyword where keyword is the name of an element in the protocol specific credentials During the mapping the place holder will be substituted for the actual value of the element as provided by the client Chapter 11 Implementing Security 377 Identity Mapping After all place holders have been substituted any pattern matching that is defined will be performed The matching pattern will be compared to the regular expression If the regular expression does not match the pattern string this mapping fails If it does match the matching values of regular expression terms in parentheses will be available as numbered place holders for use in other attribute values For example the following mapping could be defined for SASL dsMatching pattern Principal dsMatching regexp dsMappedDN uid 1 o0u people dc 2 dc 3 If a client authentic
234. cified in the owner attribute of the targeted entry For example you can use this mechanism to allow a group to manage employees status information You can use an attribute other than owner as long as the attribute you use contains the DN of a group entry The group you point to can be a dynamic group and the DN of the group can be under any suffix in the directory However the evaluation of this type of ACI by the server is very resource intensive If you are using static groups that are under the same suffix as the targeted entry you can use the following expression 202 Sun ONE Directory Server Administration Guide June 2003 Bind Rules userattr ldap dc example dc com owner GROUPDN In this example the group entry is under the dc example dc com suffix The server can process this type of syntax more quickly than the previous example Example With ROLEDN Bind Type The following is an example of the userattr keyword associated with a bind based ona role DN userattr exampleEmployeeReportsTo ROLEDN The bind rule is evaluated to be true if the bind DN belongs to the role specified in the exampleEmployeeReportsTo attribute of the targeted entry For example if you create a nested role for all managers in your company you can use this mechanism to grant managers at all levels access to information about employees that are at a lower grade than themselves The DN of the role can be under any suffix
235. ckoutDuration 300 replace passwordUnlock passwordUnlock on Managing Individual Password Policies 254 An individual password policy is defined in a subentry with the passwordPolicy object class The policy may be defined anywhere in your directory tree with a DN of the form cn policy name subtree After defining the password policy using the Directory Server console or the command line utilities you assign the password policy by setting the passwordPolicySubentry attribute in the desired user entry In this section we use the example of implementing a password policy for temporary employees at Example com whose subtree root is dc example dc com Sun ONE Directory Server Administration Guide June 2003 Managing Individual Password Policies Defining a Policy Using the Console 1 On the top level Directory tab of the Directory Server console display the entry where you wish to define the individual password policy subentry Right click on the entry and select New gt Password Policy Alternatively you may left click the entry to select it and choose New gt Password Policy from the Object menu The custom editor for Password Policy entries is displayed In the General fields enter a name and optional description for this policy The name will become the value of the cn naming attribute for the subentry that defines the policy Click on the Password tab to set the following aspects of the policy Specify that
236. click Add to display the Add Host Filter dialog box In the DNS host filter field type example com Click OK to dismiss the dialog box Chapter 6 Managing Access Control 227 Access Control Usage Examples 228 7 To create the value based filter that will allow employees to add only group entries to this subtree switch to manual editing by clicking the Edit Manually button Add the following to the beginning of the LDIF statement targattrfilters add objectClass objectClass groupOfNames The LDIF statement should read as follows targetattr targattrfilters add objectClass objectClass groupOfNames target ldap ou social committee dc example dc com version 3 0 acl Create Group allow read search add userdn ldap all and dns example com 8 Click OK The new ACI is added to the ones listed in the Access Control Manager window ACI Delete Group In LDIF to grant example com employees the right to modify or delete a group entry which they own under the ou Social Comittee branch you would write the following statement aci target ou social committee dc example dc com targetattr targattrfilters del objectClass objectClass groupOfNames version 3 0 acl Delete Group allow write delete userattr owner GROUPDN This example assumes that the aci is added to the ou social committee dc example dc com entry Using the console is no
237. cn index cn databaseName cn ldbm database cn plugins cn config objectClass top objectClass nsIndex cn sn nsSystemIndex false nsIndexType pres nsIndexType eq nsIndexType sub nsIndexType approx nsMatchingRule 1 3 6 1 4 1 42 2 27 9 4 76 1 Index configuration entries have the nsIndex object class and the nsSystemIndex attribute must be present and its value must be false You cannot create a new system index Only the existing system indexes defined internally by Directory Server will be maintained Chapter 10 Managing Indexes 347 Managing Indexes The values of the nsIndexType attribute list the indexes that will be maintained for the given attribute Use any of the values shown above to define the corresponding index You may also use the single value none to explicitly disable indexes for the attribute for example in order to temporarily disable indexing of the attribute If you do not include the ns IndexType attribute in your index configuration entry all indexes will be maintained by default The optional nsMat chingRule attribute contains the OID of a language collation order for internationalized indexes For the list of supported locales and the OID of their associated collation order see Appendix C Directory Internationalization in the Sun ONE Directory Server Reference Manual For more information about index configuration attributes see Default Index Attributes in Chapter 5 of the Sun ONE
238. created an administrators role with a cn of DirectoryAdmin c Click the Add button to list the administrators role in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box On the Rights tab click the Check All button On the Targets tab click This Entry to display the ou Company 333 ou corporate clients dc example dc com suffix in the target directory entry field On the Hosts tab click Add to display the Add Host Filter dialog box In the IP address host filter field type 255 255 123 234 Click OK to dismiss the dialog box The IP address must be a valid IP address for the host machine that the Company333 administrators will use to connect to the example com directory On the Times tab select the block time corresponding to Monday through Thursday and 8 am to 6 pm A message appears below the table that specifies what time block you have selected To enforce SSL authentication from Company333 administrators switch to manual editing by clicking the Edit Manually button Add the following to the end of the LDIF statement and authmethod ssl The LDIF statement should be similar to aci targetattr target ou Company333 ou corporate clients dc example dc com version 3 0 acl Company333 allow all roledn ldap cn DirectoryAdmin ou Company333 ou corporate clients dc example dc com and dayofweek Mon Tues Wed Thu and timeof
239. ction time By default connections are unlimited which is defined by the value 0 Error Detection Parameters e nsmaxresponsedelay Maximum amount of time a remote server may take to respond to the initiation of an LDAP request for a chained operation This period is given in seconds After this delay the local server will test the connection The default delay period is 60 seconds e nsmaxtestresponsedelay Duration of the test to check whether the remote server is responding The test is a simple search request for an entry which does not exist This period is given in seconds If no response is recieved during the test delay the chained suffix assumes the remote server is down The default test response delay period is 15 seconds If you have defined only one remote server for this chained suffix all chained operations to remote server will be blocked for 30 seconds to protect against overloading If you have defined failover servers chained operations will begin using the next alternate server defined Sun ONE Directory Server Administration Guide June 2003 Creating Chained Suffixes Setting Default Chaining Parameters Using the Console 1 On the top level Directory tab of the Directory Server console expand the directory tree and select the following entry cn default instance config cn chaining database cn plugins cn config Double click this entry or select the Object gt Edit with Generic Editor menu item Modify
240. ctory e CoS Definition Entry Identifies the type of CoS you are using and the name of the CoS attribute that will be generated Like the role definition entry it inherits from the LDAPsubent ry object class The scope of the CoS is the entire subtree below the parent of the CoS definition entry Multiple definitions may exist for the same CoS attribute which may therefore be multivalued e Template Entry Contains the values of one or more virtual attributes All entries within the scope of the CoS will use the values defined here There may also be multiple template entries in which case the generated attribute may be multivalued There are three types of CoS each of which corresponds to a different interaction between the CoS definition and template entries e Pointer CoS The CoS definition entry directly identifies the template entry by its DN All target entries will have the same value for the CoS attribute as given in the template e Indirect CoS The CoS definition identifies an attribute called the indirect specifier whose value in a target entry must contain the DN of a template With indirect CoS each target entry may use a different template and thus have a different value for the CoS attribute Sun ONE Directory Server Administration Guide June 2003 Defining Class of Service CoS e Classic CoS The CoS definition identifies the base DN of the template and a specifier which is the name of an attribute in target
241. ctory Server Administration Guide June 2003 Restoring Data from Backups ServerRoot slapd serverID config The dse 1dif startoOk file records a copy of the dse 1dif file at server start up The dse ldif bak file contains a backup of the most recent changes to the dse 1ldif file Copy the file with the most recent changes to your directory To restore the dse 1dif configuration file 1 As root from the command line stop the server with the following command Solaris Packages usr sbin directoryserver stop Other Installations ServerRoot slapd serverID stop slapd 2 Change to the directory containing the configuration files 3 Overwrite the dse 1dif file with a backup configuration file known to be good For example you might type the following cp dse ldif startOK dse ldif 4 Start the server with the appropriate command Solaris Packages usr sbin directoryserver start Other Installations ServerRoot slapd serverID start slapd Chapter 4 Populating Directory Contents 149 Restoring Data from Backups 150 Sun ONE Directory Server Administration Guide June 2003 Chapter 5 Advanced Entry Management Beyond the hierarchical structure of data in a directory managing entries that represent users often requires creating groups and sharing common attribute values Sun ONE Directory Server provides this advanced entry management functionality through groups roles and class of service CoS Groups are entries that n
242. d during server installation or configuration 4 Click the Start or Stop button to perform the desired action When stopping the Directory Server you will be asked to confirm that you want to stop the service Chapter 1 Introduction to Sun ONE Directory Server 21 Starting the Server with SSL Enabled Starting and Stopping the Server From the Console All Platforms When the Directory Server console is running you may start stop and restart your directory server through its graphical interface For instructions on running the console see Starting Directory Server Console on page 23 1 On the top level Tasks tab of the Directory Server console click the button beside Start Directory Server Stop Directory Server or Restart Directory Server as appropriate When you successfully start or stop your Directory Server from the Directory Server console the console displays a message dialog stating that the server has been either started or shut down In case of an error the console will show all messages pertaining to the error Starting the Server with SSL Enabled 22 Before enabling SSL you must install and configure certificates on your server For instructions on managing certificates and enabling SSL see Chapter 11 Implementing Security For information on certificates certificate databases and obtaining a server certificate see Chapter 10 Using SSL and TLS with Sun ONE Servers
243. d from four to one However the real benefit is a factor of how many repeating patterns you have down and across your directory tree Chapter 6 Managing Access Control 243 Advanced Access Control Using Macro ACIs 244 Macro ACI Syntax To simplify the discussion in this section the ACI keywords used to provide bind credentials such as userdn roledn groupdn and userattr are collectively called the subject of the ACI The subject determines to whom the ACI applies Macro ACIs include the following types of expressions to replace a DN or part of a DN e dn For matching in the target and direct substitution in the subject e dn For substituting multiple RDNs that work in subtrees of the subject e Sattr attributeName For substituting the value of the attributeName attribute from the target entry into the subject Table 6 3 shows in what parts of the ACI you can use DN macros Table 6 3 Macros in ACI Keywords Macro ACI Keyword dn target targetfilter userdn roledn groupdn userattr dn targetfilter userdn roledn groupdn userattr Sattr attrName userdn roledn groupdn userattr The following restrictions apply e When using the dn and dn macros ina subject you must define a target that contains the dn macro e You can combine the Sdn macro but not San with the Sattr attrName macro in a subject Matching for dn in the Target The dn macro in the target of an ACI de
244. d the behaviors implied by each are complimentary Also the qualifiers may be specified in any order after the attribute name NOTE When there are multiple CoS definitions for the same attribute they must all have the same override and merge qualifiers When different pairs of qualifiers occur in CoS definitions one of the combinations is selected arbitrarily among all definitions Cos Attribute Priority If there are multiple CoS definitions or multivalued specifiers but no merge schemes qualifier the Directory Server uses a priority attribute to select a single template that defines the single value of the virtual attribute The cosPriority attribute represents the global priority of a particular template among all those being considered A priority of zero is the highest priority Templates that contain no cosPriority attribute are considered the lowest priority When two or more templates provide an attribute value but have the same or no priority a value is chosen arbitrarily Template priorities are not taken into account when using the merge schemes qualifier When merging all templates being considered define a value regardless of any priority they define The cosPriority attribute is defined on CoS template entries as described in the following section NOTE The cosPriority attribute must not have a negative value Also attributes generated by indirect CoS do not support priority Do not use cosPriority in template e
245. d turn off schema checking in the consumer server if the attribute set that you replicate does not allow all replicated entries to follow the schema Replication of non conforming entries will not cause errors because the replication mechanism bypasses schema checking on the consumer However the consumer will contain non conforming entries and should have schema checking turned off to expose a coherent state to its clients Fractional replication is configured in the replication agreement of master replicas with hubs and dedicated consumers Configuration of fractional replication between two master replicas in a multi master replication environment is not supported Also if several masters have replication agreements with the same replica all these agreements must replicate the same set of attributes The fractional replication functionality provided in Sun ONE Directory Server 5 2 is not backward compatible with previous versions of Directory Server When configuring a fractional replication agreement both the master and consumer replicas must be on Directory Server 5 2 instances Defining the Attribute Set An attribute set is a list of attributes that will be replicated exclusive of all others when fractional replication is enabled on a replica You may define any number of attribute sets on the master server and then associate one of them with a replication agreement 1 On the top level Configuration tab of the Directory Server consol
246. dMaxFailure 3 passwordUnlock on passwordLockoutDuration 3600 passwordResetFailureCount 600 The definition of all possible attributes in a password policy is given in cn Password Policy in Chapter 4 of the Sun ONE Directory Server Reference Manual Assigning Password Policies Assigning individual password policies consists of pointing to the appropriate policy subentry Either you add the policy to a single entry as the value of passwordPolicySubentry or you manage the policy with CoS and roles You must also set access control to prevent users from modifying the password policy that applies to them Using the Console The Directory Server console provides an interface for managing the password policy assigned to a user or group Chapter 7 User Account Management 257 Managing Individual Password Policies 1 On the top level Directory tab of the Directory Server console display the user or group entry where you wish to assign or modify the individual password policy 2 Right click the entry and select Set Password Policy from the pop up menu Alternatively you may left click the entry to select it and then choose Set Password Policy from the Object menu 3 The Password Policy dialog tells you which password policy applies to this entry e If the global policy applies click Assign to select a password policy subentry anywhere in the directory tree e If an individual policy is already defined you may rep
247. dapmodify h host p port D cn Directory Manager w password dn cn uid uniqueness cn plugins cn config changetype modify replace nsslapd pluginEnabled nsslapd pluginEnabled on or off D Modify the plug in arguments according to how you wish to specify the subtrees where uniqueness is enforced To specify the base DN of a single subtree modify the value of nsslapd pluginargl ldapmodify h host p port D cn Directory Manager w password dn cn uid uniqueness cn plugins cn config changetype modify replace nsslapd pluginArgl nsslapd pluginArgl1 subtreeBaseDN sD To specify more than one subtree add more arguments with the full base DN of a subtree as the value of each argument ldapmodify h host p port D cn Directory Manager w password dn cn uid uniqueness cn plugins cn config changetype modify add nsslapd pluginArg2 nsslapd pluginArg2 subtreeBaseDN add nsslapd pluginArg3 nsslapd pluginArg3 subtreeBaseDN AD To specify subtrees according to the object class of their base entries set the arguments to the following values Uniqueness of the uid attribute will be enforced in the subtree below every entry with the baseObjectClass Optionally you may specify the entryObjectClass in the third argument so that the plug in enforces uniqueness only in operations that target entries with this object class ldapmodify h host p port D cn Directory Manager w pas
248. day gt 0800 and timeofday lt 1800 and ip 255 255 123 234 and authmethod ssl Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples 9 Click OK The new ACI is added to the ones listed in the Access Control Manager window Denying Access If your directory holds business critical information you might specifically want to deny access to it For example example com wants all subscribers to be able to read billing information such as connection time or account balance under their own entries but explicitly wants to deny write access to that information This is illustrated in ACI Billing Info Read and ACI Billing Info Deny respectively ACI Billing Info Read In LDIF to grant subscribers permission to read billing information in their own entry you would write the following statement aci targetattr connectionTime accountBalance version 3 0 acl Billing Info Read allow search read userdn ldap self This example assumes that the relevant attributes have been created in the schema and that the ACI is added to the ou subscribers dc example dc com entry From the console you can set this permission by doing the following 1 On the Directory tab right click the subscribers entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager
249. default change log settings To modify these settings 1 On the top level Configuration tab of the Directory Server console select the Data node and then the Replication tab in the right hand panel You might need to refresh the contents of this tab by checking the Enable Changelog checkbox and clicking the Reset button You should then see the change log file that you chose in the replication wizard You may change the name of the change log file and update the change log parameters a Max changelog records Determines the total number of modifications to store for sending updates to consumers By default it is unlimited You may wish to limit the number of records to save disk space if your replica receives many large modifications b Max changelog age Determines the time for which the hub will store updates it must send to consumers By default it is unlimited The max age parameter is the recommended way to limit the size of the change log 274 Sun ONE Directory Server Administration Guide June 2003 Configuring a Hub The replication wizard also uses the default replication manager If you have created a different replication manager entry that you wish to use you need to set the advanced configuration You may also use this dialog to set referrals for modifications and the purge delay 1 On the top level Configuration tab of the Directory Server console expand both the Data node and the node for the suffix you wish
250. desired Select the DN of a chained suffix in the list to view its statistics The table to the right lists the count of all different operations performed on the chained suffix Monitoring Your Server From the Command Line You can monitor your directory server s current activities from any LDAP client by performing a search operation on the following entries e cn monitor e cn monitor cn ldbm database cn plugins cn config e cn monitor cn dbName cn ldbm database cn plugins cn config e cn monitor cn dbName cn chaining database cn plugins cn config where dbName is the database name of the suffix that you want to monitor Note that except for information about each connection by default the cn monitor entry is readable by anyone including clients bound anonymously The following example shows how to view the general server statistics ldapsearch h host p port D cn Directory Manager w password s bas b cn monitor objectclass For the description of all monitoring attributes available in these entries please see to the corresponding section of the Sun ONE Directory Server Reference Manual e Monitoring Attributes in Chapter 4 e Database Monitoring Attributes in Chapter 5 e Database Monitoring Attributes under cn dbName in Chapter 5 e Chained Suffix Monitoring Attributes in Chapter 5 Chapter 12 Managing Log Files 403 Monitoring Server Activity 404 Sun ONE Directory Ser
251. ding is also used in the following cases e The client provides a valid Authorization header but no certificate when clientCertOnly is specified e The client provides a valid certificate but no Authorization header when httpBasicOnly is specified Regardless of the ds hdsml clientauthmethod attribute value if a certificate is provided but it cannot be matched to an entry or if the HTTP Authorization header is specified but cannot be mapped to a user entry the DSML request will be rejected with error message 403 Forbidden To set the DSML security requirements through the console 1 On the top level Configuration tab of the Directory Server console select the root node in the configuration tree and select the Encryption tab in the right hand panel 42 Sun ONE Directory Server Administration Guide June 2003 3 Configuring DSML You must have already configured and enabled SSL as described in Chapter 11 Implementing Security Select one of the choices for the drop down menu in the DSML Client Authentication field Click Save and then restart the server to enforce this new security setting To set the DSML security requirements through the command line 1 Run the following ldapmodify command to edit the attribute of the DSML front end plug in ldapmodify h host p LDAPport D cn Directory Manager w passwd dn cn DSMLv2 SOAP HTTP cn frontends cn plugins cn config changetype modify replace
252. ditional attribute nsslapd parent suffix parentSuffixDN The suffixDN is the full DN of the new suffix For a root suffix the convention is to use the domain component dc naming attribute for example dc example dc org In the case of a subsuffix the suffixDN includes the RDN of the subsuffix and the DN of its parent suffix for example ou Contractors dc example dc com NOTE Suffix names are in the DN format but are treated as a single string Therefore all spaces are significant and are part of the suffix name Access to this suffix will need to respect the same spacing used in the suffixDN string The databaseName is a name for the internally managed database associated with this suffix The name must be unique among the databaseNames of all suffixes and by convention it is the value of the first naming component of the suffixDN The databaseName is also the name of the directory containing database files for the suffix and therefore should contain only ASCII 7 bit alphanumeric characters hyphens and underscores _ For a subsuffix the parentSuffixDN is the exact DN of the parent suffix 2 Create the database configuration entry with the following command ldapmodify a h host p port D cn Directory Manager w password dn cn databaseName cn ldbm database cn plugins cn config objectclass top objectclass extensibleObject objectclass nsBackendInstance cn databaseName nsslapd suffix suff
253. e LDAP client application in a location that is accessible only to them for example a protected subdirectory of their home directory 2 Contact the Certificate Authority that issued the certificate for the directory server you wish to access and request their CA certificate You may send email or access their website to obtain a PEM encoded text version of their PKCS 11 certificate Save this certificate in a file Sun ONE Directory Server Administration Guide June 2003 Configuring LDAP Clients to Use Security For example if you are using an internally deployed Sun ONE Certificate Server you will go to a URL of the form https hostname 444 From the top level Retrieval tab select Import CA Certificate Chain and copy the encoded certificate there Alternatively if you obtain your client and server certificates from the same CA you may reuse the CA certificate obtained through the procedure for Trusting the Certificate Authority on page 364 3 Import the CA certificate as a trusted CA for issuing server certificates used in SSL connections Use the following command certutil A n certificateName t C a i certFile d path P prefix where certificateName is a name you give to identify this certificate certFile is the text file containing the PKCS 11 certificate of the CA in PEM encoded text format and path and prefix are the same as in Step 1 Every user of the LDAP client application must import the CA
254. e following location http wwws sun com software download Installation instructions and reference documentation for the DSRK tools is available in the Sun ONE Directory Server Resource Kit Tools Reference For developing directory client applications you may also download the Sun ONE LDAP SDK for C and the Sun ONE LDAP SDK for Java from the same location Additionally Java Naming and Directory Interface INDI technology supports accessing the Directory Server using LDAP and DSML v2 from Java applications Information about JNDI is available from http java sun com products jndi The JNDI Tutorial contains detailed descriptions and examples of how to use JNDI It is available at http java sun com products jndi tutorial Suggested Reading Sun ONE Directory Server product documentation includes the following documents delivered in both HTML and PDF 16 Sun ONE Directory Server Administration Guide June 2003 Suggested Reading Sun ONE Directory Server Getting Started Guide Provides a quick look at many key features of Directory Server 5 2 Sun ONE Directory Server Deployment Guide Explains how to plan directory topology data structure security and monitoring and discusses example deployments Sun ONE Directory Server Installation and Tuning Guide Covers installation and upgrade procedures and provides tips for optimizing Directory Server performance Sun ONE Directory Server Administration Guide G
255. e modify add jpegphoto binary jpegphoto binary lt file path filename jpg The spaces before and after lt are significant and must be used exactly as shown In order to use the lt syntax to specify a filename you must begin the LDIF statement with the line version 1 When ldapmodify processes this statement it will set the attribute to the value read from the entire contents of the given file Adding an Attribute with a Language Subtype Language and pronunciation subtypes of attributes designate localized values When you specify a language subtype for an attribute the subtype is added to the attribute name as follows attribute Lang CC where attribute is an existing attribute type and CC is the two letter country code to designate the language You may optionally add a pronunciation subtype to a language subtype to designate a phonetic equivalent for the localized value In this case the attribute name becomes attribute Lang CC phonetic To perform an operation on an attribute with a subtype you must explicitly match its subtype For example if you want to modify an attribute value that has the lang fr language subtype you must include lang fr in the modify operation as follows ldapmodify h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com changetype modify replace homePostalAddress lang fr homePostalAddress lang fr 34 avenue des Champs Elys
256. e select the Data node and then the Replication tab in the right hand panel Sun ONE Directory Server Administration Guide June 2003 Configuring Fractional Replication 2 Click the Manage Replicated Attribute Sets button at the bottom of the Replication tab You may have to scroll down to see this button 3 Click Add to define a new attribute set or select an existing one from the list and click Edit to modify it In the Attribute Set dialog box that is displayed select or deselect the checkbox in the Replicate column to include or exclude the corresponding attribute from the set A checked box next to an attribute name indicates that it will be replicated By default all attributes are selected and it is recommended that you deselect only those attributes you specifically do not wish to replicate If you wish to start over with your selection the Check All button will select all attributes again When you deselect a number of attributes the directory server will replicate all attributes except the ones which are deselected If new attributes are later defined in the schema and used in replicated entries those new attributes will be replicated unless you edit the attribute set to deselect them Clicking the Check None button will deselect all attributes and you may then select the attributes to include in your set When you define your exact set of attributes after clicking on Check None only the selected attributes will be replicat
257. e 4 2 Description of ldif2db Options Used in the Examples Option Description n Specifies the name of the database into which you are importing the data CAUTION If you a specify a database in the n option that does not correspond to the suffix contained in the LDIF file all of the data contained in the database is deleted and the import fails Make sure that you do not misspell the database name i Specifies the full path name of the LDIF file s to be imported This option is required You can use multiple i arguments to import more than one LDIF file at a time When you import multiple files the server imports the LDIF files in the order in which you specify them from the command line For more information about using this command see Idif2db in Chapter 2 of the Sun ONE Directory Server Reference Manual Initializing a Suffix Using the Idif2db pl Perl Script As with the 1dif2db command the 1dif2db p1 script directoryserver 1dif2db task in the Solaris Packages overwrites the data in a suffix you specify This script requires the server to be running in order to perform the import CAUTION This script overwrites the data in your suffix The command for this script is platform dependent usr sbin directoryserver ldif2db task Windows Platforms cd ServerRoot Other Installations bin slapd admin bin perl slapd serverID 1dif2db pl ServerRoot slapd serverID 1dif2db pl The following examples import
258. e Add Users and Groups dialog box 4 On the Rights tab click the Check All button All checkboxes are ticked except for Proxy rights 5 Click OK The new ACI is added to the ones listed in the Access Control Manager window Granting Rights to Add and Delete Group Entries Some organizations want to allow employees to create entries in the tree if it can increase their efficiency or if it can contribute to the corporate dynamics At example com for example there is an active social committee that is organized into various clubs tennis swimming skiing role playing etc Any example com employee can create a group entry representing a new club This is illustrated in the ACI Create Group example Any example com employee can become a member of one of these groups This is illustrated in ACI Group Members under Allowing Users to Add or Remove Themselves From a Group on page 233 Only the group owner can modify or delete a group entry This is illustrated in the ACI Delete Group example Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples ACI Create Group In LDIF to grant example com employees the right to create a group entry under the ou Social Committee branch you would write the following statement aci target ldap ou social committee dc example dc com targetattr targattrfilters add objectClass objectClass groupOfNames version 3 0
259. e Create New Role dialog you must type a name for your new role in the Role Name field and you may add an optional description of the role in the Description field The group name will become the value of the cn common name attribute for the new role entry and appear in its DN Click Members in the left hand list of the dialog and select the Filtered Role radio button in the right hand panel Enter an LDAP filter in the text field to define the filter that will determine role members Or click Construct to be guided through the construction of an LDAP filter If you click Construct the Construct LDAP Filter dialog appears Disregard the LDAP Server Host Port Base DN and Search scope fields because you cannot specify these in a filtered role definition a Search only for users in a filtered role This will add the component objectclass person to the filter If you do not want this component you must edit the LDAP filter in the text field of the Create New Role dialog b Refine the filter by selecting an attribute from the Where drop down list and setting the matching criteria To add additional filters click More To remove unnecessary filters click Fewer c Click OK to use your filter in the filtered role definition You may then edit the filter in the text field to modify any component Click Test to try your filter A Filter Test Result dialog will display the entries that currently match your filter
260. e Generally create ACIs that use the following keywords roledn userattr authmethod Sun ONE Directory Server Administration Guide June 2003 Creating ACIs Using the Console TIP In the Access Control Editor you can click on the Edit Manually button at any time to check the LDIF representation of the changes you make through the graphical interface Viewing the ACls of an Entry 1 On the top level Directory tab of the Directory Server console browse the directory tree to display the entry for which you wish to set access control You must have directory administrator or directory manager priveleges to edit ACIs 2 Right click the entry and select Set Access Permissions from the pop up menu Alternatively left click the entry to select it and choose Set Access Permissions from the Object menu The Access Control Management dialog is displayed as shown in the following figure It lists the description of all ACIs defined on the selected entry and allows you to edit or remove them and create new ones Figure 6 2 The Access Control Management Dialog EI Manage Access Control for ou People dc example dc com An Access Control Instruction ACI is a set of permissions used to control howvand when users can access information This object is currently using the following Access Control Instructions Allow self entry modification Accounting Managers Group Permissions HR Group Permissions QA Group Permissions h ai
261. e Selector dialog box that appears select one or more roles from the list of available roles and click OK Click OK to create the nested role entry The new role appears in the directory with the icon for a nested role To modify the scope of the nested role use the command line procedure shown in Example of a Nested Role Definition on page 163 Viewing and Editing an Entry s Roles 1 On the top level Directory tab of the Directory Server console browse the directory tree to display the entry for which you want to view or edit a role Right click the entry and select Set Roles from the pop up menu Alternatively you may left click the entry to select it and choose Set Roles from the Object menu The Set Roles dialog is displayed Select the Managed Roles tab to display the managed roles to which this entry belongs You may perform the following actions To add a new managed role click Add and select an available role from the Role Selector window Click OK in the Role Selector window To remove a managed role select it and click Remove To edit a managed role associated with an entry select it in the table and click Edit The role is displayed in the custom editor for Roles Make any changes to the role and click OK to save the new role definition Chapter 5 Advanced Entry Management 159 Assigning Roles 160 Select the Other Roles tab to view the filtered or nested roles to which this entry belongs To ch
262. e defined Certain languages also have pronunciation fields where you may enter phonetical representation of the localized values 5 Click OK to save your changes to the entry and close the custom editor dialog Modifying Entries With the Generic Editor The generic editor allows you to see all readable attributes of an entry and edit its writable attributes according to the bind DN used to log into the console It allows you add and remove attributes set multivalued attributes and manage the object classes of the entry When adding attributes you may define subtypes for binary attributes and language support Invoking the Generic Editor To invoke the generic editor for any entry in the directory 1 On the top level Directory tab of the Directory Server console expand the directory tree to display the entry that you wish edit 2 Right click the entry and select the Edit With Generic Editor item Several alternate actions also invoke the generic editor o _Left click the entry to select it then select the Object gt Edit With Generic Editor menu item o Double click on the entry if its object class is not listed in Table 2 1 on page 49 The generic editor will be used by default for object classes that do not have a custom editor The generic editor is displayed as shown in the following figure Sun ONE Directory Server Administration Guide June 2003 Managing Entries Using the Console Figure 2 2 Directory Server
263. e directory and entry cache hits Values for these variables are also mixed in with operation variables in the attributes of the cn snmp cn monitor entry of the directory See Monitoring Attributes in Chapter 4 of the Sun ONE Directory Server Reference Manual Interaction Table Contains statistics about the last 5 directory servers with which this directory server has communicated The objects of this table are described in SNMP Monitoring in Chapter 8 of the Sun ONE Directory Server Deployment Guide Entity Table Contains variables that describe this instance of Directory Server such as its server ID and version The objects of this table are described in SNMP Monitoring in Chapter 8 of the Sun ONE Directory Server Deployment Guide Before you can use the directory s MIB you must compile it along with the MIBs that you will find in the following directory ServerRoot plugins snmp mibs For information on how to compile MIBs see your SNMP product documentation Setting Up SNMP The steps for setting up SNMP monitoring for your directory depend on whether your host platform is UNIX AIX or Windows Chapter 13 Monitoring Directory Server Using SNMP 407 Setting Up SNMP 1 Set up SNMP on your platform as described in the following sections o On UNIX Platforms on page 408 o On AIX Platforms on page 408 o On Windows Platforms on page 409 2 Follow the instrcutions for Configuring SNMP
264. e encoded as dstring dstring where each dstring component is encoded as a value with DirectoryString syntax Backslashes and dollar characters within dstring must be quoted so that they will not be mistaken for line delimiters Many servers limit the postal address to 6 lines of up to thirty characters For example 1234 Main St Anytown CA 12345SUSA Indicates that values for this attribute are in the form of telephone numbers It is recommended to use telephone numbers in international form Indicates that the values for this attribute contain a URL with an optional prefix such as http https ftp ldap or ldaps The URI values have the same behavior as A5String see RFC 2396 http www ietf org rfc rfc2396 txt Chapter 9 Extending the Directory Schema 329 Managing Attribute Definitions Creating Attributes To add your own definition of an attribute to the schema 1 On the top level Configuration tab of the Directory Server console select the Schema node in the configuration tree then select the Attributes tab in the right hand panel 2 Click Create to display the Create Attribute dialog 3 Enter the following information in the text fields to define your new attribute Only the attribute name and syntax are required o Attribute Name Enter a unique name for the attribute also called its attribute type Attribute names must begin with a letter and only contain ASCII letters digits and
265. e existing change log will be deleted from the old location and a new one will be kept in the new location 3 Click Save in the Replication tab 4 Restart the Directory Server 5 Reinitialize your consumers as described in Initializing Replicas on page 284 Keeping Replicas in Sync After you stop a directory server involved in replication for regular maintenance when it comes back online you need to ensure that it gets updated through replication immediately In the case of a master in a multi master environment the directory information needs to be updated by another master in the multi master set In other cases after a hub replica or a dedicated consumer is taken offline for maintenance when they come back online they need to be updated by the master replica This section describes the replication retry algorithm and how to force replication updates to occur without waiting for the next retry NOTE The procedures described in this section can be used only when replication is already set up and consumers have been initialized Replication Retry Algorithm When a supplier is unsuccessful in an attempt to replicate to a consumer it retries periodically in incremental time intervals The retry pattern is as follows 20 40 80 160 then 300 seconds The supplier will then retry every 300 seconds 5 minutes Note that even if you have configured replication agreements to always keep the supplier replica and the c
266. e following search ldapsearch h host p port D uid bjensen dc example dc com w password b dc example dc com objectclass mail The following ACI is used to determine whether user b jensen can be granted access for searching aci targetattr mail version 3 0 acl self access to mail allow read search userdn ldap self The search result list is empty because this ACI does not allow bjensen the right to search on the objectclass attribute If you want the search operation described above to be successful you must modify the ACI to read as follows aci targetattr mail objectclass version 3 0 acl self access to mail allow read search userdn ldap self Permissions Syntax In an ACI statement the syntax for permissions is allow deny rights where rights is a list of 1 to 8 comma separated keywords enclosed within parentheses Valid keywords are read write add delete search compare selfwrite proxy or all In the following example read search and compare access is allowed provided the bind rule is evaluated to be true aci target ldap dc example dc com version 3 0 acl example allow read search compare bindRule Bind Rules Depending on the ACIs defined for the directory for certain operations you need to bind to the directory Binding means logging in or authenticating yourself to the directory by providing a bind DN and password
267. e for Binary Copy Without Stopping the Server on page 294 1 Install Directory Server on the target machine for the new replica create a new instance of the server if necessary and then configure it according to the Binary Copy Restrictions on page 293 2 Create all replication agreements in your replication topology that involve this replica This includes agreements from suppliers to this replica and if it is not a dedicated consumer from this replica to its consumers 3 Stop the target server that will be initialized or reinitialized as described in Starting and Stopping the Directory Server on page 20 4 Select a fully configured and initialized replica of the same type that you wish to initialize either master hub or consumer and stop this server as well If you are cloning a master replica in a multi master configuration you should ensure that it is fully up to date with all of the latest changes from the other masters before stopping it 5 Copy or transfer all database files including transaction logs from the source replica machine to the target machine for example using the ftp command Unless the files have been relocated database files and transaction logs are located in the ServerRoot slapd serverID db directory If you are initializing a master or hub replica you must also copy all files in the change log located in ServerRoot slapd serverID changelog by default 6 Restart both the
268. e host userdir example com 3 During the installation of the user directory you are prompted to provide an LDAP URL that points to the configuration directory server for example ldap configdir example com o NetscapeRoot 4 The installation program configures and enables the PTA plug in in the user directory with the LDAP URL you provided The user directory is now configured as a PTA directory It will send all bind requests for entries whose DN contains o Net scapeRoot to the configuration directory configdir example com 5 When installation is complete the admin user attempts to bind to the user directory to begin creating the user data The admin entry is stored in the configuration directory as uid admin ou Administrators ou TopologyManagement o Net scapeRoot So the user directory passes the bind request through to the configuration directory as defined by the PTA plug in configuration 6 The configuration directory authenticates the bind credentials including the password and sends the confirmation back to the user directory 7 The user directory allows the admin user to bind Sun ONE Directory Server Administration Guide June 2003 Configuring the PTA Plug In Configuring the PTA Plug In PTA plug in configuration information is specified in the cn Pass Through Authentication cn plugins cn config entry on the PTA server If you installed the user and configuration directories on different server i
269. e replicas Once you have chosen the replication manager for each consumer 1 Write down or remember the replication manager DN that you chose or created You will need this DN and its password later when creating the replication agreement with this consumer on its supplier 2 If you define a password expiration policy you must remember to exclude the replication manager or else replication will fail when the password expires To disable password expiration on the replication manager entry create a password policy in which passwords do not expire and assign it to the replication manager entry For more information see Managing Individual Password Policies on page 254 Configuring a Dedicated Consumer 270 A dedicated consumer is a read only copy of a replicated suffix It receives updates from master servers that bind as the special Replication Manager to make changes Configuring the consumer server consists of preparing an empty suffix to hold the replica and enabling replication on that suffix using the replication wizard Optional advanced configuration includes choosing a different replication manager setting referrals or setting the purge delay The following sections give the steps for configuring one dedicated consumer replica on its server Repeat all procedures on each server that will contain a dedicated consumer replica of a given suffix Sun ONE Directory Server Administration Guide June 2003 Configuring
270. e replication agreement as described in Disabling a Replication Agreement on page 302 An agreement must be disabled to modify the fractional replication configuration Select the disabled agreement and click Edit Select the Replicated Attributes tab in the Replication Agreement dialog that appears Select the Replicate only a set of attributes checkbox Select an existing attribute set from the drop down list or click New to define a new attribute set as described in Defining the Attribute Set on page 282 You may also click Manage Replicated Attribute Sets to view and modify existing set definitions Fractional replication allows only one attribute set to be associated with a replication agreement That set should contain the exact list of attributes you wish to replicate Click OK when you have chosen an attribute set An informational message warns you that you have configured fractional replication and that you need to reinitialize the consumer replica Click OK to dismiss the message Click Enable to reactivate the replication agreement Depending on the attributes that are replicated you should consider disabling schema checking on the consumer server If other masters also have replication agreements with this replica you must repeat this procedure to enable fractional replication with the same attribute set on all of them You must now initialize the consumer replica or reinitialize it if it was already
271. e suffix Referrals can also be used to temporarily point a client application to a different server For example you might add a referral to a suffix so that the suffix points to a different server while backing up the contents of the suffix The replication mechanism relies on write permissions and referrals to configure the suffix for replication Enabling replication promoting a replica or demoting a replica will modify the referral settings CAUTION If the suffix is replicated modifying the referrals may affect the replicated behavior of this suffix Setting Access Permissions and Referrals Using the Console 1 On the top level Configuration tab of the Directory Server console expand the Data node and select the suffix where you wish to set a referral 2 Inthe right panel select the Settings tab You will only be able to set permissions and referrals if the chained suffix is enabled If you have enabled replication for this suffix you will see a note informing you that the contents of this tab may be updated automatically 3 Select one of the following radio buttons to set the response to any write operation on entries in this suffix o Process write and read requests This radio button is selected by default and represents the normal behavior of a suffix Referrals may be defined but they will not be returned Chapter 3 Creating Your Directory Tree 97 Managing Suffixes o Process read requests and return a ref
272. e to the list the Class of Service Behavior column contains a drop down list Click in this cell to select the override behavior o Does not override target entry attribute The CoS attribute value will be generated only if there is no corresponding attribute value already stored in the same attribute of the target entry o Overrides target entry attribute The value of the attribute generated by the CoS will override any value for that attribute in the target entry o Overrides target entry attribute and is operational The attribute will override any target value and be an attribute operational so that it is not visible to client applications unless explicitly requested NOTE You can only make an attribute operational if it is also defined as operational in the schema Click the Template tab in the left hand list Select how the template entry is identified and then fill in the corresponding fields This will determine the type of CoS you wish to define o By its DN This choice will define a pointer CoS enter the DN of a template entry in the Template DN field Click Browse to select the template DN from the directory or type Ctrl V to paste the DN that you copied after creating the template entry Sun ONE Directory Server Administration Guide June 2003 6 Defining Class of Service CoS o Using the value of one of the target entry s attributes This choice will define an indirect CoS enter the n
273. e type 254 passwordMinLength attribute type 254 passwordMustChange attribute type 260 passwordPolicy object class 256 passwords resetting user passwords 260 see also password policies passwordUnlock attribute type 254 performance counters monitoring the server 398 permissions ACI syntax 185 allowing or denying access 191 assigning rights 192 overview 191 precedence rule 182 pointer CoS see CoS port number directory server configuration 34 for SSL communications 35 precedence rule ACI 182 presence index see indexing proxy authorization 235 ACT example 235 with cascading chaining 130 proxy DN 236 438 Sun ONE Directory Server Administration Guide June 2003 proxy right 192 R RC4 cipher 369 read right 192 read only mode suffixes 131 realm inSASL DIGEST MD5 385 ref attribute type 75 referential integrity attributes 81 disabling 82 enabling 82 log file 81 overview 81 with replication 83 295 referral object class 75 referrals creating smart referrals 74 default referrals 73 global referrals 73 setting suffix level referrals 97 reindexing by reinitializing a suffix 351 replicate_now sh script 307 replication 265 and access control 247 change log 305 choosing the replication manager entry 269 compatibility with earlier versions 308 configuring a dedicated consumer replica 271 configuring a hub replica 273 configuring a master replica 276 configuring legacy replication 309 consumer referrals 272 creating a replic
274. each suffix and index configuration entries are stored with the corresponding database configuration Running the db2index p1 perl script directoryserver db2index task in the Solaris Packages to generate the new set of indexes to be maintained by the server 346 Sun ONE Directory Server Administration Guide June 2003 Managing Indexes CAUTION You must not delete system indexes as deleting them can significantly affect Directory Server performance System indexes are located in the following entries cn index cn databaseName cn ldbm database cn plugins cn config cn default indexes cn config cn ldbm database cn plugins cn config Take care when deleting default indexes because they can also affect how Directory Server works Creating an Index Configuration Entry To create an index for an attribute that is not already indexed you must create a new entry for that attribute in the configuration of the corresponding database Index configuration entries have the following DN cn attributeName cn index cn databaseName cn ldbm database cn plugins cn config where databaseName is the name of the database corresponding to the suffix in which you wish to create the index For example the following command will create presence equality substring and sounds like indexes for values of the sn surname attribute in French ldapmodify a h host p port D cn Directory Manager w password dn cn sn
275. ections that the chained suffix establishes with the remote server The default value is 10 connections Chapter 3 Creating Your Directory Tree 103 Creating Chained Suffixes 104 e nsBindConnectionsLimit The maximum number of simultaneous TCP connections that the chained suffix establishes with the remote server The default value is 3 connections e nsConcurrentBindLimit Maximum number of simultaneous bind operations per LDAP connection The default value is 10 outstanding bind operations per connection e nsBindRetryLimit Number of times a chained suffix attempts to rebind to the remote server upon error A value of 0 indicates that the chained suffix will try to bind only once The default value is 3 attempts e nsConcurrentOperationsLimit Maximum number of simultanous operations per LDAP connection The default value is 10 operations per connection e nsBindTimeout Amount of time in seconds before the bind attempts to the chained suffix will time out The default value is 15 seconds e nsAbandonedSearchCheckInterval Number of seconds before the server checks to see if an operation has been abandoned The default value is 2 seconds e nsConnectionLife How long a connection made between the chained suffix and remote server remains open so that it may be reused It is faster to keep the connections open but it uses more resources For example if you are using a dial up connection you may want to limit the conne
276. ectory Server 5 2 supports only US ASCII letters Therefore use approximate indexing only with English values Substring index sub Provides efficient searches of attribute value substrings such as cn john This is a costly index to maintain because of the many possible substrings for every value Substring indexes are limited to a minimum of two characters for each entry Matching rule index Speeds up searches in international directories by associating the OID of a localized matching rule also called collation order with the attributes to be indexed Browsing index Improves the response time of searches performed with the virtual list view VLV control You may create a browsing index on any branchpoint in the directory tree to improve display performance of a very populated subtree for example ou People dc example dc com System Indexes System indexes are indexes that cannot be deleted or modified They are required for Directory Server to function properly and efficiently The following table lists the system indexes created automatically in every suffix Sun ONE Directory Server Administration Guide June 2003 Overview of Indexing Table 10 1 System Indexes in Every Suffix Attribute Eq Pres Purpose aci X Allows the directory server to quickly obtain the access control information maintained in the directory entrydn X Speeds up entry retrieval based on DN searches nsUniqueld X Used to searc
277. ed If new attributes are later defined in the schema and used in replicated entries those new attributes will not be replicated unless you edit the attribute set to select them NOTE The attributes objectClass nsUniqueld and nsDS50ruv and the RDN naming attribute are always replicated regardless of whether you exclude them in the attribute set This is because objectClass and the naming attribute are required for LDAP modifications and the nsUniqueId and nsDs50ruv attributes are required for replication to work correctly Excluding ACI attributes will have an effect on the access control in the consumer replica Excluding the userPassword attribute will result in no users being able to authenticate to the consumer replica 4 Optionally enter or modify the description string for this attribute set This is the text that will appear in the list of defined sets and when editing the replication agreement that will use this set If no description is provided the server will generate a description based on the attributes that are excluded or included 5 Click Save when you are finished Chapter 8 Managing Replication 283 Initializing Replicas Enabling Fractional Replication Fractional replication can be enabled only on existing replication agreements 1 10 Create the replication agreement as described in Creating Replication Agreements on page 279 or select a previously defined agreement to modify Disable th
