Contents

Introduction
    Netscape Directory Server Restricted Mode
    Netscape Directory Server 4.1 Overview
    Prerequisite Reading
    What Is in This Book?
    Conventions Used in This Book

Chapter 1: Administering Netscape Directory Server
    Overview of Directory Server Management
    Using the Directory Server Console
    Opening the Directory Server Console
    Binding to the Directory From Netscape Console
    Viewing the Current Bind DN From Netscape Console
    Starting and Stopping the Directory Server
    Starting the Server with SSL Enabled
    Starting the Server in Referral-Only Mode
    Using the Command-Line Utilities
    Finding the Command-Line Utilities
    Setting Environment Variables
    Directory Server Command-Line Scripts
    Directory Server Configuration Files

Chapter 2: LDAP Data Interchange Format
    LDIF File Format
    Continued Lines
    Base 64 Encoding
    Creating Directory Entries Using LDIF
    Specifying Organization Entries
    Specifying Organizational Unit Entries
    Specifying Organizational Person Entries
    Defining Directories Using LDIF
        LDIF File Example
    Storing Information in Multiple Languages

Chapter 3: Extending the Directory Schema
    Overview of Extending Schema
    Turning Schema Checking On and Off
    Managing Object Classes
    Viewing Object Classes
    Creating Object Classes
    Editing Object Classes
    Deleting Object Classes
    Managing Attributes
    Viewing Attributes
    Creating Attributes
    Editing Attributes
    Deleting Attributes

Chapter 4: Managing Directory Server Databases
    Managing Databases Using LDIF
    Exporting Databases to LDIF
        Exporting to LDIF Using the Server Console
        Exporting to LDIF From the Command Line
        ns-slapd and slapd Parameters for Exporting Databases
        Database to LDIF Examples
    Importing Databases From LDIF
        Importing LDIF From the Server Console
        Importing LDIF From the Command Line
        slapd Parameters Used for LDIF Imports
        LDIF to Database Examples
    Deleting LDIF Files
    Backing Up and Restoring Your Database
    Backing Up Your Database From the Server Console
    Backing Up Your Database From the Command Line
    Restoring Your Database From the Server Console
    Restoring Your Database From the Command Line
    Deleting Database Backups
    Restoring Databases That Include Replicated Entries
    Placing a Database in Read-Only Mode
    Setting Suffixes for Your Database
    Enabling and Disabling Plug-Ins From the Server Console
    Managing the Referential Integrity Plug-in
    Managing Referential Integrity From the Server Console
    Managing Referential Integrity From the Command Line
    Configuring Referential Integrity for Replicated Environments
    Changing the Integrity Update Interval
    Modifying Which Attributes to Update
    Managing Database Transaction Logging
    Changing the Location of the Database Transaction Log
    Changing the Database Checkpoint Interval
    Disabling Durable Transactions

Chapter 5: Managing Access Control
    Understanding Access Control
    Targets
        Targeting a Directory Entry
        Targeting Attributes
        Targeting Using LDAP Filters
    Permissions
        Allowing or Denying Access
        Assigning Rights
    Bind Rules
        User and Group Access
        Access From a Specific Machine or Domain
        Access at a Specific Time of Day or Day of Week
        Access Based on Authentication Method
        Boolean Bind Rules
    Setting Access Control Using the Server Console
    Creating a New ACI
    Editing an Existing ACI
    Deleting an Existing ACI or ACR
    Access Control Usage Examples
        Setting Anonymous Access for Read, Search, and Compare
        Allowing Users to Modify Their Own Directory Entries
        Allowing Users to Change Some of Their Own Attributes
        Granting a Group Full Access to a Suffix
        Granting a Group Rights to Add and Delete Entries
        Allowing Full Access to a Specific Branch Point
        Allowing Access at a Specific Time of Day or Day of Week
        Allowing Updates Only From a Specific Location
        Allowing Access to a Suffix Over SSL Only
        Setting a Target Using Filtering
        Allowing Users to Add or Remove Themselves From a Group
    Setting Access Control Using LDIF Files
    The ACI Language Syntax
    Setting Targets Using LDIF
        Using the target Keyword
        Using the targetattr Keyword
        Using the targetfilter Keyword
    Setting Permissions Using LDIF
    Setting Bind Rules Using LDIF
        Using the userdn Keyword
        Using the groupdn Keyword
        Using the userdnattr and groupdnattr Keywords
        Using the ip Keyword
        Using the dns Keyword
        Using the timeofday Keyword
        Using the dayofweek Keyword
        Using the authmethod Keyword
        Using Boolean Expressions in LDIF Bind Rules
    ACI Usage Examples
        Defining Permissions for All Users
        Defining Anonymous Access
        Defining Permissions for Individual Users
        Defining Permissions for a Group of Users
        Defining Permissions for a Specific Subtree
        Defining Permissions for a Specific Location
        Defining Permissions Based on the Day of Week or the Time of Day
        Defining Permissions Based on Authentication Method
        Defining Permissions for DNs That Contain a Comma
    Overview of Proxied Authorization
    Proxied Authorization ACI Syntax
    Proxied Authorization ACI Example
    Specifying Proxy Authorization Rights On a Target
        Setting Proxy Rights Using the Server Console
        Setting Proxy Rights Using the Command Line
    Viewing the Access Control List for a Suffix

