Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)

Directory Server Command-Line Tools

Most tasks you perform on DSCC can be performed using command-line tools. These tools enable you to manage Directory Server directly from the command line, and to manage your server by using scripts.

The main directory server commands are dsadm, dsconf, and dsutil. You can use these commands to perform backups, export to LDIF, manage certificates, manage the administration of users or roles, and so on. For information about these commands, see the dsadm(1M), dsconf(1M), and dsutil(1M) man pages.

The dsconf, dsmig, dsccmon, and dsutil commands are LDAP-based, so you must specify the user bind DN and password for these commands to authenticate. The dpadm and dsadm commands, by contrast, operate on the instance files.

This section contains the following information about Directory Server command-line tools:

Location of Directory Server Commands

The Directory Server command-line tools are contained in a default installation directory:

install-path/bin

The directory for your installation depends on your operating system. Installation paths for all operating systems are listed in Default Paths and Command Locations.

Setting Environment Variables for dsconf

The dsconf command requires some options that you can preset by using environment variables. If you do not specify an option when using the command, or do not set the environment variable, the default setting is used. You can configure environment variables for the following options:

-D user DN

User bind DN. Environment variable: LDAP_ADMIN_USER. Default: cn=Directory Manager.

-w password-file

Password file for the user bind DN. Environment variable: LDAP_ADMIN_PWF. Default: Prompt for password.

-h host

Host name. Environment variable: DIRSERV_HOST. Default: local host.

-p LDAP-port

LDAP port number. Environment variable: DIRSERV_PORT. Default: 389.

-e, --unsecured

Specifies that dsconf should open a clear connection by default. Environment variable: DIRSERV_UNSECURED. If this variable is not set, dsconf opens a secure connection by default.

For more details, see the dsconf(1M) man page.
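
The following preflight check is an added example, not part of the original guide or of Oracle's tooling. It resolves the environment variables and defaults listed above and flags two risky settings: a password file readable by group or others, and DIRSERV_UNSECURED being set. The function names are hypothetical, and treating any set value of DIRSERV_UNSECURED as "clear" is an assumption.

```shell
#!/bin/sh
# Added example, not Oracle's code. Function names are hypothetical.

# Print the value dsconf would use for each option, applying the defaults
# listed above when the environment variable is unset or empty.
dsconf_effective() {
    echo "user=${LDAP_ADMIN_USER:-cn=Directory Manager}"
    echo "pwfile=${LDAP_ADMIN_PWF:-none, prompt for password}"
    echo "host=${DIRSERV_HOST:-local host}"
    echo "port=${DIRSERV_PORT:-389}"
    # Assumption: any set value of DIRSERV_UNSECURED selects a clear connection.
    if [ -n "${DIRSERV_UNSECURED+set}" ]; then
        echo "connection=clear"
    else
        echo "connection=secure"
    fi
}

# Return 0 only if the password file is a regular file that grants no
# permissions to group or others (characters 5-10 of the ls mode string).
pwfile_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld -- "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print a warning for each risky setting; return 1 if any warning was printed.
dsconf_preflight() {
    rc=0
    if [ -n "${LDAP_ADMIN_PWF:-}" ] && ! pwfile_is_private "$LDAP_ADMIN_PWF"; then
        echo "WARN: LDAP_ADMIN_PWF is missing or readable by group/others"
        rc=1
    fi
    if [ -n "${DIRSERV_UNSECURED+set}" ]; then
        echo "WARN: DIRSERV_UNSECURED is set; dsconf will use a clear connection"
        rc=1
    fi
    return $rc
}

dsconf_effective
dsconf_preflight || true
```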

Comparison of dsadm and dsconf

The following table shows a comparison of the dsadm and dsconf commands.

Table 1-1 Comparison of the dsadm and dsconf Commands

dsadm Command

Description: Administration commands that must be run directly on the local host. For example:

  • Starting and stopping the server
  • Creating a server instance

Notes:

  • The server must be stopped (except for the dsadm stop and dsadm info commands).
  • The server is identified by the server instance path (instance-path).
  • You must have OS access permissions to the server instance path.

dsconf Command

Description: Administration commands that can be run from a remote host. For example:

  • Enabling replication
  • Setting cache size

Notes:

  • The server must be running.
  • The server is identified by host name (-h), port (-p), or LDAPS secure port (-P).
  • If you do not specify a port number, dsconf uses the default port (389 for LDAP).
  • You must have LDAP access permissions to configuration data, for example, as the user cn=admin,cn=Administrators,cn=config.

Obtaining Help for Using dsadm, dsconf, and dsutil

For complete information about how to use the dsadm, dsconf, and dsutil commands, see the dsadm(1M), dsconf(1M), and dsutil(1M) man pages.

Modifying Configuration Properties by Using dsconf

Many of the dsconf subcommands enable you to view and modify configuration properties.

For more information about individual properties, see the man page for that property. The man pages are in Oracle Directory Server Enterprise Edition Man Page Reference.

Setting Multi-Valued Properties With dsconf

Certain Directory Server properties can take multiple values. The syntax to specify these values is as follows:

$ dsconf set-container-prop -h host -p port container-name \
 property:value1 property:value2

For example, to set multiple encryption ciphers for a server, use the following command:

$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
 ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

To add a value to a multi-valued property that already contains values, use the following syntax:

$ dsconf set-container-prop -h host -p port container-name property+:value

To remove a value from a multi-valued property that already contains values, use the following syntax:

$ dsconf set-container-prop -h host -p port container-name property-:value

For example, in the scenario described previously, to add the SHA encryption cipher to the list of ciphers, run this command:

$ dsconf set-server-prop -h host1 -p 1389 \
 ssl-cipher-family+:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

To remove the MD5 cipher from the list, run this command:

$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family-:SSL_RSA_WITH_RC4_128_MD5
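
The removal syntax above lends itself to scripted cipher hygiene. The following added example (not part of the original guide) reads ssl-cipher-family values, one per line, and prints the property-:value removal command for each suite that matches a weak-cipher pattern. The function names and the pattern list (RC4, MD5, DES/3DES, NULL, EXPORT, anonymous) are this example's own policy; the script only prints commands and does not run dsconf.

```shell
#!/bin/sh
# Added example, not Oracle's code. Function names and the weak-suite
# patterns are this example's assumptions.

# Return 0 if the suite name matches a weak-cipher pattern.
is_weak_cipher() {
    case $1 in
        *_RC4_*|*_MD5|*_DES_*|*_3DES_*|*_NULL_*|*_EXPORT_*|*_anon_*) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: cipher suite names, one per line.
# stdout: one dsconf removal command (property-:value syntax) per weak suite.
emit_cipher_removals() {
    host=$1
    port=$2
    while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        if is_weak_cipher "$suite"; then
            echo "dsconf set-server-prop -h $host -p $port ssl-cipher-family-:$suite"
        fi
    done
}

# Constructed sample: the three suites used in the examples on this page.
SAMPLE_SUITES='SSL_RSA_WITH_RC4_128_MD5
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'

printf '%s\n' "$SAMPLE_SUITES" | emit_cipher_removals host1 1389
```

Review the printed commands before running them, and confirm that at least one suite your clients support remains configured.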

Working With the dsutil Command

You must create the following ACIs to work with the dsutil command successfully:

$ ldapmodify -h host -p port -D cn=admin,cn=Administrators,cn=config -w - -c
dn: cn=config
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Allow the Suffix Manager to browse the tree";
  allow (read,search,compare)userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="nsslapd-rootpw")
 (version 3.0; acl "Prevent the Suffix Manager from accessing passwords";
  deny (all)userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="userPassword")
 (version 3.0; acl "Prevent the Suffix Manager from accessing passwords";
  deny (all)userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="dsKeyedPassword")
 (version 3.0; acl "Prevent the Suffix Manager from accessing passwords";
  deny (all)userdn = "ldap:///$USERSFXADMIN";)

For more information about the dsutil command, see dsutil(1M).

Man Pages

The man pages provide descriptions of all commands and attributes used in Directory Server. In addition, the man pages show some useful examples of how to use the commands in deployment.