278. ed Users from the Search results list c Click the Add button to list All Authenticated Users in the list of users who are granted access permission d Click OK to dismiss the Add Users and Groups dialog box 4 On the Rights tab tick the checkbox for selfwrite Make sure the other checkboxes are clear 5 On the Targets tab type dc example dc com suffix in the target directory entry field In the attribute table tick the checkbox for the member attribute All other checkboxes should be clear This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table then click the Name header to organize them alphabetically and select the appropriate ones 6 Click OK The new ACI is added to the ones listed in the Access Control Manager window Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples Defining Permissions for DNs That Contain a Comma DNs that contain commas require special treatment within your LDIF ACI statements In the target and bind rule portions of the ACI statement commas must be escaped by a single backslash The following example illustrates this syntax dn o example com Bolivia S A objectClass top objectClass organization aci target ldap o example com Bolivia S A targetattr version 3 0 acl aci 2 allow all groupdn ldap cn Directory Administrators o example com Bolivia S A
279. ee Chapter 2 Upgrading From Previous Versions in the Sun ONE Directory Server Installation and Tuning Guide Configuring Directory Server 5 2 as a Consumer of Directory Server 4 x If you intend to use Directory Server 5 2 as a consumer of a 4 x release of Directory Server you must configure it as follows Chapter 8 Managing Replication 309 Replication With Earlier Releases 1 Enable the replica as a master replica as described in Enabling a Master Replica on page 276 Even though the replica will be a consumer to the 4 x supplier it must be configured as a master replica 2 On the top level Configuration tab on the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix 3 Inthe right panel select Change gt Enable 4 x compatibility for this replica Alternatively select Enable 4 x compatibility from the Object menu 4 Inthe Enabling 4 x Compatibility window specify a Bind DN and password that the legacy supplier server will use to bind You may use any administrative entry for the bind DN including the default replication manager For more information on the Bind DN see Choosing Replication Managers on page 269 If the supplier will use this server s secure port for replication updates you may enter the DN of the server s certificate entry to use secure authentication 5 Click OK This consumer replica is now re
280. eee 249 Overview of Password Policies susini coe niea ie cence ene tne tne eee e nets 250 Preventing Dictionary Style Attacks 0 c cc eens 250 Password Policies in a Replicated Environment 6 6 660 c cece eect eee eee eee 251 Configuring the Global Password Policy 6 c cece rnnr errre rnnr eens 252 Configuring the Password Policy Using the Console 0 c ccc eee eee 252 Configuring the Password Policy From the Command Line 00 cece cece 253 Managing Individual Password Policies 06 ees 254 Defining a Policy Using the Console 6 srann rnern rerne eee tenets 255 Defining a Policy From the Command Line 0 6 cette eens 256 Assigning Password Policies ini poci eienenn ia EE e tenn eens 257 Resetting User Passwords irei 4 nb cyte acdsee tal bien E dd tage uae eee ee Stk 260 Inactivating and Activating Users and Roles 6 c cece een nee 260 Setting User and Role Activation Using the Console 000 c cece cece eee eee 260 Setting User and Role Activation From the Command Line 0000 eee eee eee 261 Setting Individual Resource Limits 1 0 0 6 0 cece eee een eens 262 Setting Resource Limits Using the Console 0 cece eee een nes 263 Setting Resource Limits From the Command Line 0 0 susor renr e eee eee 263 Managing Replication 00 cece eee 265 Introd uct Onis 126 dpi a SA Seana aa dnd Maw kare A
281. efined in the schema The alternate name is usually a more explicit description of the attribute The list of attributes will be rearranged so that they are listed alphabetically by description Chapter 2 Creating Directory Entries 55 Managing Entries Using the Console 56 o Deselect the Show only Attributes with Values checkbox to list all attributes that are explicitly allowed by the schema for the entry s object classes If the entry includes the extensibleOb ject object class all attributes are implicitly allowed but they are not listed By default only the attributes with a defined value are shown o Select or deselect the Show DN checkbox to toggle the display of the entry s distinguished name beneath the list of attributes o The Refresh button will access the server to update the values of all attributes according to the current contents of the entry CAUTION Clicking the Refresh button will immediately remove any modifications you have made in the generic editor without saving them The controls for setting attribute values managing object classes and changing the naming attribute of an entry are described in the following sections Modifying Attribute Values 1 Open the generic editor as described in Invoking the Generic Editor on page 54 2 Scroll through the list of attributes and click on the value you wish to modify The selected attribute is highlighted and an editing cursor appears in the te
282. either single or double quotation marks for this purpose Refer to your operating system documentation for more information In addition if you are using DNs that contain commas you must escape the commas with a backslash For example D cn Patricia Fuentes ou People o example com Bolivia S A Note that LDIF statements after the 1dapmodi fy command are being interpreted by the command not by the shell and therefore do not need special consideration Chapter 2 Creating Directory Entries 63 Managing Entries From the Command Line 64 Schema Checking When adding or modifying an entry the attributes you use must be required or allowed by the object classes in your entry and your attributes must contain values that match their defined syntax When modifying an entry Directory Server performs schema checking on the entire entry not only the attributes being modified Therefore the operation may fail if any object class or attribute in the entry does not conform to the schema For more information see Schema Checking on page 323 Ordering of LDIF Entries In any sequence of LDIF text for adding entries either on the command line or in a file parent entries must be listed before their children This way when the server process the LDIF text it will create the parent entries before the children entries For example if you want to create entries in a People subtree that does not exist in your directory the
283. elete command line utilities provide full functionality for adding editing and deleting your directory contents You can use them to manage both the configuration entries of the server and the data in the user entries The utilities can also be used to write scripts to perform bulk management of one or more directories The ldapmodify and 1dapdelete commands are used in procedures throughout this book The following sections describe all basic operations you will need to perform these management procedures Further functionality all command line options and return values of these commands are described in Chapter 4 Idapmodify and Chapter 5 Idapdelete of the Sun ONE Directory Server Resource Kit Tools Reference Input to the command line utilities is always in LDAP Data Interchange Format LDIF that you can provide either directly from the command line or through an input file LDIF is a textual representation of entries attributes and their values LDIF is a standard format described in RFC 2849 http www ietf org rfc rfc2849 txt The following section provides information about LDIF input and subsequent sections describe the LDIF for each type of modification Providing LDIF Input When providing LDIF input to the command line utilities there are special considerations to remember for command line input special characters schema checking and the ordering and size of entries Sun ONE Directory Server Administration
284. ember To do this enable the Referential Integrity Plug In and configure it to manage the nsRoleDN attribute For more information see Maintaining Referential Integrity on page 81 Sun ONE Directory Server Administration Guide June 2003 Assigning Roles Managing Roles From the Command Line Roles are defined in entries that the directory administrator may access through command line utilities Once you create a role you assign members to it as follows e Members of a managed role have the nsRoleDN attribute in their entry e Members of a filtered role are entries that match the filter specified in the nsRoleFilter attribute e Members of a nested role are members of the roles specified in the nsRoleDN attributes of the nested role definition entry All role definitions inherit from the LDAPsubent ry and nsRoleDefinition object classes The following table lists additional object classes and associated attributes specific to each type of role Table 5 1 Object Classes and Attributes Used to Define Roles Role Type Object Classes Attributes Managed Role nsSimpleRoleDefinition Description optional nsManagedRoleDefinition Filtered Role nsComplexRoleDefinition nsRoleFilter nsFilteredRoleDefinition Description optional Nested Role nsComplexRoleDefinition nsRoleDN nsNestedRoleDefinition Description optional Example of a Managed Role Definition To create a role that will be assigned to all marketing staff
285. ement that is being duplicated 5 Make sure a hostname is selected in the list and click OK to create the new replication agreement for that consumer server 6 The new agreement duplicates all configuration information of the existing one This implies that you must have exactly the same replication manager entry using the same password defined on the two servers If you wish to modify the configuration of the new agreement to change the replication manager DN for example select it from the list and click Edit Disabling a Replication Agreement When a replication agreement is disabled the master stops sending updates to the designated consumer Replication to that server is stopped but all settings in the agreement are preserved You may resume replication by re enabling the agreement at a later time See Enabling a Replication Agreement below for information about resuming the replication mechanism after an interruption To disable a replication agreement 1 On the top level Configuration tab on the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix 2 Inthe right panel select the replication agreement you want to disable 3 Select Action gt Disable agreement in the box below the list of agreements 4 Click Yes to confirm that you want to disable the replication agreement The icon for the agreement in the list changes to show it i
286. emove the glue object class and the nsds5Rep1Conflict attribute to keep the entry as a normal entry or you can delete the glue entry and its child entries e The server creates a minimal entry with the glue and extensibleObject object classes In such cases you must modify the entry to turn it into a meaningful entry or delete it and all of its child entries Solving Potential Interoperability Problems For reasons of interoperability with applications that rely on attribute uniqueness such as a mail server you might need to restrict access to the entries that contain the nsds5Rep1Conflict attribute If you do not restrict access to these entries then the applications requiring one attribute only will pick up both the original entry and the conflict resolution entry containing the nsds5Rep1lConflict and operations will fail To restrict access you need to modify the default ACI that grants anonymous read access using the following command ldapmodify h host p port D cn Directory Manager w password dn dc example dc com changetype modify delete aci aci target ldap dc example dc com targetattr userPassword version 3 0 acl Anonymous read search access Sun ONE Directory Server Administration Guide June 2003 Solving Common Replication Conflicts allow read search compare userdn ldap anyone add aci aci target ldap dc example dc com targetattr userPassword target
287. ens 92 Managing Suffixes lt j casi tr meats Saas net ees dette fathers od Sad aaa Meat REGE 95 Sun ONE Directory Server Administration Guide June 2003 Disabling or Enabling a Suffix erreso eret piirrin ent eee 96 Setting Access Permissions and Referrals 000 c cece eee t ee eee 97 Deleting a Supixe css erosta enh e Ruths Ge leas Ae ae Sa Rae 6 Mees Ges SES 99 Creating Chained Suffixes zose tishar sci ceed tak lh os Pe nes tea aes ode tes Pak A EA 101 Creating a Proxy Identity ssns 222 eta nee deb as Lad Ee ASA ache aa eee SNS 101 Setting Default Chaining Parameters 66 6 ees 102 Creating Chained Suffixes Using the Console 6 cece cece eee eens 105 Creating Chained Suffixes From the Command Line 000 c cece eee eens 108 Access Control Through Chained Suffixes 2 0 0 6 ccc nents 111 Chaining Using SSL se sakeses i eee ae eee gid ba ee ERASER Ew La VESEN 112 Managing Chained Suffixes is waco aeis gel aiee dog eae tad dee TEE ea ve ds Bids 113 Configuring the Chaining Policy 0 cece eee eee ene ees 113 Disabling or Enabling a Chained Suffix 06 6 es 118 Setting Access Permissions and Referrals 0 0 c cece eens 119 Modifying the Chaining Parameters 6 c cece teens 121 Optimizing Thread Usage sec ottida aah pE eos He eae ded dee IEE 125 Del etingia Chained Suffix rss seed See eyes Hau hen bee VSR yes Ware aed aa ee 126 Configuring Cascading Chainin
288. entication mechanism over SASL c The GSSAPI authentication over SASL that allows use of the Kerberos V5 security mechanism Configure your clients to use SSL when communicating with the directory server including any of the optional authentication mechanisms you wish to use Some of the steps above may also be performed with the certutil tool to manage certificates through the command line This tool is available with the Sun ONE Directory Server Resource Kit For more information see Chapter 30 Security Tools in the Sun ONE Directory Server Resource Kit Tools Reference Obtaining and Installing Server Certificates This section describes the process of creating a certificate database obtaining and installing a certificate for use with your Directory Server and configuring Directory Server to trust the Certificate Authority s CA certificate Chapter 11 Implementing Security 359 Obtaining and Installing Server Certificates 360 Creating a Certificate Database The first time you configure SSL on your server you must set the password for your security device If you are not using an external hardware security device the internal security device is a certificate and key database stored in the following files ServerRoot alias slapd serverID cert7 db ServerRoot alias slapd serverID key3 db If your serverID contains upper case letters you must use the command line procedure below to create your certificate database
289. entry is propagated to other entries that might have referenced its DN such as lists of group members Using this plug in with chaining helps simplify the management of static groups when the group members are located in chained suffixes When this plug in accesses chained suffixes it requires write permission on the remote server e cn uid uniqueness cn plugins cn config The UID uniqueness plug in ensures that all new values of a specified attribute are unique on the server Allowing this plug in to chain will ensure uniqueness in the entire directory tree Sun ONE Directory Server Administration Guide June 2003 Managing Chained Suffixes NOTE The following components cannot be chained e Roles plug in e Password policy component e Replication plug ins Modifying the Chaining Policy Using the Console 1 On the Configuration tab of the Directory Server console select the Data node and in the right hand panel select the Chaining tab 2 Select one or more LDAP controls from the right hand list and click Add to allow them to chain Create the list of controls that you allow to chain by using the Add and Delete buttons LDAP controls are listed by their OID See Chaining Policy of LDAP Controls on page 114 for the name and description of each control 3 Server components allowed to chain are listed in the bottom of the same tab Select one or more component names from the right hand list and click Add to allow
290. er Reference Manual Chapter 4 Populating Directory Contents 141 Backing Up Data Backing Up Data Backing up your data saves a snapshot of the contents or your directory in case the database files later become corrupted or deleted You can back up your suffixes using the Directory Server console or a command line script CAUTION Never stop the server during a backup operation All backup procedures described here store a copy of the server files on the same host by default You should then copy and store your backups on a different machine or file system for greater security NOTE You cannot use these backup methods to back up a chained suffix on a remote server Separate servers must be backed up independently Backing Up Your Server Using the Console When you back up your server from the Directory Server console the server copies all of the database contents and associated index files to a backup location You can perform a backup while the server is running To back up your server from the Server Console 1 On the top level Tasks tab of the Directory Server console click the button beside Back Up Directory Server The Backup Directory dialog box is displayed 2 Inthe Directory text box enter the full path of the directory where you want to store the backup If you are running the console on the same machine as the directory click Browse to find a local directory Or click Use default to store
291. er console does not support all ACIs for editing visually Also setting access control for a large number of directory entries is much faster using the command line Therefore understanding ACI syntax is the key to creating secure directories with effective access contol The aci attribute has the following syntax aci target version 3 0 acl name permission bindRules where e target specifies the entry attributes or set of entries and attributes for which you want to control access The target can be a distinguished name one or more attributes or a single LDAP filter The target is optional When the target is not specified the ACI applies to the entire entry where it is defined and all of its children e version 3 0 isa required string that identifies the ACI version 184 Sun ONE Directory Server Administration Guide June 2003 ACI Syntax e name isa name for the ACI The name can be any string that identifies the ACI The ACI name is required and should describe the effect of the ACI e permission specifically states what rights you are either allowing or denying for example read or search rights e bindRules specify the credentials and bind parameters that a user has to provide to be granted access Bind rules can also be based on user or group membership or connection properties of the client You can have multiple targets and permission bind rule pairs This allows you to refine a both the entry and attribute
292. er returns to a client application in response to a search operation Giving this attribute a value of 1 indicates that there is no limit nsTimeLimit Specifies the maximum time the server spends processing a search operation Giving this attribute a value of 1 indicates that there is no time limit nsIdleTimeout Specifies the time a connection to the server can be idle before the connection is dropped The value is given in seconds Giving this attribute a value of 1 indicate that there is no limit For example you might set the size limit for an entry by performing an ldapmodify as follows Chapter 7 User Account Management 263 Setting Individual Resource Limits ldapmodify h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com changetype modify add nsSizeLimit nsSizeLimit 500 The ldapmodify statement adds the nsSizeLimit attribute to Barbara Jensen s entry and gives it a search return size limit of 500 entries 264 Sun ONE Directory Server Administration Guide June 2003 Chapter 8 Managing Replication Replication is the mechanism by which directory contents are automatically copied from a Directory Server to one or more others Write operations of any kind entry additions modifications or even deletions are automatically mirrored to other Directory Servers For a complete description of replication concepts replication scenarios and how to plan
293. er the corresponding custom editor or the generic editor When using a custom editor the most common fields are easily accessible and the interface helps you define values for complex attributes such as those in a role or class of service definition The generic editor allows more advanced operations on an entry such as adding object classes adding allowed attributes and handling multivalued attributes To edit an entry with the generic editor see Modifying Entries With the Generic Editor on page 54 NOTE The custom editors can be used to edit only the object classes listed in Table 2 1 on page 49 Entries that contain other structural object classes for example a custom class that inherits from inetorgperson can only be edited through the generic editor Entries that contain auxiliary object classes in addition to one of the listed object classes can be managed with the custom editor However none of the attributes defined by the auxiliary class will be visible in the custom editor For a definition of an auxiliary object class see Object Classes in Chapter 9 of the Sun ONE Directory Server Reference Manual Invoking the Custom Editor To edit an entry whose object class is listed in Table 2 1 on page 49 52 Sun ONE Directory Server Administration Guide June 2003 Managing Entries Using the Console 1 On the top level Directory tab of the Directory Server console expand the directory tree to display the entr
294. erral for write requests Select this radio button if you wish to make your suffix read only and enter one or more LDAP URLs in the list to be returned as referrals for write requests o Return a referral for both read and write requests Select this radio button if you wish to deny both read and write access This behavior is similar to disabling access to the suffix except that the referrals may be defined specifically for this suffix instead of using the global default referral 4 Edit the list of referrals with the Add and Remove buttons Clicking the Add button will display a dialog for creating an LDAP URL of a new referral You may create a referral to the DN of any branch in the remote server For more information about the structure of LDAP URLs refer to Sun ONE Directory Server Getting Started Guide You can enter multiple referrals The directory will return all referrals in this list in response to requests from client applications Click Save to apply you changes and immediately begin enforcing the new permissions and referral settings Setting Access Permissions and Referrals From the Command Line In the following command suffixDN is the full string of the suffix DN as it was defined including any spaces LDAPURL is a valid URL containing the hostname port number and DN of the target for example ldap phonebook example com 389 ou People dc example dc com Edit the suffix s configuration entry with the follo
295. ers you will not be able to perform write operations on the real value of that attribute in any entry in the CoS scope Multivalued CoS Attributes When you specify the merge schemes qualifier the generated CoS attribute may be multivalued There are two ways for a CoS attribute to be multivalued e With indirect or classic CoS the specifier attributes in target entries may be multivalued In this case each value determines a template and the value from each template is part of the generated value e There can be multiple CoS definition entries of any type containing the same attribute name in their cosAttribute In this case if all definitions contain the merge schemes qualifier the generated attribute will contain all values computed by each definition Sun ONE Directory Server Administration Guide June 2003 Defining Class of Service CoS The two situations may occur together and define even more values However in all cases duplicate values will only be returned once in generated attribute In the absence of the merge schemes qualifier the cosPriority attribute of the template entry will be used to determine a single value among all templates for the generated attribute as described in the next section The merge schemes qualifier never merges a real value defined in the target with generated values from the templates The merge qualifier is independent of the override qualifier all pairings are possible an
296. ersion3 0 aci allow mod of nsRoleDN by self except for critical values allow write userdn ldap self Example of a Filtered Role Definition To set up a filtered role for sales managers assuming they all have the isManager attribute run the following 1dapmodify command ldapmodify a h host p port D cn Directory Manager w password dn cn ManagerFilter ou sales ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsComplexRoleDefinition objectclass nsFilteredRoleDefinition cn ManagerFilter nsRoleFilter isManager True Description filtered role for sales managers Notice that the nsFilteredRoleDefinition object class inherits from the LDAPsubentry nsRoleDefinition and nsComplexRoleDefinition object classes The nsRoleFilter attribute specifies a filter that will find all employees in the ou sales organization that have subordinates for example ldapsearch h host p port D cn Directory Manager w password b ou People dc example dc com s sub cn Fuentes dn cn Carla Fuentes ou sales ou People dc example dc com cn Carla Fuentes isManager TRUE nsRole cn ManagerFilter ou sales ou People dc example dc com 162 Sun ONE Directory Server Administration Guide June 2003 Defining Class of Service CoS NOTE The filter string of a filtered role may be based on any attribute except ot
297. erver containing the chained suffix and the entry is located on a remote server For performance reasons clients cannot do remote inquiries and evaluate access controls e The chained suffix does not necessarily have access to the entries being modified by the client application When performing a modify operation the chained suffix does not have access to the full entry stored on the remote server If performing a delete operation the chained suffix is only aware of the entry s DN If an access control specifies a particular attribute then a delete operation will fail when being conducted through a chained suffix By default access controls set on the server containing the chained suffix are not evaluated To override this default use the nsCheckLocalACc I attribute in the cn databaseName cn chaining database cn plugins cn config entry However evaluating access controls on the server containing the chained suffix is not recommended unless using cascading chaining For more information see Configuring Cascading Chaining on page 127 Chaining Using SSL You can configure the server to communicate with the remote server using SSL when performing an operation on a chained suffix Using SSL with chaining involves the following steps 1 Enable SSL on the remote server 2 Enable SSL on the server that contains the chained suffix For more information on enabling SSL refer to Chapter 11 Implementing Security Sun
298. erver 5 2 replicates to a consumer on Directory Server 5 1 the schema for the configuration attributes of these versions differ and create conflicts In this case you must replicate only the user defined schema elements as described below Use the following command to limit schema replication so that only the user defined schema is replicated ldapmodify h host p port D cn Directory Manager w password dn cn config changetype modify replace nsslapd schema repl useronly nsslapd schema repl useronly on The default value of off will make the entire schema be replicated when necessary Chapter 9 Extending the Directory Schema 337 Replicating Schema Definitions 338 Sun ONE Directory Server Administration Guide June 2003 Chapter 10 Managing Indexes Like a book index Directory Server indexes speed up searches by associating search strings with references to the directory contents Indexes are tables of attribute values that are stored in separate database files Indexes are created and managed independently for each suffix in the directory Once you create an index in the suffix configuration the server maintains the index automatically For an introduction to indexing its costs and benefits an explanation of the nsslapd allidsthreshold attribute and how to improve performance of Directory Server see Chapter 7 Tuning Indexing in the Sun ONE Directory Server Installation and Tuning Guide This chap
299. erver root var Sunimps Product name Sun ONE Directory Server Vendor Sun Microsystems Inc Version 5 2 B Administration Server i 24 Sun ONE Directory Server Administration Guide June 2003 Using the Directory Server Console To edit the name and description of your directory server click the Edit button Enter the new name and description in the text boxes Click OK to set the new name and description The name will appear in the tree on the left as shown in the previous figure Double click the name of your Directory Server in the tree or click the Open button to display the Directory Server console for managing this directory server Navigating the Directory Server Console The Directory Server console provides the interface for browsing and performing administration operations on your Directory Server instance It always displays four tabs from which you can access all Directory Server functionality Tasks Tab Contains buttons for administrative tasks such as restarting the server Configuration Tab Provides access to all parameters for managing the server Directory Tab Displays and edits the data entries contained in the directory Status Tab Displays the statistics logs and replication status of the server Tasks Tab The Tasks tab is the first interface visible when opening the Directory Server console It contains buttons for all of the major administrative tasks such as starting or stopping the
300. es targetattr homePostalAddress homePhone mail version 3 0 acl Anonymous World allow read search userdn ldap anyone This example assumes that the ACI is added to the ou subscribers dc example dc com entry It also assumes that every subscriber entry has an unlistedSubscriber attribute which is set to yes or no The target definition filters out the unlisted subscribers based on the value of this attribute For details on the filter definition refer to Setting a Target Using Filtering on page 233 From the console you can set this permission by doing the following Chapter 6 Managing Access Control 219 Access Control Usage Examples 1 On the Directory tab right click the Subscribers entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Anonymous World Check that All Users is displayed in the list of users granted access permission 4 On the Rights tab tick the checkboxes for read and search rights Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the dc subscribers dc example dc com suffix in the target directory entry field a Inthe filter for subentries field type the following filter unlistedSubscriber yes b Inthe attr
301. es For example you might enter dc example dc org for a new suffix DN NOTE Suffix names contain attribute value pairs in the DN format but are treated as a single string Therefore all spaces are significant and are part of the suffix name Chapter 3 Creating Your Directory Tree 87 Creating Suffixes By default the location of database files for this suffix is chosen automatically by the server Also by default the suffix will maintain only the system indexes no attributes will be encrypted and replication will not be configured To modify any of the defaults click the Options button to display the new suffix options a The name of the database is also the name of the directory containing database files The default database name is the value of the first naming attribute in the suffix DN possibly with a number appended for uniqueness To use a different name select the Use Custom radio button and enter a new unique database name Database names may only contain ASCII 7 bit alphanumeric characters hyphens and underscores _ For example you might name the new database example_2 You may also choose the location of the directory containing database files By default it is a subdirectory of the following path ServerRoot slapd serverID db Enter a new path or click Browse to find a new location for the database directory The new path must be accessible on the directory server host To speed up the c
302. es 71 DNs with commas 63 ldapmodify utility DNs with commas 63 modifying entries 66 LDIF access control keywords groupdnattr 201 userattr 201 bulk operations using the console 61 ordering of entries 64 Idif2db utility 136 ldif2db pl perl script 137 Idif2ldap utility 134 legacy servers replication 309 logs 389 access log 391 audit log 397 configuring access log 393 audit log 397 errors log 396 disk space usage of the access log 393 errors log 395 file rotation policy 390 manual file rotation 391 viewing access log 391 audit log 397 errors log 395 macro ACIs example 241 Overview 240 syntax 244 managed roles see roles master agent Unix 406 Windows 406 master replica configuration 276 matching rule index see indexing metaphone phonetic algorithm in approximate indexing 340 MIB directory server 407 netscape Idap mib 407 monitoring chained suffix usage 403 connections 400 database cache 402 entry cache 401 from the command line 403 log files 389 replication status 315 resource usage 399 using the console 398 with SNMP 405 multi master replication see replication N nested roles see roles netscape Idap mib 407 nsComplexRoleDefinition object class 162 nsFilteredRoleDefinition object class 162 nsIndex object class 347 nsIndexType attribute type 348 nsManagedRoleDefinition object class 161 nsMatchingRule attribute type 348 nsNestedRoleDefinition object class 163 nsRole attribute type 155 nsRoleDefinition
303. es that do not have an RDN the label is entire DN for example dc example dc com To use a different attribute to display entries in the directory tree choose the other radio button and select an attribute Entries without the chosen attribute will still use the entry s first RDN attribute By default only the attribute value is used in the label If you select the Show attribute name checkbox the label will look like ou People Refresh After certain operations you must refresh the display of the directory tree to view the new value Selecting this item will reload the entire directory tree from the server Chapter 1 Introduction to Sun ONE Directory Server 33 Configuring LDAP Parameters Configuring LDAP Parameters 34 The LDAP parameters are the basic settings in your directory server such as the distinguished name DN of the Directory Manager the global read only setting the port configuration and the ability to track all directory modification times Configuring the Directory Manager The Directory Manager is the privileged server administrator comparable to the root user in UNIX Access control does not apply to the entry you define as Directory Manager You initially defined this entry during installation The default is cn Directory Manager The DN of the directory manager is stored in the nsslapd rootDN attribute and the password in the nsslapd rootpw attribute of the cn config branch Use the Director
304. eters nsslapd pluginarg0 ldaps configdir example com o NetscapeRoot 10 10 60 3 300 nsslapd pluginargl ldaps configbak example com o NetscapeRoot 3 5 300 3 300 nsslapd pluginarg2 ldaps east example com ou East ou People dc example dc com 10 10 300 3 300 nsslapd pluginarg3 ldaps eastbak example com ou East ou People dc example dc com 3 5 300 3 300 Chapter 14 Using the Pass Through Authentication Plug In 417 Configuring the PTA Plug In 418 Modifying the PTA Plug In Configuration You can reconfigure the PTA plug in at any time to enable or disable it or to change the authenticating hosts or PTA subtrees 1 Edit the PTA plug in configuration entry cn Pass Through Authentication cn plugins cn config to modify the nsslapd pluginenabled and nsslapd pluginargN attributes You may use either the console or the ldapmodify utility to edit the configuration For example the following command will enable the PTA plug in with SSL and the connection parameters shown above dn cn Pass Through Authentication cn plugins cn config changetype modify replace nsslapd pluginenabled nsslapd pluginenabled on replace nsslapd pluginarg0 nsslapd pluginarg0 ldaps configdir example com 636 o NetscapeRoot 10 10 60 3 300 replace nsslapd pluginargl nsslapd pluginargl ldaps configbak example com 636 o NetscapeRoot 3 5 300 3 300 D Restart the server as described in Starting and
305. etimes unpredictable because filters do not directly name the object for which you are managing access The set of entries targeted by a filtered ACT is likely to change as attributes are added or deleted Therefore if you use LDAP filters in ACIs you should verify that they target the correct entries and attributes by using the same filter in an ldapsearch operation Chapter 6 Managing Access Control 189 ACI Syntax Targeting Attribute Values Using LDAP Filters You can use access control to target specific attribute values This means that you can grant or deny permissions on an attribute if that attribute s value meets the criteria defined in the ACI An ACI that grants or denies access based on an attribute s value is called a value based ACI For example you might grant all users in your organization permission to modify the nsRoleDN attribute in their own entry However you would also want to ensure that they do not give themselves certain key roles such as Top Level Administrator LDAP filters are used to check that the conditions on attribute values are satisfied To create a value based ACI you must use the targattrfilters keyword with the following syntax targattrfilters add attr1 F1 amp amp attr2 F2 amp amp attrn Fn del attr1 F1 amp amp attr2 F2 amp amp attrn Fn where o add represents the operation of creating an attribute o del represents the operation of deleting an attribute o
306. except certain critical roles see Restricting Access to Key Roles on page 223 e Grant the example com Human Resources group all rights on the entries in the People branch see Granting a Group Full Access to a Suffix on page 225 Chapter 6 Managing Access Control 217 Access Control Usage Examples e Grant all example com employees the right to create group entries under the Social Committee branch of the directory and to delete group entries that they own see Granting Rights to Add and Delete Group Entries on page 226 e Grant all example com employees the right to add themselves to group entries under the Social Committee branch of the directory see Allowing Users to Add or Remove Themselves From a Group on page 233 e Grant access to the directory administrator role of Company333 and Company999 on their respective branches of the directory tree with certain conditions such as SSL authentication time and date restrictions and specified location see Granting Conditional Access to a Group or Role on page 228 e Grant individual subscribers access to their own entries see Granting Write Access to Personal Entries on page 220 e Deny individual subscribers access to the billing information in their own entries see Denying Access on page 231 e Grant anonymous access to the world to the individual subscribers subtree except for subscribers who have specifically requested to
307. exes you configure Also during reindexing indexes are not available and server performance will be impacted To reindex a suffix using the console 1 On the top level Configuration tab of the Directory Server console expand the Data node to display the suffix want to reindex 2 Right click the suffix configuration node and select Reindex from the pop up menu Alternatively you may left click the node to select it and then choose Reindex from the Object menu The Reindex Suffix dialog is displayed with a list of all attributes that are indexed in the chosen suffix 3 Select the checkbox beside each attribute you wish to reindex Use the Check All and Check Non buttons to help you make your selection Because all indexes for a given attribute are stored in the same database file you must reindex all of them together 4 Click OK The console displays a confirmation message about possible unexpected search results and performance impact during the reindexing 350 Sun ONE Directory Server Administration Guide June 2003 Managing Indexes 5 Click Yes to begin reindexing The console displays a dialog with any messages about the reindexing Close the dialog when done To reindex a suffix from the command line follow the instructions in Running the db2index pl Script on page 349 and specify all attributes for which you wish to rebuild an index file Reinitializing a Suffix When you reinitialize a suffix its conten
308. f runtime output including trivial messages Changing these values from the defaults may cause your errors log to grow very rapidly so you must plan to have plenty of disk space It is recommended that you do not change your logging level unless you are asked to do so by Sun ONE Customer Support 4 Inthe Log File field enter the full path and filename you want the directory to use for the errors log The default is file is ServerRoot slapd serverID logs error 5 Set the maximum number of logs log size and periodicity of archiving For information on these parameters see Defining a Log File Rotation Policy on page 390 6 Set the maximum size of combined archived logs minimum amount of free disk space and maximum age for a log file For information on these parameters see Defining a Log File Deletion Policy on page 390 7 When you have finished making changes click Save 396 Sun ONE Directory Server Administration Guide June 2003 Audit Log Audit Log The audit log contains detailed information about changes made to each suffix as well as to server configuration Unlike the access log and errors log the audit log is not enabled by default Before viewing the log you must enable it Configuring the Audit Log You can use the Directory Server console to enable and disable audit logging and to specify where the audit log file is stored To configure the audit log 1 On the top level Configura
309. f logs log size and periodicity of archiving 394 Sun ONE Directory Server Administration Guide June 2003 Errors Log For information on these parameters see Defining a Log File Rotation Policy on page 390 Set the maximum size of combined archived logs minimum amount of free disk space and maximum age for a log file For information on these parameters see Defining a Log File Deletion Policy on page 390 When you have finished making changes click Save Errors Log The errors log contains detailed messages of errors and events the directory experiences during normal operations Viewing the Errors Log 1 On the top level Status tab of the Directory Server console select Logs icon and then select the Errors Log tab in the right hand panel This tab displays a table containing the latest entries in the selected errors log such as the one shown in Figure 12 1 on page 392 For an explanation of error messages see Appendix A Error Codes in the Sun ONE Directory Server Reference Manual To refresh the current display click Refresh Select the Continuous checkbox if you want the display to refresh automatically every ten seconds To view an archived errors log select it from the Select Log pull down menu To specify a different number of messages enter the number you want to view in the Lines to show text box and click Refresh To filter the log messages you may enter a string in the
310. f you wish to limit access to a chained suffix without disabling it completely you may modify the access permissions to allow read only access In this case you must define a referral to another server for write operations You may also deny both read and write access and define a referral for all operations on the suffix For more information on referrals in general refer to the Sun ONE Directory Server Deployment Guide Chapter 3 Creating Your Directory Tree 119 Managing Chained Suffixes 120 Setting Access Permissions and Referrals Using the Console 1 On the top level Configuration tab of the Directory Server console expand the Data node and select the chained suffix where you wish to set a referral 2 Inthe right panel select the Settings tab You will only be able to set permissions and referrals if the chained suffix is enabled 3 Select one of the following radio buttons to set the response to any write operation on entries in this suffix o Process write and read requests This radio button is selected by default and represents the normal behavior Both read and write operations will be forwarded to the remote server and the results will be returned to the client Referrals may be defined but they will not be returned to clients o Process read requests and return a referral for write requests The server will forward only read requests and return their results to the client Enter one or more LDAP URLs in the list to
311. ffix The aci attribute is multi valued which means that you can define several ACIs for the same entry or subtree You can create an ACI on an entry that does not apply directly to that entry but to some or all of the entries in the subtree below it The advantage of this is that you can place at a high level in the directory tree a general ACI that effectively applies to entries more likely to be located lower in the tree For example at the level of an organizationalUnit entry ora locality entry you could create an ACI that targets entries that include the inetorgperson object class You can use this feature to minimize the number of ACIs in the directory tree by placing general rules at high level branch points To limit the scope of more specific rules you should place them as close as possible to leaf entries NOTE ACIs placed in the root DSE entry with the DN apply only to that entry ACI Evaluation To evaluate the access rights to a particular entry the server compiles a list of the ACIs present on the entry itself and on the parent entries back up to the base of the entry s root suffix During evaluation the server processes the ACIs in this order ACIs are evaluated in all of the suffixes and subsuffixes between an entry and the base of its root suffix but not across chained suffixes on other servers NOTE The Directory Manager is the only priveleged user to whom access control does not apply When a client i
312. figuration the server may refuse to perform searches that request sorting when no browsing index is defined This prevents large sorting operations from overloading server resources Browsing indexes apply to an entry that is the base of your searches and you must create a separate index for every search filter you use in sorted requests For example if your client applications often request a sorted list of all users you would create a browsing index on ou People for the filter string used by your clients As with other indexes there is a performance cost during update operations needed to maintain a browsing index You should carefully plan and test the deployment of browsing indexes Sun ONE Directory Server Administration Guide June 2003 Managing Browsing Indexes Browsing Indexes for the Console The Directory Server console often performs searches of the entire directory to refresh the contents of it panels If you have configured the console to sort the entries in the directory tree as described in Directory Tree View Options on page 32 you should create browsing indexes for the console The browsing indexes for the console are specific to the searches performed by the console They are also created using the console To create a browsing index for the console 1 On the top level Directory tab of the Directory Server console browse the directory tree to display the parent of a large subtree that needs to be sorted
313. filter nsds5ReplConflict version 3 0 acl Anonymous read search access allow read search compare userdn ldap anyone ay The new ACI will keep entries that contain the nsds5Rep1Conflict attribute from being returned in search results Chapter 8 Managing Replication 321 Solving Common Replication Conflicts 322 Sun ONE Directory Server Administration Guide June 2003 Chapter 9 Extending the Directory Schema Sun ONE Directory Server comes with a standard schema that includes hundreds of object classes and attributes While the standard object classes and attributes should meet most of your requirements you may need to extend your schema by creating new object classes and attributes This chapter describes how to extend your schema in the following sections e Schema Checking e Overview of Extending the Schema e Managing Attribute Definitions e Managing Object Class Definitions e Replicating Schema Definitions schema Checking When schema checking is on the Directory Server ensures that all import add and modify operations conform to the currently defined directory schema e The object classes and attributes of each entry conform to the schema e The entry contains all required attributes for all of its defined object classes e The entry contains only attributes that are allowed by its object classes NOTE When modifying an entry Directory Server performs schema checking on the entire ent
314. fixes and chained subsuffixes are managed internally in the same way by the server the procedure for creating them from the command line is nearly the same 1 Create the chained suffix entry under cn mapping tree cn config with the following command for a chained root suffix ldapmodify a h host p port D cn Directory Manager w password dn cn suffixDN cn mapping tree cn config objectclass top objectclass extensibleObject objectclass nsMappingTree cn suffixDN nsslapd state backend nsslapd backend databaseName iD For a chained subsuffix use the same command with an additional attribute nsslapd parent suffix parentSuffixDN In the case of a chained subsuffix the suffixDN is the RDN of the subsuffix and the DN of its parent suffix for example 1 Europe dc example dc com The suffixDN must be the DN of an entry available through the remote server but it does not necessarily have to be the base entry of a remote suffix NOTE Suffix names are in the DN format but are treated as a single string Therefore all spaces are significant and are part of the suffix name In order for the server to access the remote entry the suffixDN string must respect the same spacing used in the remote suffixes The databaseName is a nickname that is used by the chaining plug in component to identify this chained suffix The name must be unique among the databaseNames of all suffixes and by convention it is the val
315. for example ou People dc example dc com containing thousands of user entries 2 Right click the parent entry and select Create Browsing Index from the pop up menu Alternatively left click the entry to select it and choose Create Browsing Index from the Object menu The Create Browsing Index dialog box shows you the status of the index creation The console creates the browsing index configuration entries shown below and then generates the contents of the index file 3 Click Close to close the Create Browsing Index dialog box The new index is immediately active for any console refresh operations and it will be maintained for any new data that you add to your directory You do not have to restart your server The browsing index configuration for the console consists of the following entries The vlvSearch entry defines the base scope and filter of the search that will be indexed The vivSort attribute of the vlvIndex entry shows the attributes supported for sorting in the Directory tab the order in which they are sorted dn cn MCC entryDN cn databaseName cn l1dbm database cn plugins cn config objectClass top objectClass vlivSearch cn MCC entryDN vivBase entryDN vivScope 1 vivFilter objectclass objectclass ldapsubentry dn cn by MCC entryDN cn MCC entryDN cn databaseName cn ldbm database cn plugins cn config Chapter 10 Managing Indexes 353 Managing Browsing Indexes objectClass top o
316. for replication in your directory deployment see Chapter 6 Designing the Replication Process in the Sun ONE Directory Server Deployment Guide Sun ONE Directory Server 5 2 introduces many new replication features e Multi master replication MMR over wide area networks WANs allows you to create replication agreements between geographically distant masters to distribute your data more effectively e MMR now supports four simultaneous fully connected masters which provides additional failover protection e Binary copy can make the initialization of large replicas much faster e Fractional replication allows you to specify the set of attributes that will be replicated to distribute your data more efficiently e New command line tools help you monitor your replication deployment This chapter describes the tasks to be performed on the masters hubs and consumer servers to set up all types of replication scenarios This chapter includes the following topics e Introduction e Summary of Steps for Configuring Replication e Choosing Replication Managers e Configuring a Dedicated Consumer 265 Introduction Configuring a Hub Configuring a Master Replica Creating Replication Agreements Configuring Fractional Replication Initializing Replicas Enabling the Referential Integrity Plug In Replication Over SSL Replication Over a WAN Modifying the Replication Topology Replication With Earlier Releases Using the Retro Chan
317. g ss e tecisiseiri erren aiad naniii ni aiios fera enn DERE 127 Setting the Cascading Parameters 6 cece eee teen nnn ees 128 Transmitting LDAP Controls for Cascading 000 cece eee nent eee 130 Populating Directory Contents 0 2c eee eee 131 Setting Suffix Read Only Mode siriana aaa u ead gd eka iow Ea ey Shp eee eet 131 Importing Data srst ene ch the dood ad eg ted heme ee deen pede ple ede 4k ee ey Reed yea 132 Importing LDIF Files vio seo ae Eee Aa Stee Ms EG OL a eG Sol E NE i EE G a 3 133 Initializinga Suffix Aasaia 204 WG eet Sn eB Pa as ee ae Ee ee 135 Exporting Data sx 7 gt pranin 2208 aac e een e oie ca BAe at ad ee a QS iy RY oe A Cs 138 Exporting the Entire Directory to LDIF Using the Console 000 eee e cece eee 139 Exporting a Single Suffix to LDIF Using the Console 0 c cece cence eee 140 Exporting to LDIF From the Command Line 6 6 c cece eee eee 141 Backing Up Data airo ich Gi ata oa 55 cat cate Wintel a otras Pea Gia de EA ERA gl Mee eau 142 Backing Up Your Server Using the Console 0 0 0 cece eee eens 142 Backing Up Your Server From the Command Line 0 0 c cece cee eee 143 Backing Up the dse ldif Configuration File 0 0 6 ccc cece teenies 143 Restoring Data from Backups 66660 c cece een ees 143 Restoring Replicated Suffixes aioir inornata teen nee 144 Restoring Your Server Using the Console 6 ccc cece cece tenes 14
318. g the corresponding locale 7 Click OK to create your new group It appears as one of the children of the entry where it was created Modifying a Group Definition 1 On the top level Directory tab of the Directory Server console double click the entry representing the group you want to modify Alternatively select the entry and choose Open from the Object menu 2 Inthe Edit Entry dialog make your changes to the group information in the General Members or Languages categories You may add or remove members of a static group or add edit or remove the URLs containing filters for a dynamic group 3 Click OK when you are done modifying the group definition To view your changes in the console select Refresh from the View menu Removing a Group Definition To remove either type of group simply delete the entry that defines it Assigning Roles Roles are an alternate grouping mechanism that is designed to be more efficient and easier to use for applications Roles are defined and administered like groups but in addition member entries also have a generated attribute that indicates the roles in which they participate For example an application can simply read the roles of an entry rather than select a group and browse the members list By default the scope of a role is limited to the subtree where it is defined Sun ONE Directory Server 5 2 introduces extended scoping of the nested role allowing it to nest roles located in o
319. ge Log Plug In Monitoring Replication Status Solving Common Replication Conflicts Introduction 266 Configuring replication is a complex task Before you begin you should have a clear understanding of the way that replication will be deployed in your organization for example whether to use single master multi master or cascading replication with hubs The unit of replication is a suffix or a subsuffix all the entries of that suffix will be replicated together In your intended deployment you must identify each suffix as either a master a hub or a dedicated consumer for the data it contains A replicated suffix on a server is called a replica A master is the replica that accepts both read and write operations from clients Hubs and dedicated consumers are read only replicas which receive updates only through the replication mechanism A hub receives updates either from a master or another hub and forwards them to another hub or a dedicated consumer A dedicated consumer only receives updates from either a master or a hub The following diagram show the relationship between replicas in common replication scenarios Sun ONE Directory Server Administration Guide June 2003 Summary of Steps for Configuring Replication Figure 8 1 Common Replication Scenarios Single Master Cascading with Hubs Multi Master Replica Type Replication Update MS master supplier consumer H hub DC dedicated consumer rlo re
320. ght hand panel On the Passwords tab set the following aspects of the policy Specify that users must change their password the first time they log on by selecting the User must change password after reset checkbox If you select this checkbox only the Directory Manager is authorized to reset the users s password A regular administrative user cannot force the user to update their password To allow users to change their own passwords select the User may change password checkbox To limit how often users may change their own password enter the number of days in the Allow changes in X day s text box To allow users to change their password as often as they desire select the No Limitation checkbox To prevent users from using the same password over and over select the Keep password history checkbox and specify the number of passwords you want the server to keep for each user text box Users will not be able to set a password that still exists in the list To be effective you should also limit how often users may change their password If you do not want user passwords to expire select the Password never expires radio button Otherwise select the Password expires after X days radio button to force users to periodically change their passwords and then enter the number of days that a user password is valid 252 Sun ONE Directory Server Administration Guide June 2003 Configuring the Global
321. gy This chapter includes the following topics e Access Control Principles e Default ACIs e ACI Syntax e Bind Rules e Creating ACIs From the Command Line e Creating ACIs Using the Console e Access Control Usage Examples e Viewing Effective Rights e Advanced Access Control Using Macro ACIs e Access Control and Replication e Logging Access Control Information e Compatibility with Earlier Releases 179 Access Control Principles Access Control Principles 180 The mechanism by which you define access is called access control When the server receives a request it uses the authentication information provided by the user in the bind operation and the access control instructions ACIs defined in the server to allow or deny access to directory information The server can allow or deny permissions such as read write search or compare The permission level granted to a user may be dependent on the authentication information provided Using access control you can control access to the entire directory a subtree of the directory specific entries in the directory including entries defining configuration tasks or a specific set of entry attributes You can set permissions for a specific user all users belonging to a specific group or role or all users of the directory Finally you can define access for a specific client identified by its IP address or DNS name ACI Structure Access control instructions are stored in
