This chapter provides an introduction to the Sun JavaTM System Directory Server Enterprise Edition components, describes the new administration model, and summarizes the latest features. This chapter covers the following topics:
Directory Server Enterprise Edition (DSEE) serves as the backbone to an enterprise identity infrastructure. DSEE includes the following components:
Directory Service Control Center (DSCC). Provides a browser-based administration interface to handle the configuration of directory and directory proxy services.
Directory Server. Provides the highly scalable, secure, flexible means to store and manage identity data.
Directory Proxy Server. Enhances security, offers virtual directory capabilities, and further increases directory service availability and scalability.
Identity Synchronization for Windows. Brings bidirectional, on-demand synchronization with Microsoft Active Directory and with Microsoft Windows NT SAM Registry.
Directory Editor. Offers a configurable, browser-based user interface to manage directory content.
Directory Server Resource Kit (DSRK). Includes a set of utilities to access and tune directory services. The DSRK supports the Lightweight Directory Access Protocol (LDAP) v2 and v3, and the Directory Services Markup Language (DSML) v2. You can use the DSRK to create custom applications to access your directory data.
DSEE includes a completely new administration architecture. Before you can evaluate the features of DSEE, you need to understand the basics of this new architecture.
In DSEE 6.x, all previous administrative interfaces (the Java console and the ldapmodify and ldapsearch commands) are replaced by two new administrative interfaces:
A web-based console
A command-line interface
As an administrator, you can perform most administrative tasks with either interface. The following figure illustrates the DSEE administration framework.
This administration framework supports Directory Server and Directory Proxy Server and consists of the following components:
Directory Service Control Center (DSCC). The graphical user interface used to administer Directory Server and Directory Proxy Server instances. The DSCC plugs into the Sun Java Web Console. The DSCC registry maintains a list of registered Directory Servers and Directory Proxy Servers and enables you to group multiple server instances into a single directory service.
DSCC agents. One DSCC agent runs on each server through which you remotely administer Directory Server or Directory Proxy Server. The DSCC agent runs the local Directory Server and Directory Proxy Server commands for administering local instances of Directory Server.
Directory Server and Directory Proxy Server product installation on local or remote servers.
Directory Server and Directory Proxy Server instances created on local or remote servers.
Although this guide provides information about both the console and the command-line interface (CLI), the console is usually shown when illustrating a feature.
For a more in-depth description of the new administration model, see Directory Server Enterprise Edition Administration Model in Sun Java System Directory Server Enterprise Edition 6.2 Deployment Planning Guide.
This section describes the main new features and enhancements in all of the component products of DSEE and includes the following information:
The following sections contain the new features list for DSEE 6.1. For the list of new features in this release, see What’s New in Directory Server Enterprise Edition 6.2 in Sun Java System Directory Server Enterprise Edition 6.2 Release Notes.
General DSEE enhancements include the following:
Web-based administration interface (Directory Service Control Center). The DSCC provides a graphical user interface for managing individual Directory Server and Directory Proxy Server instances, as well as groups of servers. The DSCC therefore enables a unified view of an entire directory service topology.
Global account lockout. You can configure global account lockout for a directory service topology so that a user account is locked, due to consecutive failures to bind, across the entire collection of servers.
A Web archive (WAR) that contains the DSCC. This WAR file can be deployed on an application server, allowing you to install the DSCC when using the ZIP distribution.
Directory Server 6.1 includes the following new features and enhancements:
Service manageability command-line tools. Directory Server includes new tools to facilitate command-line management of the server.
Replication enhancements. These enhancements include: no fixed limit to the number of replication masters, the ability to prioritize replication, a global retro changelog, replicated account lockout data, fast replication restart for recovery (minutes or less), and a fast count of pending replication changes so that you can get accurate status on replication convergence.
Security enhancements. These enhancements include: additional connection-based access control files, rejection of binds with no password, forced password change after reset, multiple directory superusers, changes to passwords using the LDAP Password Modify Extended Operation specified in RFC 3062, last login time tracking, enhanced auditing for updates performed using proxy authorization, and improved ACI processing performance.
Enhanced password policy. The new password policy provides a grace login limit, safe password modifications, as well as two new controls, passwordPolicyRequest and passwordPolicyResponse. These controls enable LDAP clients to obtain account status information on LDAP add, delete, modrdn, compare, and search operations. The password policy can now be applied to proxy authentication to prevent client operations when an account is locked.
New operational attribute for group membership. Entries that are members of static groups now have the operational attribute isMemberOf, which holds the DNs of the static groups to which the members belong.
Enhancements to static group management. These enhancements include performance improvements for large, multi-valued attributes and membership testing for group entries.
More configuration changes while the server is online. You can change the configuration of suffixes, indexes, schema, and the replication topology while the server is running.
Attribute syntax validation on update. When syntax checking is on, all import and update operations are checked to ensure that updated attributes adhere to the syntax definitions.
Threshold on heap memory. When the threshold is reached, Directory Server attempts to free memory from the entry caches.
Frozen mode for database backup. You can stop database updates on disk so that a file system snapshot can be taken safely
Log management improvements. This version of Directory Server brings improvements to time-based log rotation, rotate now functionality for access, error, and audit logs, and configurable permissions for log files. It also provides more flexible logging of users involved in proxy authorization.
