Contents

Introduction
Netscape Directory Server Restricted Mode
Netscape Directory Server 4.1 Overview
Prerequisite Reading
What Is in This Book?
Conventions Used in This Book

Chapter 1
Administering Netscape Directory Server
Overview of Directory Server Management
Using the Directory Server Console
Opening the Directory Server Console
Binding to the Directory From Netscape Console
Viewing the Current Bind DN From Netscape Console
Starting and Stopping the Directory Server
Starting the Server with SSL Enabled
Starting the Server in Referral-Only Mode
Using the Command-Line Utilities
Finding the Command-Line Utilities
Setting Environment Variables
Directory Server Command-Line Scripts
Directory Server Configuration Files

Chapter 2
LDAP Data Interchange Format
LDIF File Format
Continued Lines
Base 64 Encoding
Creating Directory Entries Using LDIF
Specifying Organization Entries
Specifying Organizational Unit Entries
Specifying Organizational Person Entries
Defining Directories Using LDIF
LDIF File Example
Storing Information in Multiple Languages

Chapter 3
Extending the Directory Schema
Overview of Extending Schema
Turning Schema Checking On and Off
Managing Object Classes
Viewing Object Classes
Creating Object Classes
Editing Object Classes
Deleting Object Classes
Managing Attributes
Viewing Attributes
Creating Attributes
Editing Attributes
Deleting Attributes

Chapter 4
Managing Directory Server Databases
Managing Databases Using LDIF
Exporting Databases to LDIF
Exporting to LDIF Using the Server Console
Exporting to LDIF From the Command Line
ns-slapd and slapd Parameters for Exporting Databases
Database to LDIF Examples
Importing Databases From LDIF
Importing LDIF From the Server Console
Importing LDIF From the Command Line
slapd Parameters Used for LDIF Imports
LDIF to Database Examples
Deleting LDIF Files
Backing Up and Restoring Your Database
Backing Up Your Database From the Server Console
Backing Up Your Database From the Command Line
Restoring Your Database From the Server Console
Restoring Your Database From the Command Line
Deleting Database Backups
Restoring Databases That Include Replicated Entries
Placing a Database in Read-Only Mode
Setting Suffixes for Your Database
Enabling and Disabling Plug-Ins From the Server Console
Managing the Referential Integrity Plug-in
Managing Referential Integrity From the Server Console
Managing Referential Integrity From the Command Line
Configuring Referential Integrity for Replicated Environments
Changing the Integrity Update Interval
Modifying Which Attributes to Update
Managing Database Transaction Logging
Changing the Location of the Database Transaction Log
Changing the Database Checkpoint Interval
Disabling Durable Transactions

Chapter 5
Managing Access Control
Understanding Access Control
Targets
Targeting a Directory Entry
Targeting Attributes
Targeting Using LDAP Filters
Permissions
Allowing or Denying Access
Assigning Rights
Bind Rules
User and Group Access
Access From a Specific Machine or Domain
Access at a Specific Time of Day or Day of Week
Access Based on Authentication Method
Boolean Bind Rules
Setting Access Control Using the Server Console
Creating a New ACI
Editing an Existing ACI
Deleting an Existing ACI or ACR
Access Control Usage Examples
Setting Anonymous Access for Read, Search, and Compare
Allowing Users to Modify Their Own Directory Entries
Allowing Users to Change Some of Their Own Attributes
Granting a Group Full Access to a Suffix
Granting a Group Rights to Add and Delete Entries
Allowing Full Access to a Specific Branch Point
Allowing Access at a Specific Time of Day or Day of Week
Allowing Updates Only From a Specific Location
Allowing Access to a Suffix Over SSL Only
Setting a Target Using Filtering
Allowing Users to Add or Remove Themselves From a Group
Setting Access Control Using LDIF Files
The ACI Language Syntax
Setting Targets Using LDIF
Using the target Keyword
Using the targetattr Keyword
Using the targetfilter Keyword
Setting Permissions Using LDIF
Setting Bind Rules Using LDIF
Using the userdn Keyword
Using the groupdn Keyword
Using the userdnattr and groupdnattr Keywords
Using the ip Keyword
Using the dns Keyword
Using the timeofday Keyword
Using the dayofweek Keyword
Using the authmethod Keyword
Using Boolean Expressions in LDIF Bind Rules
ACI Usage Examples
Defining Permissions for All Users
Defining Anonymous Access
Defining Permissions for Individual Users
Defining Permissions for a Group of Users
Defining Permissions for a Specific Subtree
Defining Permissions for a Specific Location
Defining Permissions Based on the Day of Week or the Time of Day
Defining Permissions Based on Authentication Method
Defining Permissions for DNs That Contain a Comma
Overview of Proxied Authorization
Proxied Authorization ACI Syntax
Proxied Authorization ACI Example
Specifying Proxy Authorization Rights On a Target
Setting Proxy Rights Using the Server Console
Setting Proxy Rights Using the Command Line
Viewing the Access Control List for a Suffix