322. h 1424 http www ietf org rfc rfc1421 txt and used to represent a base64 encoded certificate request in US ASCII characters The content of the request will look similar to the following example Seran BEGIN NEW CERTIFICATE REQUEST MIIBr jCCARCCAQAwb jELMAkGA1UBhMCVXMxEzARBgGNVBAgTCkNBE1GT1LJOSUEXLD AgBgGVBAoTI251dHNjJYXBLIGNvb11bm1jYXRpb25zIGNvcnBvcmF 0aWuMRwwGgYDV QODEXNt ZWxsb24umV0c2NhcGUuY2 9tMIG fMANDGCSQGS Ib3DQEBAUAA4GNADCBiQK BgCwAbskGh6SKYOgHy UCSLnm30k3X3u83Us 7u0EfgSLROf K41leNqqwRftGR83e mqgP LDOfOZLTLIVGJaHIn411lgGtJD n zMyahxtV7 T8GOFFigk fuxJaxMjr2j71 VEL1LxO41fZgwqCm4qdecv3G N9Ydb j veMVXWOv4 XwI DAQABAAwWDOYJUKoZIhvcNAQ EBOADGYEAZy ZAm8UmP 9POYwNy 4Pmypk7 9t 2nvzKbwKVb97G MT gwlpLRsuBoKi nMfLgkKp1038K5Py2VGW1E47 rhm3yVOrliwV Z8Leoc I ae END NEW CERTIFICATE REQUEST Using the Console 1 On the top level Tasks tab of the Directory Server console click the Manage Certificates button Alternatively with the Tasks tab showing select the Manage Certificates item from the Console gt Security menu The Manage Certificates dialog is displayed Select the Server Certs tab and click the Request button The Certificate Request Wizard is displayed If you have installed a plug in allowing the server to communicate directly with the CA you may select it now Otherwise you must request a certificate manually by transmit
323. h as replication and chaining Each connection can account for multiple operations and therefore multiple threads Total number of remaining connections that the server can concurrently open This number is based on the number of currently open connections and the total number of concurrent connections that the server is allowed to open In most cases the latter value is determined by the operating system and is expressed as the number of file descriptors available to a task On Windows and AIX the number of allowed concurrent connections is generated by the operating system but is not based on file descriptors Refer to your operating system documentation for more information Threads may be waiting to read if the server starts to receive a request from the client and then the transmission of that request is halted for some reason Generally threads waiting to read are an indication of a slow network or slow client Number of suffixes hosted on this server This number does not include chained suffixes Chapter 12 Managing Log Files 399 Monitoring Server Activity e The Connection Status Table This table shows the following information about each currently open connection Table 12 3 Connections Status Table Column Header Description Time Opened The time on the server when the connection was established Initiated The number of operations requested during this connection Completed The number of operations not aborted
324. h for specific entries nscpEntryDN X Used internally in Directory Server for replication nsds5ReplConflict X X Used to help find replication conflicts numsubordinates X Used by the Directory Server console to enhance display performance on the Directory tab objectClass X Used to help accelerate subtree searches in the directory parentID X Enhances directory performance during one level searches Default Indexes When you create a new suffix in your directory the server configures a set of default indexes in the corresponding database directory The default indexes can be modified depending on your indexing needs although you should ensure that no server plug ins or other servers in your enterprise depend on an indexed attribute before you unconfigure its index To modify the set of default indexes that will be used when new suffixes are created see Modifying the Set of Default Indexes on page 351 The following tables lists the preconfigured default indexes in Directory Server Table 10 2 Default Indexes in Every New Suffix Attribute Eq Pres Sub Purpose cn X X X Improves the performance of the most common types of user directory searches givenName X X X Improves the performance of the most common types of user directory searches Chapter 10 Managing Indexes 341 Overview of Indexing Table 10 2 Default Indexes in Every New Suffix Continued Attribute mail mailAlternateAddress mailHost
325. h other replicas after the operation For further information on using backup and restore to initialize a replica see Initializing Replicas on page 284 Restoring the Supplier in a Single Master Scenario A suffix that is a single master supplier contains the authoritative data for the entire replication topology Therefore restoring this suffix is equivalent to reinitializing all data in the entire topology You should restore a single master only if you want to reinitialize all data from the contents of the backup to be restored If the single master data is not recoverable due to an error you may consider using the data on one of the consumers because it may contain updates that more recent than a backup In this case you need to export the data from the consumer replica to an LDIF file and reinitialize the master from the LDIF file Whether you restore a backup or import an LDIF file on a master replica you must then reinitialize all of the hubs and consumer replicas that receive updates from this replica A message will be logged to the supplier servers log files to remind you that reinitialization of the consumers is required Restoring a Supplier in a Multi Master Scenario In multi master replication the other masters each contain an authoritative copy of the replicated data You cannot restore an old backup which may be out of date with the current replica contents If possible you should allow the replication mechanism
326. hanges occurring simultaneously on the other masters A master that accepts update operations while still replicating changes after initialization may be the source of unexplained errors See Appendix A Error Codes in the Sun ONE Directory Server Reference Manual if you encounter replication errors NOTE With master replicas sending referrals because of this new behavior clients wanting to perform write operations may reach their configured hop limit You may need to increase the hop limit configuration for clients so they may reach an available master If all master replicas are initialized or reinitialized all write operations will fail because no replica will be accepting client updates In any case you should monitor initialized masters closely and set the referral attributes appropriately to maximize server response To Begin Accepting Updates Through the Console Follow these steps to explicitly allow update operations after the initialization of a multi master replica 1 On the top level Configuration tab of the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix In the right panel the console will display a message indicating that the replica has been initialized and is currently returning referrals for update operations If this message indicates the automatic referral delay is enabled you may still follow this procedure
327. he suffix containing the entry NOTE You cannot create browsing indexes in chained suffixes only local suffixes and subsuffixes 354 Sun ONE Directory Server Administration Guide June 2003 Managing Browsing Indexes There are two entries to configure a browsing index The first uses the vl vSearch object class and specifies the base scope and filter of the search operation whose results will be indexed The second entry is a child of the first and uses the vlviIndex object class to specify the attributes to sort and order in which to sort them The following example uses the ldapmodify utility to create the two browsing index configuration entries ldapmodify a h host p port D cn Directory Manager w password dn cn Browsing ou People cn databaseName cn ldbm database cn plugins cn config objectClass top objectClass vlvSearch cn Browsing ou People vivbase ou People dc example dc com vivscope 1 vivfilter objectclass inetOrgPerson dn cn Sort rev employeenumber cn Browsing ou People cn databaseName cn ldbm database cn plugins cn config objectClass top objectClass vlvIndex cn Sort rev employeenumber vivSort mployeenumber D The vlvscope is either 0 for the base entry alone 1 for the immediate children of the base or 2 for the entire subtree rooted at the base The vivfilter is the same LDAP filter that will be used in the client search operations Because all browsing
328. he Hosts tab click Add to display the Add Host Filter dialog box In the DNS host filter field type example com Click OK to dismiss the dialog box 6 To create the value based filter for roles switch to manual editing by clicking the Edit Manually button Add the following to the beginning of the LDIF statement targattrfilters add nsRoleDN nsRoleDN cn superAdmin dc example dc com The LDIF statement should read as follows targetattr targattrfilters add nsRoleDN nsRoleDN cn superAdmin dc example dc com target ldap dc example dc com version 3 0 acl Roles allow write userdn ldap self and dns example com 7 Click OK The new ACI is added to the ones listed in the Access Control Manager window Granting a Group Full Access to a Suffix Most directories have a group that is used to identify certain corporate functions These groups can be given full access to all or part of the directory By applying the access rights to the group you can avoid setting the access rights for each member individually Instead you grant users these access rights simply by adding them to the group For example when you install the Directory Server using the Typical Install process an Administrators group with full access to the directory is created by default At example com the Human Resources group is allowed full access to the ou People branch of the directory so that
329. he manager role to exceed the standard mailbox quota The manager role exists as follows dn cn ManagerRole ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsComplexRoleDefinition objectclass nsFilteredRoleDefinition cn ManagerRole nsRoleFilter isManager True Description filtered role for managers The classic CoS definition entry would be created as follows dn cn generateManagerQuota ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass cosSuperDefinition objectlass cosClassicDefinition cosTemplateDn cn managerCOS dc example dc com cosSpecifier nsRole cosAttribute mailboxquota override The CoS template name must be a combination of the cosTemplateDn and the value of nsRole which is the DN of the role For example Chapter 5 Advanced Entry Management 177 Defining Class of Service CoS 178 dn cn cn ManagerRole ou People dc example dc com ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass extensibleobject objectlass cosTemplate mailboxquota 1000000 The CoS template entry provides the value for the mailboxquota attribute An additional qualifier of override tells the CoS to override any existing mailboxquota attributes values in the target entry Target entries which are members of the role will have virtual attributes generated b
330. her virtual attributes generated by the CoS mechanism see About CoS on page 164 When filtered role members are user entries you may choose to restrict their ability to add or remove themselves from the role by protecting the filtered attributes with access control instructions ACIs Example of a Nested Role Definition The roles nested within the nested role are specified using the nsRoleDN attribute To create a role that contains both the marketing staff and sales manager members of the roles created in the previous examples use the following command ldapmodify a h host p port D cn Directory Manager w password dn cn MarketingSales ou marketing ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsComplexRoleDefinition objectclass nsNestedRoleDefinition cn MarketingSales nsRoleDN cn ManagerFilter ou sales ou People dc example dc com nsRoleDN cn Marketing ou marketing ou People dc example dc com nsRoleScopeDN ou sales ou People dc example dc com Notice the nsNestedRoleDefinition object class inherits from the LDAPsubent ry nsRoleDefinition and nsComplexRoleDefinition object classes The nsRoleDN attributes contain the DN of the marketing managed role and the sales managers filtered role Both of the users in the previous examples Bob and Carla would be members of this new nested role The scope of this f
331. hing objectclass nsContainer objectclass top cn same_realm dsMatching pattern Principal dsMatching regexp example com dsMappedDN uid 1 o0u people dc example dc com Restart the Directory Server for your new mappings to take effect Identity Mapping Several authentication mechanisms in Directory Server require a mapping from credentials of another protocol to a DN in the directory Currently this is the case for the DSML over HTTP protocol and the DIGEST MD5 and GSSAPI SASL mechanisms Each of these uses identity mapping to determine a bind DN based on protocol specific credentials provided by the client Identity mapping uses the entries in the cn identity mapping cn config configuration branch This branch includes a container for each of the protocols which must perform identity mapping cn HTTP BASIC cn identity mapping cn config Contains the mappings for DSML over HTTP connections cn DIGEST MD5 cn identity mapping cn config Contains the mappings for client authentication using the DIGEST MD5 SASL mechanism cn GSSAPI cn identity mapping cn config Must be created to contain the mappings for client authentication using the GSSAPI SASL mechanism 376 Sun ONE Directory Server Administration Guide June 2003 Identity Mapping A mapping entry defines a way of extracting the elements of the protocol specific credentials to use them in a search of the directory If that search returns a sing
332. ht click on the parent suffix node and select New Subsuffix from the pop up menu Alternatively you may select the parent suffix node and choose New Subsuffix from the Object menu The New Subsuffix dialog box is displayed Enter a unique name in the Subsuffix RDNs field The name must be in the relative distinguished name format consisting of one or more attribute value pairs separated by commas for example ou Contractors The line below the text box shows the complete DN of this subsuffix consisting of the parent suffix DN appended to the RDNs NOTE Subsuffix names contain attribute value pairs in the RDN format but are treated as a single string Therefore all spaces are significant and are part of the suffix DN By default the location of database files for this suffix is chosen automatically by the server Also by default the suffix will maintain only the system indexes no attributes will be encrypted and replication will not be configured To modify any of the defaults click the Options button to display the new suffix options 90 Sun ONE Directory Server Administration Guide June 2003 5 Creating Suffixes a The name of the database is also the name of the directory containing database files The default database name is the value of the first naming attribute in the RDN possibly with a number appended for uniqueness To use a different name select the Use Custom radio button and enter a new un
333. hyphens NOTE The attribute name may contain upper case letters but no LDAP client should rely on them Attribute names must be handled ina case insensitive manner according to section 4 1 4 of RFC 2251 http www ietf org rfc rfc2251 txt o Attribute OID optional Enter an object identifier for your attribute OIDs are described in Table 9 1 on page 328 If you do not specify an OID the Directory Server automatically uses attributeName oid Note that for strict LDAP v3 compliance you must provide a valid numeric OID o Attribute aliases optional Enter alternate names for your attribute in a comma separated list o Attribute description optional Enter a short descriptive text to explain the attribute s purpose o Syntax Select a syntax from the drop down list that describes the data to be held by the attribute Available syntaxes are described in Table 9 2 on page 329 o Multi valued By default attributes will be multi valued Deselect this checkbox if your attribute must have at most one value per entry 4 Click OK in the Create Attribute dialog to define your new attribute It will appear in the table of user defined attributes Before defining values for this attribute in directory entries you must create or edit an object class that requires or allows it as described in Managing Object Class Definitions on page 332 330 Sun ONE Directory Server Administration Guide June 2003 Managing Attribute Def
334. ibute table tick the checkboxes for the homePhone homePostalAddress and mail attributes All other checkboxes should be clear This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table then click the Name header to organize them alphabetically and select the appropriate ones 6 Click OK The new ACI is added to the ones listed in the Access Control Manager window Granting Write Access to Personal Entries Many directory administrators want to allow internal users to change some but not all of the attributes in their own entry The directory administrators at example com want to allow users to change their own password home telephone number and home address but nothing else This is illustrated in the ACI Write example com example It is also example com s policy to let their subscribers update their own personal information in the example com tree provided that they establish an SSL connection to the directory This is illustrated in the ACI Write Subscribers example 220 Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples ACI Write example com NOTE By setting this permission you are also granting users the right to delete attribute values In LDIF to grant example com employees the right to update their password home telephone number and home address you would write the following statement aci
335. ibutes of the cn schema entry of the directory Like the configuration entry this is an LDAP view of the schema that is read from files during server startup The schema files are LDIF files located in ServerRoot slapd serverID config schema This directory contains files for the standard schema used by Directory Server and other Sun ONE servers that rely on Directory Server These files are described in Schema Supported by Directory Server 5 2 in Chapter 9 of the Sun ONE Directory Server Reference Manual The standard schema itself is described in Chapter 10 Object Class Reference and Chapter 11 Attribute Reference of the Sun ONE Directory Server Reference Manual Modifying the Schema Files The schema files are read only once at startup by the server The LDIF contents of the files are added to the in memory LDAP view of the schema in cn schema Because the order of schema definitions is important schema filenames are prefixed by a number and loaded in alphanumerical order Schema files in this directory are writable only by the system user defined during installation To modify the schema definition in the files you must create or modify the desired file and then restart the server The syntax of definitions in the schema files is described in RFC 2252 http www ietf org rfc rfc2252 txt When defining the schema directly in an LDIF file you must not use the value user defined for the x ORIGIN field This val
336. ica will not receive updates until read only mode is disabled A master in a multi master replication scenario will neither have any changes to replicate nor be able to receive updates from the other masters To enable or disable the global read only mode 1 On the top level Configuration tab of the Directory Server console select the root node in the configuration tree then select the Settings tab in the right panel 2 Select or deselect the Server is read only checkbox 3 Click Save The change will take effect immediately For information on placing an individual suffix in read only mode refer to Setting Suffix Read Only Mode on page 131 Sun ONE Directory Server Administration Guide June 2003 Configuring LDAP Parameters Tracking Modifications to Directory Entries You can configure the server to maintain special attributes for newly created or modified entries creatorsName The distinguished name of the person who initially created the entry createTimestamp tThe timestamp for when the entry was created in GMT Greenwich Mean Time format modifiersName The distinguished name of the person who last modified the entry modifyTimestamp The timestamp for when the entry was last modified in GMT format NOTE When a client application to create or modify entries in a chained suffix the creatorsName and modifiersName attributes do not reflect the real creator or modifier of the entries These a
337. icas For example if you want clients to always be referred to the secure port on the master servers and not to the default port create a list of LDAP URLs for these secure ports and select this checkbox You may also use an exclusive referral if you want to designate a specific master or a Directory Server Proxy that should handle all updates Chapter 8 Managing Replication 275 Configuring a Master Replica 6 Also on the Optional tab you may change the purge delay The hub server must store internal information about updates to the replica contents and the purge delay parameter specifies how long it must keep this information It is related to the MaxAge parameter of the change log on the server that supplies updates not of its own change log The shorter of these two parameters determines the longest time that replication between the two servers may be disabled or down and still recover normally The default value of 7 days is sufficient in most cases 7 Click OK to save the advanced replication configuration for this replica Configuring a Master Replica 276 Master replicas contain the master copy of the data and centralize all modifications before propagating updates to all other replicas A master records all changes checks the status of its consumers and sends updates to them when necessary In multi master replication master replicas also receive updates from other masters Configuring a master server consists of defini
338. ick on Display Suffixes at the bottom of the panel to select which suffixes will be listed in the tables e The first table shows the following information about each entry cache Table 12 4 Entry Cache Usage Column Header Description Suffix Base DN of the suffix Hits The number of entries read from the cache instead of the disk Tries The number of entries that were requested from the cache Chapter 12 Managing Log Files 401 Monitoring Server Activity 402 Table 12 4 Entry Cache Usage Continued Column Header Description Hit Ratio The ratio of hits to tries expressed as a percentage Size MB Current size of entry cache contents from the given suffix Max Size MB Maximum size of the cache in current configuration Size Entries Current number of entries in the cache from the given suffix Max Size Entries Maximum number of cached entries in current configuration The following tables show access to the database cache of each suffix e The first table shows the access to the database cache through the configured indexes From the list of attribute names select the one for which you wish to see index statistics The table will show data only for suffixes in which the chosen attribute is indexed e The Entry Access table shows access to the database caches to retrieve entries e The Totals in the last table show all combined access to all database caches All three tables have the following columns Tab
339. id intended for proxy operations is not used The value of authid is the Principal used in identity mapping See GSSAPI Identity Mappings on page 375 for more information 388 Sun ONE Directory Server Administration Guide June 2003 Chapter 12 Managing Log Files This chapter describes how to monitor Directory Server by configuring a logging policy and analyzing the status information maintained by the server Sun ONE Directory Server provides three types of logs e Access Log List the clients which connect to the server e Errors Log Provides information about server errors e Audit Log Gives details about access to suffixes and to the configuration The status information in the server includes statistics about connections and cache activity This information is available through the Directory Server console and in monitoring entries available through the LDAP command line tools For information on using SNMP to monitor your server see Chapter 13 Monitoring Directory Server Using SNMP This chapter contains the following sections e Defining Log File Policies e Access Log e Errors Log e Audit Log e Monitoring Server Activity 389 Defining Log File Policies Defining Log File Policies The following sections describe how to define your log file creation and deletion policies Defining a Log File Rotation Policy If you want the directory to periodically archive the current log and start anew o
340. ients may use a certificate to authenticate to the Directory Server or a third party security mechanism through the Simple Authentication and Security Layer SASL Certificate based authentication uses public key cryptography to prevent forgery and impersonation of either client or server Directory Server is capable of simultaneous SSL and non SSL communications on separate ports Or for security reasons you may also restrict all communications to the secure port Client authentication is also configurable and may be either required or simply allowed to determine the level of security you enforce Enabling SSL will also enable support for the Start TLS extended operation that provides security on a regular LDAP connection Clients may bind to the non SSL port and then use the Transport Layer Security protocol to initiate an SSL connection The Start TLS operation allows more flexibility for clients and may help simplify port allocation The encryption mechanisms provided by SSL are also used for attribute encryption Enabling SSL will allow you to configure attribute encryption on your suffixes to protect data while it is stored in the directory For more information see Encrypting Attribute Values on page 76 For additional security access control to directory contents may be configured according to the client s use of SSL and certificates You may define access control instructions ACIs which require a specific authentication meth
341. ify plug in signatures but it will load every plug in regardless of the presence or validity of a signature Verifying signatures has the following advantages e A signature ona plug in provided with Directory Server indicates that it has been rigorously tested and is officially supported e Using a checksum of the plug in binary itself the signature verification can detect whether the plug in has been tampered with Therefore the signature protects sensitive code that runs in the server itself e You may configure your server to load only the signed plug ins which may help detect problems with unsigned and unsupported plug ins Configuring the Verification of Plug In Signatures 1 On the top level Configuration tab of the Directory Server console select the Plugins node in the configuration tree The current signature verification policy is displayed in the right hand panel 2 Select one of the following options o Do not verify plug in signatures All plug ins defined in the server configuration will be loaded regardless of their signature No warnings or errors will be shown because of a plug in signature o Flag plug ins with invalid signatures All plug ins defined in the server configuration will be loaded but the server will verify the signature of each one If a plug in binary is altered in any way the signature will no longer be valid and the server will display a warning message on startup and in the error log Plug
342. iguration tab of the Directory Server console expand both the Data node and the node for the suffix you wish to configure and then select the Replication node below the suffix 2 Inthe right hand panel click the Advanced button to display the Advanced Replica Settings dialog 3 On the Bind DN tab use the Add and Delete buttons to create a list of DNs that are valid replication managers A supplier can then use any one of these DNs in its agreement with this replica You can add a new DN by typing its name or browsing the directory To configure replication using certificates over SSL enter the DN of the certificate entry as one of the replication managers 4 Click OK when you are done or select the Optional tab for more advanced configuration Sun ONE Directory Server Administration Guide June 2003 Creating Replication Agreements 5 On the Optional tab of the Advanced Replica Settings dialog the list of LDAP URLs specifies additional referrals for modification requests sent to this master A master will automatically return referrals immediately after being initialized as described in Convergence After Multi Master Initialization on page 286 Use the Add or Delete buttons to create a list LDAP URLs The replication mechanism automatically configures hubs to return referrals for all known masters in the replication topology These default referrals assume that clients will use simple authentication over a regular connect
343. iles to import UNIX shell script use directoryserver ldif2ldap in Solaris Packages installations var Sun mps slapd example ldif2ldap cn Directory Manager password var Sun mps slapd example 1ldif demo ldif Windows batch file C Program Files Sun MPS slapd example ldif2ldap bat cn Directory Manager password C Program Files Sun MPS slapd example ldif demo ldif For more information about using this script see 1dif21dap in Chapter 2 of the Sun ONE Directory Server Reference Manual 134 Sun ONE Directory Server Administration Guide June 2003 Importing Data Initializing a Suffix Initializing a suffix overwrites the existing data in a suffix with the contents of an LDIF file which contains only entries for addition CAUTION When initializing suffixes from an LDIF file be careful not to overwrite the o Net scapeRoot suffix unless you are restoring data Otherwise you will delete information that will require the reinstallation of all of your Sun ONE servers You must be authenticated as the Directory Manager or Administrator in order to initialize a suffix For security reasons only the Directory Manager and Administrators have access to the root entry of a suffix for example dc example dc com Therefore only these identities may import an LDIF file that contains a root entry Initializing a Suffix From the Console CAUTION This procedure overwrites the data in your suffix
344. ilter includes the default scope which is the subtree where it is located and the subtree below any values of the nsRoleScopeDN attribute In this case the ManagerFilter isin the ou sales ou P ople dc example dc com subtree and this subtree must be added to the scope Defining Class of Service CoS The Class of Service CoS mechanism generates virtual attributes as an entry is retrieved for a client application CoS simplifies entry management and reduces storage requirements Chapter 5 Advanced Entry Management 163 Defining Class of Service CoS 164 As with groups and roles CoS relies on helper entries in your directory and may be configured through the console or through the command line The following sections describe CoS and provide the procedures for managing CoS in both ways NOTE As a new feature in Directory Server 5 2 any search operation may test the existence of a CoS generated attribute or compare its value The names of the virtual attributes may be used in any filter string whether from a client search operation or an internal filter used in a filtered role Directory Server 5 2 also supports virtual attributes in VLV virtual list view operations and in server side sorting controls just like any real attribute About CoS A CoS defines a virtual attribute and its value for any entry within the scope of the CoS called the target entries Each CoS is comprised of the following entries in your dire
345. ing options to change the default behavior e c dn DN The search results will show the effective rights of the user binding with the given DN This option allows an administrator to check the effective rights of another user The option c dn will show the effective rights for anonymous authenticaiton e X attributeName The search results will also include the effective rights on the named attributes Use this option to specify attributes that will not appear in the search results For example use this option to determine if a user has permission to add an attribute that does not currently exist in an entry When using either or both the c and x attributes the J option with the OID of the Get Effective Rights control is implied and does not need to be specified Then you must select the type of information you wish to view either the simple rights or the more detailed logging information that explains how those rights are granted or denied The type of information is determined by adding either aclRights or aclRightsInfo logs respectively as an attribute to return in the search results You may request both attributes to receive all effective rights information although the simple rights are redundant with the information in the detailed logging information Chapter 6 Managing Access Control 237 Viewing Effective Rights 238 NOTE The aclRights and aclRightsInfo logs attributes have the behavior of
346. inheritance_level attribute bindType where e inheritance_level is a comma separated list that indicates how many levels below the target will inherit the ACI You can include five levels 0 1 2 3 4 below the targeted entry zero 0 indicates the targeted entry e attribute is the attribute targeted by the userattr or groupattr keyword e bindType can be either USERDN or GROUPDN The LDAPURL and ROLEDN bind types are not supported with inheritance For example userattr parent 0 1 manager USERDN This bind rule is evaluated to be true if the bindDN matches the manager attribute of the targeted entry The permissions granted when the bind rule is evaluated to be true apply to the target entry and to all entries immediately below it Example With userattr Inheritance The example in the following figure indicates that user b jensen is allowed to read and search the cn Profiles entry as well as the first level of child entries which includes cn mail and cn news 204 Sun ONE Directory Server Administration Guide June 2003 Bind Rules Figure 6 1 Using Inheritance With the userattr Keyword cn Profiles aci targetattr version 3 0 acl profiles access allow read search userattr parent 0 1 owner USERDN owner cn bjensen ou people dc example dc com cn mail cn Profiles cn news cn Profiles mailuser bjensen newsuser bjensen In this example if y
347. inherited ACIs on a leaf entry The tabs of the Access Control Editor allow you to specify the users who are granted or denied access the targets that are being accessed or restricted and advanced parameters such as the allowed hostnames and times for the operation For details about the individual fields in the Access Control tabs please refer to the online help The tabs of the ACI editor provide a graphical display of the contents of the ACI value Click the Edit Manually button to see the ACI value and edit it textually In the text editor you may define advanced ACIs that cannot be defined through the tabs However once you edit the ACI value you may not be able to edit the ACI visually anymore even if you do not use advanced features Sun ONE Directory Server Administration Guide June 2003 Creating ACIs Using the Console Creating a New ACI 1 Display the Access Control Editor This task is explained in Viewing the ACIs of an Entry on page 213 If the view displayed is different from Figure 6 3 on page 214 click the Edit Visually button Name the ACI by typing a name in the ACI Name text box The name can be any string you want to use to uniquely identify the ACI If you do not enter a name the server uses unnamed ACT In the Users Groups tab select the users to whom you are granting access by highlighting All Users or clicking the Add button to search the directory for the users to add In the Add Use
348. inistrators group have all rights except proxy rights All members of the SIE group have all rights except proxy rights The SIE group is for administrators of this directory s server group in the Administration Server Whenever you create a new root suffix in the directory its base entry has the default ACIs listed above except for the self modification ACI For added security you should add this ACI as described in Creating a New Root Suffix Using the Console on page 87 Chapter 6 Managing Access Control 183 ACI Syntax The NetscapeRoot subtree for the Administration Server has its own set of default ACIs e All members of the Configuration Administrators group have all rights on the NetscapeRoot subtree except proxy rights This allows them to add new members to the Configuration Administrators group e All users have anonymous access to the NetscapeRoot subtree for search and read operations e The Group Expansion ACI allows members of the administrative groups to access the group definition The following sections explain how to modify these default settings to suit the needs of your organization ACI Syntax ACIs are complex structures with many possible variations Whether you create and modify ACIs using the console or from the command line you should understand the syntax of an ACI in LDIF The following sections describe the syntax of an ACI in detail TIP Because they are so complex the Directory Serv
349. initions Editing Attributes You can edit only the user defined attributes using the console Before modifying the name syntax multi valued definition of an attribute you must ensure that no entry in the directory currently uses this attribute otherwise clients will be unable to access that entry To modify the schema definition of an attribute 1 On the top level Configuration tab of the Directory Server console select the Schema node in the configuration tree then select the Attributes tab in the right hand panel 2 Select the attribute that you want to edit in the table of User Defined Attributes and click Edit 3 Modify the fields of the Edit Attribute dialog to redefine your attribute If the OID string is based on the attribute s name you should change the OID whenever you change the name OIDs are described in Table 9 1 on page 328 Available syntaxes are described in Table 9 2 on page 329 4 When you have finished editing the attribute click OK to save your changes Deleting Attributes You can delete only the user defined attributes using the console Before deleting an attribute definition you must ensure that no entry in directory currently uses this attribute otherwise clients will be unable to access that entry To delete the schema definition of an attribute 1 On the top level Configuration tab of the Directory Server console select the Schema node in the configuration tree then select the Attribu
350. ion Add and edit any attribute values necessary for your topology including any modifications to the set of ACIs If your new suffix will contain user entries you should modify the default ACI entitled Allow self entry modification except for nsroledn and aci attributes For additional security replace it with the following ACI aci targetattr nsroledn aci nsLookThroughLimit nsSizeLimit nsTimeLimit nsIdleTimeout passwordPolicySubentry passwordExpirationTime passwordExpWarned passwordRetryCount retryCountResetTime accountUnlockTime passwordHistory Chapter 3 Creating Your Directory Tree 89 Creating Suffixes passwordAllowChangeTime version 3 0 acl Allow self entry modification except for nsroledn aci resource limit attributes passwordPolicySubentry and password policy state attributes allow write userdn ldap self 10 When you have edited the entry click OK in the Generic Editor to create the root object of the new suffix The new suffix now appears in the directory tree and can be managed through the console according to the rights given by the ACIs Creating a New Subsuffix Using the Console The following procedure describes how to create a new subsuffix under an already existing root or subsuffix 1 On the top level Configuration tab of the Directory Server console expand the Data node and any suffix node to display the parent suffix Rig
351. ion If you want to give clients the option of binding to masters using SSL for a secure connection add referrals of the form ldaps servername port that use a secure port number If you have added one or more LDAP URLs as referrals selecting the checkbox below the list will force the server to send referrals exclusively for these LDAP URLs and not for the master replicas For example if you want clients to always be referred to the secure port on the master servers and not to the default port create a list of LDAP URLs for these secure ports and select this checkbox 6 Also on the Optional tab you may change the purge delay The master server must store internal information about updates to the replica contents and the purge delay parameter specifies how long it must keep this information It is related to the MaxAge parameter of the change log on a master server that supplies updates not of its own change log The shorter of these two parameters determines the longest time that replication between the two servers may be disabled or down and still recover normally The default value of 7 days is sufficient in most cases 7 Click OK to save the advanced replication configuration for this replica Creating Replication Agreements A replication agreement is a set of parameters on a supplier that configures and controls how updates are sent to a given consumer The replication agreement must be created on the supplier replica that is
352. ion you must ensure that the suffixes affected by the operation are not in read only mode The Directory Server console and the command line utilities do not automatically put the directory in read only mode before export or backup operations because this would make your directory unavailable for updates However if you have a multi master configuration you may enable read only mode on one server and your data will remain writable on the other masters 131 Importing Data To make a suffix read only follow the procedure described in Setting Access Permissions and Referrals on page 97 Alternatively you may make the entire directory server unwritable as described in Setting Global Read Only Mode on page 36 Importing Data Sun ONE Directory Server provides two methods for importing data e Importing an LDIF file allows you to add modify and delete entries in bulk in any suffix of the directory e Initializing a suffix from an LDIF file deletes the current data in the suffix and replaces it with the contents of the LDIF file Both methods are available through the Directory Server console and using the command line utilities NOTE All LDIF files you import must use UTF 8 character set encoding When importing LDIF parent entries must either exist in the directory or be added first from the file When initializing a suffix the LDIF file must contain the root entry and all directory tree nodes of the correspo
353. ion Server If you are running Directory Server console on a machine remote to your Administration Server you will need to verify the following e You may need to configure the connection restrictions enforced on the Administration Server to allow access from your machine as described in Network Settings in Chapter 7 of the Sun ONE Server Console Server Management Guide e If you wish to use an external browser to view the online help pages and your browser is configured to use proxies you must do one of the following o Disable proxies in your browser configuration In Netscape Communicator select the Edit gt Preferences menu item Then select the Advanced gt Proxies category to access the proxy configuration In Internet Explorer select Internet Options from the Tools menu o Configure the connection restrictions in the Administration Server to allow access from the proxy server CAUTION Configuring Administration Server to allow access from a proxy server creates a potential security hole in your system The Console Clipboard The Directory Server console uses your system clipboard to copy cut and paste text To reduce typing you can copy the DN or URL of an entry into the clipboard when navigating within the Directory tab Before opening a dialog or another tab where you need to paste the DN or URLina text field 1 On the top level Directory tab of the Directory Server console browse through the tree and selec
354. ion lifetime or Unlimited How long a connection made between the chained suffix and remote server remains open so that it may be reused It is faster to keep the connections open but it uses more resources For example if you are using a dial up connection you may want to limit the connection time By default connections are unlimited The error detection parameters are not available through the console See Modifying the Chaining Parameters From the Command Line on page 124 Click Save when you have finished setting your chaining parameters Chapter 3 Creating Your Directory Tree 123 Managing Chained Suffixes 124 Modifying the Chaining Parameters From the Command Line From the command line you may set all of the same parameters as when using the console and you may also configure the additional parameters described in Error Detection Parameters on page 104 1 Edit the chaining configuration entry corresponding to the suffix you wish to modify with the following command ldapmodify h host p port D cn Directory Manager w password dn cn databaseName cn chaining database cn plugins cn config changetype modify replace attributeName attributeName attributeValue changetype modify replace attributeName attributeName attributeValue D The possible attribute names and values are described in the following steps You may include several change statements in the command to change any numbe
355. ions Click Save and then restart the server See Starting and Stopping the Directory Server on page 20 for information Chapter 1 Introduction to Sun ONE Directory Server 35 Configuring LDAP Parameters 36 Setting Global Read Only Mode Each suffix in your directory may be placed in read only mode independently and may return a specific referral if one is defined Directory Server also provides a global read only mode that will apply to all suffixes and may return a global referral when one is defined The global read only mode is designed to allow administrators to prevent modifications to the directory contents while performing tasks such as reindexing the suffixes For this reason global read only mode does not apply to the following configuration branches e cn config e cn monitor e cn schema These branches should be protected at all times by Access Control Instructions ACIs against modifications by non administrative users regardless of the read only setting see Chapter 6 Managing Access Control Global read only mode will prevent update operations on all other suffixes in the directory including update operations initiated by the Directory Manager Read only mode will also interrupt replication on a suffix if it is enabled A master replica will no longer have any changes to replicate although it will continue to replicate any changes that were made before read only mode was enabled A consumer repl
356. ions contains the changes made to the entry in LDIF format newRDN In the case of modrdn operations specifies the new RDN of the entry deleteOldRdn In the case of modrdn operations specifies whether the old RDN was deleted newSuperior In the case of modrdn operations specifies the newSuperior attribute of the entry Enabling the Retro Change Log Plug In The retro change log plug in configuration information is stored in the cn Ret ro Changelog Plugin cn plugins cn config entry in dse ldif To enable the retro change log plug in from Directory Server console 1 On the top level Configuration tab on the Directory Server console expand the Plugins node and scroll down to select the Retro Changelog Plugin 2 Inthe right panel check the Enable plug in checkbox and click Save To disable the plug in clear this checkbox 3 You must restart the directory server after enabling or disabling the plug in Chapter 8 Managing Replication 313 Using the Retro Change Log Plug In 314 To enable the retro change log plug in from the command line 1 Modify the retro change log plug in configuration entry with the following command ldapmodify h host p port D cn Directory Manager w password dn cn Retro Changelog Plugin cn plugins cn config changetype modify replace nsslapd pluginenabled nsslapd pluginenabled on 2 Restart the server For information on restarting the server refer to Starting and
357. ique database name Database names may only contain ASCII 7 bit alphanumeric characters hyphens and underscores _ For example you might name the new database temps uS b You may also choose the location of the directory containing database files By default it is a subdirectory of the following path ServerRoot slapd serverID db Enter a new path or click Browse to find a new location for the database directory The new path must be accessible by the directory server application c Tospeed up the configuration of your new subsuffix you may choose to clone an existing suffix either its parent or any other suffix Select the Clone Suffix Configuration and choose the suffix you wish to clone from the drop down menu Then select any of the following configurations to clone e Clone index configuration The new suffix will maintain the same indexes on the same attributes as the cloned suffix e Clone attribute encryption configuration The new suffix will enable encryption for the same list of attributes and the same encryption schemes as in the cloned suffix e Clone replication configuration The new suffix will be the same replica type as the cloned suffix all replication agreements will be duplicated if it is a supplier and replication will be enabled d Click OK when you have configured all of the new suffix options The new subsuffix dialog will show all the options you chose Click OK in the new subsuffix di
358. itability of this software for any purpose It is provided as is without express or implied warranty Copyright c 1996 Regents of the University of Michigan All rights reserved Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission This software is provided as is without express or implied warranty Copyright 1992 Network Computing Devices Inc Permission to use copy modify and distribute this software and its documentation for any purpose and without fee is hereby granted provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation and that the name of Network Computing Devices may not be used in advertising or publicity pertaining to distribution of the software without specific written prior permission Network Computing Devices makes no representations about the suitability of this software for any purpose It is provided as is without express or implied warranty NETWORK COMPUTING DEVICES DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL NETWORK COMPUTING DEVICES BE LIABLE FOR ANY
359. ives the procedures for using the console and command line to manage your directory contents and configure every feature of Directory Server Sun ONE Directory Server Reference Manual Details the Directory Server configuration parameters commands files error messages and schema Sun ONE Directory Server Plug In API Programming Guide Demonstrates how to develop Directory Server plug ins Sun ONE Directory Server Plug In API Reference Details the data structures and functions of the Directory Server plug in API Sun ONE Server Console Server Management Guide Discusses how to manage servers using the Sun ONE Administration Server and Java based console Sun ONE Directory Server Resource Kit Tools Reference Covers installation and features of the Sun ONE Directory Server Resource Kit including many useful tools Other useful information can be found on the following Web sites Product documentation online http docs sun com coll S1_slDirectoryServer_52 Sun software http wwws sun com software Sun ONE Services http www sun com service sunps sunone Sun Support Services http www sun com service support Sun ONE for Developers http sunonedev sun com Training http suned sun com About This Guide 17 Suggested Reading 18 Sun ONE Directory Server Administration Guide June 2003 Chapter 1 Introduction to Sun ONE Directory Server The Sun ONE Directory Server product includes a Director
360. ix is the target of the same number of operations as local suffixes Setting Thread Resources Using the Console 1 On the top level Configuration tab of the Directory Server console click on the Performance node and select the Miscellaneous tab in the right hand panel 2 Enter anew value for the Max number of threads field 3 Click OK to save your changes and confirm the message that you will need to restart the server for the changes to take effect 4 Restart the directory server to use the new number of threads Chapter 3 Creating Your Directory Tree 125 Managing Chained Suffixes 126 Setting Thread Resources From the Command Line 1 Edit the global configuration entry to modify the number of threads with the following command ldapmodify h host p port D cn Directory Manager w password dn cn config changetype modify replace nsslapd threadnumber nsslapd threadnumber newThreadNumber D 2 Restart the directory server to use the new number of threads Deleting a Chained Suffix Deleting a chained suffix will make it inaccessible through the local directory tree but it will not delete the entries or suffix on the chained server You may delete a parent suffix and keep its subsuffixes in the directory as new root suffixes Deleting a Chained Suffix Using the Console 1 On the Configuration tab of the Directory Server console expand the Data node 2 Right click on the suffix you wish to remove
361. ixDN D where databaseName and suffixDN must have the same value as those used in the previous step Chapter 3 Creating Your Directory Tree 93 Creating Suffixes 94 When this entry is added to the directory the database module of the server will automatically create the database files in the following directory ServerRoot slapd serverID db databaseName To make the server create the database files in another location create the database configuration entry with the following attribute nsslapd directory path databaseName The server will automatically create a directory named databaseName in the give location to hold the database files 3 Create the base entry of the root suffix or subsuffix For example the base entry of the dc example dc org root suffix can be created with the following command h host ldapmodify a p port dn dc example dc org objectclass top objectclass domain dc example D D cn Directory Manager w password You must include the first naming attribute of the DN and its value You must also include all attributes that are required by the schema of the base entry s object class By convention root suffix DNs using domain components dc have the domain object class which does not require any other attributes You should also add access control instructions ACI attributes to a root suffix to enforce your access policy The following are the aci attribute value
362. ixes see suffixes S SASL 357 configuring DIGEST_MDS5 in clients 385 configuring DIGEST MD5 on the server 371 configuring GSSAPI on the server 374 configuring Kerberos on the server 373 DIGEST MD5 realm 385 GSSAPI 373 identity mapping for DIGEST MD5 372 identity mapping mechanism 376 identity mappings for GSSAPI and Kerberos 375 Kerberos 373 using Kerberos in clients 387 SASL authentication 209 schema 323 checking 323 deleting attribute type definitions 331 deleting attributes from an object class 334 deleting object class definitions 335 editing attribute type definitions 331 modifying object class definitions 334 optional MAY attributes of an object class 334 required MUST attributes of an object class 333 viewing attribute type definitions 328 viewing object class definitions 332 schema checking 323 and access control 187 search right 192 Secure Sockets Layer see SSL 22 security 357 client authentication 370 self access 198 self keyword 198 selfwrite right 192 Index 439 example 233 ServerRoot 14 setting access controls 212 simple authentication 209 Simple Authentication and Security Layer SASL See SASL authentication Simple Sockets Layer See SSL SNMP agents 406 master agent Unix 406 Windows 406 monitoring the directory server 405 overview 406 subagent configuring 409 configuring master host 410 configuring master port 410 enabling 410 starting and stopping on Unix 410 SSL 357 allowing client
363. l Exporting Data You can export the contents of your directory using the plain text LDAP Data Interchange Format LDIF LDIF is a textual representation of entries attributes and their values LDIF is a standard format described in RFC 2849 http www ietf org rfc rfc2849 txt Exporting data can be useful for the following e Backing up the data in your server 138 Sun ONE Directory Server Administration Guide June 2003 Exporting Data Copying your data to another directory server Exporting your data to another application Repopulating suffixes after a change to your directory topology The export operations do not export the configuration information cn config CAUTION Do not stop the server during an export operation Exporting the Entire Directory to LDIF Using the Console You can export some or all of your directory data to LDIF depending upon the location of the final exported file When the LDIF file is on the server you can export only the data contained in the local suffixes on the server If the LDIF file is remote to the server you can export all of the suffixes and chained suffixes To export directory data to LDIF from the Directory Server console while the server is running 1 On the top level Tasks tab of the Directory Server console scroll to the bottom of the tab and click the button beside Export to LDIF The Export dialog is displayed Enter the full path and file name of
364. l 191 ACI Syntax Assigning Rights Rights detail the specific operations a user can perform on directory data You can allow or deny all rights or you can assign one or more of the following rights Read Indicates whether users can read directory data This permission applies only to the search operation Write Indicates whether users can modify an entry by adding modifying or deleting attributes This permission applies to the modify and modrdn operations Add Indicates whether users can create entries This permission applies only to the add operation Delete Indicates whether users can delete entries This permission applies only to the delete operation Search Indicates whether users can search for the directory data Users must have Search and Read rights in order to view the data returned as part of a search result This permission applies only to the search operation Compare Indicates whether the users can compare data they supply with data stored in the directory With compare rights the directory returns a success or failure message in response to an inquiry but the user cannot see the value of the entry or attribute This permission applies only to the compare operation Selfwrite Indicates whether users can add or delete their own DN in an attribute of the target entry This right is used only for group management Selfwrite works with proxy authorization it grants the right to add or delete the proxy DN from the
365. lConflict ap Rename the entry back to the intended naming attribute For example ldapmodify h host p port D cn Directory Manager w password dn o TempName dc example dc com changetype modrdn newrdn dc uniqueValue deleteoldrdn 1 D By setting the value of the deleteoldrdn attribute to 1 you delete the temporary attribute value pair o TempName If you want to keep this attribute you can set the value of the deleteoldrdn attribute to 0 Chapter 8 Managing Replication 319 Solving Common Replication Conflicts 320 Solving Orphan Entry Conflicts When a delete operation is replicated and the consumer server finds that the entry to be deleted has child entries the conflict resolution procedure creates a glue entry to avoid having orphaned entries in the directory In the same way when an add operation is replicated and the consumer server cannot find the parent entry the conflict resolution procedure creates a glue entry representing the parent so that the new entry is not an orphan entry Glue entries are temporary entries that include the object classes glue and xtensibleOb ject Glue entries can be created in several ways e If the conflict resolution procedure finds a deleted entry with a matching unique identifier the glue entry is a resurrection of that entry with the addition of the glue object class and the nsds5Rep1Conflict attribute In such cases you can either modify the glue entry to r
366. lace it remove it or edit it Clicking Edit Policy will invoke the custom editor for the named policy subentry Assigning or replacing a password policy will invoke a directory browser dialog where you may find password policy subentries shown with a small key icon 4 Click OK in the Password Policy dialog if you have changed the policy The new policy will take effect immediately From the Command Line To assign a password policy to a user or a group entry add the DN of the password policy as the value of passwordPolicySubent ry attribute For example the following command will assign cn TempPolicy dc example dc com to Barbara Jensen ldapmodify h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com changetype modify add passwordPolicySubentry passwordPolicySubentry cn TempPolicy dc example dc com Using Roles and CoS When grouping users with roles you can use CoS to point to the appropriate policy subentry Refer to Chapter 5 Advanced Entry Management for details on using Roles and CoS As an example the following command will create a filtered role for temporary employees at Example com and assign cn TempPolicy dc example dc com to those having the role 258 Sun ONE Directory Server Administration Guide June 2003 Managing Individual Password Policies ldapmodify a h host p port D cn Directory Manager w password dn cn TempFilter
