Chapter 1 Administering Netscape Directory Server

The Netscape Directory Server simplifies management and retrieval of corporate user information. Using the directory server, corporate IS organizations can manage all their user information from a single point of control, and corporate users can retrieve this information from multiple, easily accessible network locations.

The Netscape Directory Server product ships with a directory server, an administration server, and Netscape Console.

This chapter provides the information you need to get started administering the directory server, in the following sections:

  Overview of Directory Server Management
  Using the Directory Server Console
  Starting and Stopping the Directory Server
  Starting the Server with SSL Enabled
  Starting the Server in Referral-Only Mode
  Using the Command-Line Utilities
  Directory Server Command-Line Scripts
  Directory Server Configuration Files


Overview of Directory Server Management
Netscape Directory Server is based on an open, standards-based protocol, the Lightweight Directory Access Protocol (LDAP). The directory server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources. It runs as the ns-slapd process on Unix or as the slapd service on Windows NT; the server process manages the directory databases and responds to client requests.

You perform most Directory Server administrative tasks through the Administration Server, a second server that Netscape provides to help you manage the Directory Server and all other Netscape servers. You interact with the Administration Server through Netscape Console; the Directory Server Console is the part of Netscape Console designed specifically for use with Netscape Directory Server.

You can perform most directory server administrative tasks from the Directory Server Console. You can also perform administrative tasks manually by editing the configuration files or by using command-line utilities. For more information about Netscape Console, see Managing Servers with Netscape Console.


Using the Directory Server Console
The Directory Server Console is the graphical interface for most administrative tasks. This section describes how to open it, how to bind to the directory as a particular user, and how to see which bind DN you are currently using.

Opening the Directory Server Console

You bring up the Directory Server Console from the Netscape Console, which is described in Managing Servers with Netscape Console. See Installing the Netscape Directory Server for information on installing the server.

To open the Directory Server Console from Netscape Console:

  1. On the Console tab, open the folder designated by the domain in which the directory server resides, for example, airius.com.
  2. Open the folder designated by the hostname of the directory server, for example, dirserver.airius.com.
  3. Expand the Server Group folder.
  4. Double-click the Directory Server entry (for example, slapd-phonebook).

This brings up the Directory Server Console with the Tasks tab displayed by default.

Binding to the Directory From Netscape Console

When you create or manage entries from the Directory Server Console, and when you first access Netscape Console, you are given the option to log in by providing a bind DN and a password. The bind DN is the identity under which you access the directory tree; the directory's access control (see Chapter 5, "Managing Access Control") uses that identity to decide whether you may perform each requested operation.

You can log in with the root DN when you first bring up Netscape Console. If you choose not to do this, you can log in as the root DN or as a different user from the Directory Server Console.

To log in from the Directory Server Console:

  1. On the Directory Server Console, select the Tasks tab.
  2. Click "Log on to the Directory Server as a New User". A login dialog box appears.
  3. In the Distinguished Name text box, enter the full distinguished name of the entry with which you want to bind to the server. For example, if you want to bind as the root DN and the root DN is Directory Manager, enter:

    cn=Directory Manager

    For more information about the root DN and password, refer to "Managing the Root DN".

  4. Enter the password and click OK.

Do not perform daily administrative tasks using the directory manager as your bind DN. The root DN is not subject to the directory's access control, so nothing limits the effect of a mistaken operation performed while bound as it. Instead, set up a directory server administrator account with the access control privileges required for the most common tasks you perform. For information on how to do this, see Managing Servers with Netscape Console.

Viewing the Current Bind DN From Netscape Console

You can view the bind DN you used to log in to the Directory Server Console by clicking the login icon in the lower-left corner of the display. The current bind DN appears next to the login icon, as shown in Figure 1.1.

Figure 1.1 Viewing the bind DN


Starting and Stopping the Directory Server
If you are not using Secure Sockets Layer (SSL), you can start and stop the directory server using any of the methods listed here. If you are using SSL, see "Starting the Server with SSL Enabled".

From the Directory Server Console. On the Tasks tab, click "Start the Directory Server" or "Stop the Directory Server" as appropriate.

When you successfully start or stop your directory server from the server console, the server displays a message box stating either that the server started or that it has shut down.

From the Windows NT Services Control Panel.

  1. Select Start|Settings|Control Panel from the desktop.
  2. Double-click the Services icon.
  3. Scroll through the list of services and select the Netscape Directory Server. The service name is Netscape Directory Server 4.0 (<serverID>), where <serverID> is the identifier you gave the server when you installed it.
  4. Click Start or Stop to start or stop the service.

From the Unix or Windows NT command line. Use one of the following scripts:

<NSHOME>/slapd-<serverID>/start-slapd

or

<NSHOME>/slapd-<serverID>/stop-slapd

where <NSHOME> is the location where your server is installed, and <serverID> is the identifier you gave the server when you installed it.

On Unix, both of these scripts must run with the same UID and GID as the directory server itself. For example, if the directory server runs as nobody, run start-slapd and stop-slapd as nobody (for instance, via su), not as root or as your own account.


Starting the Server with SSL Enabled
On Windows NT, if you are using SSL with your server, you must start the server from the server's host machine, because a dialog box prompts you for the certificate database PIN before the server will start. For security reasons, this dialog box appears only on the server's host machine.

On Unix, you must start the server from the command line so that you can enter the PIN when the server prompts for it.

Alternatively, on either platform, you can create a password file that stores your certificate database password. With the password in a file, you can start the server from the server console, and the server can restart automatically when running unattended.

The password is stored in clear text in this file, so using it is a significant security risk: anyone who can read the file can unlock the server's key database and with it the server's private key. Do not use a password file if your server runs in an unsecured environment. If you do use one, make the file owned by the user the server runs as and readable by that user alone.

The password file must be placed in the following location:

<NSHOME>/alias/slapd-<serverID>-password.txt

where <NSHOME> is the location where your server is installed, and <serverID> is the identifier you gave the server when you installed it.

You create certificate databases using the administration server and the Certificate Setup Wizard. For information on certificate databases, certificate aliases, SSL, and obtaining a server certificate, see Managing Servers with Netscape Console. For information on using SSL with your directory server, see Chapter  11, "Managing SSL."
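As an added illustration of the caveat above (this is editor-supplied example code, not part of the Netscape product or its scripts), the following Python functions create the certificate password file with a restrictive mode from the moment it exists and check an existing file before the server is started. The path layout is the one given above; the function names, the list of checks and the decision to refuse symbolic links are this example's own choices, and because the exact text the server expects inside the file is not shown on this page, the writer stores whatever contents you pass it.

```python
import os
import stat
import tempfile


def pin_file_path(nshome, server_id):
    """Password file location from this chapter:
    <NSHOME>/alias/slapd-<serverID>-password.txt"""
    return os.path.join(nshome, "alias", "slapd-%s-password.txt" % server_id)


def write_pin_file(path, contents):
    """Create the password file readable by its owner only (mode 0600).

    O_CREAT|O_EXCL makes the call fail if the path already exists, so it never
    follows a pre-planted symbolic link or silently overwrites a file, and the
    mode is set at creation rather than by a later chmod (no window in which
    the file is readable by others). Run this as the user the server runs as.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(contents)


def check_pin_file(path, server_uid):
    """Return a list of problems with the password file; [] means acceptable.

    Checks, in order: the file exists and is a regular file (not a symlink),
    it is owned by the UID the directory server runs as, no group or other
    permission bits are set, and it is not empty.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["%s is a symbolic link" % path]
    if not stat.S_ISREG(st.st_mode):
        return ["%s is not a regular file" % path]
    problems = []
    if st.st_uid != server_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, server_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode %04o allows group/other access; use 0600" % mode)
    if st.st_size == 0:
        problems.append("file is empty")
    return problems


if __name__ == "__main__":
    # Constructed demonstration in a scratch directory standing in for <NSHOME>.
    nshome = tempfile.mkdtemp()
    os.mkdir(os.path.join(nshome, "alias"))
    path = pin_file_path(nshome, "phonebook")
    write_pin_file(path, "example-pin\n")          # constructed value, not a real PIN
    print("fresh file:", check_pin_file(path, os.getuid()) or "ok")
    os.chmod(path, 0o644)                            # loosen it to show the check firing
    print("after chmod 644:", check_pin_file(path, os.getuid()))
```

A start-up wrapper around start-slapd can call check_pin_file with the server's UID and refuse to start when the list is non-empty; that turns the warning in this section into something enforced rather than remembered.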


Starting the Server in Referral-Only Mode
You can also start the server in referral-only mode. You might want to do this if you're making configuration changes to the directory server and you want all clients to be referred to another master for the duration. There are two ways to configure the server to start up in referral-only mode:


Using the Command-Line Utilities
Netscape Directory Server comes with a robust set of command-line utilities that you can use to manage the entries in your directory. The most important of these are listed in Table 1.1.

Table 1.1 Commonly used command-line utilities

  aclupg
      Upgrades LDIF formatted with the 1.x access control statements to the 4.0 ACI format. See the Netscape Directory Server Installation Guide for more information.

  ldapdelete
      Deletes entries from the directory. For information on using this utility, see "Deleting Entries Using ldapdelete".

  ldapsearch
      Searches the directory and returns the results in LDIF format. For details on this tool, see Chapter 8, "Finding Directory Entries."

  ldapmodify
      Adds, deletes, modifies, or renames entries. All operations are specified using LDIF update statements. For details on this tool, see "Adding and Modifying Entries Using ldapmodify".

  ns-slapd (Unix), slapd (Windows NT)
      Starts the directory server process, builds a directory database from an LDIF file, or converts an existing database to an LDIF file. For details, see

  ldif
      Formats LDIF files for you, creating base 64 encoded attribute values where they are needed. For details on this tool, see "Base 64 Encoding".

Finding the Command-Line Utilities

Most of the directory server's command line utilities are stored in a single location. You can find them in the following directory:

<NSHOME>/bin/slapd/server

where <NSHOME> is your server installation directory.

The remaining three—ldapdelete, ldapmodify, and ldapsearch—are stored in the following directory:

<NSHOME>/shared/bin

where <NSHOME> is your server installation directory.

Warning. The command-line utilities in these directories that are not described in this manual are used internally by the directory server. Their use outside of that environment is not recommended.

Setting Environment Variables

On Windows NT, before using the command-line utilities, set your PATH variable to include the locations of the directory server command-line utilities:

<NSHOME>/bin/slapd/server

and

<NSHOME>/shared/bin

For information on how to set environment variables, see the documentation available for your operating system.

On Unix, to run the command-line utilities, change to the directory where they are stored.


Directory Server Command-Line Scripts
In addition to the command-line utilities described in "Using the Command-Line Utilities", the Netscape Directory Server provides several scripts you can use to invoke the utilities with the most common options set. These scripts are stored in the following directory:

<NSHOME>/slapd-<serverID>/

All of these scripts assume that you want to use the slapd.conf file located in

<NSHOME>/slapd-<serverID>/config/

You can copy these scripts and modify your copies to suit your needs. In general, the rest of this manual does not describe the use of these scripts. Some of the most commonly used scripts are listed in Table  1.2.

Table 1.2 Commonly used command-line scripts

  bak2db
      Restores the database from the most recent archived backup.
      Syntax: bak2db [backup_directory]

  db2bak
      Creates a backup of the current database contents. For more information, see "Backing Up Your Database From the Command Line".
      Syntax: db2bak [backup_directory]

  db2ldif
      Exports the contents of the database to LDIF. By default, the server stores the LDIF file in <NSHOME>/slapd-<serverID>/ldif/.
      Syntax: db2ldif <ldif_filename> [-s <include suffix>] [-x <exclude suffix>]

  getpwenc
      Prints the hashed (encoded) form of a password using one of the server's password storage schemes. If a user cannot log in, you can use this script to compare the user's password with the value stored in the directory. Note that sha is unsalted, so its output can be compared directly with the stored value, whereas a crypt hash depends on its salt, so two crypt encodings of the same password need not be identical.
      Syntax: getpwenc sha <password>
      or: getpwenc crypt <password>

  ldif2db
      Runs the slapd (Windows NT) or ns-slapd (Unix) command-line utility with the ldif2db keyword. By default, the script first saves, and then merges, any existing configuration tree (o=NetscapeRoot) with the files to be imported. Specify -noconfig if you want to overwrite the configuration information instead.
      Warning. Netscape recommends that you do not overwrite the configuration data unless instructed to do so by Netscape Technical Support.
      Syntax: ldif2db [-noconfig] -i <ldif filename> [-i <ldif filename>] ... [-s <include suffix>] [-x <exclude suffix>]

  monitor
      Retrieves performance monitoring information using the ldapsearch command-line utility. See "Using ldapsearch" for more information on ldapsearch.
      Syntax: monitor -b <baseDN> [options] filter
      or: monitor "cn=monitor" <port>

  restart-slapd
      Restarts the directory server.
      Syntax: restart-slapd

  start-slapd
      Starts the directory server.
      Syntax: start-slapd

  stop-slapd
      Stops the directory server.
      Syntax: stop-slapd

  vlvindex
      Reserved.
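Table 1.2 describes getpwenc as a way to compare a user's password with the stored value. The following is editor-added Python (not the getpwenc script or any Netscape code) that performs that comparison for the two schemes the script offers, taking a userPassword value in the {SHA}value or {CRYPT}value form. It assumes those two storage formats (base64 of an unsalted SHA-1 digest for sha, standard crypt(3) output for crypt), which this editor understands to be Netscape's; the function names and the sample hash in the usage block are the example's own and the hash is constructed from the password "password".

```python
import base64
import hashlib
import hmac

try:
    import crypt                     # crypt(3) wrapper; removed in Python 3.13
except ImportError:
    crypt = None


def sha_value(password):
    """Value part of a {SHA} userPassword: base64 of the unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def encode_sha(password):
    """Full stored form, the shape a {SHA} userPassword value takes."""
    return "{SHA}" + sha_value(password)


def crypt_value(password, setting):
    """Value part of a {CRYPT} userPassword. 'setting' is either a fresh salt or
    an existing hash; crypt(3) takes the salt (and, for modular formats, the
    algorithm) from it, which is what makes comparison against a stored hash
    possible."""
    if crypt is None:
        raise RuntimeError("crypt(3) is not available in this Python build")
    return crypt.crypt(password, setting)


def split_scheme(stored):
    """Split '{SCHEME}value' into ('SCHEME', 'value'). Tags are matched
    case-insensitively; a value with no tag is rejected rather than guessed."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no storage scheme tag in stored value")
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def verify_userpassword(password, stored):
    """True if 'password' hashes to the stored userPassword value.

    {SHA}: re-hash and compare (no salt, so the encoding is deterministic).
    {CRYPT}: re-hash using the stored hash as the setting so the same salt is
    applied. Comparison uses hmac.compare_digest so the time taken does not
    depend on how many leading characters happen to match.
    """
    scheme, value = split_scheme(stored)
    if scheme == "SHA":
        candidate = sha_value(password)
    elif scheme == "CRYPT":
        candidate = crypt_value(password, value)
    else:
        raise ValueError("unsupported password storage scheme: " + scheme)
    return hmac.compare_digest(candidate.encode("utf-8"), value.encode("utf-8"))


if __name__ == "__main__":
    # Constructed example: the {SHA} form of the password "password".
    stored = encode_sha("password")
    print(stored)                                     # {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
    print(verify_userpassword("password", stored))    # True
    print(verify_userpassword("Password", stored))    # False
```

The {SHA} case shows why the table's comparison is direct: the encoding has no salt, so the same password always produces the same string. For crypt, the stored hash supplies the salt, which is why the function passes the stored value rather than a fresh salt to crypt(3); a crypt encoding made with a different salt will not match even for the right password.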


Directory Server Configuration Files
You can also perform many administrative tasks manually by editing the directory server's configuration files. There are two main configuration files:

All of the directory server's configuration files are located in the following directory:

<NSHOME>/slapd-<serverID>/config

where <NSHOME> is your server installation directory and <serverID> is the server identifier that you defined when you installed your directory server. Thus, if you installed your directory server in /usr/dirserver and you selected a server identifier of phonebook, then your configuration files are all stored under

/usr/dirserver/slapd-phonebook/config

 

© Copyright 1998 Netscape Communications Corporation