Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)
Part I Directory Server Administration
Directory Server Administration Overview
Directory Server Command-Line Tools
Most tasks you perform in DSCC can also be performed using command-line tools. These tools enable you to manage Directory Server directly from the command line, and to automate administration by using scripts.
The main Directory Server commands are dsadm, dsconf, and dsutil. You can use these commands to perform backups, export to LDIF, manage certificates, administer users and roles, and so on. For information about these commands, see the dsadm(1M), dsconf(1M), and dsutil(1M) man pages.
The dsconf, dsmig, dsccmon, and dsutil commands are LDAP-based: they talk to a running server over LDAP, so you must specify a bind DN and password for them to authenticate. The dpadm and dsadm commands, by contrast, operate directly on the instance files, so they must run on the host that holds the instance with file-system access to it (typically as the user that owns the instance) and need no LDAP credentials.
This section contains the following information about Directory Server command-line tools:
Location of Directory Server Commands
Setting Environment Variables for dsconf
Comparison of dsadm and dsconf
Obtaining Help for Using dsadm, dsconf, and dsutil
Modifying Configuration Properties by Using dsconf
Setting Multi-Valued Properties With dsconf
Location of Directory Server Commands
The Directory Server command-line tools are contained in a default installation directory:
install-path/bin
The directory for your installation depends on your operating system. Installation paths for all operating systems are listed in Default Paths and Command Locations.
Setting Environment Variables for dsconf
The dsconf command requires some options that you can preset by using environment variables. If you neither specify an option on the command line nor set the corresponding environment variable, the default setting is used. You can configure environment variables for the following options:
User bind DN. Environment variable: LDAP_ADMIN_USER. Default: cn=Directory Manager.
Password file for the user bind DN. Environment variable: LDAP_ADMIN_PWF. Default: prompt for the password. Keep this file readable only by the administrative user, since it holds the bind password in clear.
Host name. Environment variable: DIRSERV_HOST. Default: the local host.
LDAP port number. Environment variable: DIRSERV_PORT. Default: 389.
Open a cleartext (non-TLS) connection by default. Environment variable: DIRSERV_UNSECURED. If this variable is not set, dsconf opens a secure connection by default. Leave it unset unless you are on a trusted local link: over a cleartext connection the bind DN and password cross the network unencrypted.
For more details, see the dsconf(1M) man page.
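The following shell functions are an added example, not part of the Oracle guide or of the dsconf tool: they refuse to run dsconf when the environment would either downgrade the connection to cleartext or expose the bind password file to other local users. The example assumes dsconf is on the PATH; the host name and the password file path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): guard the dsconf environment
# before running an administrative command. Assumes dsconf is on PATH.

# Return 0 when the environment is safe for dsconf, 1 otherwise, with the
# reason written to stderr.
check_dsconf_env() {
    # A set DIRSERV_UNSECURED makes dsconf fall back to a cleartext LDAP
    # connection, so the bind DN and password would travel unencrypted.
    if [ -n "${DIRSERV_UNSECURED:-}" ]; then
        echo "refusing: DIRSERV_UNSECURED is set (cleartext bind)" >&2
        return 1
    fi

    pwf="${LDAP_ADMIN_PWF:-}"
    if [ -z "$pwf" ]; then
        # No password file: dsconf prompts interactively, which is fine.
        return 0
    fi
    if [ ! -f "$pwf" ]; then
        echo "refusing: password file $pwf does not exist" >&2
        return 1
    fi

    # The bind password must not be readable by group or others.
    # ls -ld is used instead of stat(1) because its first ten columns are
    # the same on Solaris, Linux and BSD; cut drops any ACL/SELinux marker.
    perm=$(ls -ld "$pwf" | cut -c1-10)
    case "$perm" in
        -rw-------|-r--------) return 0 ;;
        *)
            echo "refusing: $pwf has permissions $perm; expected 0600 or 0400" >&2
            return 1 ;;
    esac
}

# Wrapper: run dsconf only after the checks pass. Usage (placeholder host;
# the password file path is an assumption):
#   LDAP_ADMIN_USER='cn=Directory Manager'
#   LDAP_ADMIN_PWF="$HOME/.dsconf-pw"; export LDAP_ADMIN_USER LDAP_ADMIN_PWF
#   run_dsconf get-server-prop -h host1 -p 1389 ssl-cipher-family
run_dsconf() {
    check_dsconf_env || return 1
    dsconf "$@"
}
```

Both checks protect the same credential: the bind password leaves the host only inside a TLS-protected connection, and it cannot be read from the file by other local users. Put the wrapper in the scripts that set LDAP_ADMIN_PWF, because those are the invocations nobody is watching.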
Comparison of dsadm and dsconf
The following table shows a comparison of the dsadm and dsconf commands.
Table 1-1 Comparison of the dsadm and dsconf Commands
Obtaining Help for Using dsadm, dsconf, and dsutil
For complete information about how to use the dsadm, dsconf, and dsutil commands, see the dsadm(1M), dsconf(1M), and dsutil(1M) man pages.
To obtain a list of subcommands, type the appropriate command:
$ dsadm --help
$ dsconf --help
$ dsutil --help
To obtain information about how to use a subcommand, type the appropriate command:
$ dsadm subcommand --help
$ dsconf subcommand --help
$ dsutil subcommand --help
Modifying Configuration Properties by Using dsconf
Many of the dsconf subcommands enable you to view and modify configuration properties.
To list the configuration properties used in Directory Server, type:
$ dsconf help-properties
To find a particular property, search the output of the help properties.
For example, if you are using a UNIX platform and you want to search for all properties relating to referrals, use the following command.
$ dsconf help-properties | grep -i referral
SER referral-url rw M LDAP_URL | undefined Referrals returned to clients requesting a DN not stored in this Directory Server (Default: undefined)
SUF referral-mode rw disabled|enabled|only-on-write Specifies how referrals are used for requests involving the suffix (Default: disabled)
SUF referral-url rw M LDAP_URL | undefined Server(s) to which updates are referred (Default: undefined)
SUF repl-rewrite-referrals-enabled rw on|off Specifies whether automatic referrals are overwritten (Default: off)
Note that the properties are grouped by targeted objects, such as suffixes (SUF) and server (SER). The rw keyword indicates that the property is readable and writable. The M keyword indicates that the property is multivalued.
To see the underlying server attribute that a property maps to (the LDAP attribute name, for example nsslapd-state), use verbose mode. For example, on a UNIX system, type:
$ dsconf help-properties -v | grep -i referral-mode
SUF referral-mode rw disabled|enabled|only-on-write nsslapd-state Specifies how referrals are used for requests involving the suffix (Default: disabled)
For more information about individual properties, see the man page for that property. The man pages are in Oracle Directory Server Enterprise Edition Man Page Reference.
Setting Multi-Valued Properties With dsconf
Certain Directory Server properties can take multiple values. The syntax to specify these values is as follows:
$ dsconf set-container-prop -h host -p port container-name \
  property:value1 property:value2
This form replaces the whole value list with the values given. For example, to set multiple TLS cipher suites for a server, use the following command:
$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
  ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
To add a value to a multi-valued property that already contains values, use the following syntax:
$ dsconf set-container-prop -h host -p port container-name property+:value
To remove a value from a multi-valued property that already contains values, use the following syntax:
$ dsconf set-container-prop -h host -p port container-name property-:value
For example, continuing the previous scenario, to add an AES cipher suite (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) to the list without retyping the existing values, run this command:
$ dsconf set-server-prop -h host1 -p 1389 \
  ssl-cipher-family+:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
To remove the RC4/MD5 suite (SSL_RSA_WITH_RC4_128_MD5) from the list, run this command:
$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family-:SSL_RSA_WITH_RC4_128_MD5
The suite names in these examples only illustrate the syntax: RC4, MD5-based and 3DES suites are considered weak, so on a current deployment you would use the removal form for them rather than add them.
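The guide's own example leaves RC4/MD5 and 3DES suites in ssl-cipher-family. The shell functions below are an added example, not from the Oracle guide: they take the current value list, classify each suite, and build the property-:value and property+:value arguments that remove the weak suites and add any missing strong ones in a single dsconf set-server-prop call. The sample output, the "property : value" line format assumed for dsconf get-server-prop, the host name and the list of desired suites are all assumptions; check which suite names your server version accepts before applying the result.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): compute the dsconf arguments that
# strip weak cipher suites from ssl-cipher-family and add strong ones, using
# the property-:value and property+:value syntax. Nothing here calls dsconf.

# Constructed sample of what `dsconf get-server-prop ... ssl-cipher-family`
# prints, ASSUMED to be one "property : value" line per value. The values are
# the ones the guide's own example sets.
SAMPLE_OUTPUT='ssl-cipher-family : SSL_RSA_WITH_RC4_128_MD5
ssl-cipher-family : SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
ssl-cipher-family : TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'

# Read "ssl-cipher-family : NAME" lines on stdin, print one NAME per line.
suite_names() {
    sed -n 's/^ssl-cipher-family *: *//p'
}

# A suite is weak if it uses RC4, an MD5 MAC, single or triple DES,
# no encryption (NULL), export-grade keys, or anonymous key exchange.
is_weak_suite() {
    case "$1" in
        *RC4*|*MD5*|*DES*|*NULL*|*EXPORT*|*anon*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: cipher_fix_args "WANTED_SUITE ..." < current-values
# Prints one dsconf argument per line: "ssl-cipher-family-:X" for every weak
# suite currently set, then "ssl-cipher-family+:Y" for every wanted suite not
# already present. Suite names contain no whitespace, so the output can be
# word-split straight onto a dsconf command line.
cipher_fix_args() {
    wanted="$1"
    current=$(suite_names)
    printf '%s\n' "$current" | while IFS= read -r s; do
        if [ -n "$s" ] && is_weak_suite "$s"; then
            printf 'ssl-cipher-family-:%s\n' "$s"
        fi
    done
    for w in $wanted; do
        if ! printf '%s\n' "$current" | grep -qxF "$w"; then
            printf 'ssl-cipher-family+:%s\n' "$w"
        fi
    done
}

# Applying it (host name and port are placeholders; with LDAP_ADMIN_PWF set,
# dsconf does not prompt, so the generated arguments can be passed directly):
#   args=$(dsconf get-server-prop -h host1 -p 1389 ssl-cipher-family \
#          | cipher_fix_args "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA")
#   [ -n "$args" ] && dsconf set-server-prop -h host1 -p 1389 $args
```

Generating the argument list from the server's current values, rather than typing the +: and -: forms by hand, keeps the change idempotent: a suite that is already gone produces no removal argument and a suite that is already present produces no addition, so the same script can be run against every server in a topology.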
You must create the following ACIs for the dsutil command to work successfully. The first ACI lets the Suffix Manager read, search and compare all attributes under cn=config; the three deny ACIs then take the password attributes (nsslapd-rootpw, userPassword, dsKeyedPassword) back out of that grant, so that the Suffix Manager cannot read password hashes. $USERSFXADMIN is a placeholder for the DN of the Suffix Manager account. With -w -, ldapmodify prompts for the bind password instead of taking it on the command line:
$ ldapmodify -h host -p port -D cn=admin,cn=Administrators,cn=config -w - -c
dn: cn=config
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Allow the Suffix Manager to browse the tree"; allow (read,search,compare) userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="nsslapd-rootpw")(version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; deny (all) userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="userPassword")(version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; deny (all) userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="dsKeyedPassword")(version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; deny (all) userdn = "ldap:///$USERSFXADMIN";)
For more information about the dsutil command, see dsutil(1M).
The man pages provide descriptions of all commands and attributes used in Directory Server. In addition, the man pages show some useful examples of how to use the commands in deployment.