Fine-grained all IDs threshold configuration. You can configure the all IDs threshold individually for each index, saving you disk space.
Plug-in call ordering. For further information, see Ordering Plug-In Calls in Sun Java System Directory Server Enterprise Edition 6.2 Developer’s Guide.
SNMP monitoring support. Directory Server now supports the Mail and Directory Management Information Base (MADMAN MIB) for use with Simple Network Management Protocol (SNMP) monitoring agents as described in RFC 2605.
Monitoring using the Sun Java Enterprise System Monitoring Console. Directory Server supports the use of the Monitoring Console to view monitored data and to produce threshold alarms.
LDAP utilities and character sets for passwords. The LDAP command-line utilities now convert passwords entered on the command line to UTF8 by default.
In LDAP, userPassword values are binary. The server therefore sees a password as a string of bytes, which is often not the way that the user sees a password. By converting passwords that a user enters to UTF8, the utilities make it possible for passwords entered on one system to be entered on another system.
More LDAP controls and extended operations. Directory Server now supports additional LDAP controls and extended operations.
For a complete list of LDAP controls, see the controls(5dsconf) man page.
For a complete list of extended operations, see the extended-operations(5dsconf) man page.
Database data compaction. Directory Server now allows you to compact the database files to gain space and reduce backup time.
For more information about compacting your database files, see the dsadm(1M) man page.
Migration tools to help you upgrade from Directory Server 5.1. Directory Server provides the dsmig tool to help you migrate your schema, security information, and configuration information including replication.
Improved write and search performance. Directory Server includes improvements to the performance of almost all operations.
Directory Proxy Server 6.1 includes the following new features and enhancements:
Virtual directory. The virtual directory enables you to define how data is displayed to LDAP client applications, define virtual domains that aggregate data from multiple data sources, map attribute names and values to suit LDAP application and multiple disparate data sources, access data repositories that are compliant with the JDBCTM technology, and access flat LDAP Data Interchange Format (LDIF) file resources.
New, richer architecture. To make new functionality possible, the Directory Proxy Server architecture has changed significantly.
Directory data distribution. You can distribute directory data using the proxy, enabling much higher scalability for write operations.
Operation-based routing. Directory Proxy Server can route different LDAP operations on the same client connection to different servers and enable successive requests on the same client connection to be sent to the same LDAP servers.
Full command-line and web-based administrative capabilities. Directory Proxy Server now provides complete administrative capabilities both on the command line and through the Directory Service Control Center.
Administrative alerts. You can configure what Directory Proxy Server does when an alert occurs, such as sending email or running a script.
DN and attribute rewriting. You can configure Directory Proxy Server to automatically modify the DN, attribute types, and attribute values of entries such that a client application view of an entry can be significantly different that what is stored in the directory.
Fewer server restarts. Directory Proxy Server now requires fewer configuration-related restarts than ever before, making it easier to respond automatically to the need for changes in how the server behaves.
Logging aligned with Directory Server. Directory Proxy Server log files now fit more effectively with those of Directory Server. Their formats are very similar, and they allow you to trace requests through Directory Proxy Server to Directory Server and back to client applications.
Improved resource management. Directory Proxy Server now pools connections to data sources such as Directory Server and can use proxy authentication to further reduce resources used to establish connections, and to authenticate repeatedly.
Schema management. Directory Proxy Server generates a single schema from multiple heterogeneous data sources, performs schema checking, and performs attribute value syntax checking.
Access controls. Directory Proxy Server supports access control instructions (ACIs) that determine which permissions are granted to users.
Data views can be used in multiple joins. Directory Proxy Server allows you to create a new join that combines a new data view with an existing data view without any restrictions.
Extended JDBC support. JDBC now supported for Java DB® 10.2 , Oracle® 9i and 10g, DB2® v9.1, and MySQL® 5.0.
Improved write and search performance. Directory Proxy Server includes improvements to JDBC performance and RDBMS operation response time.
Support modifications to multiple RDBMS tables. Directory Proxy Server can now take a single LDAP modification and apply it to multiple RDBMS tables.
Identity Synchronization for Windows includes the following new features and enhancements:
Group synchronization with Active Directory. Identity synchronization between Directory Server and Active Directory is simplified because you can map a group on Directory Server to Microsoft Active Directory domain global distribution groups and domain global security groups.
Failover support for multiple master replicas. For more information about failover support, see Appendix E, Identity Synchronization for Windows Installation Notes for Replicated Environments, in Sun Java System Directory Server Enterprise Edition 6.2 Installation Guide.
Account lockout synchronization with Active Directory. Identity Synchronization for Windows synchronizes account lockout information between Directory Server and Active Directory, improving security coherency between the two directories.
No need for a local Directory Server. A Directory Server instance does not need to be installed on the system that is running Identity Synchronization for Windows. When the installer does not find a local Administration Server, the installer adds the Administration Server at the specified server root location, so you do not have to install the Directory Server software.
Integrated Directory Server Plug-in. The Identity Synchronization for Windows plug-in for Directory Server is now installed with Directory Server rather than Identity Synchronization for Windows. The installer provides an option to configure the plug-in while installing the Directory Server Connector. The same option is available through the command line interface.
Support for Red Hat Linux. Identity Synchronization for Windows now supports Red Hat Linux.