Chapter 6: Managing Password and Account Lockout Policies
    Managing the Password Policy
    Configuring the Password Policy
    Password Policy Parameters
        Password Change After Reset
        User-Defined Passwords
        Password Expiration
        Expiration Warning
        Password Syntax Checking
        Password Length
        Password Minimum Age
        Password History
        Password Storage Scheme
    Managing the Account Lockout Policy
    Configuring the Account Lockout Policy
    Account Lockout Policy Parameters
        Account Lockout
        Password Failure Counter Reset
        Lockout Duration
    Setting User Passwords

Chapter 7: Managing Indexes
    The Searching Algorithm
    Types of Indexes
    Presence Index
    Equality Index
    Approximate Index
    Substring Index
    International Index
    Browsing Index
    The Cost of Indexing
    Slower Database Modification and Creation Times
    Higher System Resource Use
    Creating Indexes
    System and Default Indexes
        System Indexes
        Default Indexes
    Standard Index Files
    Creating Indexes From the Server Console
    Creating Indexes From the Command-Line
        Adding Index Descriptions to slapd.ldbm.conf
        Creating Indexes Using db2index
    Removing Indexes
    Removing Indexes Using the Server Console
    Removing Standard Indexes Using the Command Line
    Using Browsing Indexes
    Creating Browsing Indexes
    Removing Browsing Indexes
    Managing All IDs Threshold
    Benefits of the All IDs Mechanism
    Drawbacks of the All IDs Mechanism
        When All IDs Threshold is Too Low
        When All IDs Threshold is Too High
    All IDs Threshold Tuning Advice
    Default All IDs Threshold Value
    Symptoms of an Inappropriate All IDs Threshold Value
    Changing the All IDs Threshold Value

Chapter 8: Finding Directory Entries
    Finding Entries Using the Server Console
    LDAP Search Filters
    Search Filter Syntax
    Using Attributes in Search Filters
    Using Operators in Search Filters
    Using Compound Search Filters
        Boolean Operators
    Search Filter Examples
    Using ldapsearch
    Using Special Characters
    ldapsearch Command Line Format
    Commonly Used ldapsearch Parameters
    SSL Parameters
    Additional ldapsearch Parameters
    ldapsearch Examples
        Returning All Entries
        Specifying Search Filters on the Command Line
        Searching the root DSE Entry
        Searching the Schema Entry
        Using LDAP_BASEDN
        Displaying Subsets of Attributes
        Specifying Search Filters Using a File
        Specifying DNs that Contain Commas in Search Filters
        Using Client Authentication When Searching
    Searching an Internationalized Directory
    Supported Search Types
    Matching Rule Filter Syntax
        Matching Rule Formats
        Using Wildcards in Matching Rule Filters
    International Search Examples
        Less Than Example
        Less Than or Equal to Example
        Equality Example
        Greater Than or Equal to Example
        Greater Than Example
        Substring Example