367. lapd pluginEnabled on or off In this first part of the command plug in_name should be a short and descriptive name that includes the name of the attribute for example cn mail uniqueness The ServerRoot and library extension depend on your platform Finally specify the enabled state of your new instance as either on or off when the server is restarted If you verify plug in signatures in your server you must include the signature in the new uniqueness plug in configuration Because your uniqueness plug in is a new instance of the UID uniqueness plug in you must use the same signature information which is located in the following file Chapter 15 Using the UID Uniqueness Plug In 423 Enforcing Uniqueness of Another Attribute 424 ServerRoot plugins signatures plugin signatures This file is readable only to the user identity that was used when installing the server for example root In this file locate the information under the entry dn cn uid uniqueness cn plugins cn config Use the same values given in the file to add the following attributes to your new plug in instance You must also include the ds signedP lugin objectclass objectClass ds signedPlugin ds pluginDigest O207yVLYsC8FInPrvbAKYq7Rj00 ds pluginSignature MIIBjJwYJKoZIhvcNAQcCoI IBgDCCAXwCAQEXxCzAJBg UrDgMCGgUAMASGCSQqGS Ib3DQEHATGCAVswggF XAgEBMF YwT TELMAkGA1UEBhMC VVMxGTAXBgNVBAOTEFN1biBNaWNyb3N5c3R1IbXMxI zAhBgNVBAMTG1BsdWdpbi BTaWduaW
368. lash 200 Sun ONE Directory Server Administration Guide June 2003 Bind Rules The roledn keyword has the same syntax and is used in the same way as the groupdn keyword Defining Access Based on Value Matching You can set bind rules to specify that an attribute value of the entry used to bind to the directory must match an attribute value of the targeted entry For example you can specify that the bind DN must match the DN in the manager attribute of a user entry in order for the ACI to apply In this case only the user s manager would have access to the entry This example is based on DN matching However you can match any attribute of the entry used in the bind with the targeted entry For example you could create an ACI that allowed any user whose favoriteDrink attribute is beer to read all the entries of other users that have the same value for favoriteDrink Using the userattr Keyword The userattr keyword can be used to specify which attribute values must match between the entry used to bind and the targeted entry You can specify e Auser DN e Agroup DN e Arole DN e An LDAP filter in an LDAP URL e Any attribute type The LDIF syntax of the userattr keyword is as follows userattr attrName bindType or if you are using an attribute type that requires a value other than a user DN group DN role DN or an LDAP filter userattr attrName attr Value where e attrName is the name of the a
369. lass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc subdomainl dc hostedCompanyl dc example dc com The following ACI is located on the dc hostedCompany2 dc example dc com node aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc hostedCompany2 dc example dc com The following ACI is located on the dc subdomainl dc hostedCompany2 dc example dc com node aci targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dc subdomainl dc hostedCompany2 dc example dc com In the four ACIs shown above the only difference is the DN specified in the groupdn keyword By using a macro for the DN it is possible to replace these ACIs by a single ACI at the root of the tree on the dc example dc com node This ACI reads as follows aci target ldap ou Groups dn dc example dc com targetattr targetfilter objectClass nsManagedDomain version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dn dc example dc com Note that the target keyword which was not previously used needs to be introduced In the example above the number of ACIs is reduce
370. ld not be used for large values such as attributes intended to contain binary data for example jpegPhoto Managing Indexes e Maintaining indexes requires more resources therefore only attributes that are commonly searched should be indexed Entry creation will require more CPU time because the server must examine all indexed attributes and generate new entries for each one contained in the new entry e The size of each index file is proportional to directory contents e Attributes that are not indexed can still be specified in search requests although the search performance will not be comparable to that of indexed searches depending on the type of search Managing Indexes Using the Console If you plan to modify or add indexes on many attributes you should first make the suffix read only and then export its contents to LDIF It will then be faster to reindex the suffix by reinitializing it from the LDIF file 1 On the top level Configuration tab of the Directory Server console expand the Data node and select the suffix want to index Then select the Indexes tab in the right hand panel The table of System Indexes cannot be modified Add modify or remove indexes on attributes in the table of Additional Indexes 2 To add an index on an attribute that is not yet indexed click on the Add Attribute button In the dialog that is displayed select one or more attributes to index and click OK The new attributes appear in the t
371. le Figure 1 3 Configuration Tab of the Directory Server Console camus red iplanet com Sun ONE Directory Server example Console Edit View Object Help Sun ONE Directory Server ares Configuration b Settings Data Q Q de example de com _ Server is read only E Replication Disable Track entry modification ti o NetscapeRoot Wir ym ion times fa Performance Directory Manager L anager DN cn Directory Manager schema Directory M DN cn Directory M Gi Backups i Logs Manager password encryption Salted Secure Hashing Algorithm f Q G Plugins 7 bit check ACL Plugin Newpassnord FERRARA REESE When you select a configurable item in the left hand tree the current settings for that item will appear in one or more tabs in the right hand panel For the explanation and behavior of these settings please refer to the chapter in this guide that describes each functionality Depending on the setting some changes will take effect immediately when saved and others not until the server is restarted The console will display a dialog informing you when the server needs to be restarted Unsaved changes in a tab are signalled by a red mark next to the tab name Unsaved changes will remain on the tab even if you configure another item or view one of the other major tabs The Save and Reset buttons apply to all tabs of a given configurable item but do not affect the unsaved settings of other items Most text fields
372. le user entry the mapping has succeeded and the connection will use this entry as the bind DN for all operations If the search returns zero or more than one entry the mapping fails and any other mappings are applied Each branch should contain a default mapping for that protocol and any number of custom mappings The default mapping has the RDN cn default and custom mappings may have any other RDN that uses cn as the naming attribute All of the custom mappings are evaluated first in a non deterministic order until one of them succeeds If all custom mappings fail the default mapping is applied last If the default mapping also fails authentication of the client fails A mapping entry must contain the top Container and dsIdentityMapping object classes The entry may then contain the following attributes e dsMappedDN DN A literal string that defines a DN in the directory This DN will be used for binding if it exists when the mapping is performed You may also define the following attributes to perform a search in case this DN does not exist e dsSearchBaseDN DN The base DN for a search If omitted the mapping will search all root suffixes in the entire directory tree e dsSearchScope base one sub The scope for a search either the search base itself one level of children below the base or the entire subtree below the base The default scope for mapping searches is the entire subtree when this attribute is omitted e dsSear
373. le 12 5 Access to Database Cache Column Header Description Suffix Base DN of the suffix Hits The number of entries read through the index Tries The number of entries requested from through the index Hit Ratio The ratio of hits to tries expressed as a percentage Pages read in The number of pages read from disk into the suffix cache Pages written out The number of pages written from the cache back to disk A suffix page is written to disk whenever a read write page has been modified and then subsequently removed from the cache to make room for new pages e Below the tables the following page evicts are cumulative for all database caches Pages discarded from the cache have to be written to disk possibly affecting server performance The lower the number of page evicts the better Sun ONE Directory Server Administration Guide June 2003 Monitoring Server Activity o Read write page evicts Indicates the number of read write pages discarded from the cache to make room for new pages This value differs from Pages Written Out in that these are discarded read write pages that have not been modified o Read only page evicts Indicates the number of read only pages discarded from the caches to make room for new pages 4 If applicable click on the Chained Suffixes node in the left hand status tree This panel displays information about access to the chained suffixes configured in your directory Set the refresh mode if
374. level Configuration tab of the Directory Server console select the root node with the server name and then select the Encryption tab in the right hand panel The tab displays the current server encryption settings Make sure SSL is enabled for your server as described in Activating SSL on page 366 2 Click Cipher Settings The Cipher Preference dialog box is displayed 3 Inthe Cipher Preference dialog box specify which ciphers you want your server to use by selecting or deselecting the checkbox beside their name Unless you have a security reason to not use a specific cipher you should select all of the ciphers except for none MD5 CAUTION Avoid selecting the cipher with no encryption and only MD5 message authentication because the server will use this option if no other ciphers are available on the client In this situation the connection is not secure because no encryption is used Chapter 11 Implementing Security 369 Configuring Client Authentication 4 Click OK in the Cipher Preference dialog then click Save in the Encryption Tab Allowing Client Authentication If you have configured Directory Server to require client authentication and Sun ONE Server Console to connect using SSL you can no longer use Sun ONE Server Console to manage any of your Sun ONE servers You will have to use the appropriate command line utilities instead However if you wish to change your directory configuration so that you c
375. lid signature The plug in configuration provides a signature that matches the checksum of the plug in binary This plug in is officially supported The following states are visible only if you flag but not reject invalid signatures Invalid signature The plug in configuration contains a signature which does not match the checksum of the plug in binary This state indicates that the plug in may have been tampered with No signature The plug in configuration did not provide a signature for the server to verify Chapter 1 Introduction to Sun ONE Directory Server 39 Configuring DSML Configuring DSML In addition to processing requests in the Lightweight Directory Access Protocol LDAP Sun ONE Directory Server 5 2 now also responds to requests sent in the Directory Service Markup Language version 2 DSMLv2 DSML is another way for a client to encode directory operations but the server processes DSML as any other request with all of the same access control and security features In fact DSML processing allows many other types of clients to access your directory contents Directory Server supports the use of DSMLv2 over the Hypertext Transfer Protocol HTTP 1 1 and uses the Simple Object Access Protocol SOAP version 1 1 as a programming protocol to transport the DSML content For more information about these protocols and examples of DSML requests see Appendix A Accessing Data using DSMLv2 over HTTP SOAP in the Sun ONE Di
376. ll parameters specify their default values given below Make sure there is a space between the subtree parameter and the optional parameters You can configure the following optional parameters for each LDAP URL e maxconns The maximum number of connections the PTA server can open simultaneously to the authenticating server This parameter limits the number of simultaneous binds that can be passed through to the authenticating server The default value is 3 e maxops The maximum number of bind requests the PTA directory server can send simultaneously to the authenticating directory server within a single connection This parameter further limits the number of simultaneous pass through authentications The default is value is 5 e timeout The maximum delay in seconds that you want the PTA server to wait for a response from the authenticating server The default value is 300 seconds five minutes e Idapver The version of the LDAP protocol you want the PTA server to use when connecting to the authenticating server The allowed values are 2 for LDAPv2 and 3 for LDAPv3The default value is 3 Sun ONE Directory Server Administration Guide June 2003 Configuring the PTA Plug In e connlife The time limit in seconds within which the PTA server will reuse a connection to the authenticating server If a bind in the PTA subtree is requested by a client after this time has expired the server closes the PTA connection and opens a new one
377. lso needed to prevent loops during cascading chaining By default it is allow to be forwarded with chained operations but you should verify this configuration If a server does not allow this control to chain any loop involving that server will not be detected Follow the steps in Configuring the Chaining Policy on page 113 to ensure that the following three controls are allowed to chain e 2 16 840 1 113730 3 4 12 Proxy Authorization control old specification e 2 16 840 1 113730 3 4 18 Proxy Authorization control new specification e 1 3 6 1 4 1 1466 29539 12 Loop Detection control Sun ONE Directory Server Administration Guide June 2003 Chapter 4 Populating Directory Contents The data managed by your directory server is often imported in bulk Directory Server provides tools for importing and exporting entire suffixes It also provides tools for making backups of all suffixes at once and for restoring all data from a backup This chapter describes the following procedures for populating your directory e Setting Suffix Read Only Mode e Importing Data e Exporting Data e Backing Up Data e Restoring Data from Backups Setting Suffix Read Only Mode Before performing certain export or backup operations on your Directory Server you can enable read only mode on any given suffix to ensure you have a faithful image of the state of its contents at a given time Also before performing an import or restore operat
378. ma 327 Managing Attribute Definitions Managing Attribute Definitions 328 The Directory Server console provides an interface to view all attributes in your schema and to can create edit and delete your own attribute definitions Viewing Attributes To view information about all attributes that currently exist in your directory schema 1 On the top level Configuration tab of the Directory Server console select the Schema node in the configuration tree then select the Attributes tab in the right hand panel This tab contains tables that list all the standard read only and user defined attributes in the schema Holding the mouse over a line of a table will display the description string for the corresponding attribute The following tables describe the fields of the attribute tables Table 9 1 Columns of Tables in the Attributes Tab Column Heading Description Name The name sometimes called the type of the attribute OID The object identifier of the attribute An OID is a string usually of dotted decimal numbers that uniquely identifies the schema object For more information about OIDs or to request a prefix for your enterprise send mail to the IANA Internet Assigned Number Authority at iana iana org or visit the IANA website at http www iana org Syntax The syntax describes the allowed format of values for this attribute the possible syntaxes are listed in Table 9 2 on page 329 Multivalued The checkbox
379. master server contains schema definitions in the 98mySchema 1dif file when it is started and you then define replication agreements to other servers either masters hubs or dedicated consumers When you subsequently initialize the replicas from this master the replicated schemas will contain the definitions from 98mySchema 1dif but they will be stored in 99user 1dif on the replica servers After the schema has been replicated during consumer initialization modifying the schema in cn schema on the master will also replicate the entire schema to the consumer Therefore any modifications to the master schema through the command line utilities or through the console will be replicated to the consumers These modifications will be stored in 99user 1dif on the master and by the same mechanism as above they will also be stored in 99user 1dif on the consumers Modifying Replicated Schema Files The replication mechanism cannot detect any changes you make directly to the LDIF files that contain the schema Therefore if you update your schema as described in Modifying the Schema Files on page 326 your changes will not be replicated to consumers even after restarting the master Directory Server 5 2 provides the following script to push the changes in a schema file to consumers Windows platforms cd ServerRoot bin slapd admin bin perl slapd serverID schema_push pl Other Installations ServerRoot slapd serverID schema_push pl 336
380. mechanism automatically configures consumers to return referrals for all known masters in the replication topology These default referrals assume that clients will use simple authentication over a regular connection If you want to give clients the option of binding to masters using SSL for a secure connection add referrals of the form 1daps servername port that use a secure port number If you have added one or more LDAP URLs as referrals selecting the checkbox below the list will force the consumer to send referrals exclusively for these LDAP URLs and not for the master replicas For example if you want clients to always be referred to the secure port on the master servers and not to the default port create a list of LDAP URLs for these secure ports and select this checkbox You may also use an exclusive referral if you want to designate a specific master or a Directory Server Proxy that should handle all updates Also on the Optional tab you may change the purge delay The consumer server must store internal information about updates to the replica contents and the purge delay parameter specifies how long it must keep this information It is related to the MaxAge parameter of the change log on its supplier server The shorter of these two parameters determines the longest time that replication between the two servers may be disabled or down and still recover normally The default value of 7 days is sufficient in most cases Sun ONE
381. member nsCalXItemId nsLIProfileName nsRoleDN nswcalCALID owner pipstatus pipuid seeAlso sn telephoneNumber uid uniquemember Eq X Pres Sub Purpose X X Improves the performance of the most common types of user directory searches Used by the Sun ONE Messaging Server Used by the Sun ONE Messaging Server Improves Sun ONE server performance This index is also used by the referential integrity plug in See Maintaining Referential Integrity on page 81 for more information Used by the Sun ONE Calendar Server Used by roaming feature of Sun ONE Messaging Server Improves the performance of role based operations Used by the Sun ONE Calendar Server Improves Sun ONE server performance This index is also used by the referential integrity plug in See Sun ONE Directory Server Administration Guide for more information Used by Sun ONE Servers Used by Sun ONE Servers Improves Sun ONE server performance This index is also used by the referential integrity plug in See Maintaining Referential Integrity on page 81 for more information Improves the performance of the most common types of user directory searches Improves the performance of the most common types of user directory searches Improves Sun ONE server performance Improves Sun ONE server performance This index is also used by the referential integrity plug in See Maintaining Referential Integrity
382. ment Internal parameters of the replication mechanism are optimized by default for WANs However if you experience slow replication due to the factors mentioned above you may wish to empirically adjust the window size and group size parameters You may also be able to schedule your replication to avoid peak network times thus improving your overall network usage Finally Directory Server on the Solaris and Linux platforms supports the compression of replication data to optimize bandwidth usage Configuring Network Parameters The following two parameters determine how the replication mechanism groups entries to send them more efficiently over the network They affect how suppliers and consumers exchange replication update messages and acknowledgements e Window Size default value 10 Represents the maximum number of updates messages that can be sent without immediate acknowledgement from the consumer Ina WAN environment it is more efficient to send many messages at once instead of waiting for an acknowledgement after each one e Group Size default value 1 Represents the maximum number of data modifications that can be bundled into a single update message Depending on the size of your data and the properties of your network it might be more efficient to send larger messages and thus have a larger group size Chapter 8 Managing Replication 297 Replication Over a WAN 298 The default values work best in most conditions
383. most Directory Server administrative tasks through the Administration Server a second server that Sun ONE provides to help you manage Directory Server and all other Sun ONE servers Sun ONE Server Console is the graphical interface to the Administration Server Directory Server console is a part of Sun ONE Server Console designed specifically for use with Sun ONE Directory Server You can perform most Directory Server administrative tasks from the Directory Server console You can also perform administrative tasks manually by editing the configuration files or by using command line utilities For more information about the Sun ONE Server Console see Sun ONE Server Console Server Management Guide Starting and Stopping the Directory Server 20 If you are not using Secure Sockets Layer SSL you can start and stop the Directory Server using the methods listed here If you are using SSL see Starting the Server with SSL Enabled on page 22 NOTE On UNIX systems except for installations from Solaris Packages rebooting the system does not automatically start the slapd server process This is because the installation does not automatically create startup or run command rc scripts See your operating system documentation for details on writing these scripts Sun ONE Directory Server Administration Guide June 2003 Starting and Stopping the Directory Server Starting and Stopping the Server From the Command Line Unix If y
384. moved o The list of allowed attributes of the ipHost object class no longer includes o ou owner seeAlso serialNumer Chapter 8 Managing Replication 311 Using the Retro Change Log Plug In o The list of mandatory attributes of the ieee802Device object class no longer includes cn o The list of allowed attributes of the ieee802Device object class no longer includes description 1 o ou owner seeAlso serialNumber o The list of mandatory attributes for the bootableDevice object class no longer includes cn o The list of allowed attributes of the bootableDevice object class no longer includes description 1 o ou owner seeAlso serialNumber o The OID of the nisMap object class is now 1 3 6 1 1 1 2 9 Using the Retro Change Log Plug In 312 The retro change log plug in can be used when you want a Directory Server 5 2 master replica to maintain a 4 x style change log This is sometimes necessary for applications such as Sun ONE Meta Directory that have a dependency on the Directory Server 4 x change log format because they read information from the change log The retro change log plug in does not allow Directory Server 5 2 to be a supplier to a legacy 4 x consumer replica Only Directory Server 5 2 consumers of 4 x suppliers are supported as described in Replication With Earlier Releases on page 308 The retro change log plug in operates independently of the replication protocol and has no effec
385. mples of template entries along with examples of each type of CoS definition entry Example of a Pointer CoS The following command creates a pointer CoS definition entry that has the cosPointerDefinition object class This definition entry uses the CoS template entry given above to share a common postal code among all entries in the ou People dc example dc com tree ldapmodify a h host p port D cn Directory Manager w password dn cn pointerCoS ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass cosSuperDefinition objectclass cosPointerDefinition cosTemplateDn cn ZipTemplate ou People dc example dc com cosAttribute postalCode Sun ONE Directory Server Administration Guide June 2003 Defining Class of Service CoS The CoS template entry cn ZipTemplate ou People dc example dc com supplies the value stored in its post alCode attribute to all entries located under the ou People dc example dc com suffix If you search for any entry that does not have a postal code in the same subtree you will see the value of the generated attribute ldapsearch h host p port D cn Directory Manager w password b ou People dc example dc com s sub cn Jensen dn cn Babs Jensen ou People dc example dc com cn Babs Jensen postalCode 95054 Example of an Indirect CoS Indirect CoS names an attribute in the cosIndirect Specifier attributre to lo
386. n cn Barbara Jensen telephoneNumber 408 555 3922 facsimileTelephoneNumber 408 555 4000 mail bjensen example com userPassword clearPassword The changetype add keywords indicate that the entry with the given DN should be created with all of the subsequent attributes All other options and LDIF conventions are the same In both examples you may use the f filename option to read the LDIF from a file instead of from the terminal input The LDIF file must contain the same format as used for the terminal input according to the use of the a option Modifying Entries Using ldapmodify Use changetype modify keywords to add replace or remove attributes and their values in an existing entry When you specify changetype modify you must also provide one or more change operations to indicate how the entry is to be modified The three possible LDIF change operations are shown in the following example Chapter 2 Creating Directory Entries 67 Managing Entries From the Command Line 68 dn entryDN changetype modify add attribute attribute value replace attribute attribute newValue delete attribute attribute value Use a hyphen ona line to separate operations on the same entry and a blank line to separate groups of operations on different entries You may also give several attribute value pairs for each operation to add replace with or delete all of them together Adding an Attribute Value The foll
387. n Directory Manager w password dn cn replica cn suffixName cn mapping tree cn config changetype modify replace ds5ReferralDelayAfterInit ds5ReferralDelayAfterInit seconds D Initializing a Replica Using the Console Online replica initialization using the console is the easiest way to initialize or reinitialize a consumer However if you are initializing a large number of entries more than 1 2 million this process can be very time consuming and you may find manual consumer initialization using the command line to be a more efficient approach refer to Initializing a Replica From the Command Line on page 290 for more information NOTE When a consumer replica is being initialized using the console all operations including searches on the suffix are referred to the master servers until the initialization process is completed Initializing a replica with fractional replication configured is transparent when using the Directory Server console Only the selected attributes will be sent to the consumer during the initialization Performing Online Replica Initialization To initialize or reinitialize a replica using the console 1 On the top level Configuration tab of the Directory Server console expand both the Data node and the node for the suffix of the master replica and then select the Replication node below the suffix The replica status information is displayed in the right hand panel Chapter
388. n Step 9 The path and prefix locate the user s certificate and key databases The certutil tool will prompt the user for the password to their key database The tool will then generate a PKCS 10 certificate request in PEM encoded text format 2 Save the encoded certificate request in a file and transmit it to your Certificate Authority according to its procedures For example you may be asked to send the certificate request in an email or you may be able to enter the request through the CA s website Sun ONE Directory Server Administration Guide June 2003 Configuring LDAP Clients to Use Security Once you have sent your request you must wait for the CA to respond with your certificate Response time for your request varies For example if your CA is internal to your company it may only take a day or two to respond to your request If your selected CA is external to your company it could take several weeks to respond to your request When the CA sends a response download or copy the PEM encoded text of your new certificate to a text file You should also back up the encoded certificate in a safe location If your system ever loses the certificate data you can reinstall the certificate using your backup file Install the new user certificate in your certificate database with the following command certutil A n certificateName t u a i certFile d path P prefix where certificateName is a name you give to ide
389. n an LDAP connection that was originally not encrypted As of Directory Server 5 2 StartTLS is supported on Windows platforms as well as on Unix platforms Directory Server 5 2 now also supports the Generic Security Services API GSSAPI over the Simple Authentication and Security Layer SASL This allows you to use the Kerberos Version 5 security protocol in the Solaris operating environment An identity mapping mechanism then associates the Kerberos principal with an identity in the directory This chapter contains the following sections e Introduction to SSL in the Directory Server e Summary of Steps for Enabling SSL e Obtaining and Installing Server Certificates e Activating SSL e Configuring Client Authentication e Identity Mapping e Configuring LDAP Clients to Use Security 357 Introduction to SSL in the Directory Server Introduction to SSL in the Directory Server 358 The Secure Sockets Layer SSL provides encrypted communications and optional authentication between a Directory Server and its clients SSL may be enabled for both the LDAP and DSML over HTTP protocols to provide security for any connection to the server In addition the replication and chaining suffix mechanisms may be configured to use SSL for secure communications between servers Using SSL with simple authentication bind DN and password will encrypt all data sent to and from the server to guarantee confidentiality and data integrity Optionally cl
390. n be used to view and modify the server configuration The cn config entries and all entries below it may be modified using the procedures and LDIF format described in Managing Entries From the Command Line on page 62 However you must know the meaning of these entries the purpose of their attributes and the values which are allowed These important considerations are explained in the procedures of this document that are titled From the Command Line These procedures will show you an example of the configuration entries and attributes that you may set For the complete description of all configuration entries and attributes including the range of allowed values see the Sun ONE Directory Server Reference Manual Modifying the configuration from the command line is thus not as straightforward as using the console However a few rare configuration settings are not available through the console and only the command line procedure will be given You may also use the command line procedures to automate your configuration tasks by writing scripts that use the command line tools Modifying the dse ldif File The dse 1dif file contains the configuration that the server will read and use when it is started or restarted The LDIF contents of this file are the cn config entry and its subtree The file is readable and writable only to the system user defined during installation Modify the configuration by editing directly the contents
391. n list an entry representing the People container before the entries within the subtree dn dc example dc com dn ou People dc example dc com People subtree entries dn ou Group dc example dc com Group subtree entries You can use the ldapmodify command line utility to create any entry in the directory however the root of a suffix or subsuffix is a special entry that must be associated with the necessary configuration entries See Creating Suffixes From the Command Line on page 92 to add a new root suffix or subsuffix and its associated configuration entries Managing Large Entries Before adding or modifying entries with very large attribute values you may need to configure the server to accept them To protect against overloading the server clients are limited to sending data no larger than 2 MB by default If you add an entry larger than this or modify an attribute to a value which is larger the server will refuse to perform the operation and immediately close the connection For example binary data such as multi media contents in one or more attributes of an entry may exceed this limit Sun ONE Directory Server Administration Guide June 2003 Managing Entries From the Command Line Also the entry defining a large static group may contain so many members that their representation exceeds the limit However such groups are not recommended for performance reasons and you should consider redesigning your di
392. nager resets the user password e Otherwise select the Lockout duration radio button and enter the number of minutes the user account will be temporarily locked 6 Click OK in the custom editor to save your policy and create its subentry Defining a Policy From the Command Line For this password policy imagine you want passwords of temporary employees to expire after 100 days 8 640 000 seconds with a warning about the expiration returned to the user upon binds starting 3 days 259 200 seconds before the password expires Turn on syntax checking to force minimal checks for password security and enforce lock outs to prevent intruders from trying to crack the password through a dictionary attack For other aspects of the policy you apply the default values 256 Sun ONE Directory Server Administration Guide June 2003 Managing Individual Password Policies Define this password policy in the Example com subtree by adding the following subentry under dc example dc com ldapmodify a h host p port D cn Directory Manager w password dn cn TempPolicy dc example dc com objectClass top objectClass passwordPolicy objectClass LDAPsubentry cn TempPolicy passwordStorageScheme SSHA passwordChange on passwordMustChange on passwordCheckSyntax on passwordExp on passwordExp on passwordMinLength 6 passwordMaxAge 8640000 passwordMinAge 0 passwordWarning 259200 passwordInHistory 6 passwordLockout on passwor
393. nd regardless of the circumstances of the bind You can limit anonymous access to specific types of access for example access for read or access for search or to specific subtrees or individual entries within the directory Anonymous access using the anyone keyword also allows access by any authenticated user For example if you want to allow anonymous read and search access to the entire example com tree you would create the following ACI on the dc example dc com node aci version 3 0 acl anonymous read search allow read search userdn ldap anyone Chapter 6 Managing Access Control 197 Bind Rules General Access all Keyword You can use bind rules to indicate that a permission applies to anyone who has successfully bound to the directory The a11 keyword therefore allows access by all authenticated users This allows general access while preventing anonymous access For example if you want to grant read access to the entire tree to all authenticated users you would create the following ACI on the dc example dc com node aci version 3 0 acl all read allow read userdn ldap all Self Access self Keyword Specifies that users are granted or denied access to their own entries In this case access is granted or denied if the bind DN matches the DN of the targeted entry For example if you want to grant all users in the example com tree write access to their userPassword attribute you would c
394. nd shows how this mapping would be defined ldapmodify a h host p port D cn Directory Manager w password dn cn unqualified username cn DIGEST MD5 cn identity mapping cn config objectclass dsIdentityMapping objectclass dsPatternMatching objectclass nsContainer objectclass top cn unqualified username dsMatching pattern Principal dsMatching regexp u com dsSearchBaseDN dc 2 dsSearchFilter uid 1 2 Restart the Directory Server for your new mappings to take effect SASL Authentication Through GSSAPI Solaris Only The Generic Security Services API GSSAPI over SASL allows you to use a third party security system such as Kerberos V5 to authenticate clients The GSSAPI library is available only on the Solaris platform Sun recommends you install the Kerberos V5 implementation in the Sun Enterprise Authentication Mechanism SEAM 1 0 1 server The server will use this API to validate the identity of the user Then the SASL mechanism will apply the GSSAPI mapping rules to obtain a DN that is the bind DN for all operations during this connection Configuring the Kerberos System Configure the Kerberos software according to the manufacturer s instructions If you are using the SEAM 1 0 1 server this includes the following steps 1 Configure the files in etc krb5 Chapter 11 Implementing Security 373 Configuring Client Authentication 374 2 Create the Kerberos databa
395. nding suffix The following table shows the differences between an import and an initialization Table 4 1 Comparison of Importing Data Versus Initializing a Suffix Domain of Comparison Importing Data Initializing Suffixes Overwrites content No Yes LDAP operations Add modify delete Add only Performance Slower Fast Response to server failure Best effort all changes made Atomic all changes are up to the point of the failure lost after a failure remain LDIF file location On console machine Local to console or local to server Imports configuration Yes No information cn config 132 Sun ONE Directory Server Administration Guide June 2003 Importing Data Importing LDIF Files When you perform an import operation the Directory Server console performs an ldapmodify operation to add new entries to the directory Entries are specified in an LDIF file which may also contain update statements to modify or delete existing entries as part of the import operation The imported entries may target any suffix managed by your Directory Server and any chained suffix or chained sub suffix defined in your configuration As with any other operation that adds entries the server will index all new entries as they are imported Importing LDIF Using the Console You must be logged in as the Directory Manager or an Adminstrator in order to perform an import 1 On the top level Tasks tab of the Directory Server console scroll to
396. ne you can define a log file rotation policy from Directory Server console You can configure the following parameters e The total number of logs you want the directory to keep When the directory reaches this number of logs it deletes the oldest log file in the folder before creating a new log The default is 10 logs Do not set this value to 1 If you do the directory will not rotate the log and the log will grow indefinitely e The maximum size in MB for each log file If you don t want to set a maximum size type 1 in this field The default is 100 MB Once a log file reaches this maximum size or the maximum age defined in the next step the directory archives the file and starts a new one If you set the maximum number of logs to 1 the directory ignores this attribute e How often the directory archives the current log file and creates a new one by entering a number of minutes hours days weeks or months The default is every day If you set the maximum number of logs to 1 the directory ignores this attribute Defining a Log File Deletion Policy If you want the directory to automatically delete old archived logs you can define a log file deletion policy from Directory Server console NOTE The log deletion policy only makes sense if you have previously defined a log file rotation policy Log file deletion will not work if you have just one log file The server evaluates and appliesthe log file deletion policy at the
397. ne one When you click the Other button enter the fully qualified name of a consumer server as well as its LDAP port number Check the box for a secure port if using SSL on this port to enable secure connections for replication updates 4 Enter the DN and password of the replication manager entry on the consumer server By default the DN is that of the default replication manager If you chose a consumer with a secure port you can click the Options button to determine the meaning of the DN field If you connect using a password the supplier will use simple authentication and communication over an encrypted SSL connection If you connect using a certificate the DN field is the DN of the entry containing the certificate and no password is required 5 Optionally type a description string for this agreement The consumer server name and port number and the description string will appear in the list of replication agreements for this master replica 6 Click OK when done A confirmation dialog is displayed asking if you wish to test the connection parameters you have just entered Sun ONE Directory Server Administration Guide June 2003 Configuring Fractional Replication 7 Click Yes if you wish to test the connection to the given server and port number using the given replication manager and password If the connection fails you will still have the choice of using this agreement for example if the parameters are correct b
398. nfirm the deletion Click Yes Managing CoS From the Command Line Because all configuration information and template data is stored as entries in the directory you can use the LDAP command line tools to configure and manage your CoS definitions This section shows how to create CoS definition and template entries from the command line Chapter 5 Advanced Entry Management 169 Defining Class of Service CoS 170 In addition if your CoS values need to be secure you should define access control instructions ACIs for both CoS definition and template entries as well as for the specifier attribute in the target entries See Chapter 6 Managing Access Control for procedures to create ACIs from the command line Creating the CoS Definition Entry From the Command Line All CoS definition entries have the LDAP subent ry object class and inherit from the cosSuperDefinition object class In addition each type of CoS inherits from specific object classes and contains the corresponding attributes The following table lists the object classes and attributes associated with each type of CoS definition entry Table 5 2 Object Classes and Attributes in CoS Definition Entries CoS Type CoS Definition Entry Pointer CoS objectclass top objectclass LDAPsubentry objectclass cosSuperDefinition objectclass cosPointerDefinition cosTemplateDN DN cosAttribute attributeName override merge Indirect CoS objectclass top objectclass LD
399. ng and Stopping the Server From the Command Line Unix 00 eee eee 21 Starting and Stopping the Server From the Control Panel Windows 0000e 000s 21 Starting and Stopping the Server From the Console All Platforms 0000 0005 22 Starting the Server with SSL Enabled 0 ccc ene een nee es 22 Using the Directory Server Console unna c cece en nnn rererere 23 Starting Directory Server Consoles 0 0 ence geese ee eee ee ea bed se ee Eee eee nee 23 Navigating the Directory Server Console 000 ccc cnet nents 25 Viewing the Current Bind DN From the Console 6 060 c ccc een eens 29 Changing Your Login Identity crespos eseted cc eee E E E 30 Usingthe Online Help i rrente a cue deg Be E a etter Ea etai 30 The Console Clip oa rd ses ninimo eee te ne aE ESN E EDE BE E y ala E E a 31 Console Settings eenn so aTa RAS Pet E Mi ee Te es PIA eee Pet ey 31 Configuring LDAP Parameters sssr hoia ipit ee eke oes SA Galas toe haa aoha aia e Sek EA 34 Configuring the Directory Manager 6 c cece eee nnn teens 34 Changing Directory Server Port Numbers 0000s 34 Setting Global Read Only Mode 0 0 c ccc cette nee nee ee 36 Tracking Modifications to Directory Entries 066 37 Verifying Pliig In Signatures e riian saaa antaa a eae ew He ae eee ett Ri Ladd Hb ee 38 Configuring the Verification of Plug In Signatures ccc cece cece eee 38
400. ng any service packs or patches e Both machines must have the same version of Directory Server installed including binary format 32 bits or 64 bits service pack and patch level e Both servers must have the same directory tree divided into the same suffixes The database files for all suffixes must be copied together individual suffixes cannot be copied e Each suffix must have the same indexes configured on both servers including VLV virtual list view indexes The databases for the suffixes must have the same name e The Directory Server to be copied must not hold the o Net scapeRoot suffix which means it cannot be a configuration directory for the Sun ONE Administration Server e Each server must have the same suffixes configured as replicas and replicas must have the same role master hub or consumer on both servers If fractional replication is configured it must be configured identically on all master servers e Attribute encryption must not be used on either server e The attribute value uniqueness plug in must have the same configuration on both servers if enabled and it must be reconfigured on the new copy as explained in the procedures below Under the above conditions you may then initialize or reinitialize either a master from the binary copy of another master server or a consumer from the binary copy of another consumer server The following two procedures describe alternate ways of performing a binary copy
401. ng replication remember that you should always initialize replicas in the following order 1 If you also have multi master replication ensure that one master has the complete set of data to replicate Use this master to initialize the replica on each of the other masters 2 Initialize the replicas on the first level hub replicas from their master replicas 3 If you have several levels of hubs initialize each level from the previously initialized level of hubs 4 From the last level of hub replicas initialize the replicas on the dedicated consumers Convergence After Multi Master Initialization In the case of multi master replication other masters may process change operations while a given master is being initialized Therefore when initialization is complete the new master must also receive new updates that were not included in the initialization data Since initialization may take a significant amount of time the number of pending updates may also be significant To allow convergence of these pending updates newly initialized masters are automatically set to read only mode for client operations after initialization This is true for any type of initialization whether online using the console through an LDIF file from the command line or using a backup to perform a binary copy This behavior is new in Sun ONE Directory Server 5 2 Therefore after initialization a master in a multi master configuration will process replic
402. ng the suffix containing the master replica enabling the master replica using the replication wizard and configuring it for advanced replication if necessary The following sections give the steps for configuring one master server Repeat all procedures on each server that will contain a master replica of a given suffix Defining the Suffix for the Master Replica Choose or create a suffix on the master server that will contain the entries you wish to replicate For instructions refer to Creating Suffixes on page 87 The suffix should contain all the initial data before you create replication agreements This will allow you to initialize consumer replicas immediately from this data To ensure correct multi master configuration and initialization only one of the masters should contain all of the initial data and the suffix on the other masters should be empty Enabling a Master Replica The replication wizard simplifies the task of enabling a master replica Sun ONE Directory Server Administration Guide June 2003 Configuring a Master Replica On the top level Configuration tab of the Directory Server console expand both the Data node and the node for the suffix you wish to be a master replica and then select the Replication node below the suffix The replica status information is displayed in the right hand panel Click the Enable replication button to begin the replication wizard Select the Master Replica radio button
403. nge log are managed automatically by the server and will be updated through multi master updates even after the server is restarted In earlier versions of Directory Server the change log was accessible over LDAP Now however it is intended only for internal use by the server If you have applications that need to read the change log use the Retro Change Log Plug in for backward compatibility For more information refer to Using the Retro Change Log Plug In on page 312 The only time administrators should modify the change log is when its files need to be moved to a different location for example if the disk where it resides becomes full CAUTION The change log is reinitialized when you disable it or move it to a new location In either case you will need to reinitialize all consumers of replicas on this server You must move the change log using the Directory Server console and never using the operating system rename or mv commands 1 On the top level Configuration tab on the Directory Server console select the Data node and choose the Replication tab in the right panel Chapter 8 Managing Replication 305 Modifying the Replication Topology 2 Enter a new location in the text field This is the new path and directory name where you wish to store the change log from now on For example move the change log from the default location ServerRoot slapd serverID changelogdb to ServerRoot slapd serverID newchangelog Th
404. ning With Three Servers me ae Root Suffix on Server A J Sy 7 N oon dc example dc com 4 a A Subsuffix Chained From Pa 7 Server A to Server B 1 Z 1 7 A2 Prai i ou Groups ou People 1 Europe DNE W N amp uc a a N es See X 2Ha ds r r 7 w 1 Subsuffix Chained From ou People ou Groups ee a Sa aoe Setting the Cascading Parameters There are two chaining parameters to configure for cascading e All servers should configure loop detection so that any accidental loop in the chaining topology will be detected If loop detection is not enabled servers ina loop will forward an operation around and around until it overloads them e All intermediate chained suffixes should be configured to evaluate local ACIs which is usually not done on the first level of a chained suffix Setting the Cascading Parameters Using the Console 1 On the top level Configuration tab of the Directory Server console expand the Data node and select the chained suffix you wish to modify 2 Inthe right panel select the Limits amp Controls tab where the Cascading Chaining parameters may be modified 3 On all intermediate servers in a cascading chain select the checkbox to check local ACIs During single level chaining this checkbox is not selected because a user s access rights are not evaluated on the first server but rather on the second server through the proxy However on the intermediate server of
405. nitialized if they have been updated by the other masters You may either initialize the replica online using the console or manually using the command line Online initialization using the console is convenient for initializing a small number of consumers You may initialize a replica online directly from its replication agreement However since each replica is initialized in sequence this method is not suited to initializing a large number of replicas Manual initialization using the command line is a more effective method of initializing a large number of consumers simultaneously from a single LDIF file Finally the new binary copy feature of Directory Server 5 2 can be used by experienced administrators to clone either master or consumer replicas Certain restrictions on this feature make it practical and time efficient only for replicas with very large database files for example replicas containing millions of entries Initializing Replicas in Multi Master Replication In the case of multi master replication you should initialize replicas in the following order 1 Ensure that one master has the complete set of data to replicate Use this master to initialize the replica on each of the other masters 2 Initialize the consumer replicas from their masters or from the LDIF file of any one of the masters Chapter 8 Managing Replication 285 Initializing Replicas Initializing Replicas in Cascading Replication In the case of cascadi
406. nize with the other masters after which time you may allow write operations as described in Convergence After Multi Master Initialization on page 286 The advantage of allowing all replicas to converge before allowing write operations on the restored or reinitialized master is that none of the hub or consumer servers will require reinitialization Restoring a Hub This section only applies to situations where the replication mechanism cannot automatically bring a hub replica up to date for example if the database files become corrupted or if replication has been interrupted for too long In these cases you will need to restore or reinitialize the hub replica in one of the following ways e The simplest way is to not restore a backup but to reinitialize the hub from one of the master replicas This insures that the latest data is sent to the hub and that the data will be ready for replication See Initializing a Replica Using the Console on page 289 or Initializing a Replica From the Command Line on page 290 e For replicas with millions of entries it can be faster to use the new binary copy feature to restore a more recent backup taken from another hub replica See Initializing a Replica Using Binary Copy on page 293 If there is no other hub replica to copy you must reinitialize the hub as described in the previous paragraph or restore it as described in the next paragraph if possible Chapter 4 Populating Di
407. notified For more information see Transmitting LDAP Controls for Cascading on page 130 2 16 840 1 113730 3 4 2 Managed DSA for smart referrals Returns smart referrals as entries rather than following the referral This allows you to change or delete the smart referral itself 2 16 840 1 113730 3 4 9 Virtual list view VLV Provides partial results to a search rather than returning all resulting entries at once 1 Server side sorting and VLV controls are supported through chaining only when the scope of the search is a single suffix Chained suffixes cannot support VLV controls when a client application makes a request to multiple suffixes The following table lists the other LDAP controls you may allow to chain by configuring the chaining policy Table 3 2 LDAP Controls That May be Chained OID of the Control Name and Description of the Control 1 3 6 1 4 1 42 2 27 9 5 2 Get effective rights request Asks the server to return information about access rights and ACIs relating to the entries and attributes in the result 2 16 840 1 113730 3 4 3 Persistent search Indicate that the server should keep the operation active and send results to the client whenever an entry matching the search filter is added deleted or modified 2 16 840 1 113730 3 4 4 Password expired notification Notifies a client application that their password has expired Sun ONE Directory Server Administration Guide June 2003 Managing
408. ns The server will automatically create new files according to each log configuration Log The access log contains detailed information about client connections to the directory Viewing the Access Log 1 On the top level Status tab of the Directory Server console select Logs icon and then select the Access Log tab in the right hand panel Chapter 12 Managing Log Files 391 Access Log This tab displays a table containing the latest entries in the selected access log as shown in the following figure For an explanation of the access messages see Chapter 8 Access Logs and Connection Codes in the Sun ONE Directory Server Reference Manual Figure 12 1 Viewing Log Contents camus red iplanet com Sun ONE Directory Server example Console Edit Mew Object Help Sun ONE Directory Server altel camus red iplanet com 389 lt Q Suffixes Q Chained suffixes Refresh Continuous refresh Replication Select log var Sun mps slapd exampledogs access v Lines to show fsa Show only lines containing _j Do not show Console logs UNBIND closing U1 closed fd 71 slot 71 LDAP connection from 192 16 146 11 BIND dn cn admin sery camus cn Administratio RESULT err 0 tag 97 nentries 0 etime 0 dn cn BIND dn uid admin ou Administrators ou T opol RESULT err 0 tag 97 nentries 0 etime 0 dn uid UNBIND closing U1 closed fd 71 slot 71 LDAP connection from 192 16 146 11
409. nsole you can set this permission by doing the following 1 On the Directory tab right click the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Anonymous example com Check that All Users is displayed in the list of users granted access permission 4 On the Rights tab tick the checkboxes for read compare and search rights Make sure the other checkboxes are clear 5 On the Targets tab click This Entry to display the dc example dc com suffix in the target directory entry field In the attribute table locate the userPassword attribute and clear the corresponding checkbox All other checkboxes should be ticked This task is made easier if you click the Name header to organize the list of attributes alphabetically 6 On the Hosts tab click Add and in the DNS host filter field type example com Click OK to dismiss the dialog box 7 Click OK in the Access Control Editor window The new ACI is added to the ones listed in the Access Control Manager window ACI Anonymous World In LDIF to grant read and search access of the individual subscribers subtree to the world while denying access to information on unlisted subscribers you could write the following statement aci targetfilter unlistedSubscriber y
410. nstances the PTA plug in entry is automatically added to the user directory s configuration If you installed the both directories on the same instance and you wish to perform pass through authentication with other directories you must first create the plug in configuration entry Creating the Plug In Configuration Entry 1 Run the following command to create the plug in configuration entry ldapmodify a h PTAhost p port D cn Directory Manager w password dn cn Pass Through Authentication cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass extensibleObject cn Pass Through Authentication nsslapd pluginPath ServerRoot lib passthru plugin extension nsslapd pluginInitfunc passthruauth_init nsslapd pluginType preoperation nsslapd plugin depends on type database nsslapd pluginId passthruauth nsslapd pluginVersion 5 2 nsslapd pluginVendor Sun Microsystems Inc nsslapd pluginDescription pass through authentication plugin nsslapd pluginEnabled on or off nsslapd pluginarg0 ldap s authenticatingHost port PTAsubtree options where ServerRoot depends on your installation and the extension is s1 on HP UX so on all other UNIX platforms and d11 on Windows The plug in argument specifies the LDAP URL identifying the hostname of the authenticating directory server an optional port and the PTA subtree If no port is specified the default port is 389 with