Chapter 6
Managing Password and Account Lockout Policies
Managing the Password Policy
Configuring the Password Policy
Password Policy Parameters
Password Change After Reset
User-Defined Passwords
Password Expiration
Expiration Warning
Password Syntax Checking
Password Length
Password Minimum Age
Password History
Password Storage Scheme
Managing the Account Lockout Policy
Configuring the Account Lockout Policy
Account Lockout Policy Parameters
Account Lockout
Password Failure Counter Reset
Lockout Duration
Setting User Passwords

Chapter 7
Managing Indexes
The Searching Algorithm
Types of Indexes
Presence Index
Equality Index
Approximate Index
Substring Index
International Index
Browsing Index
The Cost of Indexing
Slower Database Modification and Creation Times
Higher System Resource Use
Creating Indexes
System and Default Indexes
System Indexes
Default Indexes
Standard Index Files
Creating Indexes From the Server Console
Creating Indexes From the Command-Line
Adding Index Descriptions to slapd.ldbm.conf
Creating Indexes Using db2index
Removing Indexes
Removing Indexes Using the Server Console
Removing Standard Indexes Using the Command Line
Using Browsing Indexes
Creating Browsing Indexes
Removing Browsing Indexes
Managing All IDs Threshold
Benefits of the All IDs Mechanism
Drawbacks of the All IDs Mechanism
When All IDs Threshold is Too Low
When All IDs Threshold is Too High
All IDs Threshold Tuning Advice
Default All IDs Threshold Value
Symptoms of an Inappropriate All IDs Threshold Value
Changing the All IDs Threshold Value

Chapter 8
Finding Directory Entries
Finding Entries Using the Server Console
LDAP Search Filters
Search Filter Syntax
Using Attributes in Search Filters
Using Operators in Search Filters
Using Compound Search Filters
Boolean Operators
Search Filter Examples
Using ldapsearch
Using Special Characters
ldapsearch Command Line Format
Commonly Used ldapsearch Parameters
SSL Parameters
Additional ldapsearch Parameters
ldapsearch Examples
Returning All Entries
Specifying Search Filters on the Command Line
Searching the root DSE Entry
Searching the Schema Entry
Using LDAP_BASEDN
Displaying Subsets of Attributes
Specifying Search Filters Using a File
Specifying DNs that Contain Commas in Search Filters
Searching an Internationalized Directory
Supported Search Types
Matching Rule Filter Syntax
Matching Rule Formats
Using Wildcards in Matching Rule Filters
International Search Examples
Less Than Example
Less Than or Equal to Example
Equality Example
Greater Than or Equal to Example
Greater Than Example
Substring Example

Chapter 9
Managing Directory Entries
Managing Entries Using the Server Console
Managing Users, Groups, and Org. Units Using the Server Console
Adding Users, Groups, and Org. Units Using the Server Console
Modifying Users, Groups, and Org. Units Using the Server Console
Using the Property Editor to Manage Entries
Adding Other Types of Entries Using the Property Editor
Adding an Object Class to an Entry Using the Property Editor
Removing an Object Class From an Entry Using the Property Editor
Adding an Attribute Value to an Entry Using the Property Editor
Adding Values to an Attribute Using the Property Editor
Removing an Attribute Value From an Entry Using the Property Editor
Adding an Attribute Subtype Using the Property Editor
Deleting Entries Using the Server Console
Managing Entries Using the Command-Line Utilities
Using Special Characters
Providing Input From the Command Line
Adding Entries Using LDIF
Adding and Modifying Entries Using ldapmodify
Commonly Used ldapmodify Parameters
SSL Parameters
Additional ldapmodify Parameters
ldapmodify Example
Deleting Entries Using ldapdelete
Commonly Used ldapdelete Parameters
SSL Parameters
Additional ldapdelete Parameters
ldapdelete Examples
LDIF Update Statements
Adding an Entry Using LDIF
Using the ldapmodify -a Parameter
Renaming an Entry Using LDIF
A Note on Renaming Entries
Modifying an Entry Using LDIF
Adding Attributes to Existing Entries Using LDIF
Changing an Attribute Value Using LDIF
Deleting All Values of an Attribute Using LDIF
Deleting a Specific Attribute Value Using LDIF
Deleting an Entry Using LDIF
Modifying an Entry in an Internationalized Directory