Chapter 9: Managing Directory Entries
    Managing Entries Using the Server Console
    Managing Users, Groups, and Org. Units Using the Server Console
        Adding Users, Groups, and Org. Units Using the Server Console
        Modifying Users, Groups, and Org. Units Using the Server Console
    Using the Property Editor to Manage Entries
        Adding Other Types of Entries Using the Property Editor
        Adding an Object Class to an Entry Using the Property Editor
        Removing an Object Class From an Entry Using the Property Editor
        Adding an Attribute Value to an Entry Using the Property Editor
        Adding Values to an Attribute Using the Property Editor
        Removing an Attribute Value From an Entry Using the Property Editor
        Adding an Attribute Subtype Using the Property Editor
    Deleting Entries Using the Server Console
    Managing Entries Using the Command-Line Utilities
    Using Special Characters
    Providing Input From the Command Line
    Adding Entries Using LDIF
    Adding and Modifying Entries Using ldapmodify
        Commonly Used ldapmodify Parameters
        SSL Parameters
        Additional ldapmodify Parameters
        ldapmodify Example
    Deleting Entries Using ldapdelete
        Commonly Used ldapdelete Parameters
        SSL Parameters
        Additional ldapdelete Parameters
        ldapdelete Examples
    LDIF Update Statements
    Adding an Entry Using LDIF
        Using the ldapmodify -a Parameter
    Renaming an Entry Using LDIF
        A Note on Renaming Entries
    Modifying an Entry Using LDIF
        Adding Attributes to Existing Entries Using LDIF
        Changing an Attribute Value Using LDIF
        Deleting All Values of an Attribute Using LDIF
        Deleting a Specific Attribute Value Using LDIF
    Deleting an Entry Using LDIF
    Modifying an Entry in an Internationalized Directory

Chapter 10: Managing Your Directory Server
    Viewing and Configuring Log Files
    Access Log
        Viewing the Access Log
        Configuring the Access Log
    Error Log
        Viewing the Error Log
        Configuring the Error Log
    Audit Log
        Viewing the Audit Log
        Configuring the Audit Log
    Manual Log File Rotation
    Monitoring Server Activity
    Monitoring Your Server From the Server Console
        General Information (Server)
        Resource Summary
        Current Resource Usage
        Connection Status
    Monitoring Your Server From the Command Line
    Monitoring Database Activity
    Monitoring Database Activity From the Server Console
        General Information (Database)
        Summary Information Table
        Database Cache Information Table
        Database File-Specific Table
    Monitoring the Database From the Command-Line
    Managing the Root DN
    Tuning Performance
    Tuning Server Performance
    Tuning Database Performance
    Managing Network and LDAP Settings
    Changing Directory Server Port Numbers
    Enabling the Directory Server to use the NT Synchronization Service
    Placing the Entire Directory Server in Read-only Mode
    Tracking Modifications to Directory Entries

Chapter 11: Managing SSL
    Obtaining and Installing Server Certificates
    Step 1: Generate a Certificate Request
    Step 2: Send the Certificate Request
    Step 3: Install the Certificate
    Step 4: Trust the Certificate Authority
    Step 5: Confirm That Your New Certificates Are Installed
    Activating SSL
    Setting Security Preferences
    Using Certificate-Based Authentication
    Creating Certificate Databases for LDAP Clients

Chapter 12: Managing FORTEZZA
    What You Need To Do
    Setting Up FORTEZZA
    Step 1: Install the FORTEZZA PKCS #11 Module
    Step 2: Create a Trust Database
    Activating FORTEZZA
    Starting the Server with FORTEZZA Enabled
    Starting a FORTEZZA-Enabled Server From the Server Console (Windows NT Only)
    Starting a FORTEZZA-Enabled Server From the Command Line
    Disabling FORTEZZA
    Specifying FORTEZZA Options
    Using FORTEZZA With Client Authentication