411. nt through the Administration Server console according to your platform 3 Configure the SNMP subagent through the Directory Server console 4 Start the SNMP subagent through the Directory Server console if applicable to your platform 5 Access the SNMP managed objects defined by the MIB and exposed through the agents This step is entirely dependent on your SNMP management system The steps that are specific to Directory Server configuration are described in the following sections Sun ONE Directory Server Administration Guide June 2003 Overview of the Directory Server MIB Overview of the Directory Server MIB The Directory Server s MIB has the following object identifier iso org dod internet private enterprises netscape nsldap nsldapd OBJECT IDENTIFIER 1 3 6 1 4 1 1450 7 And it is defined in the following file ServerRoot plugins snmp netscape ldap mib The MIB defines the variables that can be monitored through SNMP and the type of values they contain The directory MIB is broken into four distinct tables of managed objects Operations table Contains statistics about binds operations referrals and errors in the directory server Values for these variables are also available in the attributes of the cn snmp cn monitor entry of the directory See Monitoring Attributes in Chapter 4 of the Sun ONE Directory Server Reference Manual Entries Table Contains counts of entries in th
412. nt users to authenticate using SSL switch to manual editing by clicking the Edit Manually button and add authmethod ss1 to the LDIF statement so that it reads as follows targetattr homePostalAddress homePhone mail version 3 0 acl Write Subscribers allow write userdn ldap self and authmethod ss1 7 Click OK The new ACI is added to the ones listed in the Access Control Manager window Restricting Access to Key Roles You can use role definitions in the directory to identify functions that are critical to your business the administration of your network and directory or another purpose Chapter 6 Managing Access Control 223 Access Control Usage Examples 224 For example you might create a superAdmin role by identifying a subset of your system administrators that are available at a particular time of day and day of the week at corporate sites worldwide Or you might want to createa First Aidrole that includes all members of staff on a particular site that have done first aid training For information on creating role definitions refer to Assigning Roles on page 154 When a role gives any sort of privileged user rights over critical corporate or business functions you should consider restricting access to that role For example at example com employees can add any role to their own entry except the superAdmin role This is illustrated in the ACI Roles example ACI Roles In
413. ntify your certificate certFile is the text file containing the PKCS 11 certificate in PEM format and path and prefix are the same as in Step 1 Alternatively if you are managing your certificate database through Netscape Communication there may be a link on your CA s website to install the certificate directly Click this link and step through the dialog boxes that Communicator presents to you Create a binary copy of your certificate with the following command certutil L n certificateName d path r gt userCert bin where certificateName is the name you gave to your certificate when you installed it path is the location of your certificate database and userCert bin is the name of the output file that will contain the certificate in binary format On the Directory Server add the userCertificate attribute to the directory entry for the user who owns the client certificate To add the certificate through the console a From the top level Directory tab of the Directory Server console locate the user entry in the directory tree right click on it and select Edit with Generic Editor from the pop up menu b Inthe Generic Editor click Add Attribute and select the userCertificate attribute from the pop up dialog c Locate the new userCertificate field in the Generic Editor Click the corresponding Set Value button to set a binary value for this attribute Chapter 11 Implementing Security 383 Configuring LDAP Clients to
414. ntries of an indirect CoS definition Chapter 5 Advanced Entry Management 173 Defining Class of Service CoS 174 Creating the CoS Template Entry From the Command Line When using pointer CoS or classic CoS the template entry contains the LDAPsubentry and cosTemplate object classes This entry must be created specifically for the CoS definition Making the CoS template entry an instance of the LDAP subent ry object classes allows ordinary searches to be performed unhindered by the configuration entries The template of the indirect CoS mechanism is an arbitrary existing entry in the directory The target does not need to be identified ahead of time nor given the LDAP subent ry object class but it must have the auxiliary cosTemplate object class The indirect CoS template is accessed only when the CoS is evaluated to generate a virtual attribute and its value In all cases the CoS template entry must contain the attribute and the value that is generated by the CoS on the target entries The attribute name is specified in the cosAttribute attribute of the CoS definition entry The following example shows a template entry of the highest priority for a pointer CoS that generates the post alCode attribute dn cn ZipTemplate ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass extensibleobject objectclass cosTemplate postalCode 95054 cosPriority 0 The following sections provide exa
415. nts you allow to chain Refer to the Chaining Policy of Server Components on page 115 for a description of each component For example the following command adds the referential integrity component to the list of chained components ldapmodify h host p port D cn Directory Manager w password dn cn config cn chaining database cn plugins cn config changetype modify add nsActiveChainingComponents nsActiveChainingComponents cn referential integrity postoperation cn components cn config D 3 Once you have modified the chaining policy configuration entry you must restart the server for your changes to take affect Disabling or Enabling a Chained Suffix Sometime you may need to make a chained suffix unavailable for maintenance or for security reasons Disabling a suffix prevents the server from contacting the remote server in response to any client operations that try to access the suffix If you have a default referral defined that referral will be returned when clients attempt to access a disabled suffix Disabling or Enabling a Chained Suffix Using the Console 1 On the top level Configuration tab of the Directory Server console expand the Data node and select the chained suffix you wish to disable 2 Inthe right panel select the Settings tab By default all chained suffixes are enabled when they are created Sun ONE Directory Server Administration Guide June 2003 Managing Chained Suffixes
416. o an entry 1 Open the generic editor as described in Invoking the Generic Editor on page 54 Scroll through the list of attributes and select the ob jectclass attribute The Add Value button is activated If this button is not activated you do not have permission to modify this entry s object class Click the Add Value button The Add Object Class dialog is displayed It shows a list of object classes that you can add to the entry Select one or more object classes that you want to add to this entry and click OK The object classes you selected will appear in the list of values for the objectclass attribute If the new object class has required attributes that did not already exist in your entry the generic editor will add them automatically You must provide a value for all of the required attributes Edit any other values or perform other modifications as desired to this entry then click OK to save your changes and close the generic editor Chapter 2 Creating Directory Entries 59 Managing Entries Using the Console 60 To remove an object class from an entry 1 Open the generic editor as described in Invoking the Generic Editor on page 54 2 Scroll through the list of attributes and click on the specific value of the objectclass attribute you wish to remove The Delete Value button is activated if removing the selected object class is allowed by the schema and you have permission to modify this entr
417. o button to make a lockout permanent until the Directory Manager resets the user password e Otherwise select the Lockout duration radio button and enter the number of minutes the user account will be temporarily locked 4 When you have finished making changes to the password policy click Save The new global password policy will be enforced immediately Configuring the Password Policy From the Command Line The global password policy is defined by the attributes of the cn Password Policy cn config entry Use the ldapmodify utility to change the global policy in this entry Chapter 7 User Account Management 253 Managing Individual Password Policies The definition of all possible attributes in a password policy is given in cn Password Policy in Chapter 4 of the Sun ONE Directory Server Reference Manual For example password syntax and length checking are off by default and account lockout is disabled Use the following command to turn on syntax checking set the minimum length to 8 and enable a temporary five minute lockout after 5 incorrect password attempts ldapmodify h host p port D cn Directory Manager w password dn cn Password Policy cn config changetype modify replace passwordCheckSyntax passwordCheckSyntax on replace passwordMinLength passwordMinLength 8 replace passwordLockout passwordLockout on replace passwordMaxFailure passwordMaxFailure 5 replace passwordLockoutDuration passwordLo
418. object class To create an entry using one of these templates follow the instructions in Creating an Entry Using a Custom Editor on page 49 To create any other type of entry refer to Creating Other Types of Entries on page 51 Creating an Entry Using a Custom Editor 1 On the top level Directory tab of the Directory Server console expand the directory tree to display the entry that you wish to be the parent of the new entry Right click the parent entry select the New menu item and then select the type of entry from the submenu User Group Organizational Unit Role Class of Service Password Policy or Referral Alternatively you may left click the parent entry to select it and then choose the type of entry from the Object gt New menu The custom editor dialog for the entry type you selected is displayed The custom editor has a list of tabs in the left hand column and the fields of each tab is displayed on the right By default all custom editors open with the topmost User or General tab selected which contains the fields to name and describe the new entry For example the following figure shows the custom editor for user entries Chapter 2 Creating Directory Entries 49 Managing Entries Using the Console Figure 2 1 Directory Server Console Custom Editor for User Entries Create New User Phone Fax User Fj a oes FirstName earra SCS S NT User Last Name Jensen Posix User
419. ocumentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR S BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE END COPYRIGHT The source code to the Standard Version of Perl can be obtained from CPAN sites including http www perl com This product incorporates compression code by the Info ZIP group There are no extra charges or costs due to the use of this code and the original compression sources are freely available from ftp ftp cdrom com pub infozip on the Internet 430 Sun ONE Directory Server Administration Guide June 2003 A access control ACI attribute 180 ACI syntax 184 allowing or denying access 191 and replication 247 and schema checking 187 anonymous access 197 209 218 bind rules 194 access at specific time or day 208 access based on value matching 201 general access 198 user and
420. od and will thus ensure the data can only be transmitted over a secure channel For more information see Bind Rules on page 194 For a complete description of SSL internet security and certificates including how to configure SSL in your Administration Server as well see Chapter 10 Using SSL and TLS with Sun ONE Servers in the Sun ONE Server Console Server Management Guide Sun ONE Directory Server Administration Guide June 2003 Summary of Steps for Enabling SSL Summary of Steps for Enabling SSL Each of the following steps are covered in the subsequent sections of this chapter 1 Obtain and install a certificate for your Directory Server and configure the Directory Server to trust the certification authority s certificate This procedure includes a Creating a certificate database if necessary b Generating and sending a certificate request from your server to your Certificate Authority who will provide your server certificate c Installing your new certificate in the server d Trusting your Certificate Authority and all certificates it issues Activate and configure SSL in your directory including the secure ports for LDAP and DSML operations You may also configure the Directory Server console to access the server using SSL Optionally configure the server for one or more of the following client authentication mechanisms a The default certificate based authentication b The DIGEST_MD5 auth
421. odd hob daly a daa cohen eta a Shade ae ees 415 Creating the Plug In Configuration Entry 0 cece eee eee enn es 415 Configuring PTA to Use a Secure Connection 0066 ee 416 Setting the Optional Connection Parameters 60 c cece een ene 416 Sun ONE Directory Server Administration Guide June 2003 Specifying Multiple Servers and Subtrees 0 ccc eects 417 Modifying the PTA Plug In Configuration 0 0 ccc ccc eee eee ennes 418 Using the UID Uniqueness Plug In 0 e cece eee eee 419 Overview 5 ont fe ants a ee aa cys tnd att Seen rte rhe S aE aana SND ate AME OG ier te Te Bale th ye 419 Enforcing Uniqueness of the uid Attribute 6 eens 420 Configuring the Plug In Using the Console 0 ccc cece nets 420 Configuring the Plug In From the Command Line 0 60 c cece cece eee 421 Enforcing Uniqueness of Another Attribute 0 6 6 cee ene 423 Using the Uniqueness Plug In With Replication 0 00 c cece eee eens 425 Single Master Replication Scenario 6 6 eet ete nnn ees 425 Multi Master Replication Scenario 0 1 enn ete teen eens 425 Third Party Licence Acknowledgements 00s eee e eee eee e ene 427 Nde modnie teen Ted earning ol neti Rina aia na a aan the amu g cir a a mln met als 431 12 Sun ONE Directory Server Administration Guide June 2003 About This Guide TM Sun ONE Directory Server 5 2 is a powerful and scalable distri
422. odification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software The source code must either be included in the distribution or be available for no more than the cost of distribution plus a nominal fee and must be freely redistributable under reasonable conditions For an executable file complete source code means the source code for all modules it contains It does not include source code for modules or files that typically accompany the major components of the operating system on which the executable file runs THIS SOFTWARE IS PROVIDED BY SLEEPYCAT SOFTWARE AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE OR NON INFRINGEMENT ARE DISCLAIMED IN NO EVENT SHALL SLEEPYCAT SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOOD
423. of a master This allows you to control which data is distributed and use replication bandwidth and consumer resources more efficiently For example if you wish to reduce replication bandwidth you may choose to not replicate attributes with typically large values such as photo jpegPhoto and audio Asa result these attributes will not be available on consumers As another example you may choose to replicate only the uid and userpassword attributes to a consumer server that is dedicated to performing authentication Chapter 8 Managing Replication 281 Configuring Fractional Replication 282 Considerations for Fractional Replication Enabling or modifying the fractional set of attributes requires you to reinitialize the consumer replica Therefore you should determine your fractional replication needs before deployment and define your attribute set before you initialize your replicas for the first time You should proceed with caution when replicating a small set of attributes given the dependency of complex features such as ACIs roles and CoS on certain attributes In addition not replicating other attributes that are mentioned in specifiers or filters of the ACI roles or CoS mechanisms may compromise the security of the data or result in different sets of attributes being returned in searches Managing a list of attributes to exclude is safer and less prone to human error than managing a list of attributes to include You shoul
424. of a request 2 16 840 1 113730 3 4 19 Virtual attributes only request Indicates that the server should return only attributes generated by the roles and class of service features 1 Applications may use either control for proxied authorization You should have the same chaining policy for both of these OIDs For more information see Transmitting LDAP Controls for Cascading on page 130 Chaining Policy of Server Components A component is any feature or functional unit of the server that uses internal operations For example plug ins are considered to be components To perform their task most components must access the directory contents either the configuration data or the user data stored in the directory By default no server components are allowed to chain You must explicitly allow chaining if you want them to access chained suffixes The components that may access chained data are listed by their DN below Chapter 3 Creating Your Directory Tree 115 Managing Chained Suffixes 116 As described in Creating Chained Suffixes Using the Console on page 105 you must grant certain rights in an ACI on the remote server to allow chaining When chaining server components you must allow search read and compare in this ACI so that the server components may perform these operations In addition certain components require write permission on the remote server as explained in the list e cn ACL Plugin cn plugins cn c
425. of a supplier replica in a large replication topology 1 On the top level Configuration tab on the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix From the list of replication agreements select one that you wish to duplicate If you wish to create a new agreement with a secure connection to the consumer you must select an existing agreement that also uses a secure port If you wish to create a new non secure agreement you must select a non secure one Verify the configuration of this agreement by clicking Edit and browsing the tabs of the Replication Agreement dialog The configurations on these tabs are described in the following sections o The Connection tab is described in Changing the Replication Manager on page 300 o The Schedule and Network tabs are described in Replication Over a WAN on page 297 o The Replicated Attributes tab is described in Configuring Fractional Replication on page 281 3 With the same replication agreement still selected click the Duplicate button Chapter 8 Managing Replication 301 Modifying the Replication Topology 302 4 Select the hostname and port number of the new consumer from the list or click the Add Host button to use a different host and port The list and the Add Host dialog will only allow you to select a consumer with the same type of security as the consumer agre
426. of the following two forms ServerRoot The ServerRoot is the location of the Sun ONE Directory Server product This path contains the shared binary files of the directory server the administration server and LDAP commands Sun ONE Directory Server Administration Guide June 2003 Default Paths and Filenames The actual ServerRoot path depends on your platform your installation and your configuration The default path depends on the product platform and packaging as shown in Table 1 on page 15 ServerRoot slapd serverID The serverID is the name of the Directory Server instance that you defined during installation or configuration This path contains database and configuration files that are specific to the given instance NOTE Paths specified in this manual use the forward slash format of Unix and commands are specified without file extensions If you are using a Windows version of Sun ONE Directory Server use the equivalent backslash format Executable files on the Windows platforms have the same name with the exe or bat extension Table 1 Default ServerRoot Paths Product Installation ServerRoot Path Solaris Packages var mps serverroot After configuration this directory contains links to the following locations e etc ds v5 2 static configuration files e usr admserv mps admin Sun ONE Administration Server binaries e usr admserv mps console Server Console binaries e usr ds
427. of this file is more prone to error and is therefore not recommended You should be aware of the following behavior Chapter 2 Creating Directory Entries 47 Managing Entries Using the Console e The dse 1dif file is read only once at startup Thereafter the server configuration is based on the in memory LDAP image of the configuration entries Therefore modifications to the file after startup will not be taken into account until the next restart e Modifying the configuration using the console or from the command line changes the LDAP image of the configuration Some directory features read the current configuration when invoked and do not require restarting the server e The server will write the dse 1dif file whenever the LDAP image of the configuration is changed Some directory features only read their configuration when the server starts and writing the file ensures the change will be present The existing dse 1dif file will be copied to dse 1dif bak and the existing dse 1dif bak will be overwritten Therefore any manual changes to the dse 1dif file will be lost if the configuration is changed through LDAP before the server is restarted e After every successful startup of the directory the dse 1dif file is copied to dse 1ldif startoxk in the same location If your server cannot start because of a faulty configuration change you will need to restore the dse 1dif from this file Managing Entries Using the Console 48 You
428. ol Panel and select Services Select SNMP from the list of Services Click Start to start the SNMP Service click Stop to stop the SNMP Service or click Stop then Start to restart the SNMP Service Stopping the directory does not stop the Windows SNMP service you must do so explicitly from the Control Panel Chapter 13 Monitoring Directory Server Using SNMP 411 Starting and Stopping the SNMP Subagent 412 Sun ONE Directory Server Administration Guide June 2003 Chapter 14 Using the Pass Through Authentication Plug In Pass through authentication PTA is a mechanism by which one directory server consults another to authenticate bind requests The PTA plug in provides this functionality allowing a directory server to accept simple bind operations password based for entries not stored in its local suffixes Sun ONE Directory Server 5 2 uses PTA to allow you to administer your user and configuration directories on separate instances of Directory Server NOTE The PTA plug in is not listed in Directory Server console when you use the same server for your user directory and your configuration directory but you may create it to use pass through authentication This chapter describes the PTA plug in in the following sections e How Directory Server Uses PTA e Configuring the PTA Plug In How Directory Server Uses PTA If you install the configuration directory and the user directory on separate instances of Directory Server
429. ole For more information about how to use roles in your directory refer to Chapter 4 Designing the Directory Tree in the Sun ONE Directory Server Deployment Guide Assigning Roles Using the Console This section describes the procedures for creating and modifying roles Creating a Managed Role Managed roles have a role definition entry and members are designated by adding the nsRoleDN attribute to each member entry To create and add members to a managed role using the console 156 Sun ONE Directory Server Administration Guide June 2003 Assigning Roles 1 On the top level Directory tab of the Directory Server console right click the entry in the directory tree where you want to add the new role definition and select the New gt Role item Alternatively select the entry and choose the New gt Role item from the Object menu 2 Inthe Create New Role dialog you must type a name for your new role in the Role Name field and you may add an optional description of the role in the Description field The group name will become the value of the cn common name attribute for the new role entry and appear in its DN 3 Click Members in the left hand list of the dialog In the right pane the Managed Role radio button is selected by default 4 Click Add below the list of members to add new members to the role The standard Search users and groups dialog box appears 5 Inthe Search drop down list select
430. ole definitions including other nested roles The set of members of a nested role is union of all members of the roles it contains Nested roles may also define extended scope to include the members of roles in other subtrees Roles allow client applications to know all role membership of an entry by directly reading its nsRole attribute This simplifies client processing optimizes directory usage Roles can be used in combination with the CoS mechanism to generate other attributes for role members see Creating Role Based Attributes on page 177 Roles can be used to define access control see Defining Role Access roledn Keyword on page 200 Roles also support other functionality such as activating or deactivating all of their members at once see Inactivating and Activating Users and Roles on page 260 Searching the nsRole Attribute Sun ONE Directory Server 5 2 now permits the use of the nsRole attribute in any search filter You may search for a particular value for this attribute using any of the comparison operators However keep in mind the following considerations e Searches involving the nsRole attribute may take significantly longer because all roles must be evaluated before the entries may be filtered Chapter 5 Advanced Entry Management 155 Assigning Roles e The directory server is optimized for equality searches on membership in specific in managed roles For example the following search will be nearl
431. on Topology ldapmodify h host p port D cn Directory Manager w password dn cn east example com 389 cn replica cn suffixDN cn mapping tree cn config changetype modify add ds5ReplicaTransportCompressionLevel ds5ReplicaTransportCompressionLevel 3 D Modifying the Replication Topology 300 This section contains procedures for managing an existing replication topology such as editing or removing replication agreements promoting demoting or disabling a replica forcing updates to consumers and managing the change log Managing Replication Agreements From the replication panel for a master suffix you can manage the replication agreements to change the authentication information in an agreement interrupt replication to a specific consumer or remove consumers from the topology Changing the Replication Manager You can edit a replication agreement to change the replication manager identity used to bind to the consumer server To avoid any interruption of the replication you should define the new replication manager entry or certificate entry on the consumer before modifying the replication agreement However if replication is interrupted due to a bind failure the replication mechanism will automatically send all the necessary updates when you correct the error within the limits of the replication recovery settings see Advanced Consumer Configuration on page 271 To change the replication manager used to a
432. on entry While this command is running the contents of the suffix remain available through the server but searches will not be indexed until the script has completed Reindexing is a resource intensive task that may impact the performance of other operations on the server Depending on the size of the directory reinitializing the suffix is usually faster than reindexing two or more attribute but a suffix is unavailable during the initialization For more information see Reinitializing a Suffix on page 351 The command for this script is platform dependent usr sbin directoryserver db2index task Windows Platforms cd ServerRoot Other Installations bin slapd admin bin perl slapd serverID db2index pl ServerRoot slapd serverID db2index pl The following examples regenerate the sn index in the suffix corresponding to the databaseName UNIX shell script use directoryserver db2index task in Solaris Packages installations var Sun mps slapd example db2index pl D cn Directory Manager w password n databaseName t sn Windows batch file C Program Files Sun MPS bin slapd admin bin perl exe C Program Files Sun MPS slapd example db2index pl D cn Directory Manager w password n databaseName t sn For more information see db2index p1 in Chapter 2 of the Sun ONE Directory Server Reference Manual Deleting all Indexes for an Attribute If you wish to remove all indexes configured for an
433. onfig The ACL plug in implements the access control feature Operations used to retrieve and update ACI attributes are not chained because it is not safe to mix local and remote ACI attributes However requests used to access user entries may be chained For further information on the limitations surrounding ACIs and chaining see ACI Limitations on page 188 e cn old plugin cn plugins cn config This plug in represents all Directory Server 4 x plug ins and whether or not they are allowed to chain The 4 x plug ins share the same chaining policy You may need to set ACIs on the remote server depending upon the operations performed by the 4 x plug ins e cn resource limits cn components cn config This component sets resource usage limits based on the user bind DN You can enforce resource limits on users whose identity is stored in a chained suffix when this component is allowed to chain e cn certificate based authentication cn components cn config This component is used when the SASL external bind method is used It retrieves the user certificate from the remote server CAUTION Allowing certificate based authentication from chained suffixes may create a security hole If other suffixes are chained to remote servers that are not trusted a certificate on an untrusted server could be used for authentication e cn referential integrity postoperation cn plugins cn config This plug in ensures that the removal of an
434. onfiguration of your new suffix you may choose to clone an existing suffix Select the Clone Suffix Configuration and choose the suffix you wish to clone from the drop down menu Then select any of the following configurations to clone e Clone index configuration The new suffix will maintain the same indexes on the same attributes as the cloned suffix e Clone attribute encryption configuration The new suffix will enable encryption for the same list of attributes and the same encryption schemes as in the cloned suffix Clone replication configuration The new suffix will be the same replica type as the cloned suffix all replication agreements will be duplicated if it is a supplier and replication will be enabled Click OK when you have configured all of the new suffix options The new suffix dialog will show all the options you chose 4 Click OK in the new suffix dialog to create the new root suffix The root suffix appears automatically under the Data branch See Managing Suffixes on page 95 to further configure the new suffix 88 Sun ONE Directory Server Administration Guide June 2003 Creating Suffixes A new root suffix does not contain any entries not even an entry for the suffix DN Consequently it will not be accessible in the directory nor visible in the Directory tab of the console until it has been initialized and given the appropriate access permissions If you will initialize the suffix from an LDIF
435. onsole 58 subtypes not supported in class of service CoS 166 using referential integrity 81 attributes values targeting 190 audit log see logs authentication access control and 209 bind DN 30 authentication methods proxy authorization 235 authmethod keyword 209 B backing up data 142 default directory location 142 dse ldif server configuration file 143 from the command line 143 using the console 142 bak2db utility 147 bak2db pl perl script 148 bind DN changing using the console 30 viewing current 29 bind rules access at specific time or day 208 access based on authentication method 209 LDIF example 210 access based on value matching overview 201 ACI syntax 185 all keyword 198 anonymous access 197 example 218 anyone keyword 197 authmethod keyword 209 Boolean 210 dayofweek keyword 209 dns keyword 207 general access 198 group access 199 group access example 225 groupdn keyword 199 ip keyword 206 LDAP URLs 198 LDIF keywords 196 overview 194 parent keyword 198 role access 200 roledn keyword 200 self keyword 198 timeofday keyword 208 user access parent 198 self 198 user access example 220 userattr keyword 201 userdn keyword 197 Boolean bind rules example 210 overview 210 browsing index see indexing C cascading replication see replication certificate based authentication 370 certificates see SSL chained suffixes see chaining chaining access control evaluation 111 cascading chaining configuration 1
436. onsumer replica in sync this is not sufficient to bring back up to date immediately a replica that has been offline for over five minutes To ensure that directory information will be synchronized immediately when a server comes back online you can use either the Directory Server console or a customizable script 306 Sun ONE Directory Server Administration Guide June 2003 Modifying the Replication Topology Forcing Replication Updates from the Console To ensure that replication updates are sent immediately when a consumer or a master in a multi master replication configuration comes back online after a period of time you can perform these steps on the supplier that holds the most recent version of the directory data 1 On the top level Configuration tab on the Directory Server console expand both the Data node and the suffix node for the master replica and select the Replication node below the suffix The replica status information is displayed in the right hand panel 2 Select the replication agreement from the list that corresponds to the consumer you wish to update and then click Action gt Send updates now This initiates replication toward the replica that holds the information that needs to be updated Forcing Replication Updates from the Command Line From the consumer that requires updating the following script will prompts its supplier to send replication updates immediately You can copy this example and give i
437. ontains the hostname and optional port number of on or more remote servers in the following format ldap s hostname port hostname port Chapter 3 Creating Your Directory Tree 121 Managing Chained Suffixes The URL it does not include any suffix information For information about specifying a secure port refer to Chaining Using SSL on page 112 The servers in URL will be contacted in the order listed when the first one fails to respond to a chained request All remote servers listed in the LDAP URL must contain the suffixDN that is the base entry of the chained suffix To change the DN of the proxy user enter a new value in the Bind DN field Enter and confirm the corresponding password for this DN in the Password fields The proxyDN is the DN of a user on the remote server The local server will use this DN as a proxy when accessing contents of the suffix on the remote server Operations performed through the chained suffix will use this proxy identity in the creatorsName and modifiersNane attributes If no proxy DN is specified the local server will bind anonymously when accessing the remote server The text box at the bottom of the tab shows the ACIs required to allow chaining of this suffix If you changed the remote server URL you must add the ACI to the entry with the suffixDN on the new remote server or servers If you modified the proxy DN you should update the ACI on all chained servers Use the Copy ACI b
438. oot of the configuration tree and select the Network tab in the right hand panel 2 Select the Return Referral checkbox and enter an LDAP URL in the text field Alternatively click Contstruct URL to be guided through the definition of an LDAP URL An example of an LDAP URL to a secure port is ldaps east example com 636 dc example dc com You can enter multiple referral URLs separated by spaces and in quotes as follows ldap east example com 389 ldap backup example com 389 3 Click Save for your changes to take effect immediately Chapter 2 Creating Directory Entries 73 Setting Referrals Setting a Default Referral From the Command Line Use the ldapmodify command line utility to add or replace one or more default referrals to the cn config entry in your directory configuration file For example ldapmodify a h host p port D cn Directory Manager w password dn cn config changetype modify replace nsslapd referral nsslapd referral ldap east example com 389 nsslapd referral ldap backup example com 389 You do not need to restart the server Creating Smart Referrals Smart referrals allow you to map a directory entry or directory tree to a specific LDAP URL Using smart referrals you can refer client applications to a specific server or a specific entry on a specific server Often a smart referrals points to an actual entry with the same DN on another server However you may define the smart
439. oot slapd serverID start slapd The following example restores a backup from the default backup directory bak2db var Sun mps slapd example bak 2001_07_01_11_34_00 For more information refer to bak2db in Chapter 2 of the Sun ONE Directory Server Reference Manual Using bak2db pl Perl Script To restore your directory from the command line while the server is running use the following perl script usr sbin directoryserver bak2db task Windows platforms cd ServerRoot Other Installations bin slapd admin bin perl slapd serverID bak2db pl ServerRoot slapd serverID bak2db pl The following examples import an LDIF file using the 1dif2db p1 script The a option gives the full path of the backup directory UNIX shell script use directoryserver bak2db task on Solaris Packages installations var Sun mps slapd example bak2db pl D cn Directory Manager w password a var Sun mps slapd example bak checkpoint Windows batch file C Program Files Sun MPS bin slapd admin bin perl exe C Program Files Sun MPS slapd example bak2db pl D cn Directory Manager w password a C Program Files Sun MPS slapd example bak 2001_07_01_11_34_00 For more information refer to bak2db pl in Chapter 2 of the Sun ONE Directory Server Reference Manual Restoring the dse ldif Configuration File The directory creates two backup copies of the dse 1dif file in the following directory 148 Sun ONE Dire
440. op up menu This displays the Generic Editor with the contents of the cn config entry 2 Scroll down the list of attribute value pairs to locate the nsslapd errorlog level attribute 3 Add 128 to the value already displayed in the nsslapd errorlog level field For example if the value already displayed is 8192 replication debugging you should change the value to 8320 For complete information on error log levels refer to the Sun ONE Directory Server Reference Manual 4 Click OK to save your changes and dismiss the Generic Editor Chapter 6 Managing Access Control 247 Compatibility with Earlier Releases Compatibility with Earlier Releases 248 Some ACI keywords that were used in earlier releases of Directory Server have been deprecated in Sun ONE Directory Server 5 2 However for reasons of backward compatibility they are still supported These keywords are e userdnattr e groupdnattr Therefore if you have set up a replication agreement between a legacy supplier server and a consumer Directory Server 5 2 you should not encounter any problems in the replication of ACIs However we recommend that you replace these keywords with the functionality of the userattr keyword as described in Defining Access Based on Value Matching on page 201 Sun ONE Directory Server Administration Guide June 2003 Chapter 7 User Account Management When a user connects to your directory server the user is authenticated
441. operations but it may cause a slight performance degradation Multi Master Replication Scenario The UID uniqueness plug in was not designed for use in a multi master replication scenario Because multi master replication uses a loosely consistent replication model simultaneously adding the same attribute value on both servers will not be detected even if the plug in is enabled on both servers However you can use the UID uniqueness plug in under the following conditions e The attribute on which you are performing the uniqueness check is a naming attribute Chapter 15 Using the UID Uniqueness Plug In 425 Using the Uniqueness Plug In With Replication e The uniqueness plug in is enabled for the same attribute in the same subtrees on all masters When these conditions are met uniqueness conflicts are reported as naming conflicts at replication time Naming conflicts require manual resolution For information on resolving replication conflicts refer to Solving Common Replication Conflicts on page 317 426 Sun ONE Directory Server Administration Guide June 2003 Appendix A Third Party Licence Acknowledgements This product includes software covered by the following copyright notices All trademarks and registered trademarks mentioned herein are the property of their respective owners Copyright c 1990 2000 Sleepycat Software All rights reserved Redistribution and use in source and binary forms with or without m
442. ople dc example dc com changetype replac replace telephoneNumber telephoneNumber 408 555 1234 In order to modify the smart referral entry you must use the option of ldapmodify for example ldapmodify M h host p port D cn Directory Manager w password dn uid bjensen ou People dc example dc com changetype replac replace ref ref ldap east example com cn Babs 20Jensen ou Marketing o east dc example dc com Encrypting Attribute Values Attribute encryption is a new feature in Sun ONE Directory Server 5 2 that protects sensitive data while it is stored in the directory Attribute encryption allows you to specify that certain attributes of an entry be stored in an encrypted format This prevents data from being readable while stored in database files backup files and exported LDIF files 76 Sun ONE Directory Server Administration Guide June 2003 Encrypting Attribute Values With this feature attribute values are encrypted before they are stored in the Directory Server and decrypted before being returned in the clear You should use other mechanisms such as ACIs to prevent LDAP clients from accessing forbidden data and SSL to encrypt communications For an architectural overview of data security in general and attribute encryption in particular please see Chapter 7 Designing a Secure Directory in the Sun ONE Directory Server Deployment Guide Attribute encryption is active
443. or stopped To export the contents of a datatbase to an LDIF file use the following command usr sbin directoryserver db2ldif ServerRoot slapd serverID db21dif The following example exports two suffixes to a single LDIF file db21dif a output ldif s dc example dc com s o NetscapeRoot The following table describes the db21dif options used in this example Table 4 4 Description of db2ldif Options Used in the Example Option Description a Defines the name of the output file in which the server saves the exported LDIF This file is stored by default in the ServerRoot slapd serverID directory s Specifies the suffix or subtree to include in the export You may use multiple s arguments to specify multiple suffixes or subtrees The db21dif command may also be used with the r option to export replicated suffixes to an LDIF file The resulting LDIF will contain attribute subtypes that are used by the replication mechanism This LDIF file can then be imported on the consumer server to initialize the consumer replica as described in Initializing Replicas on page 284 The server must not be running when using the db21dif command with the r option You must stop the server first and start it afterwards or use the db21dif p1 script with the r option that does not require the server to be stopped For more information about using this script see db2lidf in Chapter 2 of the Sun ONE Directory Serv
444. ord policy is defined by a subentry in the directory tree which is then referenced by user entries having that policy If a user entry does not reference an individual policy the global password policy in cn PasswordPolicy cn config applies to it The following sections explain how to implement password policies and assign them to users and groups For more information see Designing Your Password Policies in Chapter 7 of the Sun ONE Directory Server Deployment Guide Preventing Dictionary Style Attacks Ina dictionary style attack an intruder attempts to crack a password by repeatedly guessing the password until gaining authorization The server provides three tools to counter such attacks e Password syntax checking verifies that a password does not match values of the uid cn sn givenName ou or mail attributes of the user entry The server will not allow a user to set a password if it matches one of these values However syntax checking does not thwart actual dictionary attacks in which the intruder tries every word in usr dict words for example e A minimum password length ensures that the user cannot set a short password Passwords with more characters are exponentially harder to guess or attempt all values In Directory Server you must enable password syntax checking and minimum length simultaneously e The account lockout mechanism prevents binding after a certain number of failed authentication attempts The lockout ma
445. ord2 dn suffixDN changetype modify add aci aci targetattr target ldap suffixDN version 3 0 acl Allows use of admin for chaining allow proxy userdn 1dap proxyDN AT 5 Set any of the attributes described in Setting Default Chaining Parameters on page 102 to control the connection and operation handling on the remote server The cascading parameters are further described in Configuring Cascading Chaining on page 127 Optimizing Thread Usage You may also set the number of threads used globally by the server to take into account the thread resources used for chaining Chained operations may take significantly longer because they must be forwarded to the remote server but their threads are idle while the remote server processes the operation If your chained servers add significant delays you should increase the number of threads so that more are available to process local operations in the meantime By default the number of threads used by the server is 30 However when using chained suffixes you can improve performance by increasing the number of threads available for processing operations The number of threads you need depends on the number of chained suffixes the number and types of operations on them and the average time needed to process the operations on the remote server In general you should increase the number of threads by 5 to 10 per chained suffix assuming the chained suff
446. ory users It is safer to define several mappings to handle different client credential formats than to create a single overly generic and permissive mapping You should always try to map client connections to specific users according to the client credentials 378 Sun ONE Directory Server Administration Guide June 2003 Configuring LDAP Clients to Use Security Configuring LDAP Clients to Use Security The following sections explain how to configure and use SSL in LDAP clients that wish to establish secure connections with the directory server In an SSL connection the server sends its certificate to the client The client must first authenticate the server by trusting its certificate Then the client may optionally initiate one of the client authentication mechanisms by sending its own certificate or information for one of the two SASL mechanism either DIGEST MD5 or GSSAPI using Kerberos V5 The following sections use the ldapsearch tool as an example of an SSL enabled LDAP client The ldapmodify ldapdelete and ldapcompare tools provided with the directory server are configured in the same way These directory access tools are based on the Sun ONE LDAP SDK for C and are further documented in the Sun ONE Directory Server Resource Kit Tools Reference To configure SSL connections on other LDAP clients please refer to the documentation provided with your application NOTE Some client applications implement SSL but do not verify
447. ost p port D cn Directory Manager w password dn cn suffixDN cn mapping tree cn config changetype modify replace nsslapd state nsslapd state referral on update or referral add nsslapd referral nsslapd referral LDAPURL D You may repeat the last change statement to add any number of LDAP URLs to the nsslapd referral attribute When the value of nsslapd state is referral on update the suffix is read only and all LDAP URLs will be returned as referrals for write operations When the value is referral both read and write operations are denied and the referrals are returned for any request The suffix will become read only or inaccessible and ready to return referrals immediately after the command is successful Modifying the Chaining Parameters Once you have defined a chained suffix you may modify the parameters that control chaining You may specify how to access the remote server change the DN used for proxying or even change the remote server You may also modify performance parameters that control how the server establishes and maintains connections to chained servers Modifying the Chaining Parameters Using the Console 1 On the top level Configuration tab of the Directory Server console expand the Data node and select the chained suffix you wish to modify In the right panel select the Remote Server tab To change the name or port of the remote server modify the Remote Server s URL field The URL c
448. ou did not use inheritance you would have to do one of the following to achieve the same result e Explicitly set read and search access for user bjensen on the cn Profiles cn mail and cn news entries in the directory e Add the owner attribute and the following ACI to the cn mail cn Profiles and cn news cn Profiles entries aci targetattr version 3 0 acl profiles access allow read search userattr owner USERDN Granting Add Permission Using the userattr Keyword If you use the userattr keyword in conjunction with all or add permissions you might find that the behavior of the server is not what you expect Typically when a new entry is created in the directory Directory Server evaluates access rights on the entry being created and not on the parent entry However in the case of ACIs using the userattr keyword this behavior could create a security hole and the server s normal behavior is modified to avoid it Consider the following example aci target ldap dc example dc com targetattr version 3 0 acl manager write allow all userattr manager USERDN Chapter 6 Managing Access Control 205 Bind Rules This ACI grants managers all rights on the entries of employees that report to them However because access rights are evaluated on the entry being created this type of ACI would also allow any employee to create an entry in which the manager attribute is set to their own D
449. our directory server is stopped and the Directory Server console is not running you must start the server from the command line If you do not wish to use the Directory Server console you may also stop the server from the command line With root privileges run one of the following commands Solaris Packages usr sbin directoryserver start Other Installations ServerRoot slapd serverID start slapd or Solaris Packages usr sbin directoryserver stop Other Installations ServerRoot slapd serverID stop slapd where serverID is the identifier you specified for the server during installation On UNIX both of these scripts must run with the same UID and GID as the Directory Server For example if the Directory Server runs as nobody you must run the start slapd and stop slapd utilities as nobody Note that referral mode is no longer available You can set global referrals by using the Directory Server console This procedure is explained in Setting the Default Referrals on page 73 Starting and Stopping the Server From the Control Panel Windows If you are using a Windows system perform the following steps from the Services Control Panel 1 Select Start gt Settings gt Control Panel from the desktop 2 Double click the Services icon 3 Scroll through the list of services and select the Sun ONE Directory Server The service name is Sun ONE Directory Server 5 2 serverID where serverID is the identifier you specifie
450. owing example shows how you may use the same add LDIF syntax to add values to existing multivalued attribute and to attributes which do not exist yet ldapmodify h host p port D cn Directory Manager w password dn uid b jensen ou People dc example dc com changetype modify add cn cn Babs Jensen add mobile mobile 408 555 7844 mobile 408 555 7845 This operation may fail and the server will return an error if The given value already exists for an attribute The value does not follow the syntax defined for the attribute The attribute type is not required or allowed by the entry s object classes The attribute type is not multivalued and a value already exists for it Sun ONE Directory Server Administration Guide June 2003 Managing Entries From the Command Line Adding a Binary Attribute Value Binary attribute values are marked with the attribute binary subtype While the subtype is not required it helps users and clients determine the contents of an attribute Appropriate subtypes may be added to attribute names in any of the LDIF statements used with the ldapmodify command To enter a binary value you may enter it directly in the LDIF text or read it from another file The LDIF syntax for reading it from a file is shown in the following example ldapmodify h host p port D cn Directory Manager w password version 1 dn uid b jensen ou People dc example dc com changetyp
451. pecific value and then add it as a new value because these attributes are multivalued see Modifying One Value of a Multi Valued Attribute on page 70 You must use the syntax for defining schema elements that is described in RFC 2252 http www ietf org rfc rfc2252 txt Any new element definitions and changes you make to user defined elements will be saved in the file 99user 1dif Modifying schema definitions from the command line is prone to error because of the long values you must enter exactly However you may use this functionality in scripts that need to update your directory schema Modifying the Schema Using the Console The recommended method for customizing your directory schema is to use the Directory Server console interface described in the following sections The console lets you view the standard schema and provides a graphical interface for defining new attributes and object classes and editing the elements you have defined Again any new element definitions and changes you make to user defined elements will be saved in the file 99user 1dif To extend the directory schema you should proceed in the following order 1 Create the new attributes first as described in Creating Attributes on page 330 2 Then create an object class to contain the new attributes and add the attributes to the object class See Creating Object Classes on page 333 for information Chapter 9 Extending the Directory Sche
452. ponents are contained in the Sun ONE Directory Server Installation and Tuning Guide Finally this guide assumes you are familiar with the Directory Server console and the basic commands described in the Sun ONE Directory Server Getting Started Guide In particular the command line procedures rely on the 1dapmodify command and you should understand the LDIF LDAP data interchange format input used by this tool Also the Sun ONE Server Console Server Management Guide contains general background information on how to use Sun ONE servers Typographical Conventions This section explains the typographical conventions used in this book Monospaced font This typeface is used for literal text such as the names of attributes and object classes when they appear in text It is also used for URLs filenames and examples Italic font This typeface is used for emphasis for new terms and for text that you must substitute for actual values such as placeholders in path names The greater than symbol gt is used as a separator when naming an item ina menu or sub menu For example Object gt New gt User means that you should select the User item in the New sub menu of the Object menu NOTE Notes Cautions and Tips highlight important conditions or limitations Be sure to read this information before continuing Default Paths and Filenames All path and filename examples in the Sun ONE Directory Server product documentation are one
453. provides beneficial troubleshooting information To configure the access log for your directory 1 On the top level Configuration tab of the Directory Server console select Logs icon and then select the Access Log tab in the right hand panel This tab contains configuration settings for the access log as shown in the following figure Chapter 12 Managing Log Files 393 Access Log Figure 12 2 Configuration Panel for Log File Rotation and Deletion camus red iplanet com Sun ONE Directory Server example Console Edit Mew Object Help Sun ONE Directory Server Version 5 2 Configuration B Data Performance x Enable Logging Schema Log File Pe Backups i var Sun mps slapd exam pleJogs access Browse Creation Policy Maximum number of logs fio File size for each log 100 MB _ Unlimited size Create a newlog every fi Day s wv Deletion Policy v hen total log size exceeds 500 MB Must be greater than the log file size Ahen free disk space is less than 5 MB Ahen a file is older than 1 2 To enable access logging select the Enable Logging checkbox Clear this checkbox if you do not want the directory to maintain an access log Access logging is enabled by default 3 In the Log File field enter the full path and filename you want the directory to use for the access log The default is file is ServerRoot slapd serverID logs access 4 Set the maximum number o
454. r Installations 4 Inthe File for Rejects field enter the full path to the file in which you want the console to record all entries it cannot import or click Browse to select the file in the local file system For example the server cannot import an entry that already exists in the directory or an entry that has no parent object The console will write the error message sent by the server in the rejects file If you leave this field blank the server will not record rejected entries 5 Click OK to begin the import operation The Directory Server console displays a dialog containing the status of the operation and the text of any errors that occur If the File for Rejects is not blank all error messages will also be written in the named file Importing LDIF From the Command Line The 1dif2ldap command directoryserver 1dif21dap in the Solaris Packages will import an LDIF file through LDAP and perform all operations it contains Using this script you import data to all directory suffixes at the same time The server must be running in order to import using 1dif21dap The full path of the command is usr sbin directoryserver ldif2ldap ServerRoot slapd serverID 1dif2ldap The following examples perform an import using the 1dif21dap command You do not need root privileges to run the command but you must give credentials for the directory manager on the command line The last parameter is the name of one or more LDIF f
455. r of parameters at once 2 Modify the nsfarmserverURL attribute to change the name or port of the remote server The value is a URL containing the hostname and optional port number of on or more remote servers in the following format ldap s hostname port hostname port The URL it does not include any suffix information For information about specifying a secure port refer to Chaining Using SSL on page 112 The servers in URL will be contacted in the order listed when the first one fails to respond to a chained request All remote servers listed in the LDAP URL must contain the suffixDN that is the base entry of the chained suffix 3 Modify the nsmultiplexorBindDN and nsmultiplexorCredentials attributes to change the DN used for proxy access to the remote server The local server will use this DN as a proxy when accessing contents of the suffix on the remote server Operations performed through the chained suffix will use this proxy identity in the creatorsName and modifiersName attributes If no proxy DN is specified the local server will bind anonymously when accessing the remote server 4 Ifyou modify the proxy DN or its credentials you must create the corresponding ACI on the remote server This ACI is needed to allow the proxied operation through chaining Sun ONE Directory Server Administration Guide June 2003 Managing Chained Suffixes ldapmodify h host2 p port2 D cn Directory Manager w passw