Chapter 10
Managing Your Directory Server
Viewing and Configuring Log Files
Access Log
Viewing the Access Log
Configuring the Access Log
Error Log
Viewing the Error Log
Configuring the Error Log
Audit Log
Viewing the Audit Log
Configuring the Audit Log
Manual Log File Rotation
Monitoring Server Activity
Monitoring Your Server From the Server Console
General Information (Server)
Resource Summary
Current Resource Usage
Connection Status
Monitoring Your Server From the Command Line
Monitoring Database Activity
Monitoring Database Activity From the Server Console
General Information (Database)
Summary Information Table
Database Cache Information Table
Database File-Specific Table
Monitoring the Database From the Command-Line
Managing the Root DN
Tuning Performance
Tuning Server Performance
Tuning Database Performance
Managing Network and LDAP Settings
Changing Directory Server Port Numbers
Enabling the Directory Server to use the NT Synchronization Service
Placing the Entire Directory Server in Read-only Mode
Tracking Modifications to Directory Entries

Chapter 11
Managing SSL
Obtaining and Installing Server Certificates
Step 1: Generate a Certificate Request
Step 2: Send the Certificate Request
Step 3: Install the Certificate
Step 4: Trust the Certificate Authority
Step 5: Confirm That Your New Certificates Are Installed
Activating SSL
Setting Security Preferences
Using Certificate-Based Authentication
Creating Certificate Databases for LDAP Clients

Chapter 12
Managing FORTEZZA
What You Need To Do
Setting Up FORTEZZA
Step 1: Install the FORTEZZA PKCS #11 Module
Step 2: Create a Trust Database
Activating FORTEZZA
Starting the Server with FORTEZZA Enabled
Starting a FORTEZZA-Enabled Server From the Server Console (Windows NT Only)
Starting a FORTEZZA-Enabled Server From the Command Line
Disabling FORTEZZA
Specifying FORTEZZA Options
Using FORTEZZA With Client Authentication

Chapter 13
Managing Replication
Replication Overview
Managing Supplier-Initiated Replication (SIR)
Configuring Servers for SIR
Configuring the Supplier DN for SIR
Configuring the Change Log for SIR
Creating an SIR Agreement
Duplicating an SIR Agreement
Editing an SIR Agreement
Managing Consumer-Initiated Replication (CIR)
Configuring Servers for CIR
Configuring the Change Log for CIR
Providing Consumer Access to the Change Log for CIR
Creating a CIR Agreement
Duplicating a CIR Agreement
Editing a CIR Agreement
Removing the Change Log
Initializing Consumers
When to Initialize a Consumer
Online Consumer Creation
When You Should Use Online Consumer Creation
How to Use Online Consumer Creation
Manual Consumer Creation
Converting the Supplier Tree to LDIF
Importing the LDIF File to the Consumer Server
Monitoring Replication Status
Replication Algorithms
SIR Algorithm
CIR Algorithm
Machine data

Chapter 14
Managing Referrals
Understanding Referrals
Setting Default Referral URLs
Creating and Changing Smart Referrals
Creating Smart Referrals Using the Directory Server Console
Creating Smart Referrals From the Command-line

Chapter 15
NT Directory Synchronization
The Synchronization Service
Synchronization: NT to Directory Server
How NT Directory Changes Are Discovered
Creating User Entries
Creating Group Entries
Initially Creating Entries
Synchronization: Directory Server to NT
How Synchronization Occurs
Creating User Entries
Creating Group Entries
Creating Duplicate Entries
Deleting Entries
Modifying Entries
Associating an Existing Directory User with an NT User Account
Associating an Existing Directory Group with an NT Group
Disassociating a Directory User or Group from an NT User or Group
Concurrently Changing Directory Server and NT Account Values
The Synchronization Configuration Tool
About the OK, Cancel, Apply, and Help Buttons
Configuring Synchronization
Configuring Service Settings
Configuring Directory Server Settings
If the Selected UID is Not Unique
Scheduling Synchronization
Manually Performing Synchronization
Configuring Account Details
Surname-based NT Accounts
Starting and Stopping the Synchronization Service
Checking Synchronization Status
Turning Off SSL for the Synchronization Service
Troubleshooting Errors at Synchronization Time

Chapter 16
Managing SNMP
Understanding SNMP
SNMP Overview
NMS-Initiated Communication
Managed Device-Initiated Communication
The Directory Server MIB
The Operations Table
The Entries Table
The Interaction Table
Setting Up SNMP
Setting Up SNMP on Windows NT
Setting Up SNMP on Unix
Configuring the AIX SNMP Daemon (AIX Only)
Starting and Stopping the SNMP Subagent on Unix
Configuring SNMP for the Directory Server