Chapter 13: Managing Replication
    Replication Overview
    Managing Supplier-Initiated Replication (SIR)
    Configuring Servers for SIR
        Configuring the Supplier DN for SIR
        Configuring the Change Log for SIR
    Creating an SIR Agreement
    Duplicating an SIR Agreement
    Editing an SIR Agreement
    Managing Consumer-Initiated Replication (CIR)
    Configuring Servers for CIR
        Configuring the Change Log for CIR
        Providing Consumer Access to the Change Log for CIR
    Creating a CIR Agreement
    Duplicating a CIR Agreement
    Editing a CIR Agreement
    Removing the Change Log
    Initializing Consumers
    When to Initialize a Consumer
    Online Consumer Creation
        When You Should Use Online Consumer Creation
        How to Use Online Consumer Creation
    Manual Consumer Creation
        Converting the Supplier Tree to LDIF
        Importing the LDIF File to the Consumer Server
    Monitoring Replication Status
    Replication Algorithms
    SIR Algorithm
    CIR Algorithm
    Machine data

Chapter 14: Managing Referrals
    Understanding Referrals
    Setting Default Referral URLs
    Creating and Changing Smart Referrals
    Creating Smart Referrals Using the Directory Server Console
    Creating Smart Referrals From the Command-line

Chapter 15: NT Directory Synchronization
    The Synchronization Service
    Synchronization: NT to Directory Server
        How NT Directory Changes Are Discovered
        Creating User Entries
        Creating Group Entries
        Initially Creating Entries
    Synchronization: Directory Server to NT
        How Synchronization Occurs
        Creating User Entries
        Creating Group Entries
        Creating Duplicate Entries
        Deleting Entries
        Modifying Entries
        Associating an Existing Directory User with an NT User Account
        Associating an Existing Directory Group with an NT Group
        Disassociating a Directory User or Group from an NT User or Group
    Concurrently Changing Directory Server and NT Account Values
    The Synchronization Configuration Tool
    About the OK, Cancel, Apply, and Help Buttons
    Configuring Synchronization
    Configuring Service Settings
    Configuring Directory Server Settings
    If the Selected UID is Not Unique
    Scheduling Synchronization
    Manually Performing Synchronization
    Configuring Account Details
    Surname-based NT Accounts
    Starting and Stopping the Synchronization Service
    Checking Synchronization Status
    Turning Off SSL for the Synchronization Service
    Troubleshooting Errors at Synchronization Time

Chapter 16: Managing SNMP
    Understanding SNMP
    SNMP Overview
        NMS-Initiated Communication
        Managed Device-Initiated Communication
    The Directory Server MIB
    The Operations Table
    The Entries Table
    The Interaction Table
    Setting Up SNMP
    Setting Up SNMP on Windows NT
    Setting Up SNMP on Unix
    Configuring the AIX SNMP Daemon (AIX Only)
    Starting and Stopping the SNMP Subagent on Unix
    Configuring SNMP for the Directory Server