456. r subagent gathers information from the application or device in response to a query from the SNMP manager This information is structured as variables in tables which are defined by a management information base MIB for the agent Usually the network manager queries the SNMP variables in the subagent and the subagent return the requested value SNMP also defines a mechanism that allows an agent to report an event by sending a trap message to all network managers However Directory Server does not implement traps and its subagent will never send a trap message You can have multiple subagents installed on a host machine For example if you have Directory Server Enterprise Server and Messaging Server all installed on the same host the subagents for each of these servers communicates with the same master agent In the Windows environment the master agent is the SNMP service provided by the Windows operating system In the UNIX environment the master agent is installed with the Sun ONE Administration Server For further information see Chapter 11 Using SNMP to Monitor Servers in the Sun ONE Server Console Server Management Guide The general procedure for setting up your server to be monitored through SNMP is the following 1 Compile the Directory Server MIB and integrate it into your SNMP management system Refer you your system s documentation 2 Set up SNMP on your machine then configure and start the SNMP master age
457. ractors dc example dc com objectclass top objectclass organizationalUnit description base of separate subsuffix for contractor identities D You must include the naming attributes of the DN and their values You must also include all attributes that are required by the schema of the base entry s object class and you may add any others that are allowed A subsuffix will have the access control defined by ACIs on its parent provided the scope of those ACIs includes the new subsuffix To define a different access policy on the subsuffix specify your aci attributes when you create the base entry Managing Suffixes Creating suffixes allows you to manage all of their contents together This section explains how to manage access to the suffix including disabling all operations making the suffix read only and creating suffix level referrals Many other directory administration tasks are configured at the suffix level but covered in separate chapters of this book Importing Data on page 132 Exporting Data on page 138 Managing Indexes on page 339 Encrypting Attribute Values on page 76 Managing Replication on page 265 Chapter 3 Creating Your Directory Tree 95 Managing Suffixes 96 Disabling or Enabling a Suffix Sometime you may need to make a suffix unavailable for maintenance or make its contents unavailable for security reasons Disabling a suffix prevents the server from reading or
458. rated password value cannot be used to bind to the directory server e aci The directory server will not apply any access control based on the contents of a virtual ACI value defined by CoS e objectclass The directory server will not perform schema checking on the value of a virtual object class defined by CoS e nsRoleDN A CoS generated nsRoleDN value will not be used by the server to generate roles Attribute subtypes not supported The CoS mechanism will not generate attributes with subtypes such as languages or binary Real and virtual attribute values The CoS mechanism never generates multivalued attributes containing real values defined in the entry and virtual values defined by the CoS template The values of an attribute are either those stored in the entry or those generated by the CoS mechanism as described in Overriding Real Attribute Values and Multivalued CoS Attributes on page 172 All templates must be local The DNs of template entries either in a CoS definition or in the specifier of the target entry must refer to local entries in the directory server Templates and the values they contain cannot be retrieved through directory chaining or referrals Managing CoS Using the Console This section describes how to create and edit CoS definitions through the Directory Server console Sun ONE Directory Server Administration Guide June 2003 Defining Class of Service CoS In addi
459. rder to be returned It also has the same behavior as the override qualifier Chapter 5 Advanced Entry Management 171 Defining Class of Service CoS 172 You can only make an attribute operational if it is also defined as operational in the schema For example if your CoS generates a value for the description attribute you cannot use the operational qualifier because this attribute is not marked operational in the schema The merge qualifier is either absent or given with the following value e merge schemes Allows the virtual CoS attribute to be multivalued either from multiple templates or multiple CoS definitions For more information see Multivalued CoS Attributes on page 172 Overriding Real Attribute Values You might create a pointer CoS definition entry that contains an override qualifier as follows dn cn pointerCoS dc example dc com objectclass top objectclass LDAPsubentry objectclass cosSuperDefinition objectclass cosPointerDefinition cosTemplateDn cn exampleUS cn data cosAttribute postalCode override This pointer CoS definition entry indicates that it is associated with the template entry cn exampleUS cn data that generates the value of the postalCode attribute The override qualifier indicates that this value will take precedence over the value of the postalCode attribute if it exists in a target entry NOTE If the CoS attribute is defined with the operational or override qualifi
460. reate the following ACI on the dc example dc com node aci targetattr userPassword version 3 0 acl modify own password allow write userdn ldap self Parent Access parent Keyword Specifies that users are granted or denied access to the entry only if their bind DN is the parent of the targeted entry Note that you must edit ACIs manually in Server Console to use the parent keyword For example if you want to allow users to modify any child entries of their bind DN you would create the following ACI on the dc example dc com node aci version 3 0 acl parent access allow write userdn ldap parent LDAP URLs You can dynamically target users in ACIs using a URL with a filter as follows userdn ldap lt suffix gt sub filter For example all users in the accounting and engineering branches of the example com tree would be granted or denied access to the targeted resource dynamically based on the following URL userdn ldap dc example dc com sub ou eng ou acct 198 Sun ONE Directory Server Administration Guide June 2003 Bind Rules NOTE Do not specify a hostname or port number within the LDAP URL LDAP URLs always apply to the local server Wildcards You can also specify a set of users by using the wildcard character For example specifying a user DN of uid b dc example dc com indicates that only users with a bind DN beginning with the letter b will
461. rectory 2 Remove the corresponding database configuration entry located in cn databaseName cn chaining database cn plugins cn config and the monitor entry below it ldapdelet h host p port D cn Directory Manager w password cn monitor cn dbName cn chaining database cn plugins cn config cn dbName cn chaining database cn plugins cn config Configuring Cascading Chaining In cascading chaining a subtree being chained from one server may itself be a chained suffix or contain chained subsuffixes When an operation involves the chained suffix in the one server it will be forwarded to the intermediate server that will contact a third server and so on A cascading chain occurs any time more than one hop between servers is required to access all of the data in a directory tree For example the following diagram show how access to the entry ou People 1 Europe dc example dc com is chained from Server A to Server B and finally to Server C Server A contains a root suffix dc example dc com and a chained subsuffix to Server B for the branch 1 Europe dc example dc com Server B contains the entry 1 Europe dc example dc com but the branch ou People 1 Europe dc example dc com is a chained subsuffix to Server C Server C actually contains the entry ou People 1 Europe dc example dc com Chapter 3 Creating Your Directory Tree 127 Configuring Cascading Chaining 128 Figure 3 3 Cascading Chai
462. rectory Contents 145 Restoring Data from Backups 146 e Ifyou have a backup of your hub that is not older than the maximum age of the change log contents on any of its suppliers either hub or master replicas then it may be used to restore this hub See Advanced Multi Master Configuration on page 277 for a description of change log age When the old backup is restored its suppliers will use their change logs to update this hub with all modifications that have been processed since the backup was saved NOTE Regardless of how you restore or reinitialize the hub replica you must then reinitialize all consumers of this hub including any other levels of hubs Restoring a Dedicated Consumer This section only applies to situations where the replication mechanism cannot automatically bring a dedicated consumer replica up to date for example if the database files become corrupted or if replication has been interrupted for too long In these cases you will need to restore or reinitialize the consumer in one of the following ways e The simplest way is to not restore a backup but to reinitialize the consumer from one of its suppliers either a master or a hub replica This insures that the latest data is sent to the consumer and that the data will be ready for replication See Initializing a Replica Using the Console on page 289 or Initializing a Replica From the Command Line on page 290 e For replicas with million
463. rectory Server After setting up the SNMP agent or service on your platform you must configure the SNMP parameters in your Directory Server instance To configure SNMP settings from the Directory Server console 1 On the top level Configuration tab of the Directory Server console select the server node at the root of the configuration tree then select the SNMP tab in the right hand panel Chapter 13 Monitoring Directory Server Using SNMP 409 Starting and Stopping the SNMP Subagent 2 Select the Enable Statistics Collection checkbox By default statistics for SNMP variables are not collected in order to improve resource usage If you do not use SNMP and do not monitor the attributes of the cn snmp cn monitor entry through LDAP you should leave this checkbox disabled 3 For UNIX servers you must enter the hostname and port number of the master agent in the corresponding text fields The defaults are localhost and port 199 respectively 4 Enter information in the text fields of the Descriptive Properties box These values will be reflected in the SNMP Entity table exposed by this server o Description Enter a description of your directory server similar to the description field for this instance in the topology tree of the Sun ONE Server Console o Organization Enter the name of the company or internal organization to which the directory server belongs o Location Enter a geographical location for the directory
464. rectory Server Deployment Guide Enabling DSML Requests Because LDAP is the standard protocol for accessing a directory DSML requests are not enabled by default after installing Directory Server If you want your server to respond to DSML requests sent over HTTP SOAP you must explicitly enable this feature To enable DSML requests on your server through the console 1 On the top level Configuration tab of the Directory Server console select the root node in the configuration tree and select the Network tab in the right hand panel 2 Select the Enable DSML checkbox and choose one of the following security options The secure port options are only available if you have activated SSL as described in Chapter 11 Implementing Security o Only non secure port Only DSML requests over unencrypted HTTP will be accepted on the non secure port o Only secure port Only DSML requests over HTTPS will be accepted on the secure port o Both secure and non secure ports Both ports will be active and clients may choose either one 3 Then edit any of the following fields o Port The HTTP port for receiving DSML requests 40 Sun ONE Directory Server Administration Guide June 2003 Configuring DSML o Encrypted Port The HTTPS port using SSL to received encrypted DSML requests o Relative URL A relative URL that when appended to the host and port determines the full URL that clients must use to send DSML requests B
465. rectory structure See Managing Groups on page 152 for more information To modify the size limit enforced by the server on data sent by clients 1 Set a new value for the nsslapd maxbersize attribute of the cn config entry e Todo this using the console log on as Administrator or Directory Manager and edit the cn config entry according to the procedure in Modifying Entries With the Generic Editor on page 54 Set the nsslapd maxbersize attribute to the maximum number of bytes that a client may send at once e Todo this from the command line use the following command ldapmodify h host p port D cn Directory Manager w password dn cn config changetype modify replace nsslapd maxbersize nsslapd maxbersize sizeLimitInBytes For more information see nsslapd maxbersize in Chapter 4 of the Sun ONE Directory Server Reference Manual 2 Restart the server as described in Starting and Stopping the Directory Server on page 20 Error Handling The command line tools process all entries or modifications in the LDIF input sequentially The default behavior is to stop processing when the first error occurs Use the c option to continue processing all input regardless of any errors You will see the error condition in the output of the tool In addition to the considerations listed above common errors are e Not having the appropriate access permission for the operation e Adding an entry with a DN
466. red and initialized suffix of the same type of replica as you wish to initialize either master hub or consumer and perform a normal backup on it according to the procedure in Backing Up Your Server Using the Console on page 142 4 Copy or transfer the files from the backup directory to a directory on the target machine for example using the ftp command 5 Load the files into the target server according to the procedures in Restoring Data from Backups on page 143 6 If you have initialized a new master in a multi master replication scenario follow the procedures in Convergence After Multi Master Initialization on page 286 to ensure the new replica will begin accepting update operations from clients Binary Copy Using Minimum Disk Space The following procedure uses less disk space and takes less time because it does not make backup copies of the database files However it requires you to stop the server being cloned to ensure the database files are in a coherent state 294 Sun ONE Directory Server Administration Guide June 2003 Enabling the Referential Integrity Plug In CAUTION This procedure must not be used to reinitialize a master that has already participated in a multi master replication scenario It may only be used to reinitialize a consumer server or to initialize a new master server To reinitialize an existing master replica use online initialization import an LDIF file or follow the procedur
467. result as if it had been performed locally The location of the data is transparent because the client is unaware that the suffix is chained and that the data is retrieved from a remote server A root suffixes on one server may have sub suffixes that are chained to another server thus creating a single tree structure from the client s point of view In the special case of cascading chaining the chained suffix may reference another chained suffix on the remote server and so on Each server will forward the operation and eventually return the result to the server handling the client s request For more general information about chaining refer to Chapter 5 Designing the Directory Topology in the Sun ONE Directory Server Deployment Guide Creating Suffixes You can create both root suffixes and subsuffixes using either the Directory Server console or the command line Creating a New Root Suffix Using the Console 1 On the top level Configuration tab of the Directory Server console right click on the Data node and select New Suffix from the pop up menu Alternatively you may select the Data node and choose New Suffix from the Object menu The New Suffix dialog box is displayed 2 Enter a unique suffix name in the Suffix DN field The name must use the distinguished name format consisting of one or more attribute value pairs separated by commas By convention root suffixes use domain component dc naming attribut
468. rformed through the chained suffix will use this proxy identity in the creatorsName and modifiersName attributes If no proxy DN is specified the local server will bind anonymously when accessing the remote server The ProxyPassword is the non encrypted value of the password for the proxy DN The password will be encrypted when it is stored in the configuration file For example nsmultiplexorbinddn uid hostl_proxy cn config nsmultiplexorcredentials secret CAUTION You should perform the ldapmodify command through an encrypted port to avoid sending a clear password The new entry will automatically include all of the chaining parameters with the default values defined in cn default instance config cn chaining database cn plugins cn config You may override any of these values by setting the attributes with different values when you create the chaining configuration entry See Setting Default Chaining Parameters on page 102 for the list of attributes for which you may define values Chapter 3 Creating Your Directory Tree 109 Creating Chained Suffixes Use the following command to create an ACI on the remote entry This ACI is needed to allow the proxied operation through chaining For more information on ACIs refer to Chapter 6 Managing Access Control ldapmodify h host2 p port2 D cn Directory Manager w password2 dn suffixDN changetype modify add aci aci targetattr target ldap suffixDN
469. ric placeholder value such as New which you should replace with a meaningful value for your entry 5 To define other attributes that are allowed on the chosen object class you must add them explicitly To provide values for optional attributes a Click the Add Attribute button to display a list of allowed attributes b Select one or more attributes from the Add Attribute dialog and click OK c Enter values beside the new attribute name in the generic editor For further details about other controls in this dialog see Modifying Entries With the Generic Editor on page 54 Chapter 2 Creating Directory Entries 51 Managing Entries Using the Console 6 By default one of the required attributes is selected as the naming attribute and appears in the entry DN displayed in the generic editor To change the naming attribute a Click the Change button to display the Change Naming Attribute dialog b Inthe table of attributes select the checkbox beside one or more attributes you wish to use in the DN of your new entry c Click OK in the Change Naming Attribute dialog The DN in the generic editor shows the new DN using the selected naming attributes 7 Click OK in the generic editor to save the new entry The new entry is displayed as a child of the parent entry in the directory tree Modifying Entries With a Custom Editor For object classes listed in Table 2 1 on page 49 you have the option of editing the entry with eith
470. ries is specified in the following registry key HKEY_LOCAL_MACHINE SOFTWARE Carnegie Mellon Project Cyrus SASL Library Available Plugins If you have installed Directory Server on the same host this key is automatically set to ServerRoot 1ib sas1 and does not need to be modified Examples of the Idapsearch Command You may perform DIGEST MD5 client authentication without using SSL The following example will use the default DIGEST MD5 identity mapping to determine the bind DN ldapsearch h host p nonSecurePort D w bindPassword mech DIGEST MD5 o realm hostFQDN o authid dn uid bjensen dc example dc com o authzid dn uid bjensen dc example dc com b dc example dc com givenname Richard The example above shows the use of the o lowercase letter o option to specify SASL options The Realm is optional but if specified it must be the fully qualified domain name of the server host machine The authid and authzid must both be present and identical although the authzid intended for proxy operations is not used The value of authid is the Principal used in identity mapping It is recommended that the authid contain the dn prefix followed by a valid user DN in the directory or the u prefix followed by any string determined by the client This allow you to use the mappings shown in DIGEST MD5 Identity Mappings on page 372 Usually you will want an SSL connection to p
471. rights is the time on the directory server not the time on the client The LDIF syntax for setting a bind rule based on the time of day is as follows timeofday operator time where operator can be one of the following symbols equal to not equal to greater than gt greater than or equal to gt less than lt or less than or equal to lt The time is expressed as four digits representing hours and minutes in the 24 hour clock 0 to 2359 For example e timeofday 1200 is true if the client is accessing the directory during the minute that the system clock shows noon e timeofday 0100 is true for access at any other time than 1 a m e timeofday gt 0800 is true for access from 8 01 a m through 11 59 p m e timeofday gt 0800 is true for access from 8 00 a m through 11 59 p m e timeofday lt 1800 is true for access from 12 00 midnight through 5 59 p m NOTE The time and date on the server are used for the evaluation of the timeofday and dayofweek bind rules and not the time on the client 208 Sun ONE Directory Server Administration Guide June 2003 Bind Rules The LDIF syntax for setting a bind rule based on the day in the week is as follows dayofweek day1 day2 The possible values for the dayofweek keyword are the English three letter abbreviations for the days of the week sun mon tue wed thu fri sat Specify all days you wish to grant access for ex
472. rmat specific to each mechanism In DIGEST MD5 it is recommended that clients create a Principal which contains either a dn prefix and an LDAP DN or a u prefix followed by any text determined by the client During the mapping the Principal sent by the client is available in the Principal place holder The default identity mapping for DIGEST MD5 is given by the following entry in your server configuration dn cn default cn DIGEST MD5 cn identity mapping cn config objectClass top objectClass nsContainer objectClass dsIdentityMapping objectClass dsPatternMatching cn default dsMatching pattern Principal dsMatching regexp dn dsMappedDN 1 This identity mapping assumes the dn field of the Principal contains the exact DN of an existing user in the directory To define you own identity mappings for DIGEST MD5 372 Sun ONE Directory Server Administration Guide June 2003 Configuring Client Authentication 1 Edit the default mapping entry or create new mapping entries under cn DIGEST MD5 cn identity mapping cn config See Identity Mapping on page 376 for the definition of the attributes in an identity mapping entry An example mapping for DIGEST MD5 is located in the following file ServerRoot slapd serverID 1dif identityMapping_Examples ldif This example assumes that the unqualified text field of the Principal contains the username of the desired identity The following comma
473. rol which may be included in a search operation The response to this control is to return the effective rights information about the entries and attributes in the search results This extra information includes read and write permissions for each entry and for each attribute in each entry The permissions may be requested for the bind DN used for the search or for an arbitrary DN allowing administrators to test the permissions of directory users Sun ONE Directory Server Administration Guide June 2003 Viewing Effective Rights CAUTION Viewing effective rights is itself a directory operation that should be protected and appropriately restricted Create further ACIs for the aclRights and aclRightsInfo attributes to restrict access by directory users to this information Effective rights functionality relies on an LDAP control To view the effective rights on a chained suffix you must enable this control in the chaining policy as described in Configuring the Chaining Policy on page 113 You must also ensure that the proxy identity used to bind to the remote server is also allowed to access the effective rights attribtues Using the Get Effective Rights Control Specify the Get Effective Rights control by using the ldapsearch command with the J 1 3 6 1 4 1 42 2 27 9 5 2 option By default the control will return the effective rights of the bind DN entry on the entries and attributes in the search results Use the follow
474. rovide encryption over secure port and DIGEST MD5 to provide the client authentication The following example will perform the same operation over SSL ldapsearch h host p securePort Z P home bjensen netscape cert7 db N certificateName wW keyPassword mech DIGEST MD5 o realm hostFQDN o authid dn uid bjensen dc example dc com o authzid dn uid bjensen dc example dc com b dc example dc com givenname Richard In this example the N and w options are required by the ldapsearch command but they are not used for client authentication Instead the server will again perform a DIGEST MD5 identity mapping of the Principal in the authid value Sun ONE Directory Server Administration Guide June 2003 Configuring LDAP Clients to Use Security Using Kerberos SASL GSSAPI in Clients When using the GSSAPI mechanism in clients you do not need to install a user certificate but you must configure the Kerberos V5 security system Also if you wish to use encrypted SSL connections you must trust the server certificate as described in Configuring Server Authentication in Clients on page 379 Configuring Kerberos V5 on a Client Host You must configure Kerberos V5 on the host machine where your LDAP clients will run 1 Install Kerberos V5 according to its installation instructions Sun recommends installing the Sun Enterprise Authentication Mechanism SEAM 1 0 1 client soft
475. rs and Groups window a Select a search area from the drop down list enter a search string in the Search field and click the Search button The search results are displayed in the list below b Highlight the entries you want in the search result list and click the Add button to add them to the list of entries which have access permission c Click OK to dismiss the Add Users and Groups window The entries you selected are now listed on the Users Groups tab in the ACI editor In the Access Control Editor click the Rights tab and use the checkboxes to select the rights to grant Click the Targets tab then click This Entry to display the node targeted by the ACI You can change the value of the target DN but the new DN must be a direct or indirect child of the selected entry If you do not want every entry in the subtree under this node to be targeted by the ACI you must enter a filter in the Filter for Sub entries field Additionally you can restrict the scope of the ACI to only certain attributes by selecting the attributes you want to target in the attribute list Chapter 6 Managing Access Control 215 Creating ACIs Using the Console Click the Hosts tab then the Add button to display the Add Host Filter dialog box You can specify a hostname or an IP address If you specify an IP address you can use the wildcard character Click the Times tab to display the table showing at what times access is allowed
476. rticiper d une fa on directe ou indirecte aux exportations des produits ou des services qui sont r gi par la l gislation am ricaine en mati re de contr le des exportations et la liste de ressortissants sp cifiquement d sign s sont rigoureusement interdites LA DOCUMENTATION EST FOURNIE EN L TAT ET TOUTES AUTRES CONDITIONS DECLARATIONS ET GARANTIES EXPRESSES OU TACITES SONT FORMELLEMENT EXCLUES DANS LA MESURE AUTORISEE PAR LA LOI APPLICABLE Y COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE A LA QUALITE MARCHANDE A L APTITUDE A UNE UTILISATION PARTICULIERE OU A L ABSENCE DE CONTREFACON Y SUNTONE CERTIFIED Contents About This Guide t 0 c5 2 stave a kee oe See ei A Da a 13 Purpose of This Guide iscsi edit yw dee ehnie dears hl es Ve ees ea Pee eee eee Bi eae 13 Prerequisites skipi a Souk eis Mpa hn e AEG at ENNE Mons tee coal Bins R EE e RAA Wee NENNE aan tee 13 Typographical Conventions errnisrens asip testa saGr dead tas ES E E TEE ba bates 14 Default Paths and Filenames sn isaer ieii e e een enn e cnet eee e tent een eens 14 Downloading Directory Server Tools 0 0 c cece teen eens 16 Suggested Reading os syc 5 2 dul atu shtts aa Lae G le gas ce Mesh eae aes de allege 16 Introduction to Sun ONE Directory Server eee eee eee eee 19 Overview of Directory Server Management 6 66 c cece eect eens 20 Starting and Stopping the Directory Server 6 c eee eee eens 20 Starti
477. rting entries from LDIF 133 initializing a suffix from the command line 136 137 initializing a suffix using the console 135 monitoring entry and database cache usage 400 read only mode 131 reindexing a suffix 350 setting suffix level referrals 97 temporarily disabling 96 Sun Tone Certified TM logo 2 T targattrfilters keyword 190 target ACI syntax 184 attribute values 190 attributes 187 DNs containing commas 186 235 keywords in ACIs 186 overview 185 using LDAP search filters 188 using LDAP URLs 198 target keyword 186 targetattr keyword 187 targetfilter keyword 188 targeting directory entries 186 timeofday keyword 208 TLS 357 Triple DES cipher 369 U UID uniqueness plug in 419 unique attribute plug in configuring 420 Unix master agent 406 user access 197 example 220 to child entries 198 to own entry 198 user accounts inactivating 260 lockout policy after wrong passwords 250 setting individual resource limits 262 userattr keyword 201 restriction on add 205 userdn keyword 197 V value based ACI 190 virtual attributes generated by class of service CoS generated by roles 154 VLV index see indexing with browsing index vlvindex utility 356 W wildcard in LDAP URL 199 in target 187 Windows master agent 406 Windows registry key for SASL library path 386 write right 192 Index 441 442 Sun ONE Directory Server Administration Guide June 2003
478. run the following ldapmodify command ldapmodify a h host p port D cn Directory Manager w password dn cn Marketing ou marketing ou People dc example dc com objectclass top objectclass LDAPsubentry objectclass nsRoleDefinition objectclass nsSimpleRoleDefinition objectclass nsManagedRoleDefinition cn Marketing description managed role for marketing staff Notice that the nsManagedRoleDef inition object class inherits from the LDAPsubentry nsRoleDefinition and nsSimpleRoleDefinition object classes Chapter 5 Advanced Entry Management 161 Assigning Roles Assign the role to a marketing staff member named Bob by updating his entry with the following ldapmodify command ldapmodify h host p port D cn Directory Manager w secret dn cn Bob Arnold ou marketing ou People dc example dc com changetype modify add nsRoleDN nsRoleDN cn Marketing ou marketing ou People dc example dc com The nsRoleDN attribute present in the entry indicates that the entry is a member of a managed role identified by the DN of its role definition To prevent users from adding or removing themselves from a managed role by modifying the nsRoleDN attribute add the following access control instruction ACI aci targetattr nsRoleDN targattrfilters add nsRoleDN nsRoleDN cn AdministratorRole dc example dc com del nsRoleDN nsRoleDN cn nsManagedDisabledRole dc example dc com v
479. rver but it is returned as part of the target entry For example if Babs Jensen s manager is defined to be Carla Fuentes her department number will be the following ldapsearch h host p port D cn Directory Manager w password b ou People dc example dc com s sub cn Jensen dn cn Babs Jensen ou People dc example dc com cn Babs Jensen manager cn Carla Fuentes ou People dc example dc com departmentNumber 318842 Example of a Classic CoS This example shows how to generate a postal address with a classic CoS The generated value is given in a template entry that is found by a combination of the cosTemplateDN in the CoS definition and the value of the cosSpecifier attribute in the target entry The following command creates the definition entry using the cosClassicDefinition object class ldapmodify a h host p port D cn Directory Manager w password dn cn classicCoS dc example dc com objectclass top objectclass LDAPsubentry objectclass cosSuperDefinition objectclass cosClassicDefinition cosTemplateDn ou People dc example dc com cosSpecifier building cosAttribute postalAddress Continuing the same command create the template entries that give the postal address for each building dn cn B07 cu People dc example dc com objectclass top objectclass LDAPsubentry objectclass extensibleobject objectclass cosTemplate postalAddres 7 Old Oak Street Anytown
480. ry not only the attributes being modified Therefore the operation may fail if any object class or attribute in the entry does not conform to the schema 323 Schema Checking Schema checking is turned on by default in the Directory Server and you should always run the Directory Server with schema checking turned on Many client applications assume that having schema checking turned on is an indication that all entries conform to the schema However turning on schema checking will not verify the existing contents in the directory The only way to guarantee that all directory contents conform to the schema is to turn on schema checking before adding any entries or before reinitializing all entries The only case where you might want to turn schema checking off is to accelerate import operations of LDIF files known to conform to the schema However there is a always risk of importing entries that do not conform to the schema and this cannot be detected When an entry does not conform to the schema it is impossible to search for this entry and modification operations on it will fail To make an entry comply with the schema you must do the following 1 If your server is in a production environment you may want to first make the entire server read only to prevent any modifications while schema checking is turned off See Setting Global Read Only Mode on page 36 2 Turn off schema checking as described below 3 Retrieve
481. ry Manager in order to perform the import Both import methods are described in Importing LDIF From the Command Line on page 134 The following example shows how to import an LDIF file to initialize the dc example dc com consumer replica usr sbin directoryserver stop usr sbin directoryserver ldif2db s dc example dc com i example_master 1ldif usr sbin directoryserver start ServerRoot slapd serverID stop slapd ServerRoot slapd serverID 1dif2db s dc example dc com i example_master 1ldif ServerRoot slapd serverID start slapd Using the 1dif2db p1 script does not require stopping the server beforehand For more information see Idif2db pl in Chapter 2 of the Sun ONE Directory Server Reference Manual 292 Sun ONE Directory Server Administration Guide June 2003 Initializing Replicas Initializing a Replica Using Binary Copy The new binary copy feature of Directory Server 5 2 clones an entire server by using the binary backup files from one server to restore the identical directory contents on another server This advanced feature interacts with the database files of the directory server and should only be used by experienced administrators Binary Copy Restrictions Because the binary copy feature moves database files from one machine to another the mechanism is subject to the following strict limitations e Both machines must use the same hardware and the same operating system includi
482. ry important to create and configure all replicas before you attempt to create a replication agreement This also allows you to initialize consumer replicas immediately after you create the replication agreement Consumer initialization is always the last stage in setting up replication Choosing Replication Managers A critical part of setting up replication is to choose the entry referred to as the replication manager that the suppliers will use to bind to a consumer server when sending replication updates All servers that contain suffixes receiving updates which includes dedicated consumers hubs and masters participating in multi master replication must have at least one replication manager entry Directory Server has a default replication manager entry that you may use on every server Its DN is cn Replication Manager cn replication cn config NOTE It is recommended that you use the default replication manager for all simple replication scenarios The replication wizard automatically configures consumer replicas with this entry thereby simplifying the deployment of your replicas The replication wizard will prompt you to set the password for the default replication manager if none is defined To change the password of the default replication manager at a later time 1 On the top level Configuration tab of the Directory Server console select the Data node and then select the Replication tab in the right hand panel 2
483. ry in the subtree and choose Set Access Permissions from the pop up menu The Access Control Manager window is displayed It contains the list of ACIs belonging to the entry 2 Inthe Access Control Manager window select the ACI that you want to delete 3 Click Remove The ACT is no longer listed in the Access Control Manager Access Control Usage Examples The examples provided in this section illustrate how an imaginary ISP company example com would implement its access control policy All the examples explain how to perform a given task from the console and using an LDIF file Example com s business is to offer a web hosting service and internet access Part of Example com s web hosting service is to host the directories of client companies Example com actually hosts and partially manages the directories of two medium sized companies Company333 and Company999 It also provides internet access to a number of individual subscribers These are the access control rules that example com wants to put in place e Grant anonymous access for read search and compare to the entire example com tree for example com employees see Granting Anonymous Access on page 218 e Grant write access to example com employees for personal information for such as homeTelephoneNumber homeAddress see Granting Write Access to Personal Entries on page 220 e Grant example com employees the right to add any role to their entry
484. s hubs or dedicated consumers Disabling Replicas Disabling a replica will remove it from the replication topology It will no longer be updated or send updates depending on its role as a master hub or consumer Disabling a supplier will delete all replication agreements and they will have to be recreated if the replica is enabled again To disable a replica 1 On the top level Configuration tab on the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix 2 Inthe right panel select the Change gt Disable Replication menu item Sun ONE Directory Server Administration Guide June 2003 Modifying the Replication Topology 3 Click Yes in the confirmation dialog 4 Optionally reset the write permissions and referrals for this suffix These settings are left as is when the replica is disabled for example a disabled consumer still sends modification requests to its former master replica To modify the write permissions and referrals select the node for this suffix on the Configuration tab and make modifications on the Settings tab in the right hand panel For more information see Setting Access Permissions and Referrals on page 119 Moving the Change Log The change log is an internal record of all modifications on a given supplier replica that the server uses to replay modifications to the other replicas The contents of the cha
485. s stapes eel ole eet aude Ce tannin caged eeu ead Oates ka de 284 When totmnitialize s 2 2 eyes out a dant eee ea ih in oe SE Sh TY Bid hte 285 Convergence After Multi Master Initialization 0 06 286 Initializing a Replica Using the Console 0 cece tenn ees 289 Initializing a Replica From the Command Line 6 66 c cece eee eens 290 Initializing a Replica Using Binary Copy 6 ccc cence enn eens 293 Enabling the Referential Integrity Plug In 6 ccc ect e rener 295 Replication Over SSL oss erran ea p DEn ea ell COG Salat de gku sate A S ane eit thats 296 Replication Overa WAN i 2 ccadene tind eal ce eet addy Leste Sao aeed yal A EE A da antetey Be 297 Configuring Network Parameters 1 2 0 0 ccc ene tenets 297 Scheduling Replication Activity 2 0 0 6 cece enn eee een eens 298 Data Compression ces nriran aens ARESE det ead dade degen sta S E A EAE det a aaa 299 Modifying the Replication Topology 0 0 6 0 ccc nent een eens 300 Managing Replication Agreements 6 6c cent tenes 300 Promoting or Demoting Replicas 0 c cece nett e rnrn 303 Dis bling Replicas iis s 2 2 c 08 aoaaa athens Gk ede dee de pea a a i cee aah ales 304 Moving the Chatige Lop iscsi vate eet ogee EE U tec Ged orca eee ALETE ented 305 Keeping Replicas in Syne seor essen Os aa Sie iad chutes Saw aes Mia ial edd lis 306 Replication With Earlier Releases 6 ccc cent ete een ees 308
486. s are shown in the corresponding lists o To define attributes that must be present select one or more of them in the Available Attributes list and then click the Add button to the left of the Required Attributes box o To define attribute that may be present select one or more of them in the Available Attributes list and then click the Add button to the left of the Allowed Attributes box Sun ONE Directory Server Administration Guide June 2003 Replicating Schema Definitions o To remove an attribute that you previously added highlight the attribute in either list and then click the corresponding Remove button You cannot remove allowed or required attributes that are inherited from the parent object class 4 When you have finished editing the object class click OK to save your changes Deleting Object Classes You can delete only the user defined object classes using the console Before deleting an object class definition you must ensure that no entry in directory currently uses this object class otherwise clients will be unable to access that entry To delete the schema definition of an object class 1 On the top level Configuration tab of the Directory Server console select the Schema node in the configuration tree then select the Object Class tab in the right hand panel 2 In the list of user defined object classes select the object class name and click Delete 3 Confirm the delete when prompted The server
487. s being targeted and efficiently set multiple access controls for a given target For example aci target target version 3 0 acl name permission bindRule permission bindRule permission bindRule The following is an example of a complete LDIF ACI aci target ldap uid bjensen dc example dc com targetattr version 3 0 acl example allow write userdn ldap self In this example the ACI states that the user bjensen has rights to modify all attributes in her own directory entry The following sections describe the syntax of each portion of the ACI in more detail Defining Targets The target identifies what the ACI applies to When a client requests an operation on attributes in an entry the server evaluates the target to see if the ACI must be evaluatated to allow or deny the operation If the target is not specified the ACI applies to all attributes in the entry containing the aci attribute and to the entries below it The general syntax for a target is one of the following keyword expression keyword expression where e keyword indicates the type of target The following types of targets are defined by the keywords in Table 6 1 on page 186 o A directory entry or its subtree Chapter 6 Managing Access Control 185 ACI Syntax o The attributes of an entry o A set of entries or attributes that match an LDAP filter o An attribute value or combination of values th
488. s bound to the directory as the Directory Manager the server does not evaluate any ACIs before performing operations As a result performance of LDAP operations as Directory Manager is not comparable to the expected performance of other users You should always test directory performance with a typical user identity Chapter 6 Managing Access Control 181 Access Control Principles 182 By default if no ACI applies to an entry access is denied to all users except for the Directory Manager Access must be explicitly granted by an ACI for a user to access any entry in the server The default ACIs define anonymous read access and allow users to modify their own entries except for attributes needed for security For more information see Default ACIs on page 183 Although the server processes the ACIs closest to the target entry first the effect of all ACIs that apply to an entry is cumulative Access granted by any ACI is allowed unless any ACI denies it ACIs that deny access no matter where they appear in the list take precedence over ACIs that allow access to the same resource For example if you deny write permission at the directory s root level then none of the users can write to the directory regardless of the specific permissions you grant them To grant a specific user write permissions to the directory you have to restrict the scope of the original denial for write permission so that it does not include the user
489. s disabled Enabling a Replication Agreement Enabling a replication agreement will resume replication with the designated consumer However if replication has been interrupted longer than the replication recovery settings will allow and the consumer was not updated by another supplier you will have to reinitialize the consumer The replication recovery settings are the maximum size and age of this supplier s change log and the purge delay of the consumer see Advanced Consumer Configuration on page 271 When the interruption is short and replication can recover the master will update the consumer automatically when the agreement is re enabled Sun ONE Directory Server Administration Guide June 2003 Modifying the Replication Topology To enable a replication agreement 1 On the top level Configuration tab on the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix 2 Inthe right panel select the replication agreement you want to enable 3 Click the Enable button in the box below the list of agreements 4 Reinitialize the consumer replica if necessary Deleting a Replication Agreement Deleting a replication agreement will stop the replication to the corresponding consumer and remove all configuration information about the agreement If you wish to resume replication at a later date disable the agreement instead as described in
490. s of entries it can be faster to use the new binary copy feature to restore a more recent backup taken from another consumer replica See Initializing a Replica Using Binary Copy on page 293 If there is no other consumer to copy you must reinitialize the replica as described in the previous paragraph or restore it as described in the next paragraph if possible e If the backup of your consumer is not older than the maximum age of change log contents on any of its suppliers either hub or master replicas then it may be used to restore the consumer See Advanced Multi Master Configuration on page 277 for a description of change log age When the old backup is restored its suppliers will use their change logs to update this hub with all modifications that have been processed since the backup was saved Sun ONE Directory Server Administration Guide June 2003 Solaris Packages Other Installations Solaris Packages Other Installations Restoring Data from Backups Restoring Your Server Using the Console If your directory data become corrupted you can restore data from a previously generated backup using the Directory Server console In order to restore your server using the console the directory server must be running However the corresponding suffixes will be unavailable for processing operations during the restore To restore your server from a previously created backup 1 On the top level Tasks tab of the Director
491. s to add or remove themselves from groups This is useful for example for allowing users to add and remove themselves from mailing lists At example com employees can add themselves to any group entry under the ou social committee subtree This is illustrated in the ACI Group Members example Chapter 6 Managing Access Control 233 Access Control Usage Examples 234 ACI Group Members In LDIF to grant example com employees the right to add or delete themselves from a group you would write the following statement aci targettattr member version 3 0 acl Group Members allow selfwrite userdn ldap uid ou People dc example dc com This example assumes that the ACI is added to the ou social committee dc example dc com entry From the console you can set this permission by doing the following 1 On the Directory tab right click the People entry under the example com node in the left navigation tree and choose Set Access Permissions from the pop up menu to display the Access Control Manager 2 Click New to display the Access Control Editor 3 On the Users Groups tab in the ACI name field type Group Members In the list of users granted access permission do the following a Select and remove All Users then click Add The Add Users and Groups dialog box is displayed b Set the Search area in the Add Users and Groups dialog box to Special Rights and select All Authenticat
492. s you may add to allow anonymous reading secure self modification and full administrator access aci targetattr userPassword Anonymous access allow read search targetattr nsroledn nsSizeLimit nsTimeLimit passwordPolicySubentry passwordExpWarned accountUnlockTime passwordAllowChangeTime version modification except for nsroledn attributes aci attributes allow aci targetattr version 3 0 Configuration Administrator allow all userdn ldap uid Sun ONE Directory Server Administration Guide June 2003 compare userdn aci nsIdleTimeout passwordExpirationTime passwordRetryCount passwordHistory version 3 0 acl ldap anyone nsLookThroughLimit retryCountResetTime 340 aci acl Allow self entry resource limit passwordPolicySubentry and password policy state write userdn ldap sel acl admin ou Administrators Managing Suffixes ou TopologyManagement o NetscapeRoot aci targetattr version 3 0 acl Configuration Administrators Group allow all groupdn ldap cn Configuration Administrators ou Groups ou TopologyManagement o NetscapeRoot As an example of a subsuffix the base entry for ou Contractors dc example dc com can be created with the following command ldapmodify a h host p port D cn Directory Manager w password dn ou Cont
493. se to store users and services and in it create the principal for the LDAP service The LDAP service principal is 1ldap serverFQDN REALM where the serverFQDN is the fully qualified domain name of your server 3 Create a keytab to store the service keys including one for the LDAP service 4 Start the Kerberos daemon processes Please refer to your software documentation for detailed instructions for each of these steps Configuring the GSSAPI Mechanism The following procedure explains the steps necessary to configure Directory Server to use GSSAPI on the Solaris platform 1 Using either the console or the ldapsearch command verify that GSSAPI is a value of the supportedSASLMechanisms attribute on the root entry For example the following command will show which SASL mechanisms are enabled ldapsearch h host p port D cn Directory Manager w password s base b objectclass supportedSASLMechanisms dn supportedSASLMechanisms EXTERNAL supportedSASLMechanisms DIGEST MD5 2 By default GSSAPI is not enabled and you may use the following ldapmodify command to enable it ldapmodify h host p port D cn Directory Manager w password dn cn SASL cn security cn config changetype modify add dsSaslPluginsEnable dsSaslPluginsEnable GSSAPI replace dsSaslPluginsPath dsSaslPluginsPath ServerRoot lib sasl 3 Create the default identity mapping for GSSAPI and any cu
494. server host o Contact Enter the email address or contact information of the directory server administrator 5 Click Save to store your changes 6 Start or restart the SNMP subagent on UNIX platforms or the SNMP service on a Windows platform as described in the following section Starting and Stopping the SNMP Subagent The following procedures describe how to start restart or stop the SNMP subagent on UNIX platforms including AIX and the SNMP service on Windows platforms NOTE If you add another server instance on the same host and you want the instance to be part of the SNMP network you must restart the SNMP subagent UNIX and AIX or SNMP service Windows On UNIX and AIX Platforms To start stop and restart the SNMP subagent for a directory running on UNIX 410 Sun ONE Directory Server Administration Guide June 2003 Starting and Stopping the SNMP Subagent On the top level Configuration tab of the Directory Server console select the server node at the root of the configuration tree then select the SNMP tab in the right hand panel Use the subagent control buttons below the Descriptive Properties box to start stop or restart the subagent Stopping the directory does not stop the directory subagent If you want to stop the subagent you must do so from this tab On Windows Platforms To start stop and restart the SNMP service for a directory running on Windows 1 2 3 Open the Windows Contr
495. sh automatically every ten seconds 3 To view an archived audit log select it from the Select Log pull down menu 4 Todisplay a different number of messages enter the number you want to view in the Lines to show text box and click Refresh 5 To filter the log messages you may enter a string in the Show only lines containing text box and then click Refresh Monitoring Server Activity 398 The server always maintains counters and statistics about its activity for example the number of connection and operations and cache activity for all suffixes This information can help you troubleshoot any errors and observe the performance of your server You can monitor your directory server s current activities from either the Directory Server Console or the command line Many of the parameters that can be monitored reflect your Directory Server performance and my be influenced by configuration and tuning For more information about the configurable attributes and how to tune them see the Sun ONE Directory Server Installation and Tuning Guide Monitoring Your Server Using the Console 1 On the top level Status tab of the Directory Server console select server icon at the root of the status tree The right hand panel displays current information about server activity If the server is currently not running this tab will not provide performance monitoring information 2 Click Refresh to refresh the current display If you wan
496. sh to set the activation state For more information see ns inactivate pl and ns activate pl in Chapter 2 of the Sun ONE Directory Server Reference Manual Setting Individual Resource Limits 262 You can control server limits for search operations using special operational attribute values on the client application binding to the directory You can set the following search operation limits e The look through limit specifies the maximum number of entries that will be examined for a search operation e The size limit specifies the maximum number of entries the server returns to the client application in response to a search operation e The time limit specifies the maximum time the server spends processing a search operation e The idle timeout specifies the time a client connection to the server can be idle before the server drops the connection NOTE The Directory Manager may use unlimited resources by default The resource limits you set for a specific user take precedence over the default resource limits you set in the global server configuration You should verify that attributes which store the individual resource limits are protected from self modification by the following ACI on the suffix containing user entries targetattr nsroledn aci nsLookThroughLimit nsSizeLimit nsTimeLimit nsIdleTimeout passwordPolicySubentry passwordExpirationTime passwordExpWarned
497. shedName favoriteDrink fax localityName labeledUrl rfc822mailbox Chapter 10 Managing Indexes 343 Managing Indexes Table 10 3 Primary Attribute Name and Their Alias Primary Attribute Name mobile O ou Attribute Alias mobileTelephoneNumber organizationName organizationalUnitName pager sn st pagerTelephoneNumber surname stateOrProvinceName street ttl uid streetAddress timeToLive userId Managing Indexes This section describes how to create and remove presence equality approximate substring and international indexes for specific attributes using the Directory Server console and the command line See Managing Browsing Indexes on page 352 for the separate procedures required before virtual list view VLV 344 Sun ONE Directory Server Administration Guide June 2003 operations NOTE Because indexes are specific to each suffix you need to remember to create your new indexes in every suffix configuration When you create new suffixes using the console you have the option of cloning the index configuration of an existing suffix Before you create new indexes balance the benefits of maintaining indexes against the costs Keep in mind that e Approximate indexes should not be used for attributes commonly containing numbers such as telephone numbers because they are not efficient e Substring indexes do not work for binary attributes Equality indexes shou
498. sole expand both the Data node and the node for the suffix you wish to be a hub replica and then select the Replication node below the suffix The replica status information is displayed in the right hand panel 2 Click the Enable replication button to begin the replication wizard 3 Select the Hub Replica radio button and click Next to continue Chapter 8 Managing Replication 273 Configuring a Hub If you have not already done so you will be prompted to select the change log file The default change log file is shown in the text field If you do not wish to use the default type in a filename for the change log or click Browse to display a file selector If the change log has already been enabled the wizard will skip this step Click Next If you have not already done so you will be prompted to enter and confirm a password for the default replication manager Type the same password in each field and then click Next to continue If the default replication manager already had a password defined the wizard will skip this step The replication wizard will display a status message while updating the replication configuration Click Close when it has completed The replication status now shows that the replica is ready to receive updates and the icon in the left hand pane changes to reflect this Advanced Hub Configuration As a supplier a hub server requires a change log and the wizard configures the hub replica to use the
499. sory hic she atir ad ek eas Sale ae Sele We aA eta dle eagle 326 Modifying the Schema From the Command Line 066 c cece cece eee eee 327 Modifying the Schema Using the Console n nananana nanaon eect teenies 327 Managing Attribute Definitions syss serrie 6 6 eee eee eens 328 Viewing Atiribites eag 2 ceale ates ik oda deed pane a a aM Maids cardial ea 328 Creating Attributes cne ciel eat aad bein la cdGrd cide eee ies apt ekee Genta eels 330 Editing Attributes ersen ive ain Sia Ad ee hate ae E a aa ded ond eed See 331 Deleting Attributes cece cnc Sand Sah ae eke HL an Snes wb SRT yee Sia Gene cae a8 PE GS 331 Managing Object Class Definitions 6 ccc eee nee re 332 Viewing Object Classes 2 20 ars det aa Get Hind E EEE E ede Reh ee a ve be Oeste 332 Creating Object Class s si piiat cat ae sa fah eel te EG es Se ae edie hae ih eee 333 Editing Object Classes2y5 eia 3 wks deat eye Pate Se Pe as ds ede coe AeA Ss 334 Deleting Obj ct Classes 24 04 09 acs naa haere ok pak eck ae ee ee eee A adits Saree 335 Replicating Schema Definitions 6 6 sesser errer rr rnrn rrene rn rererere 335 Modifying Replicated Schema Files 0 6 ees 336 Limiting Schema Replication 23 0 lt cc aires be eds Heeb ew yea GS eee Sate ed wee Dee 337 Managing IND X S e502 oe eres ec cee ee ace wees era eee eee eed ads ee eee ees 339 Overview of Indexing iore nipe oth ig Gentes ees ute eee dee ben aye yt tn gee tee 339 Sys
500. source and the target servers Enabling the Referential Integrity Plug In If you are using the referential integrity plug in you must enable it on all master servers You do not need to enable it on hub or consumer servers See Using Referential Integrity with Replication on page 83 Chapter 8 Managing Replication 295 Replication Over SSL Replication Over SSL You can configure Directory Servers involved in replication so that all replication operations occur over an SSL connection To do so complete the following steps 1 Configure both the supplier and consumer servers to use SSL Refer to Chapter 11 Implementing Security for details NOTE Replication over SSL will fail if the supplier server certificate is e 6A self signed certificate e An SSL server only certificate that cannot act as a client during an SSL handshake 2 If replication is not configured for the suffix on the consumer server enable it as described in Enabling a Consumer Replica on page 271 3 Follow the procedure in Advanced Consumer Configuration on page 271 to define the DN of the certificate entry on the consumer as another replication manager 4 Ifreplication is not configured for the suffix on the supplier server enable it as described in Enabling a Hub Replica on page 273 or Enabling a Master Replica on page 276 5 On the supplier server create a new replication agreement to send updates to
