Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) Part Number E28972-01
Oracle Directory Server Enterprise Edition (ODSEE) provides a browser interface and command-line tools for administering multiple servers, instances, and suffixes in a replicated environment. This chapter provides overview information about Directory Server administration tools.
This chapter covers the following topics:
Information about the Directory Server administration framework is provided in other guides in this documentation set.
For an overview of the Directory Server administration framework, see Directory Server Enterprise Edition Administration Model in the Deployment Planning Guide for Oracle Directory Server Enterprise Edition.
For more detailed reference information about the Directory Server administration framework, see Chapter 2, Directory Server Overview, in the Reference for Oracle Directory Server Enterprise Edition.
Directory Server Enterprise Edition provides two user interfaces for managing Directory Servers and Directory Proxy Servers: a browser interface, Directory Service Control Center (DSCC), and a command-line interface.
Most procedures in this guide can be performed using either the command line or DSCC. The procedures in this guide show how to use the command line to accomplish the procedure. In most cases DSCC can be used to perform the same task. If DSCC can be used for a particular procedure, a statement to that effect appears at the beginning of the procedure.
The DSCC online help provides detailed instructions on how to use DSCC to perform the procedures in this guide.
DSCC enables you to perform some operations and tasks more easily than you can perform them from the command line, as explained in the following sections. In general, any command that must be applied to several servers is best performed using DSCC.
DSCC displays tables that show all server instances that have been registered in DSCC, all suffixes that have been configured, and the status of each.
The servers table is on the Directory Servers tab and shows the operational status of the server. For a complete list of possible server states, see the Directory Server online help.
The suffixes table is on the Suffixes tab and shows replication status information, such as the number of entries and the number and age of any missing changes. For more information about the information displayed in this table, see the Directory Server online help.
Server groups assist you in monitoring and configuring servers. You can create groups and assign servers to the groups. For example, you can group servers by geographical location, or by function. If you have a large number of servers, you can filter the servers shown on the Directory Servers tab so that only the servers in the group are shown. You can also copy the server configuration (for example index or cache settings) of one server to all other servers in a group. For instructions on how to set up and use a server group, see the Directory Server online help.
DSCC enables you to copy the configuration settings of an existing server, suffix, or replication agreement to one or more other servers, suffixes, or replication agreements. For information about how to perform each of these tasks, see the Directory Server online help.
With DSCC, you can set up a replication topology quickly and easily. Simply create the server instances, then use the steps provided by DSCC to designate the role of each server. DSCC automatically creates the replication agreements for you. For more information about how to configure replication using DSCC, see the Directory Server online help.
Most tasks you perform on DSCC can be performed using command-line tools. These tools enable you to manage Directory Server directly from the command line, and to manage your server by using scripts.
The main directory server commands are dsadm, dsconf, and dsutil. You can use these commands to perform backups, export to LDIF, manage certificates, manage the administration of users or roles, and so on. For information about these commands, see the dsadm, dsconf, and dsutil man pages.
The dsconf, dsmig, dsccmon, and dsutil commands are LDAP-based, so you must specify the user bind DN and password for these commands to authenticate. The dpadm and dsadm commands, by contrast, operate directly on the instance files.
This section contains the following information about Directory Server command-line tools:
The Directory Server command-line tools are contained in a default installation directory:
install-path/bin
The directory for your installation depends on your operating system. Installation paths for all operating systems are listed in Default Paths and Command Locations.
dsconf
The dsconf command requires some options that you can preset by using environment variables. If you do not specify an option when using the command, or do not set the environment variable, the default setting is used. You can configure environment variables for the following options:
-D user-DN: User bind DN. Environment variable: LDAP_ADMIN_USER. Default: cn=Directory Manager.
-w password-file: Password file for the user bind DN. Environment variable: LDAP_ADMIN_PWF. Default: prompt for password.
-h host: Host name. Environment variable: DIRSERV_HOST. Default: local host.
-p LDAP-port: LDAP port number. Environment variable: DIRSERV_PORT. Default: 389.
-e, --unsecured: Specifies that dsconf should open a clear connection by default. Environment variable: DIRSERV_UNSECURED. If this variable is not set, dsconf opens a secure connection by default.
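The precedence described above (explicit option, then environment variable, then the documented default, with a secure connection unless -e or DIRSERV_UNSECURED says otherwise) is easy to get wrong when dsconf is driven from scripts. The following is an added example, not Oracle's code, that models that resolution so you can see what a given command line and environment would produce; the function and field names (resolve_dsconf_settings, ConnectionSettings, audit_environment) are this example's own, and "localhost" stands in for the guide's "local host".

```python
"""Resolve the effective connection settings dsconf would use.

Added example, not part of the Oracle guide or of dsconf itself. It models
the precedence the guide describes: an explicit option wins, then the
environment variable, then the documented default. Names are assumptions
of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ConnectionSettings:
    bind_dn: str
    password_file: Optional[str]   # None means dsconf will prompt for the password
    host: str
    port: int
    secure: bool                   # False only when -e/--unsecured or DIRSERV_UNSECURED applies


# option flag -> (environment variable, documented default)
# "localhost" stands in for the guide's "local host" default.
_OPTION_TABLE = {
    "-D": ("LDAP_ADMIN_USER", "cn=Directory Manager"),
    "-w": ("LDAP_ADMIN_PWF", None),
    "-h": ("DIRSERV_HOST", "localhost"),
    "-p": ("DIRSERV_PORT", "389"),
}


def _pick(flag: str, argv: List[str], env: Dict[str, str]):
    """Explicit option > environment variable > default."""
    env_name, default = _OPTION_TABLE[flag]
    if flag in argv:
        idx = argv.index(flag)
        if idx + 1 >= len(argv):
            raise ValueError(f"option {flag} requires an argument")
        return argv[idx + 1]
    return env.get(env_name, default)


def resolve_dsconf_settings(argv: List[str], env: Dict[str, str]) -> ConnectionSettings:
    """argv is the dsconf argument list; env is the process environment."""
    port_value = _pick("-p", argv, env)
    try:
        port = int(port_value)
    except ValueError:
        raise ValueError(f"invalid LDAP port: {port_value!r}") from None
    # dsconf opens a secure connection unless told otherwise on the command
    # line or through DIRSERV_UNSECURED (the guide treats "set" as enough).
    unsecured = "-e" in argv or "--unsecured" in argv or "DIRSERV_UNSECURED" in env
    return ConnectionSettings(
        bind_dn=_pick("-D", argv, env),
        password_file=_pick("-w", argv, env),
        host=_pick("-h", argv, env),
        port=port,
        secure=not unsecured,
    )


def audit_environment(env: Dict[str, str]) -> List[str]:
    """Findings about dsconf-related environment variables worth reviewing."""
    findings = []
    if "DIRSERV_UNSECURED" in env:
        findings.append("DIRSERV_UNSECURED is set: dsconf will open a clear (unencrypted) connection by default")
    pwf = env.get("LDAP_ADMIN_PWF")
    if pwf is not None and not pwf.startswith("/"):
        findings.append(f"LDAP_ADMIN_PWF is a relative path ({pwf}); resolution depends on the current directory")
    return findings


if __name__ == "__main__":
    import os
    print(resolve_dsconf_settings(["-h", "host1", "-p", "1389"], dict(os.environ)))
    for finding in audit_environment(dict(os.environ)):
        print("finding:", finding)
```

Running the script against the real environment shows which values a scripted dsconf invocation would actually bind with, which is the check to make before an automated job is allowed to carry a password file.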
For more details, see the dsconf man page.
dsadm and dsconf
The following table shows a comparison of the dsadm and dsconf commands.
Table 1-1 Comparison of the dsadm and dsconf Commands
| | dsadm Command | dsconf Command |
|---|---|---|
| Description | Administration commands that must be run directly on the local host. For example: | Administration commands that can be run from a remote host. For example: |
| Notes | The server must be stopped (except for the The server is identified by the server instance path (instance-path). You must have OS access permissions to the server instance path. | The server must be running. The server is identified by host name ( If you do not specify a port number, You must have LDAP access permissions to configuration data, for example, as the user cn=admin,cn=Administrators,cn=config. |
dsadm, dsconf, and dsutil
For complete information about how to use the dsadm, dsconf, and dsutil commands, see the dsadm, dsconf, and dsutil man pages.
To obtain a list of subcommands, type the appropriate command:
$ dsadm --help
$ dsconf --help
$ dsutil --help
To obtain information about how to use a subcommand, type the appropriate command:
$ dsadm subcommand --help
$ dsconf subcommand --help
$ dsutil subcommand --help
dsconf
Many of the dsconf subcommands enable you to view and modify configuration properties.
To list the configuration properties used in Directory Server, type:
$ dsconf help-properties
To find a particular property, search the output of the help properties.
For example, if you are using a UNIX platform and you want to search for all properties relating to referrals, use the following command.
$ dsconf help-properties | grep -i referral
SER referral-url rw M LDAP_URL | undefined
Referrals returned to clients requesting a DN not stored in this
Directory Server (Default: undefined)
SUF referral-mode rw disabled|enabled|only-on-write
Specifies how referrals are used for requests involving the suffix
(Default: disabled)
SUF referral-url rw M LDAP_URL | undefined
Server(s) to which updates are referred (Default: undefined)
SUF repl-rewrite-referrals-enabled rw on|off
Specifies whether automatic referrals are overwritten (Default: off)
Note that the properties are grouped by targeted objects, such as suffixes (SUF) and server (SER). The rw keyword indicates that the property is readable and writable. The M keyword indicates that the property is multivalued.
To see the server attribute, use verbose mode. For example, on a UNIX system, type:
$ dsconf help-properties -v | grep -i referral-mode
SUF referral-mode rw disabled|enabled|only-on-write nsslapd-state
Specifies how referrals are used for requests involving the suffix
(Default: disabled)
For more information about individual properties, see the man page for that property. The man pages are in the Man Page Reference for Oracle Directory Server Enterprise Edition.
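When you audit many instances, grepping help-properties output by hand does not scale; the object prefix, rw flag, M flag, value syntax and (in verbose mode) attribute name shown above are regular enough to parse. The following is an added example, not Oracle's code or dsconf output format documentation, that turns that output into records you can filter (for example, every writable multi-valued server property). The sample text is constructed from the referral lines shown above; the parser's treatment of the verbose attribute column is a heuristic of this example, and the function and field names are its own.

```python
"""Parse the output of `dsconf help-properties` into structured records.

Added example, not part of the Oracle guide or the dsconf tool. It reads the
format the guide shows: a header line "OBJ name rw [M] syntax [attribute]"
followed by description lines ending in "(Default: ...)". The attribute
column only appears with -v, so the caller says whether the text came from
verbose mode. Function and field names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER = re.compile(r"^(?P<obj>[A-Z]{3})\s+(?P<name>[a-z0-9-]+)\s+(?P<access>rw|r|w)\s*(?P<rest>.*)$")
DEFAULT = re.compile(r"\(Default:\s*(?P<value>[^)]*)\)")


@dataclass
class Property:
    obj: str                 # targeted object, e.g. SUF (suffix) or SER (server)
    name: str
    readable: bool
    writable: bool
    multivalued: bool
    syntax: str              # allowed values, e.g. "on|off" or "LDAP_URL | undefined"
    attribute: Optional[str] = None   # LDAP attribute, only known from verbose output
    description: List[str] = field(default_factory=list)

    @property
    def default(self) -> Optional[str]:
        m = DEFAULT.search(" ".join(self.description))
        return m.group("value").strip() if m else None


def parse_help_properties(text: str, verbose: bool = False) -> List[Property]:
    props: List[Property] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m is None:
            # Not a header: a continuation of the previous property's description.
            if not props:
                raise ValueError(f"description before any property header: {line!r}")
            props[-1].description.append(line)
            continue
        tokens = m.group("rest").split()
        multi = bool(tokens) and tokens[0] == "M"
        if multi:
            tokens = tokens[1:]
        attribute = None
        # In verbose mode the attribute name follows the syntax. Take the last
        # token unless it is the right-hand side of an "a | b" syntax such as
        # "LDAP_URL | undefined" (heuristic of this example).
        if verbose and len(tokens) >= 2 and tokens[-2] != "|":
            attribute = tokens.pop()
        access = m.group("access")
        props.append(Property(
            obj=m.group("obj"), name=m.group("name"),
            readable="r" in access, writable="w" in access,
            multivalued=multi, syntax=" ".join(tokens), attribute=attribute))
    return props


def search(props: List[Property], needle: str) -> List[Property]:
    """Case-insensitive name search, the programmatic form of `| grep -i referral`."""
    needle = needle.lower()
    return [p for p in props if needle in p.name.lower()]


# Constructed sample: the referral entries shown in the guide, non-verbose form.
SAMPLE = """\
SER referral-url rw M LDAP_URL | undefined
  Referrals returned to clients requesting a DN not stored in this
  Directory Server (Default: undefined)
SUF referral-mode rw disabled|enabled|only-on-write
  Specifies how referrals are used for requests involving the suffix
  (Default: disabled)
SUF referral-url rw M LDAP_URL | undefined
  Server(s) to which updates are referred (Default: undefined)
SUF repl-rewrite-referrals-enabled rw on|off
  Specifies whether automatic referrals are overwritten (Default: off)
"""

# Constructed sample: the one verbose (-v) line the guide shows, attribute column present.
SAMPLE_VERBOSE = """\
SUF referral-mode rw disabled|enabled|only-on-write nsslapd-state
  Specifies how referrals are used for requests involving the suffix
  (Default: disabled)
"""

if __name__ == "__main__":
    for p in search(parse_help_properties(SAMPLE), "referral"):
        print(p.obj, p.name, "multi" if p.multivalued else "single", p.syntax, "default:", p.default)
```

In practice you would feed it `dsconf help-properties -v` captured from each instance and diff the resulting records between instances, which shows configuration drift far more reliably than eyeballing grep output.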
dsconf
Certain Directory Server properties can take multiple values. The syntax to specify these values is as follows:
$ dsconf set-container-prop -h host -p port container-name \
  property:value1 property:value2
For example, to set multiple encryption ciphers for a server, use the following command:
$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
  ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
To add a value to a multi-valued property that already contains values, use the following syntax:
$ dsconf set-container-prop -h host -p port container-name property+:value
To remove a value from a multi-valued property that already contains values, use the following syntax:
$ dsconf set-container-prop -h host -p port container-name property-:value
For example, in the scenario described previously, to add the SHA encryption cipher to the list of ciphers, run this command:
$ dsconf set-server-prop -h host1 -p 1389 \
  ssl-cipher-family+:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
To remove the MD5 cipher from the list, run this command:
$ dsconf set-server-prop -h host1 -p 1389 ssl-cipher-family-:SSL_RSA_WITH_RC4_128_MD5
dsutil Command
You must create the following ACIs to work with the dsutil command successfully:
$ ldapmodify -h host -p port -D cn=admin,cn=Administrators,cn=config -w - -c
dn: cn=config
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Allow the Suffix Manager to browse the tree"; \
 allow (read,search,compare)userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="nsslapd-rootpw")\
 (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \
 deny (all)userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="userPassword")\
 (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \
 deny (all)userdn = "ldap:///$USERSFXADMIN";)
aci: (targetattr="dsKeyedPassword")\
 (version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; \
 deny (all)userdn = "ldap:///$USERSFXADMIN";)
For more information about the dsutil command, see dsutil.
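The four ACIs above grant the Suffix Manager read access to the whole tree and then deny all access to three password attributes; if one of the deny ACIs is mistyped or omitted, the allow on targetattr="*" silently exposes those attributes. The following is an added example, not Oracle's code, that fills in the $USERSFXADMIN placeholder, emits the LDIF record the ldapmodify command above reads, and parses each ACI just far enough to confirm that nsslapd-rootpw, userPassword and dsKeyedPassword are each covered by a deny (all) for that DN. The backslash line continuations are collapsed, the parser handles only the ACI shape shown here, and the function names (render_acis, render_ldif, password_attrs_denied) are this example's own.

```python
"""Render and check the dsutil ACIs from the guide before loading them.

Added example, not Oracle's code. ACI_TEMPLATES reproduces the guide's four
ACIs with the line continuations collapsed; the parser is a simplified
reading of that syntax, and the function names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Attributes the guide's deny ACIs must cover (compared case-insensitively).
PASSWORD_ATTRS = {"nsslapd-rootpw", "userpassword", "dskeyedpassword"}

ACI_TEMPLATES = [
    '(targetattr="*")(version 3.0; acl "Allow the Suffix Manager to browse the tree"; '
    'allow (read,search,compare)userdn = "ldap:///$USERSFXADMIN";)',
    '(targetattr="nsslapd-rootpw")(version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; '
    'deny (all)userdn = "ldap:///$USERSFXADMIN";)',
    '(targetattr="userPassword")(version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; '
    'deny (all)userdn = "ldap:///$USERSFXADMIN";)',
    '(targetattr="dsKeyedPassword")(version 3.0; acl "Prevent the Suffix Manager from accessing passwords"; '
    'deny (all)userdn = "ldap:///$USERSFXADMIN";)',
]

# Matches only the shape used above: one targetattr, one allow/deny, one userdn.
ACI_RE = re.compile(
    r'\(targetattr="(?P<targetattr>[^"]*)"\)'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)";\)'
)


@dataclass(frozen=True)
class Aci:
    targetattr: str
    name: str
    effect: str
    rights: FrozenSet[str]
    userdn: str


def parse_aci(text: str) -> Aci:
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unsupported ACI syntax: {text!r}")
    rights = frozenset(r.strip().lower() for r in m.group("rights").split(","))
    return Aci(m.group("targetattr"), m.group("name"), m.group("effect"), rights, m.group("userdn"))


def render_acis(suffix_admin_dn: str) -> List[str]:
    """Fill in the $USERSFXADMIN placeholder with the Suffix Manager's DN."""
    return [t.replace("$USERSFXADMIN", suffix_admin_dn) for t in ACI_TEMPLATES]


def render_ldif(suffix_admin_dn: str) -> str:
    """LDIF modify record for cn=config, in the shape the guide feeds to ldapmodify."""
    lines = ["dn: cn=config", "changetype: modify", "add: aci"]
    lines += [f"aci: {aci}" for aci in render_acis(suffix_admin_dn)]
    return "\n".join(lines) + "\n"


def password_attrs_denied(acis: List[str], suffix_admin_dn: str) -> bool:
    """True when every password attribute has a deny (all) ACI for the given DN."""
    denied = set()
    for raw in acis:
        aci = parse_aci(raw)
        if aci.effect == "deny" and "all" in aci.rights and aci.userdn == suffix_admin_dn:
            denied.add(aci.targetattr.lower())
    return PASSWORD_ATTRS <= denied


if __name__ == "__main__":
    # Placeholder DN for illustration; substitute your own Suffix Manager entry.
    dn = "cn=SuffixAdmin,cn=Administrators,cn=config"
    acis = render_acis(dn)
    assert password_attrs_denied(acis, dn)
    print(render_ldif(dn), end="")
```

Pipe the printed record into the ldapmodify command from the guide once the check passes; the same password_attrs_denied check can be rerun against the aci values read back from cn=config to confirm nothing was dropped on the way in.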
The man pages provide descriptions of all commands and attributes used in Directory Server. In addition, the man pages show some useful examples of how to use the commands in deployment.