Chapter 17: Configuration Parameters
    Changing Configuration Parameter Values
    Changing Parameter Values Using the Server Console
    Changing Parameter Values Using slapd.conf
    Changing Parameter Values Using slapd.ldbm.conf
    General Server Parameters
    Access Log
    Access Log Enable Logging
    Access Log Expiration Time
    Access Log Expiration Time Unit
    Access Log Maximum Disk Space
    Access Log Maximum Log Size
    Access Log Maximum Number of Log Files
    Access Log Minimum Free Disk Space
    Access Log Rotation Time
    Access Log Rotation Time Unit
    accessloglevel
    Account Lockout
    Attribute
    Audit Log
    Audit Log Enable Logging
    Audit Log Expiration Time
    Audit Log Expiration Time Unit
    Audit Log Maximum Disk Space
    Audit Log Maximum Log Size
    Audit Log Maximum Number of Log Files
    Audit Log Minimum Free Disk Space
    Audit Log Rotation Time
    Audit Log Rotation Time Unit
    Certificate and Key Directory
    Changelog DB Directory
    Changelog Suffix
    Check Password Syntax
    Enable Access Control
    Enable Online Consumer Creation
    Enable Superior Object Class Enquoting
    Encrypted Port Number
    Encryption Alias
    Encryption Ciphers
    Error Log
    Error Log Enable Logging
    Error Log Expiration Time
    Error Log Expiration Time Unit
    Error Log Maximum Disk Space
    Error Log Maximum Log Size
    Error Log Maximum Number of Log Files
    Error Log Minimum Free Disk Space
    Error Log Rotation Time
    Error Log Rotation Time Unit
    Idle Timeout
    Instance Directory
    IO Block Time Out
    Listen to IP Address
    Local User
    Lockout Duration
    Log Buffering
    Log Level
    Max Changelog Age
    Max Changelog Records
    Maximum File Descriptors
    Maximum Message Size
    Maximum Password Failures
    Maximum Threads Per Connection
    nagle
    NLS
    NT Synchronization Service Enabled
    NT Synchronization Service Port Number
    NT Synchronization Service Use SSL
    Number of Passwords to Remember
    Object Class
    Password Change
    Password Expiration
    Password History
    Password Maximum Age
    Password Minimum Age
    Password Minimum Length
    Password Must Change
    Password Storage Scheme
    Port Number
    Referral
    Reserved File Descriptors
    Reset Password Failure Count After
    result_tweak
    Return Exact Case
    Root DN
    Root Password
    Root Password Storage Scheme
    Schema Checking
    Security
    Send Warning
    Size Limit
    Supplier DN
    Supplier Password
    Supplier SSL Clients
    Thread Number
    Time Limit
    Track Modification Time
    Unlock Account
    User-Defined Attributes File
    User-Defined Object Class File
    Database Parameters
    All IDs Threshold
    Attribute to be Indexed
    Database
    Database Checkpoint Interval
    Database Configuration File
    Database Directory
    Database Durable Transactions
    Database Transaction Log Directory
    db_home_directory
    Look Through Limit
    Maximum Cache Size
    Maximum Entries in Cache
    Mode
    Read-only
    Suffix

Appendix A: LDAP URLs
    Components of an LDAP URL
    Escaping Unsafe Characters
    Examples of LDAP URLs

Appendix B: Internationalization
    Identifying Supported Locales
    Supported Language Subtypes

Appendix C: UI Reference
    Confirmation Preferences Dialog Box
    Import Database Dialog Box (Import Command)
    Export Database Dialog Box (Export Command)
    Settings Tab (Root Node)
    Performance Tab (Root Node)
    Encryption Tab (Root Node)
    Encryption Preferences Dialog Box
    SNMP Tab (Root Node)
    Manager Tab (Root Node)
    Indexes Tab (Database)
    New Attribute Dialog Box
    Passwords Tab (Database)
    Account Lockout Tab (Database)
    Performance Tab (Database)
    Settings Tab (Database)
    Backup Directory Dialog Box
    Restore Directory Dialog Box
    Object Classes Tab
    Create or Edit Object Class Dialog Box
    Attributes Tab
    Create or Edit Attribute Dialog Box
    Matching Rules Tab
    Replication Status Tab
    Consumer Server Settings Tab
    Supplier Server Settings Tab
    Replication Agreement Wizard Dialog Box
    Agreement Name Dialog Box
    Source and Destination Dialog Box
    Host Info Dialog Box
    Scheduling Dialog Box
    Consumer Initialization Dialog Box
    Summary Dialog Box
    Summary Tab (Supplier-Initiated or Consumer-Initiated Agreements Folder)
    Schedule Tab (Supplier-Initiated or Consumer-Initiated Agreements Folder)
    Content Tab (Supplier-Initiated or Consumer-Initiated Agreements Folder)
    Access Log Tab (Status Tab)
    Access Log Tab (Configuration Tab)
    Error Log Tab (Status Tab)
    Error Log Tab (Configuration Tab)
    Audit Log Tab (Status Tab)
    Audit Log Tab (Configuration Tab)
    Plugins Tabs
    Server Tab (Performance Counters)
    Database Tab (Performance Counters)
    Property Editor Dialog Box
        File Menu Commands (Property Editor)
        Edit Menu Commands (Property Editor)
        View Menu Commands (Property Editor)
    Add Object Class Dialog Box
    Add Attribute Dialog Box
    Search Users and Groups By Filter Dialog Box
    Configure New Instance Dialog Box
    Subtree Selection Dialog Box

Glossary

Index