501. st run the vlvindex command directoryserver vlvindex in the Solaris Packages to generate the new set of browsing indexes This command will scan the directory contents and create a database file for the browsing index To generate browsing indexes use the following command usr sbin directoryserver vlvindex installDir slapd serverID vlvindex The following example generates the browsing indexes defined in the previous section vivindex n databaseName T Browsing ou People Table 10 4 Description of vlvindex Options Used in the Example Option Description n Specifies the name of the database containing the entries to be indexed T Specifies the value of the naming attribute of the vlvSearch entry of the corresponding browsing index All indexes corresponding to the vlvIndex entries of the given vlvSearch entry will be generated For more information see vlvindex in Chapter 2 of the Sun ONE Directory Server Reference Manual 356 Sun ONE Directory Server Administration Guide June 2003 Chapter 11 Implementing Security Sun ONE Directory Server supports several mechanisms to provide secure and trusted communications over the network LDAPS is the standard LDAP protocol that runs on top of the Secure Sockets Layer SSL to encrypt data and optionally use certificates for authentication Sun ONE Directory Server also supports the Start Transport Layer Security Start TLS extended operation to enable TLS o
502. status of salaried or contractor and an attribute representing the number of hours worked as a percentage of a full time position To target all the entries representing contractors or part time employees you could use the following filter targetfilter status contractor fulltime lt 79 NOTE The filter syntax describing matching rules for internationalized values is not supported in ACIs For example the following target filter is not valid targetfilter locality fr lt Quebec Target filters select whole entries as targets of the ACI You can associate the target filter and the targetattr keywords to create ACIs that apply to a subset of attributes in the targeted entries The following LDIF example allows members of the Engineering Admins group to modify the departmentNumber and manager attributes of all entries in the Engineering business category This example uses LDAP filtering to select all entries with businessCategory attributes set to Engineering dn dc example dc com objectClass top objectClass organization aci targetattr departmentNumber manager targetfilter businessCategory Engineering version 3 0 acl eng admins write allow write groupdn ldap cn Engineering Admins dc example dc com TIP Although using LDAP filters can be useful when you are targeting entries and attributes that are spread across the directory the results are som
503. stem s clipboard to copy cut and paste text in this field Edit any other values or perform other modifications as desired to this entry then click OK to save your changes and close the generic editor To remove a value of a multi valued attribute 1 Open the generic editor as described in Invoking the Generic Editor on page 54 Scroll through the list of attributes and click on the specific value you wish to remove The selected attribute is highlighted and the Delete Value button is activated If this button is not activated the selected attribute is read only or you do not have write permission to modify it Click the Delete Value button The text field containing the selected value is removed Edit any other values or perform other modifications as desired to this entry then click OK to save your changes and close the generic editor Adding an Attribute Before you can add an attribute to an entry the entry must contain an object class that either requires or allows the attribute For more information see Managing Object Classes on page 59 and Chapter 9 Extending the Directory Schema To add an attribute to an entry 1 2 Open the generic editor as described in Invoking the Generic Editor on page 54 Make sure that the Show only Attributes with Values option is checked Chapter 2 Creating Directory Entries 57 Managing Entries Using the Console 58 3 Click the Add Attribu
504. stom mappings as described in GSSAPI Identity Mappings on page 375 4 Configure Kerberos for the server on its host machine a Create the following LDAP service principal in Kerberos with a session key ldap serverHostname Realm where Sun ONE Directory Server Administration Guide June 2003 Configuring Client Authentication o The serverHostname is the fully qualified domain name of the server host machine This value must be the same value as the nsslapd localhost attribute in cn config except it must be all in lower case o The Realm is the Kerberos Realm of your server b The LDAP service must have read access to the key database in the following file etc krbs krb5 keytab c DNS must be configured on the host machine 5 Restart the directory server if you modified the SASL configuration entry or one of the GSSAPI identity mapping entries GSSAPI Identity Mappings Identity mappings for SASL mechanisms try to match credentials of the SASL identity with a user entry in the directory See Identity Mapping on page 376 for complete description of this mechanism Authentication will fail if the mapping cannot find a DN that corresponds to the SASL identity The SASL identity is a string called the Principal that represents a user in a format specific to each mechanism In Kerberos using GSSAPI the Principal is an identity with the format wid instance realm where the uid may contain an optional instan
505. sword dn cn uid uniqueness cn plugins cn config changetype modify replace nsslapd pluginArg0 nsslapd pluginArg0 attribute uid replace nsslapd pluginArgl nsslapd pluginArgl markerObjectClass baseObjectClass Sun ONE Directory Server Administration Guide June 2003 Enforcing Uniqueness of Another Attribute replace nsslapd pluginArg2 nsslapd pluginArg2 requiredObjectClass entryObjectClass 2D Restart the server for your changes to take effect Enforcing Uniqueness of Another Attribute The UID uniqueness plug in may be used to enforce the uniqueness of any attribute You must create a new instance of the plug in by creating a new entry under cn plugins cn config in the directory 1 Use the ldapmodify command to add the configuration entry of the new plug in instance The first part of the command is shown below The rest of the command is shown in the following steps ldapmodify a h host p port D cn Directory Manager w password dn cn plug in_name cn plugins cn config objectClass top objectClass nsSlapdPlugin objectClass extensibleObject cn plug in_name nsslapd pluginDescription Enforce unique attribute values nsslapd pluginType preoperation nsslapd plugin depends on type database nsslapd pluginPath ServerRoot lib uid plugin extension nsslapd pluginVersion 5 2 nsslapd pluginVendor Sun Microsystems Inc nsslapd pluginId NSUniqueAttr nsslapd pluginInitfunc NSUniqueAttr_Init nss
506. sword attributes All other checkboxes should be clear This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table then click the Name header to organize them alphabetically and select the appropriate ones 6 On the Hosts tab click Add to display the Add Host Filter dialog box In the DNS host filter field type example com Click OK to dismiss the dialog box 7 Click OK in the Access Control Editor window The new ACI is added to the ones listed in the Access Control Manager window ACI Write Subscribers NOTE By setting this permission you are also granting users the right to delete attribute values In LDIF to grant example com subscribers the right to update their password and home telephone number you would write the following statement aci targetattr userPassword homePhone version 3 0 acl Write Subscribers allow write userdn ldap self and authmethod ss1 This example assumes that the aci is added to the ou subscribers dc example dc com entry Note that example com subscribers do not have write access to their home address because they might delete the attribute and example com needs that information for billing Therefore the home address is business critical information From the console you can set this permission by doing the following 1 On the Directory tab right click the Subscribers entry under the ex
507. sword of the proxy identity on the remote server The local server will use this DN as a proxy when accessing contents of the suffix on the remote server For example use the uid hostl1_proxy cn config DN defined in Creating a Proxy Identity on page 101 You cannot use the DN of the Directory Manager on the remote server Operations performed through the chained suffix will use this proxy identity in the creatorsName and modifiersName attributes You may omit the proxy DN in which case the local server will bind anonymously when accessing the remote server Click OK to create the chained suffix The new suffix will appear in the configuration tree with the icon for chaining Click on the new chained suffix to select it and select the Remote Server tab in the right hand panel 106 Sun ONE Directory Server Administration Guide June 2003 Creating Chained Suffixes 8 Optionally you may define one or more failover servers for this chained suffix If the server cannot contact the remote server it will try each of the failover servers in the order defined until one of them responds Failover servers must contain the same suffix that is being chained and allow the same bind DN for proxying To define failover servers enter more hostname and port number pairs separated by spaces in the Remote Server URL field This field has the following format ldap s hostname port hostname port 9 At the bottom of the Remote
508. t left click the entry whose DN or URL you want to copy 2 Then select either Edit gt Copy DN or Edit gt Copy URL from the menu Console Settings The Directory Server console provides many settings for customizing how information in displayed in the Configuration and Directory tabs Chapter 1 Introduction to Sun ONE Directory Server 31 Using the Directory Server Console 32 Visual Configuration Preferences When you modify configuration parameters and enter values in fields on the top level configuration tab Directory Server console uses colored text to indicate valid input For example if you enable a feature that requires you to enter further configuration values the labels of the required fields will appear red and then turn blue once you enter valid value By default the console uses red and blue colors but you may modify this behavior as follows 1 On any tab of the Directory Server console select the Edit gt Preferences menu item In the Console Preferences dialog select the Misc tab 2 Choose the radio button for the visual configuration indicator that you prefer You may choose colored fonts or font appearances or both 3 For a description of the settings on the other tabs of the Console Preferences dialog see Customizing Sun ONE Server Console in Chapter 3 of the Sun ONE Server Console Server Management Guide Then click OK to save your changes 4 Exit all windows of the Sun ONE Server Console
509. t a meaningful name for example replicate_now sh You must provide actual values for the variables listed in this example NOTE The administrator must run this script because it cannot be configured to run automatically as soon as the server which was offline comes back online again bin sh SUP_HOST supplier_hostname SUP_PORT supplier_portnumber SUP_MGRDN supplier_directoryManagerDN SUP_MGRPW supplier_directoryManager Password MY_HOST consumer_hostname MY_PORT consumer_portnumber ldapsearch 1 h SUP_HOST p SUP_PORT D S SUP_MGRDN w S SUP_MGRPW b cn mapping tree cn config amp objectclass nsds5replicationagreement nsDS5ReplicaHost MY_HOST nsDS5ReplicaPort MY_PORT dn nsds5ReplicaUpdateSchedule gt tmp S cat tmp Ss Chapter 8 Managing Replication 307 Replication With Earlier Releases awk BEGIN s 0 dn print 0 print changetype modify print replace nsds5SReplicaUpdateSchedule print nsds5ReplicaUpdateSchedule 0000 2359 0123456 PENG a print 1 print 0 print changetype modify print replace nsds5SReplicaUpdateSchedule nsds5ReplicaUpdateSchedule s 1 print 0 8 if s sprint print Me i else print nsds5ReplicaUpdateSchedule 0000 2359 0123456 PELAG SS 4 eprint A he s 0 gt tmp ldif echo Ldif is in tmp ldif s echo ldapmodify c h SUP_H
510. t an effective way of creating this ACI because you would have to use manual editing mode to create the target filter and to check group ownership Granting Conditional Access to a Group or Role In many cases when you grant a group or role privileged access to the directory you want to ensure that those privileges are protected from intruders trying to impersonate your privileged users Therefore in many cases access control rules that grant critical access to a group or role are often associated with a number of conditions Sun ONE Directory Server Administration Guide June 2003 Access Control Usage Examples example com for example has created a Directory Administrator role for each of its hosted companies Company333 and Company999 It wants these companies to be able to manage their own data and implement their own access control rules while securing it against intruders For this reason Company333 and Company999 have full rights on their respective branches of the directory tree provided the following conditions are fulfilled e Connection authenticated using a certificate over SSL e Access requested between 8 am and 6 pm Monday through Thursday and e Access requested from a specified IP address for each company These conditions are illustrated in a single ACI for each company ACI Company333 and ACI Company999 Because the content of these ACIs is the same the examples below illustrate the Company333 A
511. t hand pane changes to reflect this Advanced Consumer Configuration By default the wizard configures the replica to use the default replication manager If you have created a different replication manager entry that you wish to use you need to set the advanced configuration You may also use this dialog to set referrals for modifications and the purge delay Chapter 8 Managing Replication 271 Configuring a Dedicated Consumer 272 On the top level Configuration tab of the Directory Server console expand both the Data node and the node for the suffix you wish to configure and then select the Replication node below the suffix In the right hand panel click the Advanced button to display the Advanced Replica Settings dialog On the Bind DN tab use the Add and Delete buttons to create a list of DNs that are valid replication managers A supplier can then use any one of these DNs in its agreement with this replica You can add a new DN by typing its name or browsing the directory To configure replication using certificates over SSL enter the DN of the certificate entry as one of the replication managers Click OK when you are done or select the Optional tab for more advanced configuration On the Optional tab of the Advanced Replica Settings dialog the list of LDAP URLs specifies additional referrals for modification requests sent to this consumer Use the Add or Delete buttons to create a list of LDAP URLs The replication
512. t on the replication topology The retro change log plug in may be enabled on any server of a single master deployment scenario It will not work properly in a multi master environment and should not be enabled in this case The retro change log is kept in addition to the server s 5 2 change log The retro change log is stored in a separate database under the special suffix cn changelog The retro change log consists of a single level of entries Each entry in the change log has the object class changeLogEnt ry and can include the attributes listed in the following table Sun ONE Directory Server Administration Guide June 2003 Using the Retro Change Log Plug In Table 8 1 Attributes of a Retro Change Log Entry Attribute Definition changeNumber This single valued attribute is always present It contains an integer that uniquely identifies each change This number is related to the order in which the change occurred The higher the number the later the change targetDN This attribute contains the DN of the entry that was affected by the LDAP operation In the case of a modrdn operation the targetDN attribute contains the DN of the entry before it was modified or moved changeTime This attribute specifies the time at which the change operation occurred changeType Specifies the type of LDAP operation This attribute can have one of the following values add delete modify or modrdn changes For add and modify operat
513. t the server to continuously update the displayed information select the Continuous checkbox This server status panel shows e The date and time the server was started e The current date and time on server When replication is enabled you should periodically check that the dates on each server do not begin to diverge Sun ONE Directory Server Administration Guide June 2003 Monitoring Server Activity e The Resource Summary Table For each of the following resources the table lists the total number since startup and the average per minute since startup Table 12 1 Resource Summary Table Resource Connections Operations Initiated Operations Completed Entries Sent to Clients Bytes Sent to Clients Total and Per Minute Average Since Startup Number of client connections established Number of operations requested by clients Number of operations not aborted by clients Number of entries returned in search results Number of bytes in all responses to client requests e The Current Resource Usage Table This table shows the following resources that were in use when the panel was last refreshed Table 12 2 Current Resource Usage Resource Active Threads Open Connections Remaining Available Connections Threads Waiting to Read from Client Databases in Use Most Current Real Time Usage Number of threads used for handling requests Additional threads may be created by internal server mechanisms suc
514. te button to display a dialog with a list of attributes This list contains only attributes that are allowed by the object classes defined for the entry 4 Inthe Add Attribute dialog select the one or more attribute you wish to add 5 Optionally you may select either or both of the following subtypes from the drop down lists at the top of the dialog o Language subtype Use this subtype to indicate the language used in the value of the attribute You may add an attribute multiple times with a different languages to store localization information in your directory Optionally you may select the Pronunciation subtype in addition to a language to indicate that the value of this attribute contains a phonetic equivalent for the value in the given language o Binary subtype Assigning the binary subtype to an attribute indicates that the attribute value is binary data Although you may store binary data in an attribute without the binary subtype it indicates to clients that multiple variants of the attribute type may exist 6 Click OK once you have selected an attribute and its optional subtypes The attribute is added alphabetically to the list in the generic editor 7 Enter anew value for this attribute in the empty text field beside the new attribute name You may use your system s clipboard to copy cut and paste text in this field 8 Edit any other values or perform other modifications as desired to this entry then click OK
515. te using your backup file Once you have your server certificate you are ready to install it in your server s certificate database Using the Console 1 On the top level Tasks tab of the Directory Server console click the Manage Certificates button Alternatively with the Tasks tab showing select the Manage Certificates item from the Console gt Security menu The Manage Certificates window is displayed 2 Select the Server Certs tab and click Install The Certificate Install Wizard is displayed 3 Choose one of the following options for the certificate location In this file Enter the absolute path to the certificate in this field Chapter 11 Implementing Security 363 Obtaining and Installing Server Certificates 364 In the following encoded text block Copy the text from the Certificate Authority or from the text file you created and paste it in this field For example Click Next to continue 4 Verify that the certificate information displayed is correct then click Next 5 Specify a name for the certificate then click Next This is the name that will appear in the table of certificates 6 Verify the certificate by providing the password that protects the private key This password is the same as the one you provided in Step 2 of Creating a Certificate Database on page 360 Click Done when you are finished Your new certificate appears in the list on the Server Certs tab Your server is now ready for SSL
516. ted on the Network tab of root node of the top level Configuration tab For more information see Setting a Default Referral Using the Console on page 73 Disabling or Enabling a Suffix From the Command Line 1 Edit the nsslapd state attribute in the suffix s configuration entry with the following command ldapmodify h host p port D cn Directory Manager w password dn cn suffixcDN cn mapping tree cn config changetype modify replace nsslapd state nsslapd state disabled or backend D Sun ONE Directory Server Administration Guide June 2003 Managing Suffixes where suffixDN is the full string of the suffix DN as it was defined including any spaces Set the nssladp state attribute to the value disabled to disable the suffix and to the value backend to enable full access The suffix will be disabled immediately when the command is successful 2 Optionally you may set the global default referral that will be returned for all operations on this suffix while it is disabled For more information see Setting a Default Referral From the Command Line on page 74 Setting Access Permissions and Referrals If you wish to limit access to a suffix without disabling it completely you may modify the access permissions to allow read only access In this case you must define a referral to another server for write operations You may also deny both read and write access and define a referral for all operations on th
517. ted resource is examined several times each time dropping the left most RDN component until a match is found For example you have an LDAP request targeted at the cn all ou groups dc subdomainl dc hostedCompany1 dc example dc com subtree and the following ACI aci targetattr target ldap ou Groups dn dc example dc com version 3 0 acl Domain access allow read search groupdn ldap cn DomainAdmins ou Groups dn dc example dc com The server proceeds as follows to expand this ACI 1 Sdn in target matches dc subdomainl dc hostedCompanyl 2 Replace an in the subject with dc subdomain1 dc hostedCompanyl The resulting subject is groupdn 1dap cn DomainAdmins ou Groups dc subdomainl dc hostedCompanyl dc example dc com If access is granted because the bind DN is a member of that group the macro expansion stops and the ACI is evaluated If it is not a member the process continues Chapter 6 Managing Access Control 245 Advanced Access Control Using Macro ACIs 246 3 Replace an in the subject with dc hostedCompany1 The resulting subject is groupdn 1dap cn DomainAdmins ou Groups dc hostedCompany1 dc example dc com Again the bind DN is tested as a member of this group and if so the ACI is evaluated fully If it is not a member macro expansion stops with the last RDN of the matched value and ACI evaluation is finished for this ACI The advantage of the dn
518. tem Indexes opin gusen pad Alas eed tena lake Gade Pa eds Sa eae sad mta dae ate 340 Default Indexes scones tanger Pew te he ois Bi coe eas HA Cok RG pe ee 341 Standard Index Files in a Database 0 ene n ene nee e enn nnes 343 Attribute Name Quick Reference Table 0 06 c ccc eee teens 343 Managing Ind xes nio ssrpsswes eager otan ay Siete ih eins BN ee ne SEDERE ALS es 344 Managing Indexes Using the Console 6 ccc cece eee nnn ees 345 Managing Indexes From the Command Line 6 6 c cece rreren rnrn reren 346 Reindexing a Suffe oe oh be bi dee a E etn eae det Rage nan Seah DENS 350 Modifying the Set of Default Indexes 0 nee ete nnn ees 351 Managing Browsing Indexes 3 025 cie ceed pen bee taht eee ea de ee Ue Pane a 352 Browsing Indexes for the Console 66 0 c cece ene teen nee eees 353 Browsing Indexes for Client Searches 6 c ccc ee eens 354 Implementing Security sasi 0600s eee eee eee ee ee ee eee bee eee ee eee eee es 357 Introduction to SSL in the Directory Server 1 0 0 6 eeee teenies 358 Summary of Steps for Enabling SSL 6 nett eens 359 Obtaining and Installing Server Certificates 66 359 Creating a Certificate Database 6 cent teen ES 360 Generating a Certificate Request 0006 0 enn ete tenets 361 Installing th Server Certificate a s ssn tie near GSS Pen Sa ds EE ogee Sea ws 362 Trusting the Certificate Authority scrisori senors dd p
519. ter contains the following sections e Overview of Indexing e Managing Indexes e Managing Browsing Indexes Overview of Indexing Indexes are stored for each suffix in files in the corresponding database directory Each index files contains all of the indexes defined in the suffix for a given attribute For example all indexes maintained for the common name cn attribute are stored in the databaseName_cn db3 file Index files are created when you initialize a suffix or use the commands described in this chapter During client search operations and internal operations the server accesses the indexes to find entries in the directory faster During modify operations the directory must update the directory contents and maintain the index by updating the index files 339 Overview of Indexing 340 Directory Server supports the following types of indexes Presence index pres Contains a list of the entries that contain the particular attribute regardless of its value Equality index eq Allows you to search efficiently for entries containing a specific attribute value Approximate index approx Provides efficient sounds like searches using the filter operator For example the approximate index is useful for searching partial names or misspelled names Directory Server uses a variation of the metaphone phonetic algorithm to perform searches on an approximate index NOTE The metaphone phonetic algorithm in Dir
520. ter when the network is more available and replication messages will not add further congestion to your network when it is already under high use You may schedule updates on a daily or weekly basis independently for every consumer through its replication agreement 1 On the top level Configuration tab of the Directory Server console expand both the Data node and the node for the replicated suffix 2 Select the Replication node below the suffix and in the right pane select the replication agreement you want to configure and click Edit 3 Select the Schedule tab of the Replication Agreement dialog and select the radio button beside the weekly schedule Sun ONE Directory Server Administration Guide June 2003 Replication Over a WAN 4 Define your schedule a Fora weekly update select the checkbox beside the day or days on which you wish replication to occur You may optionally enter a time range using 24 hour notation if you wish to further restrict replication on those days b Fora daily update click All to replicate every day and enter a time range using 24 hour notation when the replication should occur Note that time ranges may not straddle midnight 5 Click OK to save the new values and close the Replication Agreement dialog The new schedule will take effect immediately causing the next replication updates for the corresponding consumer to be delayed until first allowed by the schedule Data Compression
521. termines the substitution value by comparison to the entry targetted by the LDAP request For example you have an LDAP request targeted at the cn all ou groups dc subdomainl dc hostedCompany1 dc example dc com entry and an ACI that defines the target as follows target ldap ou Groups dn dc example dc com The dn macro matches with dc subdomainl dc hostedCompany1 This substring is then used for substitutions in the subject of the ACI Sun ONE Directory Server Administration Guide June 2003 Advanced Access Control Using Macro ACIs Substituting dn in the Subject In the subject of the ACI the dn macro is replaced by the entire substring that matches in the target For example groupdn ldap cn DomainAdmins ou Groups dn dc example dc com becomes groupdn ldap cn DomainAdmins ou Groups dc subdomainl dc hostedCompanyl dc example dc com Once the macro has been expanded Directory Server evaluates the ACI following the normal process to determine whether access is granted or not NOTE Unlike a standard ACI an ACI using macro substitution does not necessarily grant access to the children of the targetted entry The reason for this is that when the DN of the children is the target the substitution may not create a valid DN in the subject string Substituting dn in the Subject The substitution mechanism for an is slightly different than for an The DN of the targe
522. tes tab in the right hand panel 2 Inthe table of user defined attributes select the attribute and click Delete 3 Confirm the delete when prompted The server will delete the attribute definition immediately There is no undo Chapter 9 Extending the Directory Schema 331 Managing Object Class Definitions Managing Object Class Definitions 332 The Directory Server console also provides an interface to view all object classes in your schema and to can create edit and delete your own object class definitions Viewing Object Classes To view information about all object classes that are currently defined in your directory schema 1 On the top level Configuration tab of the Directory Server console select the Schema node in the configuration tree then select the Object Classes tab in the right hand panel This tab contains lists of all the standard read only and user defined object classes in the schema 2 Select the object class that you want to view from either list The other fields in the tab display the following information about the selected object class Table 9 3 Fields of the Object Classes Tab Field Description Required Attributes Contains a list of attributes that must be present in entries that use this object class This list includes inherited attributes Allowed Attributes Contains a list of attributes that may be present in entries that use this object class This list includes inherited
523. that will be returned in response to the chained search operation The default size limit is 2000 entries Set this parameter to a low value if you wish to limit broad searches involving the chained suffix In any case the operation will be limited by any size settings on the remote server nsslapd timelimit This parameter controls the length of time for chained operation The default time limit is 3600 seconds one hour Set this parameter to a low value if you wish to limit the time allowed for operations on the chained suffix In any case the operation will be limited by any time settings on the remote server Cascading Chaining Parameters nsCheckLocalAcl In single level chaining the local server does not check the access rights of the bound user on the chained suffix because that is the responsibility of the remote server Therefore the default value is off However intermediate servers in a cascading chain must set this parameter to on in order to check and limit the access rights of the proxy DN used by the server that is forwarding the chained operation nsHopLimit Loop detection relies on this parameter to define the maximum number of hops allowed Any chained operation that reaches this number of hops will not be forwarded but instead abandoned under the assumption there is an accidental loop in the cascading topology Connection Management Parameters nsOperationConnectionsLimit Maximum number of simultaneous LDAP conn
524. that already exists in the directory e Adding an entry below a parent that does not exist For more information about error conditions and how to avoid them see Chapter 4 ldapmodify and Chapter 5 Idapdelete of the Sun ONE Directory Server Resource Kit Tools Reference Chapter 2 Creating Directory Entries 65 Managing Entries From the Command Line 66 Adding Entries Using Idapmodify You can add one or more entries to the directory by using the a option of ldapmodify The following example creates an structural entry to contain user and then creates a user entry ldapmodify a h host p port D cn Directory Manager w password dn ou People dc example dc com objectclass top objectclass organizationalUnit ou People description Container for user entries dn uid b jensen ou People dc example dc com objectclass top objectclass person objectclass organizationalPerson objectclass inetorgPerson uid bjensen givenName Barbara sn Jensen cn Babs Jensen telephoneNumber 408 555 3922 facsimileTelephoneNumber 408 555 4000 mail bjensen example com userPassword clearPassword The D and w options give the bind DN and password respectively of a user with permissions to create these entries The a option indicates that all entries in the LDIF will be added Then each entry is given by its DN and its attribute values with a blank line between each entry The ldapmodify u
525. the backup in the following directory ServerRoot slapd serverID bak YYYY_MM_DD_hh_mm_ss where serverID is the name of your directory server and the directory name is generated to contain the time and date the backup was created 3 Click OK to create the backup 142 Sun ONE Directory Server Administration Guide June 2003 Solaris Packages Other Installations Restoring Data from Backups Backing Up Your Server From the Command Line You can back up your server from the command line using the db2bak command directoryserver db2bak in the Solaris Packages This script works whether or not the server is running You cannot back up the configuration information using this backup method For information on backing up the configuration information refer to Backing Up the dse ldif Configuration File on page 143 To back up your directory use the following command usr sbin directoryserver db2bak backupDir ServerRoot slapd serverID db2bak backupDir The backupDir parameter specifies the directory where the backup should be stored The default backup directory name is generated from the current date YYYY_MM_DD_hh_mm_ss For more information about using this script refer to db2bak in Chapter 2 of the Sun ONE Directory Server Reference Manual Backing Up the dse Idif Configuration File Directory Server automatically backs up the dse 1dif configuration file When you start your directory server it automaticall
526. the bind DN will be determined from the certificate mapping Using SASL DIGEST MD5 in Clients When using the DIGEST MD5 mechanism in clients you do not need to install a user certificate However if you wish to use encrypted SSL connections you must still trust the server certificate as described in Configuring Server Authentication in Clients on page 379 Specifying a Realm A realm defines the namespace from which the authentication identity is selected In DIGEST MD5 authentication you must authenticate to a specific realm Directory Server uses the fully qualified hostname of the machine as the default realm for DIGEST MD5 The server uses the lower case value of the hostname found in the nsslapd localhost configuration attribute If you do not specify a realm then the default realm offered by the server will be used Specifying Environment Variables In the UNIX environment you must set the SASL_PATH environment variable so the LDAP tools will find the DIGEST MD5 libraries The DIGEST MD5 library is a shared library dynamically loaded by the SASL plug in and therefore you should set the SASL_PATH variable as follows for example in the Korn shell export SASL_PATH ServerRoot lib sasl This path assumes that Directory Server is installed on the same host where the LDAP tools will be invoked Chapter 11 Implementing Security 385 Configuring LDAP Clients to Use Security 386 On Windows the path to the SASL libra
527. the directory as attributes of entries The aci attribute is an operational attribute it is available for use on every entry in the directory regardless of whether it is defined for the object class of the entry It is used by the directory server to evaluate what rights are granted or denied when it receives an LDAP request from a client The aci attribute is returned in an ldapsearch operation if specifically requested The three main parts of an ACI statement are e Target Deterimes the entry or attributes to which the permissions will apply e Permission Defines what operations are allowed or denied e Bind Rule Determines who is subject to the ACI based on their bind DN The permission and bind rule portions of the ACI are set as a pair also called an Access Control Rule ACR The specified permission to access the target is granted or denied depending on whether the accompanying rule is evaluated to be true For more information see ACI Syntax on page 184 Sun ONE Directory Server Administration Guide June 2003 Access Control Principles ACI Placement If an entry containing an ACI does not have any child entries the ACI applies to that entry only If the entry has child entries the ACI applies to the entry itself and all entries below it As a direct consequence when the server evaluates access permissions to any given entry it verifies the ACIs for every entry between the one requested and the base of its root su
528. the entry and manually compare it with the currently defined schema to determine why it does not comply See Viewing Attributes on page 328 and Viewing Object Classes on page 332 4 Modify the entry to make it comply with the schema If you have many nonconforming entries and these entries represent a pattern or new format for your data you may consider modifying the schema instead However you should plan your schema ahead of your deployment to minimize changes to the schema For more information see Chapter 3 Designing the Schema in the Sun ONE Directory Server Deployment Guide 5 Turn on schema checking as described below 6 Unset the global read only mode if you had enabled it Setting Schema Checking Using the Console 1 On the top level Configuration tab of the Directory Server console select the schema node in the configuration tree The right hand panel contains the definition of the schema 324 Sun ONE Directory Server Administration Guide June 2003 Overview of Extending the Schema 2 The status message at the top of the panel indicates whether schema checking is currently enabled or disabled Click the button to the right to toggle schema checking off or on o The button is labeled Disable to turn off schema checking o The button will be labeled Enable when you can turn on schema checking The new schema checking policy is effective immediately Setting Schema Checking From the Command
529. the expression aborted due to a resource limitation then the server handles this case correctly it does not erroneously grant access because an Undefined value occurred in a complex Boolean expression Bind Rule Syntax Whether access is allowed or denied depends on whether an ACI s bind rule is evaluated to be true Bind rules use one of the two following patterns keyword expression keyword expression where equal indicates that keyword and expression must match in order for the bind rule to be true and not equal indicates that keyword and expression must not match in order for the bind rule to be true NOTE The timeofday keyword also supports the inequality expressions lt lt gt gt This is the only keyword that supports these expressions Chapter 6 Managing Access Control 195 Bind Rules 196 The quotation marks around expression and the delimiting semicolon are required The expressions you can use depend on the associated keyword The following table lists each keyword and the associated expressions It also indicates whether wildcard characters are allowed in the expression Table 6 2 LDIF Bind Rule Keywords Keyword userdn groupdn roledn userattr ip dns dayofweek timeofday authmethod Valid Expressions ldap distinguished_name ldap all Idap anyone Idap self Idap parent Idap suffix sub filter Idap DN
530. the reindexing dialog By default the attributes that you modified or added to the index configuration are selected Click OK to begin reindexing these attributes Reindexing many attributes for directories with millions of entries may take several hours but the suffix will always be online during the reindexing If you added or modified indexes on several attributes and you have a recent LDIF file exported from this suffix click on the Initialize suffix button In the Initialize suffix dialog enter or browse the path and name of the LDIF file and click OK The server will reinitialize the suffix from the LDIF file an create all indexes according to the new configuration Depending on the size of the directory reinitializing the suffix is usually faster than reindexing two or more attribute but the suffix is unavailable during the initialization If you do not reindex or reinitialize your suffix all data will still be available but your new index will not be created and will not improve directory access performance If you reindex or reinitialize your suffix the new index is immediately active for any new data that you add and any existing data in your directory You do not have to restart your server Managing Indexes From the Command Line Creating or modifying indexes from the command line involves two steps Using the ldapmodify command line utility to add or modify an index configuration entry Indexes are configured separately in
531. the values of the desired attributes from the list above Click Save in the Generic Editor dialog and the changes will take effect immediately Setting Default Chaining Parameters From the Command Line 1 Use the 1dapmodify command to edit the entry cn default instance config cn chaining database cn plugins cn config All attributes of this entry become the default values of the parameters in a new chained suffix For example the following command will increase the default size limit to 5000 entries and decrease the default time limit to 10 minutes in new chained suffixes ldapmodify h host p port D cn Directory Manager w password dn cn default instance config cn chaining database cn plugins cn config changetype modify replace nsslapd sizelimit nsslapd sizelimit 5000 replace nsslapd timelimit nsslapd timelimit 600 D Modifications to this entry will take effect immediately Creating Chained Suffixes Using the Console The following procedure is nearly identical for creating chained root suffixes and chained subsuffixes 1 Select the Configuration tab of the Directory Server console For a chained root suffix right click on the Data node and select New Chained Suffix from the pop up menu Alternatively you may select the Data node and choose New Chained Suffix from the Object menu Chapter 3 Creating Your Directory Tree 105 Creating Chained Suffixes For a chained subsuffix expand
532. them to chain Create the list of components that you allow to chain by using the Add and Delete buttons See Chaining Policy of Server Components on page 115 for a description of each component 4 Click Save to save your chaining policy 5 Restart the server in order for the changes to take affect Modifying the Chaining Policy From the Command Line The cn config cn chaining database cn plugins cn config entry contains the attributes for the chaining policy configuration Use the ldapmodify command to edit this entry 1 Modify the multivalued nsTransmittedControls attribute so that it contains the OIDs of all LDAP controls you allow to chain Refer to the Chaining Policy of LDAP Controls on page 114 for the OID of all controls that may be chained For example the following command adds the effective rights control to the list of chained controls Chapter 3 Creating Your Directory Tree 117 Managing Chained Suffixes 118 ldapmodify h host p port D cn Directory Manager w password dn cn config cn chaining database cn plugins cn config changetype modify add nsTransmittedControls nsTransmittedControls 1 3 6 1 4 1 42 2 27 9 5 2 D If your client applications use custom controls and you wish to allow them to chain you may also add their OID to the nsTransmittedControls attribute 2 Modify the multivalued nsAct iveChainingComponents attribute so that it contains the DNs of all server compone
533. ther checkboxes are clear 5 Click the Edit Manually button and in the LDIF statement that is displayed change the word allow to deny 6 On the Targets tab click This Entry to display the ou subscribers dc example dc com suffix in the target directory entry field In the attribute table tick the checkboxes for the connectionTime and accountBalance attributes All other checkboxes should be clear This task is made easier if you click the Check None button to clear the checkboxes for all attributes in the table then click the Name header to organize them alphabetically and select the appropriate ones This example assumes that you have added the connect ionTime and account Balance attributes to the schema 7 Click OK The new ACI is added to the ones listed in the Access Control Manager window Setting a Target Using Filtering If you want to set access controls that allow access to a number of entries that are spread across the directory you may want to use a filter to set the target Keep in mind that because search filters do not directly name the object for which you are managing access it is easy to unintentionally allow or deny access to the wrong objects especially as your directory becomes more complex Additionally filters can make it difficult for you to troubleshoot access control problems within your directory Allowing Users to Add or Remove Themselves From a Group Many directories set ACIs that allow user
534. ther subtrees and have members anywhere in the directory 154 Sun ONE Directory Server Administration Guide June 2003 Assigning Roles About Roles Each role has members or entries that possess the role As entries are retrieved from the directory the roles mechanism automatically generates the nsRole attribute in every entry that is a member of any role This multi valued attribute contains the DN of all role definitions in which the entry is a member The nsRo1e attribute is a computed attribute that is not stored with the entry itself but which is returned to the client application as a normal attribute in operation results Sun ONE Directory Server supports three types of roles e Managed role The administrator assigns a managed role by adding the nsRoleDN attribute to the desired member entries The value of this attribute is the DN of the role definition entry A managed role is similar to a static group except that membership is defined in each entry and not in the role definition entry e Filtered role These are equivalent to dynamic groups they define a filter string in their nsRoleFilter attribute The scope of a filtered role is the subtree in which it is located rooted at the parent of its definition entry When the server returns an entry in the scope of a filtered role that matches its filter that entry will contain the generated nsRole attribute identifying the role e Nested role These are roles that name other r
535. tility will create each entry after it is entered and report any errors By convention the LDIF of an entry lists the attributes in the following order e The list of object classes e The naming attribute or attributes This is the attribute used in the DN and it is not necessarily one the required attributes e The list of required attributes for all object classes e Any allowed attributes that you wish to include When entering a value for the userpassword attribute give the clear text version of the password The server will encrypt this value and store only the encrypted value Be sure to limit read permissions to protect clear passwords that appear in LDIF files Sun ONE Directory Server Administration Guide June 2003 Managing Entries From the Command Line You may also use an alternate form of the LDIF that does not require the a option on the command line The advantage of this form is that you may combine entry addition with entry modification statements shown in the next section ldapmodify h host p port D cn Directory Manager w password dn ou People dc example dc com changetype add objectclass top objectclass organizationalUnit ou People description Container for user entries dn uid bjensen ou People dc example dc com changetype add objectclass top objectclass person objectclass organizationalPerson objectclass inetorgPerson uid bjensen givenName Barbara sn Jense
536. time of log rotation You can configure the following parameters 390 Sun ONE Directory Server Administration Guide June 2003 Access Access Log The maximum size of the combined archived logs When the maximum size is reached the oldest archived log is automatically deleted If you don t want to set a maximum size type 1 in this field The default is 500 MB This parameter is ignored in the number of log files is set to 1 The minimum amount of free disk space When the free disk space reaches this minimum value the oldest archived log is automatically deleted The default is 5 MB This parameter is ignored in the number of log files is set to 1 The maximum age of log files When a log file reaches this maximum age it is automatically deleted The default is 1 month This parameter is ignored in the number of log files is set to 1 Manual Log File Rotation You can manually rotate log files if you have not set automatic log file creation or deletion policies By default access errors and audit log files can be found in the following directory ServerRoot slapd serverID logs To manually rotate log files 1 Shut down the server See Starting and Stopping the Directory Server on page 20 for instructions Move or rename the log file you are rotating in case you need the old log file for future reference Restart the server See Starting and Stopping the Directory Server on page 20 for instructio
537. ting the generated request via email or a website Click Next to continue Enter the Requestor Information in the blank text fields Server Name Enter the fully qualified hostname of the Directory Server as it is used in DNS lookups for example east example com Organization Enter the legal name of your company or institution Most CAs require you to verify this information with legal documents such as a copy of a business license Organizational Unit Optional Enter a descriptive name for your division or business unit within your company Chapter 11 Implementing Security 361 Obtaining and Installing Server Certificates 362 Locality Optional Enter your company s city name State or Province Enter the full name of your company s state or province with no abbreviations Country Select the two character abbreviation for your country s name in ISO format The country code for the United States is US Appendix C Directory Internationalization in the Sun ONE Directory Server Reference Manual contains a list of ISO Country Codes Click Next to continue 5 Enter the password of your security device then click Next This is the password set in Creating a Certificate Database on page 360 6 Select Copy to Clipboard or Save to File to save the certificate request information that you must send to the Certificate Authority 7 Click Done to dismiss the Certificate Request Wizard Using the Comm
538. tion if your CoS values need to be secure you should define access control instructions ACIs for both CoS definition and template entries as well as for the specifier attribute in the target entries See the Sun ONE Directory Server Deployment Guide for CoS security considerations and Chapter 6 Managing Access Control for procedures to create ACIs using the console Creating a New CoS In the case of pointer CoS and classic CoS you must create the template entry before the definition entry 1 On the top level Directory tab of the Directory Server console right click the entry in the directory tree where you want to add the new template entry and select the New gt Other item from the pop up menu Alternatively select the parent entry and choose the New gt Other item from the Object menu In the New Object dialog select costemplate from the list of object classes The Generic Editor dialog opens with default values for certain attributes in the new template Edit the new template object in the following manner a Add the LDAPsubentry and extensibleobject values to the objectclass attribute b Add the cn attribute and give it a value that will identify the template for example cosTemplateForHeadquartersFax c Change the naming attribute to the new cn attribute You may add any other attribute and use it as the naming attribute instead but using cn is common practice d Modify the cosPriority attribute b
539. tion tab of the Directory Server console select Logs icon and then select the Audit Log tab in the right hand panel This tab contains configuration settings for the audit log such as those shown in Figure 12 2 on page 394 To enable audit logging select the Enable Logging checkbox To disable audit logging clear the checkbox By default audit logging is disabled In the Log File field enter the full path and filename you want the directory to use for the audit log The default is file is ServerRoot slapd serverID logs audit Set the maximum number of logs log size and periodicity of archiving For information on these parameters see Defining a Log File Rotation Policy on page 390 Set the maximum size of combined archived logs minimum amount of free disk space and maximum age for a log file For information on these parameters see Defining a Log File Deletion Policy on page 390 When you have finished making changes click Save Viewing the Audit Log 1 On the top level Status tab of the Directory Server console select Logs icon and then select the Audit Log tab in the right hand panel This tab displays a table containing the latest entries in the selected audit log such as the one shown in Figure 12 1 on page 392 Chapter 12 Managing Log Files 397 Monitoring Server Activity 2 To refresh the current display click Refresh Select the Continuous checkbox if you want the display to refre
540. tion to the secure port setting described in the previous section you may configure the level of security that is required to accept DSML requests The ds hdsml clientauthmethod attribute of DSML front end plug in determines what authentication methods are required of the client This attribute may have the following values e httpBasicOnly The server will use the contents of the HTTP Authorization header to find a user name that can be mapped to an entry in the directory This process and its configuration are further described in DSML Identity Mapping on page 43 With this setting DSML requests to a secure HTTPS port will be encrypted through SSL but not use client certification e clientCertoOnly The server will use credentials from the client certificate to identify the client With this value all DSML clients must use the secure HTTPS port to send DSML requests and provide a certificate The server will check that the client certificate matches an entry in the directory See Chapter 11 Implementing Security for more information about client certificates e clientCertFirst The server will attempt to authenticate clients first with a client certificate if one is provided Otherwise the server will authenticate clients using the contents of the Authorization header If no certificate and no Authorization header is provided in the HTTP request the server will perform that DSML request with anonymous binding Anonymous bin
541. to override the delay Use the insync tool to ensure that the replica has converged with all other masters Replicas are in sync if the delay between modifications on all servers is zero or if the replica has never had any changes to replicate delay of 1 For more information see insync in Chapter 1 of the Sun ONE Directory Server Reference Manual Chapter 8 Managing Replication 287 Initializing Replicas 3 Click the button to the right of the message to start accepting update operations immediately To Begin Accepting Updates Through the Command Line The following commands may be used in scripts that automate the process of initializing a multi master replica by checking for convergence and explicitly allowing update operations 1 Use the insync tool to ensure that the replica has converged with all other masters Replicas are in sync if the delay between modifications on all servers is zero or if the replica has never had any changes to replicate delay of 1 For more information see insync in Chapter 1 of the Sun ONE Directory Server Reference Manual 2 Modify the ds5BeginReplicaAcceptUpdates configuration attribute with the following command ldapmodify h host p port D cn Directory Manager w password dn cn replica cn suffixName cn mapping tree cn config changetype modify add ds5BeginReplicaAcceptUpdates ds5BeginReplicaAcceptUpdates start D When a replica is initialized ds5BeginReplicaAccept
542. to save your changes and close the generic editor Removing an Attribute To remove an attribute and all of its values from an entry 1 Open the generic editor as described in Invoking the Generic Editor on page 54 2 Scroll through the list of attributes and click on the attribute name you wish to remove The selected attribute is highlighted and the Delete Attribute button is activated If this button is not activated the selected attribute is read only or you do not have write permission to modify it Sun ONE Directory Server Administration Guide June 2003 Managing Entries Using the Console NOTE The generic editor allows you to remove attributes that are required by object classes that may be defined for this attribute If you try to save the entry without a required object class the server will respond with an object class violation Make sure your entry includes the required attributes for all object classes it defines Click the Delete Attribute button The attribute and all of its text field values are removed Edit any other values or perform other modifications as desired to this entry then click OK to save your changes and close the generic editor Managing Object Classes The object classes of an entry are defined by the multi valued objectclass attribute The generic editor provides special dialogs when modifying this attribute to help you manage the defined object classes To add an object class t
543. tory 199 creating dynamic groups 153 static groups 152 dynamic groups 152 modifying a group definition 154 referential integrity management 81 removing a group definition 154 static groups 152 GSSAPI see SASL H hub replica configuration 273 Index 435 id2children db2 file 343 id2entry db2 file 343 identity mapping 376 importing LDIF 132 from the command line 134 initializing a suffix using the console 135 initializing a suffix with ldif2db 136 initializing a suffix with ldif2db pl 137 using the console 133 inactivating user accounts 260 indexing 339 approximate index 340 browsing index 352 creating browsing indexes for client searches 354 creating browsing indexes for the console 353 creating indexes from the command line 346 creating indexes using the console 345 database files 343 deleting an index file 349 equality index 340 matching rule index 340 modifying the default indexes 351 presence index 340 reindexing a suffix 350 reindexing by reinitializing a suffix 351 substring index 340 system indexes 340 viewing the default indexes 341 indirect CoS see CoS internationalization modifying entries 69 ip keyword 206 K Kerberos see SASL L LDAP clients 436 Sun ONE Directory Server Administration Guide June 2003 authentication over SSL 379 LDAP controls chaining 114 LDAP search filters in targets 188 example 233 examples 189 LDAP URLs in access control 198 Idapdelete utility deleting entri
544. tribute value syntax The deleteoldrdn line indicates whether the previous naming attribute should be removed from the entry at the same time 1 is yes 0 is no In both cases the new naming attribute will also be added to the entry Deleting Entries Using Idapdelete Use the 1dapdelete command line utility to delete entries from the directory This utility binds to the directory server and deletes one or more entries given by their DN You must provide a bind DN that has permission to delete the specified entries For the same reason you cannot rename a parent entry you cannot delete an entry that has children The LDAP protocol forbids the situation where children entries would no longer have a parent For example you cannot delete an organizational unit entry unless you have first deleted all the entries that belong to the organizational unit Chapter 2 Creating Directory Entries 71 Setting Referrals CAUTION Do not delete the suffix o Net scapeRoot The Sun ONE Administration Server uses this suffix to store information about installed Sun ONE servers Deleting this suffix could force you to reinstall all of your Sun ONE servers including the directory server In the following example there is only one entry in the organizational unit so we can delete it and then the parent entry ldapdelete h host p port D cn Directory Manager w password uid bjensen ou People dc example dc com ou People dc example dc com
