|Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition
11g Release 1 (18.104.22.168.0)
Part Number E28972-01
|PDF · Mobi · ePub|
Oracle Directory Server Enterprise Edition (ODSEE) provides a browser interface and command-line tools for administering multiple servers, instances, and suffixes in a replicated environment. This chapter provides overview information about Directory Server administration tools.
This chapter covers the following topics:
For an overview of the Directory Server administration framework, see Directory Server Enterprise Edition Administration Model in the Deployment Planning Guide for Oracle Directory Server Enterprise Edition.
For more detailed reference information about the Directory Server administration framework, see Chapter 2, Directory Server Overview, in the Reference for Oracle Directory Server Enterprise Edition.
Directory Server Enterprise Edition provides two user interfaces for managing Directory Servers and Directory Proxy Servers: a browser interface, Directory Service Control Center (DSCC), and a command-line interface.
Most procedures in this guide can be performed using either the command line or DSCC. The procedures in this guide show how to use the command line to accomplish the procedure. In most cases DSCC can be used to perform the same task. If DSCC can be used for a particular procedure, a statement to that effect appears at the beginning of the procedure.
The DSCC online help provides detailed instructions on how to use DSCC to perform the procedures in this guide.
DSCC enables you to perform some operations and tasks more easily than you can perform them from the command line, as explained in the following sections. In general, any command that must be applied to several servers is best performed using DSCC.
DSCC displays tables that show all server instances that have been registered in DSCC, all suffixes that have been configured, and the status of each.
The servers table is on the Directory Servers tab and shows the operational status of the server. For a complete list of possible server states, see the Directory Server online help.
The suffixes table is on the Suffixes tab and shows replication status information, such as the number of entries and the number and age of any missing changes. For more information about the information displayed in this table, see the Directory Server online help.
Server groups assist you in monitoring and configuring servers. You can create groups and assign servers to the groups. For example, you can group servers by geographical location, or by function. If you have a large number of servers, you can filter the servers shown on the Directory Servers tab so that only the servers in the group are shown. You can also copy the server configuration (for example index or cache settings) of one server to all other servers in a group. For instructions on how to set up and use a server group, see the Directory Server online help.
DSCC enables you to copy the configuration settings of an existing server, suffix, or replication agreement to one or more other servers, suffixes, or replication agreements. For information about how to perform each of these tasks, see the Directory Server online help.
With DSCC, you can set up a replication topology quickly and easily. Simply create the server instances, then use the steps provided by DSCC to designate the role of each server. DSCC automatically creates the replication agreements for you. For more information about how to configure replication using DSCC, see the Directory Server online help.
The main directory server commands are
dsutil. You can use these commands to perform backups, export to LDIF, manage certificates, manage the administration of users or roles, and so on. For information about these commands, see the dsadm, dsconf, and dsutil man pages.
dsutil are LDAP based commands so you must specify the user bind DN and password for these commands to authenticate. While the
dsadm commands operate on the instance files.
This section contains the following information about Directory Server command-line tools:
The Directory Server command-line tools are contained in a default installation directory:
The directory for your installation depends on your operating system. Installation paths for all operating systems are listed in Default Paths and Command Locations.
dsconf command requires some options that you can preset by using environment variables. If you do not specify an option when using the command, or do not set the environment variable, the default setting is used. You can configure environment variables for the following options:
User bind DN. Environment variable:
Password file for the user bind DN. Environment variable:
LDAP_ADMIN_PWF. Default: Prompt for password.
Host name. Environment variable:
LDAP port number. Environment variable:
dsconf should open a clear connection by default. Environment variable:
DIRSERV_UNSECURED. If this variable is not set,
dsconf opens a secure connection by default.
For more details, see the dsconf man page.
The following table shows a comparison of the
Table 1-1 Comparison of the
Administration commands that must be run directly on the local host. For example:
Administration commands that can be run from a remote host. For example:
The server must be stopped (except for the
The server is identified by the server instance path (instance-path).
You must have OS access permissions to the server instance path.
The server must be running.
The server is identified by host name (
If you do not specify a port number,
You must have LDAP access permissions to configuration data, for example, as the user cn=admin,cn=Administrators,cn=config.
To obtain a list of subcommands, type the appropriate command:
$ dsadm --help $ dsconf --help $ dsutil --help
To obtain information about how to use a subcommand, type the appropriate command:
$ dsadm subcommand --help $ dsconf subcommand --help $ dsutil subcommand --help
To list the configuration properties used in Directory Server, type:
$ dsconf help-properties
To find a particular property, search the output of the help properties.
For example, if you are using a UNIX platform and you want to search for all properties relating to referrals, use the following command.
$ dsconf help-properties | grep -i referral SER referral-url rw M LDAP_URL | undefined Referrals returned to clients requesting a DN not stored in this Directory Server (Default: undefined) SUF referral-mode rw disabled|enabled|only-on-write Specifies how referrals are used for requests involving the suffix (Default: disabled) SUF referral-url rw M LDAP_URL | undefined Server(s) to which updates are referred (Default: undefined) SUF repl-rewrite-referrals-enabled rw on|off Specifies whether automatic referrals are overwritten (Default: off)
Note that the properties are grouped by targeted objects, such as suffixes (SUF) and server (SER). The
rw keyword indicates that the property is readable and writable. The
M keyword indicates that the property is multivalued.
To see the server attribute, use verbose mode. For example, on a UNIX system, type:
$ dsconf help-properties -v | grep -i referral-mode SUF referral-mode rw disabled|enabled|only-on-write nsslapd-state Specifies how referrals are used for requests involving the suffix (Default: disabled)
For more information about individual properties, see the man page for that property. The man pages are in the Man Page Reference for Oracle Directory Server Enterprise Edition.
$ dsconf set-container-prop -h host -p port container-name \ property:value1 property:value2
For example, to set multiple encryption ciphers for a server, use the following command:
$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \ ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
To add a value to a multi-valued property that already contains values, use the following syntax:
$ dsconf set-container-prop -h host -p port container-name property+:value
To remove a value from a multi-valued property that already contains values, use the following syntax:
$ dsconf set-container-prop -h host -p port container-name property-:value
For example, in the scenario described previously, to add the
SHA encryption cipher to the list of ciphers, run this command:
$ dsconf set-server-prop -h host1 -p 1389 \ ssl-cipher-family+:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
To remove the
MD5 cipher from the list, run this command:
$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family-:SSL_RSA_WITH_RC4_128_MD5
You must create the following ACIs to work with the
dsutil command successfully:
$ldapmodify -h host -p port -D cn=admin,cn=Administrators,cn=config -w - -c dn: cn=config changetype: modify add: aci aci: (targetattr="*")(version 3.0; acl "Allow the Suffix Manager to browse the tree"; \ allow (read,search,compare)userdn = "ldap:///$USERSFXADMIN";) aci: (targetattr="nsslapd-rootpw")\ (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \ deny (all)userdn = "ldap:///$USERSFXADMIN";) aci: (targetattr="userPassword")\ (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \ deny (all)userdn = "ldap:///$USERSFXADMIN";) aci: (targetattr="dsKeyedPassword")\ (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \ deny (all)userdn = "ldap:///$USERSFXADMIN";)
For more information about
dsutil command, see dsutil.
The man pages provide descriptions of all commands and attributes used in Directory Server. In addition, the man pages show some useful examples of how to use the commands in deployment.