Chapter 17
Configuration Parameters
Changing Configuration Parameter Values
Changing Parameter Values Using the Server Console
Changing Parameter Values Using slapd.conf
Changing Parameter Values Using slapd.ldbm.conf
General Server Parameters
Access Log
Access Log Enable Logging
Access Log Expiration Time
Access Log Expiration Time Unit
Access Log Maximum Disk Space
Access Log Maximum Log Size
Access Log Maximum Number of Log Files
Access Log Minimum Free Disk Space
Access Log Rotation Time
Access Log Rotation Time Unit
accessloglevel
Account Lockout
Attribute
Audit Log
Audit Log Enable Logging
Audit Log Expiration Time
Audit Log Expiration Time Unit
Audit Log Maximum Disk Space
Audit Log Maximum Log Size
Audit Log Maximum Number of Log Files
Audit Log Minimum Free Disk Space
Audit Log Rotation Time
Audit Log Rotation Time Unit
Certificate and Key Directory
Changelog DB Directory
Changelog Suffix
Check Password Syntax
Enable Access Control
Enable Online Consumer Creation
Enable Superior Object Class Enquoting
Encrypted Port Number
Encryption Alias
Encryption Ciphers
Error Log
Error Log Enable Logging
Error Log Expiration Time
Error Log Expiration Time Unit
Error Log Maximum Disk Space
Error Log Maximum Log Size
Error Log Maximum Number of Log Files
Error Log Minimum Free Disk Space
Error Log Rotation Time
Error Log Rotation Time Unit
Idle Timeout
Instance Directory
IO Block Time Out
Listen to IP Address
Local User
Lockout Duration
Log Buffering
Log Level
Max Changelog Age
Max Changelog Records
Maximum File Descriptors
Maximum Message Size
Maximum Password Failures
Maximum Threads Per Connection
nagle
NLS
NT Synchronization Service Enabled
NT Synchronization Service Port Number
NT Synchronization Service Use SSL
Number of Passwords to Remember
Object Class
Password Change
Password Expiration
Password History
Password Maximum Age
Password Minimum Age
Password Minimum Length
Password Must Change
Password Storage Scheme
Port Number
Referral
Reserved File Descriptors
Reset Password Failure Count After
result_tweak
Return Exact Case
Root DN
Root Password
Root Password Storage Scheme
Schema Checking
Security
Send Warning
Size Limit
Supplier DN
Supplier Password
Supplier SSL Clients
Thread Number
Time Limit
Track Modification Time
Unlock Account
User-Defined Attributes File
User-Defined Object Class File
Database Parameters
All IDs Threshold
Attribute to be Indexed
Database
Database Checkpoint Interval
Database Configuration File
Database Directory
Database Durable Transactions
Database Transaction Log Directory
db_home_directory
Look Through Limit
Maximum Cache Size
Maximum Entries in Cache
Mode
Read-only
Suffix

Appendix A
LDAP URLs
Components of an LDAP URL
Escaping Unsafe Characters
Examples of LDAP URLs

Appendix B
Internationalization
Identifying Supported Locales
Supported Language Subtypes

Appendix C
UI Reference
Confirmation Preferences Dialog Box
Import Database Dialog Box (Import Command)
Export Database Dialog Box (Export Command)
Settings Tab (Root Node)
Performance Tab (Root Node)
Encryption Tab (Root Node)
Encryption Preferences Dialog Box
SNMP Tab (Root Node)
Manager Tab (Root Node)
Indexes Tab (Database)
New Attribute Dialog Box
Passwords Tab (Database)
Account Lockout Tab (Database)
Performance Tab (Database)
Settings Tab (Database)
Backup Directory Dialog Box
Restore Directory Dialog Box
Object Classes Tab
Create or Edit Object Class Dialog Box
Attributes Tab
Create or Edit Attribute Dialog Box
Matching Rules Tab
Replication Status Tab
Consumer Server Settings Tab
Supplier Server Settings Tab
Replication Agreement Wizard Dialog Box
Agreement Name Dialog Box
Source and Destination Dialog Box
Host Info Dialog Box
Scheduling Dialog Box
Consumer Initialization Dialog Box
Summary Dialog Box
Summary Tab (Supplier-Initiated or Consumer-Initiated Agreements Folder)
Schedule Tab (Supplier-Initiated or Consumer-Initiated Agreements Folder)
Content Tab (Supplier-Initiated or Consumer-Initiated Agreements Folder)
Access Log Tab (Status Tab)
Access Log Tab (Configuration Tab)
Error Log Tab (Status Tab)
Error Log Tab (Configuration Tab)
Audit Log Tab (Status Tab)
Audit Log Tab (Configuration Tab)
Plugins Tabs
Server Tab (Performance Counters)
Database Tab (Performance Counters)
Property Editor Dialog Box
File Menu Commands (Property Editor)
Edit Menu Commands (Property Editor)
View Menu Commands (Property Editor)
Add Object Class Dialog Box
Add Attribute Dialog Box
Search Users and Groups By Filter Dialog Box
Configure New Instance Dialog Box
Subtree Selection Dialog Box

Glossary

Index