545. tries beneath the same parent must be unique Therefore you must choose naming attributes whose values or combination of values are unique The server will refuse to save an entry if its DN is not unique By convention all entries such as those representing users should use the same naming attributes Sun ONE Directory Server Administration Guide June 2003 Managing Entries Using the Console Click OK in the Change Naming Attribute dialog The display in the generic editor shows the new DN of this entry Edit any other values or perform other modifications as desired to this entry then click OK to save your changes and close the generic editor Deleting Directory Entries To delete entries using the Directory Server console 1 On the top level Directory tab of the Directory Server console expand the directory tree to display the entry that you wish to remove You may also delete entire branches of the directory by selecting the root node of the subtree Right click the entry and select the Delete item Several alternate actions will also delete the entry o _Left click the entry to select it then select the Edit gt Delete menu item You may also use the Edit gt Cut menu item if you wish to paste this entry elsewhere in the directory o _Left click the entry to select it then use the keyboard shortcut Control D When you have selected the View gt Layout option to display children in the right hand panel of the Directory
546. tries that either name their members in a static list or give a filter which defines a dynamic set of entries See Assigning Roles on page 154 for procedures that create equivalent role definitions The scope of possible members of a group is the entire directory regardless of where the group definition entries are located To simplify administration all group definition entries are usually stored in a single location usually ou Groups under the root suffix The entry that defines a static group inherits from the groupOfUniqueNames object class The group members are listed by their DN as multiple values of the uniqueMember attribute The entry that defines a dynamic group inherits from the groupOfUniqueNames and groupOfURLs object classes Group membership is defined by one or more filters given in the multi valued memberURL attribute The members in a dynamic group are the entries that match any one of the filters whenever they are evaluated The following sections describe how to create and modify both static and dynamic groups using the console Adding a New Static Group 1 On the top level Directory tab of the Directory Server console right click the entry in the directory tree where you want to add the new group and select the New gt Group item Alternatively select the entry and choose the New gt Group item from the Object menu 2 Inthe Create New Group dialog you must type a name for your new group in the Group
547. ts are replaced and new index files are created as the new contents are imported Reinitializing a suffix is usually faster than reindexing more than one attribute because all attributes are indexed in one pass as the entries are loaded However the suffix is unavailable while it is being reinitialized All of the following steps may be performed using the Directory Server console or from the command line 1 Set the suffix to read only as described in Setting Access Permissions and Referrals on page 97 You must make the suffix unwritable first so that no modifications are made after you export the contents 2 Export the entire suffix to an LDIF file as described in Exporting a Single Suffix to LDIF Using the Console on page 140 3 Import the same LDIF file to reinitialize the suffix as described in Initializing a Suffix on page 135 During the initialization the suffix will be unavailable When the initialization is done all configured indexes will be ready to use 4 Make the suffix writable again as described in Setting Access Permissions and Referrals on page 97 Modifying the Set of Default Indexes The set of default indexes that is used when creating a new suffix is defined under the following entry cn default indexes cn config cn ldbm database cn plugins cn config Whenever you create a suffix using the console or from the command line the default index definition entries will be copied
548. ttribute in the entry This right is granted by default but could be restricted using the targattrfilters keyword Deleting an entry e Grant delete permission on the entry to be deleted e Grant write permission on the value of each attribute in the entry This right is granted by default but could be restricted using the targattrfilters keyword Modifying an attribute in an entry e Grant write permission on the attribute type e Grant write permission on the value of each attribute type This right is granted by default but could be restricted using the targattrfilters keyword Modifying the RDN of an entry e Grant write permission on the entry e Grant write permission on the attribute type used in the new RDN e Grant write permission on the attribute type used in the old RDN if you want to grant the right to delete the old RDN e Grant write permission on the value of attribute type used in the new RDN This right is granted by default but could be restricted using the targattrfilters keyword Comparing the value of an attribute e Grant compare permission on the attribute type Searching for entries e Grant search permission on each attribute type used in the search filter e Grant read permission on attribute types used in the entry Chapter 6 Managing Access Control 193 Bind Rules The permissions you need to set up to allow users to search the directory are more readily understood with an example Consider th
549. ttribute used for value matching e bindType is one of USERDN GROUPDN LDAPURL Chapter 6 Managing Access Control 201 Bind Rules e attrValue is any string representing an attribute value NOTE You must not use an attribute generated by a Class of Service CoS definition with the userattr keyword ACIs containing bind rules that depend on attribute values generated by CoS will not work The following sections provide examples of the userattr keyword with the various possible bind types Example with USERDN Bind Type The following is an example of the userattr keyword associated with a bind based on the user DN userattr manager USERDN The bind rule is evaluated to be true if the bind DN matches the value of the manager attribute in the targeted entry You can use this to allow a user s manager to modify employees attributes This mechanism only works if the manager attribute in the targeted entry is expressed as a full DN The following example grants a manager full access to his or her employees entries aci target ldap dc example dc com targetattr version 3 0 acl manager write 1 866 222 0917 73398lallow all userattr manager USERDN Example with GROUPDN Bind Type The following is an example of the userattr keyword associated with a bind based on a group DN userattr owner GROUPDN The bind rule is evaluated to be true if the bind DN is a member of the group spe
550. ttributes contain the name of the chaining proxy needed to bind to the remote server For information on proxy authorization refer to Creating a Proxy Identity on page 101 When tracking modification times of replicated suffixes the name and timestamp attributes are replicated as normal attributes As a result these attributes reflect the time of the original modification to the entry on the master server not the time that the entry was replicated to a consumer To enable the Directory Server to track this information 1 On the top level Configuration tab of the Directory Server console select the root node in the configuration tree then select the Settings tab in the right hand panel Select the Track entry modification times checkbox The server will add the creatorsName createTimestamp modifiersName and modifyTimestamp attributes to every newly created or modified entry Existing entries will not contain the creation attributes Click Save and then restart the server See Starting and Stopping the Directory Server on page 20 for more information Chapter 1 Introduction to Sun ONE Directory Server 37 Verifying Plug In Signatures Verifying Plug In Signatures 38 The verification of plug in signatures is a new feature of Directory Server 5 2 Plug ins provided with Directory Server each have a digital signature which may be verified by the server at startup By default the server will ver
551. tween a supplier and one or more consumer replicas e entrycmp Compares the same entry in two or more replicas These tools are located in the following directory Chapter 8 Managing Replication 315 Monitoring Replication Status 316 ServerRoot shared bin Replication Monitoring Tools in Chapter 1 of the Sun ONE Directory Server Reference Manual gives the full command line syntax and usage examples for these tools Replication Status Tab To view a summary of replication status in the Directory Server console 1 On the top level Status tab on the Directory Server console select the Replication node The right panel displays a table that contains information about each of the replication agreements configured for this server 2 If you wish to monitor the replication status select the Continuous refresh checkbox For example you will see when a replica has finished initializing 3 Click the Pending Change Number button if you wish to determine the last modification on the master that has not yet been replicated to the consumer You will be warned that this operation may take a long time and asked to confirm Determining the pending change number requires downloading the consumer s record of updates and comparing it to the master s change log If these logs are very large this operation may take significant time and server resources 4 You can modify the layout of the table by clicking on the column headers
552. u may select the suffix node and then choose Export from the Object menu The Export Suffix dialog is displayed In the LDIF file field enter the full path to the LDIF file or click Browse to locate it on your machine When the Browse button is not enabled by default the file is stored in the following directory ServerRoot slapd serverID 1dif If the suffix is replicated you may select the checkbox to Export Replication Information This feature is only necessary if you will use the exported LDIF to initialize another replica of this suffix If attribute encryption is enabled for this suffix you may select the checkbox to Decrypt attributes In order to do so you must provide the password that protects the server s certificate database Select the option to enter the password or to enter the name of a file containing the password If you cannot provide the password to decrypt attribute values the encrypted values will appear in the LDIF output Click OK to export the contents of the suffix to the file Sun ONE Directory Server Administration Guide June 2003 Solaris Packages Other Installations Exporting Data Exporting to LDIF From the Command Line You can export any suffix or subtree of the directory to LDIF using the db21dif command directoryserver db21dif in the Solaris Packages This script exports all of your suffix contents or a part of their contents to an LDIF file when the server is either running
553. ue is reserved for schema elements that are defined through the LDAP view of cn schema and that appear in 99user 1ldif The file 99user 1dif contains additional ACIs for the cn schema entry and all schema definitions added from the command line or using the console The file 99user 1dif will be overwritten when new schema definitions are added If you wish to modify this file you must restart the server immediately to ensure your changes will be permanent You should not modify the standard schema defined in the other schema files However you may add new files to define new attributes and object classes For example to define new schema elements in many servers you could define them ina file named 98mySchema 1dif and copy this file to the schema directory of all servers You must then restart all servers to load your new schema file Sun ONE Directory Server Administration Guide June 2003 Overview of Extending the Schema Modifying the Schema From the Command Line Because the schema is defined by the LDAP view in cn schema you may view and modify the schema online using the ldapsearch and ldapmodify utilities However you may modify only schema elements that have the value user defined for the x ORIGIN field The server will refuse any modification to the other definitions Use ldapmodify to add and delete individual values of the attributeTypes and objectClasses attributes To modify one of the values you must delete the s
554. ue of the first naming component of the suffixDN Unlike a local suffix chained suffixes do not have any database files on the local server For a subsuffix the parentSuffixDN is the exact DN of the parent suffix The parent may be either a local suffix or a chained suffix 2 Create the chaining configuration entry with the following command Sun ONE Directory Server Administration Guide June 2003 Creating Chained Suffixes ldapmodify a h host p port D cn Directory Manager w password dn cn databaseName cn chaining database cn plugins cn config objectclass top objectclass extensibleObject objectclass nsBackendInstance cn databaseName nsslapd suffix suffixDN nsfarmserverurl LDAPURL nsmultiplexorbinddn proxyDN nsmultiplexorcredentials ProxyPassword Sp where databaseName and suffixDN must have the same value as those used in the previous step The LDAPURL is the URL of the remote server but it does not include any suffix information The URL may include failover servers listed in the following format ldap s hostname port hostname port All remote servers listed in the LDAP URL must contain the suffixDN For information about specifying a secure port refer to Chaining Using SSL on page 112 The proxyDN is the DN of the proxy identity on the remote server The local server will use this DN as a proxy when accessing contents of the suffix on the remote server Operations pe
555. ur subsuffix is not listed select Other and choose it from list in the New Object dialog that is displayed Alternatively select the parent of the subsuffix and then choose the New item from the Object menu The console now displays the custom or generic editor for the new object Add and edit any attribute values necessary for your topology including any modifications to the set of ACIs When you have edited the entry click OK in the Editor to create the entry for the new subsuffix The new subsuffix now appears in the directory tree and can be managed through the console according to the rights given by the ACIs Creating Suffixes From the Command Line You may also use the ldapmodify command line utility to create suffixes in your directory Because root suffixes and subsuffixes are managed internally in the same way by the server the procedure for creating them from the command line is nearly the same 1 Create the suffix configuration entry under cn mapping tree cn config with the following command for a root suffix 92 Sun ONE Directory Server Administration Guide June 2003 Creating Suffixes ldapmodify a h host p port D cn Directory Manager w password dn cn suffixDN cn mapping tree cn config objectclass top objectclass extensibleObject objectclass nsMappingTree cn suffixDN nsslapd state backend nsslapd backend databaseName D For a subsuffix use the same command with an ad
556. ure of the DN creates branches and leaves which structure the data in the tree In order to manage the directory tree it is defined administratively in terms of suffixes subsuffixes and chained suffixes Directory Server console provides the controls for creating and administering all of these elements or you may use command line tools For conceptual information on structuring your directory data refer Chapter 4 Designing the Directory Tree in the Sun ONE Directory Server Deployment Guide This chapter includes the following sections e Introduction e Creating Suffixes e Managing Suffixes e Creating Chained Suffixes e Managing Chained Suffixes e Configuring Cascading Chaining Introduction A suffix is a branch or subtree whose entire contents are treated as a unit for administrative tasks For example indexing is defined for an entire suffix an entire suffix may be initialized in a single operation and a suffix is the unit of replication Data that you wish to access and manage in the same way should be located in the same suffix A suffix may be located at the root of the directory tree where it is sometimes called a root suffix 85 Introduction The following figure shows a directory with two root suffixes each for a separate corporate entity Figure 3 1 Two Root Suffixes in a Single Directory Server eecccte ma eercce e se oo oy dc example dc com y Bd P 7 dc example dc org
557. userdn uid MoneyWizAcctSoftware ou Applications dc example dc com With this ACI in place the MoneyWizAcctSoftware client application can bind to the directory and send an LDAP command such as ldapsearch or ldapmodify that requires the access rights of the proxy DN In the above example if the client wanted to perform an ldapsearch command the command would include the following controls ldapsearch D uid MoneyWizAcctSoftware ou Applications dc example dc com w password y uid AcctAdministrator ou Administrators dc example dc com Note that the client binds as itself but is granted the privileges of the proxy entry The client does not need the password of the proxy entry NOTE You cannot use the Directory Manager s DN as a proxy DN Nor can you grant proxy rights to the Directory Manager In addition if Directory Server receives more than one proxied authentication control in the same bind operation an error is returned to the client application and the bind attempt is unsuccessful Viewing Effective Rights 236 When maintaining the access policy on the entries of a directory it is very helpful to know what are the effects on security of the ACIs you define Sun ONE Directory Server 5 2 introduces a new mechanism to evaluate existing ACIs and report the effective rights that they grant for a given user on a given entry Directory Server will respond to the new Get Effective Rights cont
558. users must change their password the first time they log on by selecting the User must change password after reset checkbox If you select this checkbox only the Directory Manager is authorized to reset the users s password A regular administrative user cannot force the user to update their password To allow users to change their own passwords select the User may change password checkbox To limit how often users may change their own password enter the number of days in the Allow changes in X day s text box To allow users to change their password as often as they desire select the No Limitation checkbox To prevent users from using the same password over and over select the Keep password history checkbox and specify the number of passwords you want the server to keep for each user text box Users will not be able to set a password that still exists in the list To be effective you should also limit how often users may change their password If you do not want user passwords to expire select the Password never expires radio button Otherwise select the Password expires after X days radio button to force users to periodically change their passwords and then enter the number of days that a user password is valid Chapter 7 User Account Management 255 Managing Individual Password Policies e If you selected expiring passwords you can specify how long before the password expires to send a w
559. ut the server is offline When you have finished the agreement appears in the list of replication agreements for this master replica You may edit the replication agreement later to change the DN and password of the replication manager on the consumer server 1 Select the replication agreement from the list and click the Edit button 2 Inthe Replication Agreement dialog select the Connection tab 3 Edit the replication manager DN or password for the consumer server 4 Optionally edit the description string for the agreement 5 Click OK to save the new settings and begin using them immediately when sending updates to this consumer The configuration parameters in the other tabs are described in Enabling Fractional Replication on page 284 and Replication Over a WAN on page 297 6 After creating each replication agreement you may optionally configure fractional replication for this suffix and then immediately initialize the replica as described in Initializing Replicas on page 284 Configuring Fractional Replication By default replication will copy entire entries in the replicated suffix to consumer replicas With the fractional replication feature new in Sun ONE Directory Server 5 2 you may specify the subset of attributes that is replicated or excluded during replication Fractional replication is configured in the replication agreement allowing you to define the attribute set for each consumer replica
560. ute will be processed Defines the name of the attribute in target entries whose value is used by indirect CoS to identify the template entry The named attribute is called the specifier and must contain a full DN string in each target entry This attribute is single valued but the specifier attribute may be multivalued to designate multiple templates Defines the name of the attribute in target entries whose value is used by classic CoS to identify the template entry The named attribute is called the specifier and must contain a string that can be found in the RDN of template entries This attribute is single valued but the specifier attribute may be multivalued to designate multiple templates Provides the full DN of the template entry for a pointer CoS definition or the base DN of the template entry for classic CoS The cosAttribute attribute allows two qualifiers following the name of the CoS attribute The override qualifier has one of the following values e default or no qualifier Indicates that the server does not override a real attribute value stored in the entry when it has the same type as the virtual attribute e override Indicates that the server always returns the value generated by the CoS even when there is a value stored with the entry e operational Indicates that the attribute will only be returned if it is explicitly requested in the search Operational attributes do not need to pass a schema check in o
561. utes list and then click the Add button to the left of the Allowed Attributes box o To remove an attribute that you previously added highlight the attribute in either list and then click the corresponding Remove button You cannot remove allowed or required attributes that are inherited from the parent object class 5 Click OK in the Create Object Class dialog to define your new object class It will appear in the table of user defined object classes and you may now define entries with this object class Editing Object Classes You can edit only the user defined object classes using the console Before modifying the definition of an object class you must ensure that no entry in the directory currently uses it otherwise clients will be unable to access that entry To modify the schema definition of an object class 1 On the top level Configuration tab of the Directory Server console select the Schema node in the configuration tree then select the Object Class tab in the right hand panel 2 Select the object class that you want to edit in the list of User Defined Object Classes and click Edit 3 Modify the fields of the Edit Object Class dialog to redefine your object class You cannot rename the object class nor change its OID To modify these delete the object class and create a new one o Parent Select an existing object class to be the parent The required and allowed attributes inherited from the parent and its parent
562. uthenticate to a consumer 1 On the top level Configuration tab on the Directory Server console expand both the Data node and the node for the replicated suffix and select the Replication node below the suffix 2 Inthe right panel select the replication agreement you want to modify and click Edit Sun ONE Directory Server Administration Guide June 2003 Modifying the Replication Topology In the Replication Agreement dialog select the Connection tab The status line indicates the hostname and port number of the consumer server Modify the DN and password field to contain either the DN and password of another replication manager entry or the DN of a certificate entry on the consumer server If this replication agreement uses SSL over a secure port you may also click the Options button to select the type of secure authentication If you connect using a password the supplier will use simple authentication with the given DN over an encrypted SSL connection If you connect using a certificate the DN field is the DN of the certificate entry and no password is required You cannot switch an existing replication agreement from non secure to secure authentication nor vice versa To enable replication with a different security setting you must create another replication agreement Click OK to save your changes Duplicating a Replication Agreement Duplicating a replication agreement is a simple way to configure many consumers
563. uthentication on page 370 NOTE If you are using certificate based authentication with replication then you must configure the consumer server to either allow or require client authentication Require client authentication With this option the client connection will be refused if the client does not respond to the server s request for authentication NOTE If Sun ONE Server Console connects to Directory Server over SSL selecting Require client authentication disables communication because the Sun ONE Server Console does not have a certificate to use for client authentication To modify this attribute from the command line see Allowing Client Authentication on page 370 10 Optionally select Use SSL in Sun ONE Server Console if you want the Console to use SSL when communicating with Directory Server Click Save when done Optionally set the secure port you want the server to use for SSL communications in both LDAP and DSML over HTTP protocols See Changing Directory Server Port Numbers on page 34 for information All connections to the secure port must use SSL Regardless of whether you configure the secure port once SSL is activated clients may use the Start TLS operation to perform SSL encryption over the non secure port Restart the Directory Server See Starting the Server with SSL Enabled on page 22 for more information Chapter 11 Implementing Security 367 Activating
564. utton to copy the ACI text to your system s clipboard for pasting Select the Limits amp Controls tab to configure the parameters for chained requests The cascading chaining parameters are described in Configuring Cascading Chaining on page 127 Set the Control Client Return parameters to limit the size and time of a chained operation o Return Referral on Scoped Search A search whose scope is entirely within the chained suffix is inefficient because the results are transmitted twice By default the server will instead return a referral to the chained server forcing the client to perform the search directly on the chained server If you deselect this option you should set the following parameters to limit the size of results that will be chained o Size Limit or No Size Limit This parameter determines the number of entries that will be returned in response to the chained search operation The default size limit is 2000 entries Set this parameter to a low value if you wish to limit broad searches involving the chained suffix In any case the operation will be limited by any size settings on the remote server 122 Sun ONE Directory Server Administration Guide June 2003 Managing Chained Suffixes Time Limit or No Time Limit This parameter controls the length of time for chained operations The default time limit is 3600 seconds one hour Set this parameter to a low value if you wish to limit the time allowed for oper
565. v5 2 Directory Server binaries Compressed Archive var Sun mps Installation on Solaris and Other Unix Systems Zip Installation on C Program Files Sun MPS Windows Systems 1 If you are working on the Solaris Operating Environment and are unsure which version of the Sun ONE Directory Server software is installed check for the existence a key package such as SUNWdsvu using the pkginfo command For example pkginfo grep SUNWdsvu Directory Server instances are located under ServerRoot slapd serverID where serverID represents the server identifier given to the instance on creation For example if you gave the name dirserv to your Directory Server then the actual path would appear as shown in Table 2 If you have created a Directory Server instance in a different location adapt the path accordingly About This Guide 15 Downloading Directory Server Tools Table 2 Example dirserv Instance Locations Product Installation Instance Location Solaris Packages var mps serverroot slapd dirserv Compressed Archive usr Sun mps slapd dirserv Installation on Solaris and Other Unix Systems Zip Installation on C Program Files Sun MPS slapd dirserv Windows Systems Downloading Directory Server Tools Some supported platforms provide native tools for accessing Directory Server More tools for testing and maintaining LDAP directory servers download the Sun ONE Directory Server Resource Kit DSRK This software is available at th
566. ver 23 Using the Directory Server Console If you are running the Sun ONE Server Console on a machine other than the one where the Sun ONE Administration Server is installed you may need to configure the connection restrictions on the Administration Server as described in Network Settings in Chapter 7 of the Sun ONE Server Console Server Management Guide The Console login window is displayed Or if your configuration directory the directory that contains the o NetscapeRoot suffix is stored in a separate instance of Directory Server a window is displayed requesting the administrator user DN password and the URL of the Administration Server for that directory server 4 Login using the bind DN and password of a user with sufficient access permissions for the operations you want to perform For example use cn Directory Manager and the appropriate password The Sun ONE Server Console is displayed 5 Navigate through the tree in the left hand panel to find the machine hosting your Directory Server and click on its name or icon to display its general properties Figure 1 1 The Sun ONE Server Console Sun ONE Server Console Console Edit View Object Help Sun ONE Server Console Servers and Applications Directory Server example Open example com Q BR camus red iplanet com Server name Directory Server example a Server Group Description Main LDAP server Installation date April 8 2003 1 56 04 PM PDT S
567. ver Administration Guide June 2003 Chapter 13 Monitoring Directory Server Using SNMP The Simple Network Management Protocol SNMP is a standardized management protocol for monitoring and managing devices and application in real time Directory Server provides a subagent interface so that it can be monitored by an SNMP manager application This allows network applications to know the status of the directory server and obtain metrics about its activity However the Directory Server SNMP subagent only contains read only values and SNMP management applications cannot perform actions on the server Nor does the subagent send SNMP traps which are messages to report events In general the activity and error logs described in Chapter 12 Managing Log Files provide much more detailed information about the server and LDAP is the protocol of choice for securely accessing and modifying the server configuration However the SNMP subagent does allow Directory Server instances to participate in existing network management systems This chapter contains the following topics e SNMP in Sun ONE Servers e Overview of the Directory Server MIB e Setting Up SNMP e Configuring SNMP in the Directory Server e Starting and Stopping the SNMP Subagent 405 SNMP in Sun ONE Servers SNMP in Sun ONE Servers 406 SNMP allows a management application to query applications and devices which run an agent or subagent application The SNMP agent o
568. ware Configure the Kerberos software With SEAM configure the files under etc krb5 in order to setup the kdc server define the default realm and any other configuration required by your Kerberos system If necessary modify the file etc gss mech so that the first value listed is kerberos_v5 Specifying SASL Options for Kerberos Authentication 1 Before using a GSSAPI enabled client application you must initialize the Kerberos security system with your user Principal using the following command kinit userPrincipal The userPrincipal is your SASL identity for example bjensen example com The following example of the 1dapsearch tool shows the use of the o lowercase letter 0 option to specify SASL options for using Kerberos ldapsearch h host p securePort Z P home bjensen netscape cert7 db N certificateName wW keyPassword o mech GSSAPI o realm example com o authid bjensen example com o authzid bjensen example com b dc example dc com givenname Richard Chapter 11 Implementing Security 387 Configuring LDAP Clients to Use Security In this example the N and w options are required by the ldapsearch command but they are not used for client authentication The realm authid and authzid may be omitted because they are present in the Kerberos cache which was initialized by the kinit command If present authid and authzid must be identical although the authz
569. was created Adding a New Dynamic Group 1 On the top level Directory tab of the Directory Server console right click the entry in the directory tree where you want to add the new group and select the New gt Group item Alternatively select the entry and choose the New gt Group item from the Object menu In the Create New Group dialog you must type a name for your new group in the Group Name field and you may add an optional description of the group in the Description field The group name will become the value of the cn common name attribute for the new group entry and appear in its DN Click Members in the left hand list of dialog and select the Dynamic Group tab in the right panel Click Add to create a LDAP URL containing the filter string that will define group members The standard Construct and Test LDAP URL dialog box appears Chapter 5 Advanced Entry Management 153 Assigning Roles 5 Enter an LDAP URL in the text field or select Construct to be guided through the construction of an LDAP URL containing the filter for your group Click Test to view the list of entries that are returned by this filter Click OK when you have constructed the URL Repeat this step to add all of the URLs containing the filters that define your dynamic group 6 Click Languages in the left hand list to give your group a name and descriptions string in another language These will be displayed when the console is usin
570. will delete the object class definition immediately There is no undo Replicating Schema Definitions Whenever you configure the replication of one or more suffixes between two servers the schema is automatically replicated as well This ensures that all replicas have a complete identical schema that defines all object classes and attributes that may be replicated to the consumers Therefore master servers also contain the master schema To enforce the schema on all replicas you must enable schema checking on all masters Because the schema is checked on the master where the LDAP operation is performed it does not need to be checked when updating the consumer To improve performance the replication mechanism bypasses schema checking on consumer replicas Chapter 9 Extending the Directory Schema 335 Replicating Schema Definitions NOTE You should not turn off schema checking on hubs and dedicated consumers Schema checking has no performance impact on a consumer and it should be left on to indicate that the replica contents conform to its schema Master servers replicate the schema automatically to their consumers during consumer initialization and anytime the schema is modified through the console or through the command line tools By default the entire schema is replicated and any additional schema elements that do not yet exist on the consumer will be created there and stored in the 99user 1dif file For example assume a
571. wing command ldapmodify h host p port D cn Directory Manager w password dn cn suffixDN cn mapping tree cn config changetype modify replace nsslapd state nsslapd state referral on update or referral add nsslapd referral nsslapd referral LDAPURL D You may repeat the last change statement to add any number of LDAP URLs to the nsslapd referral attribute When the value of nsslapd state is referral on update the suffix is read only and all LDAP URLs will be returned as referrals for write operations When the value is referral both read and write operations are denied and the referrals are returned for any request 98 Sun ONE Directory Server Administration Guide June 2003 2 Managing Suffixes The suffix will become read only or inaccessible and ready to return referrals immediately after the command is successful Deleting a Suffix Deleting a suffix will remove its entire branch from the directory You may delete a parent suffix and keep its subsuffixes in the directory as new root suffixes CAUTION When you delete a suffix you permanently remove all of its entries from the directory and remove all configuration of the suffix including its replication configuration Deleting a Suffix Using the Console 1 On the Configuration tab of the Directory Server console expand the Data node Right click on the suffix you wish to remove and select Delete from the pop up menu Altern
572. word e Each replica keeps separate non replicated account lockout counters As a result the lockout policy will be enforced on any single replica but may be circumvented when a user attempts to bind to several replicas For example if you have 10 servers in the replication topology and lock out is activated after three attempts an intruder could potentially try 30 guesses of the password While replication does allow an intruder more guesses the number is insignificant when compared to the billions of password values It is much more important to force users to have strong passwords by turing on password checking and setting a password length of six characters or more You should also give them guidelines on how to select and remember a password that is not a common dictionary word Finally you should ensure that all directory administrator users have very strong passwords Chapter 7 User Account Management 251 Configuring the Global Password Policy Configuring the Global Password Policy The global password policy applies to all users in the directory who do not have an individual policy defined However the global password policy does not apply to the Directory Manager Configuring the Password Policy Using the Console To set up or modify the global password policy for your Directory Server 1 On the top level Configuration tab of the Directory Server console select the Data node then select the Passwords tab in the ri
573. writing the contents of the suffix in response to any client operations that try to access the suffix If you have a default referral defined that referral will be returned when clients attempt to access a disabled suffix Disabling or Enabling a Suffix Using the Console 1 On the top level Configuration tab of the Directory Server console expand the Data node and select the suffix you wish to disable 2 Inthe right panel select the Settings tab By default all suffixes are enabled when they are created If you have enabled replication for this suffix you will see a note informing you that the contents of this tab may be updated automatically Disabling a suffix that is replicated will also interrupt replication to this suffix As long as replication is not interrupted longer than the recover settings the replication mechanism will resume updates to this replica when the suffix is enabled again The replication recovery settings are the purge delay of this consumer replica and the maximum size and age of its supplier s change log see Advanced Consumer Configuration on page 271 3 Deselect the Enable access to this suffix checkbox to disable the suffix or select the checkbox to enable it 4 Click Save to apply the change and immediately disable or enable the suffix 5 Optionally you may set the global default referral that will be returned for all operations on this suffix while it is disabled This setting is loca
574. xt field containing the selected value 3 Use the mouse and the keyboard to edit the text to the desired value You may use your system s clipboard to copy cut and paste text in this field If you cannot edit the contents of the text field that attribute is read only or you do not have write permissions to modify it 4 Edit any other values or perform other modifications as desired to this entry then click OK to save your changes and close the generic editor Editing Multi Valued Attributes Attributes which are defined to be multi valued in your directory schema may have more than one value field in the generic editor See Chapter 9 Extending the Directory Schema for more information Sun ONE Directory Server Administration Guide June 2003 Managing Entries Using the Console To add a new value to a multi valued attribute 1 Open the generic editor as described in Invoking the Generic Editor on page 54 Scroll through the list of attributes and click on the attribute or one of its values The selected attribute is highlighted and the Add Value button is activated If this button is not activated the selected attribute is not defined to be multi valued or it is read only or you do not have write permission to modify it Click the Add Value button A new blank text field is displayed beside the attribute name in the list Enter a new value for this attribute in the new text field You may use your sy
575. y s object class 3 Click the Delete Value button The specific object class is removed When you remove an object class the generic editor will automatically remove any attributes that are not allowed or required by the remaining object classes If one of the naming attributes was removed another one will be selected automatically and the console will inform you of this change 4 Edit any other values or perform other modifications as desired to this entry then click OK to save your changes and close the generic editor Renaming an Entry The naming attributes are the attribute value pairs of an entry that appear in its distinguished name DN The naming attributes are chosen from the existing attributes of an entry Modify the naming attributes to rename an entry 1 Open the generic editor as described in Invoking the Generic Editor on page 54 The text beside the Change button shows the current naming attributes for this entry If the Show DN checkbox is selected you can see these attributes in the DN below the list of attribute values 2 Click on the Change button If this button is not activated you do not have permission to rename this entry The Change Naming Attribute dialog is displayed 3 Scroll through the list of attributes to choose the ones you wish to have in this entry s DN Select or deselect the checkbox beside the attribute to add or remove from the naming attributes respectively DNs of en
576. y Server an Administration Server to manage multiple directories and Sun ONE Server Console to manage both servers through a graphical interface This chapter provides overview information about the Directory Server and the most basic tasks you need to start administering a directory service using the console Two new features of Directory Server 5 2 covered in this chapter are plug in signatures and the DSML over HTTP protocol Verifying plug in signatures is an additional security feature that allows the server to detect or prevent unauthorized plug ins from being loaded Directory Server Markup Language DSML is a new XML based format for sending requests to a directory server This chapter includes the following sections e Overview of Directory Server Management e Starting and Stopping the Directory Server e Starting the Server with SSL Enabled e Using the Directory Server Console e Configuring LDAP Parameters e Verifying Plug In Signatures e Configuring DSML Overview of Directory Server Management Overview of Directory Server Management Sun ONE Directory Server is a robust scalable server designed to manage an enterprise wide directory of users and resources It is based on an open systems server protocol called the Lightweight Directory Access Protocol LDAP The Directory Server runs as the ns slapd process or service on your machine The server manages the directory contents and responds to client requests You perform
577. y Server console click the button beside Restore Directory Server The Restore Directory dialog box is displayed 2 Select the backup from the Available Backups list or enter the full path to a valid backup in the Directory text box The Available Backups list shows all of the backups located in the default directory ServerRoot slapd serverID bak 3 Click OK to restore your server Restoring Your Server from the Command Line You can restore your server from the command line by using the following scripts e Using the bak2db command directoryserver bak2db in the Solaris Packages This script requires the server to be shut down e Using the bak2db p1 perl script directoryserver bak2db task in the Solaris Packages This script requires the server to be running Using the bak2db Command Line Script To restore your directory from the command line while the server is shut down 1 As root from the command line stop the server with the following command usr sbin directoryserver stop ServerRoot slapd serverID stop slapd 2 Use the bak2db command with the full path of the backup directory usr sbin directoryserver bak2db backupDir ServerRoot slapd serverID bak2db backupDir Chapter 4 Populating Directory Contents 147 Restoring Data from Backups Solaris Packages Other Installations Solaris Packages 3 Start the server with the appropriate command usr sbin directoryserver start ServerR
578. y Server console to change the Directory Manager DN its password and the encryption scheme used for this password 1 Log in to the Console as Directory Manager If you are already logged in to the Console see Changing Your Login Identity on page 30 for instructions on how to log in as a different user 2 On the top level Configuration tab select the server node at the root of the navigation tree and select the Settings tab in the right hand panel 3 Enter the new distinguished name in the Directory Manager DN field The default value is the one defined during installation 4 From the Manager Password Encryption pull down menu select the storage scheme you want the server to use to store the password for Directory Manager 5 Enter the new password and confirm it using the text fields provided 6 Click Save Changing Directory Server Port Numbers You can modify the port or secure port number of your user directory server using the Directory Server console or by changing the value of the nsslapd port attribute under the cn config entry Sun ONE Directory Server Administration Guide June 2003 Configuring LDAP Parameters If you want to modify the port or secure port for a Sun ONE Directory Server that contains the Sun ONE configuration information o NetscapeRoot subtree you may do so through Directory Server console If you change the configuration directory or user directory port or secure port numbers you
579. y an entryObjectClass in the third argument so that the plug in enforces uniqueness only in operations that target entries with this object class Sun ONE Directory Server Administration Guide June 2003 Using the Uniqueness Plug In With Replication nsslapd pluginarg0O attribute attribute_name nsslapd pluginargl markerObjectClass baseObjectClass nsslapd pluginarg2 requiredObjectClass entryObjectClass aD In all plug in arguments there must be no white space before or after the sign 4 Restart the server to load this new instance of the uniqueness plug in into the server Using the Uniqueness Plug In With Replication The UID uniqueness plug in does not perform any checking on attribute values when an update is performed as part of a replication operation This does not affect single master replication but the plug in cannot automatically enforce attribute uniqueness for multi master replication Single Master Replication Scenario Because all modifications by client applications are performed on the master replica the UID uniqueness plug in should be enabled on the master server The plug in should be configured to enforce uniqueness in the replicated suffix Because the master ensures that the values of the desired attribute are unique it is unnecessary to enable the plug in on the consumer server Enabling the UID uniqueness plug in on the consumer of a single master will not interfere with replication or normal server
580. y as fast as a search on real attributes amp objectclass person nsRole cn managersRole ou People dc example dc com e The nsRoleDN attribute used to define managed role membership is indexed by default in all suffixes Optimizations for searching managed role membership will be lost if indexing for this attribute is disabled e Searching for entries containing a filtered role involves an internal search using the role filter This internal operation will be fastest if all attributes that appear in the role filter are indexed in all suffixes in the scope of the role Permissions on the nsRole Attribute The nsRole attribute may only be assigned by the roles mechanism and is never writable nor modifiable by any directory user However you should keep in mind the following considerations e The nsRole attribute is potentially readable by any directory user and you may define access controls to protect it against reading e The nsRoleDN attribute defines managed role membership and you should decide whether users may add or remove themselves from the role See Example of a Managed Role Definition on page 161 for the ACI that prevents users from modifying their own roles e Filtered roles determine membership through filters that are based on the existence or the values of attributes in user entries You should define carefully the user permissions of these attributes to control who may define membership in the filtered r
581. y creates a backup of the dse 1dif file in a file named dse 1dif startoOk in the following directory ServerRoot slapd serverID config When you make modifications to the cn config branch the file is first backed up to a file called dse 1dif bak in the config directory before the server writes the modifications to the dse 1dif file Make copies of either of these files if you need to save your configuration Restoring Data from Backups The following procedures describe how to restore suffixes in your directory using the Directory Server console or the command line Your server must have been backed up using the procedures described in Backing Up Data on page 142 Before restoring suffixes involved in replication agreements please read Restoring Replicated Suffixes on page 144 Chapter 4 Populating Directory Contents 143 Restoring Data from Backups 144 CAUTION Do not stop the server during a backup or restore operation Restoring your server overwrites any existing database files and thus loses any modifications of the data since the back up Restoring Replicated Suffixes Suffixes that are replicated between supplier servers and consumer servers require special consideration before being restored If possible you should update the suffix through the replication mechanism instead of restoring it from a backup This section explains how and when to restore a replica and how to ensure that it is synchronized wit
582. y default the server will process requests sent to the following URL http host 80 dsml Click Save and you will be reminded that you must restart the server to begin responding to DSML requests To enable DSML requests through the command line 1 Perform the following ldapmodify command to enable the DSML front end plug in and modify its settings Modifying the ds hdsml port ds hdsml secureport and ds hdsml rootur1 attributes is optional ldapmodify h host p LDAPport D cn Directory Manager w passwd dn cn DSMLv2 SOAP HTTP cn frontends cn plugins cn config changetype modify replace nsslapd pluginEnabled nsslapd pluginEnabled on replace ds hdsml port ds hdsml port DSMLport add ds hdsml secureport ds hdsml port secureDSMLport replace ds hdsml rooturl ds hdsml root relativeURL D According to the parameters and attribute values you defined DSML clients may use the following URLs to send requests to this server http host DSMLport relative URL https host secureDSMLport relativeURL When the DSML front end plug in has been modified you must restart the server for the changes to take effect However before you restart the server you may wish to configure the security and identity mappings for DSML authentication as described in the following sections Chapter 1 Introduction to Sun ONE Directory Server 41 Configuring DSML Configuring DSML Security In addi
583. y either be temporary or permanent depending on how strict you wish to make your password policy Sun ONE Directory Server Administration Guide June 2003 Overview of Password Policies Both will effectively prevent automated guessing of passwords For example if you allow five attempts and then lock the user account for five minutes the intruder can make only one guess per minute on average and a poor typist is inconvenienced only momentarily If the lock is permanent the user s password must be reset manually by the Directory Manager Password Policies in a Replicated Environment Both individual and the global password policies are replicated As a result you may define them on a master and allow replication to propagate the policy to replicated servers All the attributes you set are replicated as are operational attributes containing the password history old passwords already used and password expiration dates However you should consider the following impact of password policies in a replicated environment e A user with an impending password expiration will receive a warning from every replica to which they bind before changing their password e When a user changes their password it may take time for this information to be updated on all replicas If a user changes a password and then immediately rebinds to one of the consumer replicas with the new password the bind may fail until the replica receives the updated pass
584. y setting it to an integer value or remove the priority attribute altogether if it is not needed For more information see Cos Attribute Priority on page 173 e Add the attribute and its value that you wish to be generated on target entries by the CoS mechanism Click OK in the Generic Editor dialog to create the template entry If you are going to define a pointer CoS for this template select the new template entry in directory tree and select Edit gt Copy DN from the menu The procedure for creating the definition entry is the same for all types of CoS Chapter 5 Advanced Entry Management 167 Defining Class of Service CoS 168 On the top level Directory tab of the Directory Server console right click the entry in the directory tree where you want to add the new CoS definition and select the New gt Class of Service item from the pop up menu Alternatively select the parent entry and choose the New gt Class of Service item from the Object menu The custom editor for Class of Service entries is displayed Enter a name and optional description for your new Class of Service The name will appear in the cn naming attribute for the CoS definition entry Click the Attributes tab in the left hand list The dialog displays the list of attributes that will be generated by the CoS mechanism on the target entries Click Add to browse the list of possible attributes and add them to the list Once you have added an attribut
585. y that you wish edit 2 Double click on the entry Several alternate actions also invoke the custom editor of an entry o Right click the entry and select the Edit With Custom Editor item o _Left click the entry to select it then select the Object gt Edit With Custom Editor menu item o Left click the entry to select it then use the keyboard shortcut Control P The custom editor for the object class of your entry will be displayed For example the custom editor for User entries is shown in Figure 2 1 on page 50 3 By default all custom editors open with the topmost User or General tab selected which contains the fields to name and describe the new entry Edit or remove values in the fields of the custom editor for the attributes you wish to modify You may modify but not remove the value of mandatory attributes that are identified by an asterisk beside the field name You may leave any of the other fields blank In fields that allow multiple values you my type Return to separate the values Select the other tabs in the left hand column to modify the values on the corresponding panel Click the Help button for further assistance with specific fields in the custom editor for your entry type For an explanation of the Languages tab of the User and Organizational Unit editors see Setting Attributes for Language Support on page 53 The fields of the Account tab of user and group entries are described in Chapter 7
586. y the role and by the CoS for example ldapsearch h host p port D cn Directory Manager w password b ou People dc example dc com s sub cn Fuentes dn cn Carla Fuentes ou People dc example dc com cn Carla Fuentes isManager TRUE nsRol cn ManagerRole ou People dc example dc com mailboxquota 1000000 NOTE The role entry and the CoS definition entry should be located in the same place in the directory tree so that they have the same target entries in their scope The CoS target entry should also be located in the same place so that it is easy to find and maintain Sun ONE Directory Server Administration Guide June 2003 Chapter 6 Managing Access Control Controlling access to your directory contents is an integral part of creating a secure directory This chapter describes access control instructions ACIs that determine what permissions are granted to users who access the directory Sun ONE Directory Server 5 2 introduces the ability to view the effective rights of a given user for a given entry This feature simplifies the administration of the complex and powerful access control mechanism While you are in the planning phase for your directory deployment you should define an access control strategy that serves your overall security policy Refer to Designing Access Control in Chapter 7 of the Sun ONE Directory Server Deployment Guide for tips on planning your access control strate
587. you may copy into your new LDIF ACI definition for editing NOTE To view the effect of an aci value in terms of the permissions that it grants or denies see Viewing Effective Rights on page 236 Creating ACIs Using the Console 212 The Directory Server console can be configured to show which entries in the directory have aci attributes Select or deselect the View gt Display gt ACI Count menu item to toggle this display Entries listed in the top level Directory tab will then be appended with the number of ACIs which are defined in their aci attribute You may then use the Directory Server console to view create edit and delete access control instructions for your directory See Access Control Usage Examples on page 217 for a collection of access control rules commonly used in Directory Server security policies along with step by step instructions for using the Directory Server console to create them The Access Control Editor does not enable you to construct some of the more complex ACIs when you are in Visual editing mode In particular from the Access Control Editor you cannot e Deny access see Permissions Syntax on page 194 e Create value based ACIs see Targeting Attribute Values Using LDAP Filters on page 190 e Define parent access see Parent Access parent Keyword on page 198 e Create ACIs that contain Boolean bind rules see Using Boolean Bind Rules on page 210
588. you will edit the certmap conf file so that the server maps the user certificate presented through the LDAP client to the corresponding user DN Make sure that the verifyCert parameter is set to on in the certmap conf file The server will then verify that the user entry contains the same certificate thereby positively identifying the user Specifying SSL Options for Certificate Based Client Authentication To perform certificate based client authentication in SSL with the ldapsearch tool users need to specify several command line options to use their certificate When establishing the SSL connection through the secure port the tool will authenticate the server s certificate and then send the user certificate to the server The following command shows how a user would specify the options to access his or her certificate database if it was created by Netscape Communicator Sun ONE Directory Server Administration Guide June 2003 Configuring LDAP Clients to Use Security ldapsearch h host p securePort Z P home bjensen netscape cert7 db N certificateName K home bjensen netscape key3 db W keyPassword b dc example dc com givenname Richard The z option indicates certificate based authentication the certificateName specifies which certificate to send and the x and w options allow the client application to access the certificate so that it can be sent By not specifying the D and w options
Download Pdf Manuals
Related Search